Copy Link
Add to Bookmark
Report
hwa-hn34
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 34 Volume 1 1999 Sept 19th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
__ ___ _____ __ ___
/ // / | /| / / _ | / / ___ __ __/ _ \____ ___ ___ _ _____
/ _ /| |/ |/ / __ |_ / _ Y _ `| \ / // / __/ / _ Y -_) |/|/ (_-<
/_//_/ |__/|__/_/ |_(_)_//_|_,_/_\_\\___/_/ (_)_//_|__/|__,__/___/
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
The Hacker's Ethic
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a perjorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
A Comment on FORMATTING:
I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endevoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
New mirror sites
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #34
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #34
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Army to Use MacOS ...............................................
04.0 .. Phrack Issue 55 Has Been Released ...............................
05.0 .. E-Commerce Sites Still Vulnerable ...............................
06.0 .. Fakescan.c by Vortexia...........................................
07.0 .. MS get Independent Auditor for HotMail ..........................
08.0 .. US Gov to Switch From NT to Open Source .........................
09.0 .. Sept 15th CryptoGram.............................................
10.0 .. Move over BO2k here's Donald Dick from Russia with love..........
11.0 .. New HOTMAIL hole found...........................................
12.0 .. Security Hole Found in Security Product .........................
13.0 .. Globalstar and FBI Are Nearing Agreement ........................
14.0 .. Matt Drudge Defaced .............................................
15.0 .. South Africa Stats Site Defaced .................................
16.0 .. India And Israel BackDooring US Software ........................
17.0 .. The Russians Are Coming, The Russians Are Coming ................
18.0 .. Biometrics Takes Frightening New Step "I am not a number!".......
19.0 .. NASDAQ Defaced ..................................................
20.0 .. WebTV Hole Divulges User Info ...................................
21.0 .. Bookshelf: "Hacking Exposed" Available Soon .....................
22.0 .. Major Tech Companies Announce Security Plans ....................
23.0 .. NIST To Offer Security Awareness Workshops ......................
24.0 .. Yet Another Firewall ............................................
25.0 .. HNN Announces Partnership With Security Focus ...................
26.0 .. The Search for ULG Begins........................................
27.0 .. BO2K Discontinues US Distribution................................
28.0 .. Taiwan Increases Cyber Warfare Training .........................
29.0 .. White House Set to Relax Crypto Export Controls .................
30.0 .. Crypto Compromise Reached .......................................
31.0 .. Network Solutions Screws Up .....................................
32.0 .. Feds Approve GPS Tracking .......................................
33.0 .. Student Sentenced to Five Weeks .................................
34.0 .. Stupid Mistakes Worse than Viruses ..............................
35.0 .. "23".............................................................
36.0 .. STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES.......................
37.0 .. SOPHOS: TOO MUCH VIRUS SCAREMONGERING............................
38.0 .. CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP......................
39.0 .. REPORT URGES TOUGH NET STALKING LAWS.............................
40.0 .. CODEBREAKERS AND PHONE-SPIES TARGET CRIME ON THE INTERNET........
41.0 .. LAW ENFORCEMENT MAY BENEFIT FROM NEW CRYPTO POLICY...............
42.0 .. LIBELING AGAIN (ATTRITION vs ANTIONLINE).........................
43.0 .. SECURITY A MANAGEMENT PROBLEM?...................................
44.0 .. TROJAN IN FAKE MICROSOFT Y2K MAIL................................
45.0 .. CERT ADVISORY CA-99-11-CDE.......................................
46.0 .. HACKER PROFILER..................................................
47.0 .. eDOCTOR GLOBAL NETWORK...........................................
48.0 .. DEFAULT ISSUE 5 OUT..............................................
49.0 .. ANOTHER WANNABE HACKER CAUGHT....................................
50.0 .. TROJANS - MODERN THREAT..........................................
51.0 .. IE5 BUG LEAVES COMPUTERS OPEN TO INVASION........................
52.0 .. US OFFERS RUSSIA TO HELP TRASH ISLAMIC MILITANT SITES............
53.0 .. RUSSIAN HACKERS REPORTEDLY ACCESSED US MILITARY SECRETS..........
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA.. .................
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
Websites;
sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care wether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
<a href="http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html">Link</a>
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black
Foreign Correspondants/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pidgeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal useage and use in this zine are
listed below: Some are very useful, others attempt to deny the any possible
attempts at eschewing obfuscation by obsucuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS butthey probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick
kewl sites:
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN (THANKS JP) ******
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ UNMASKING CHAT ROOM IMPOSTORS (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21754.html
Ever wonder who you're really chatting with online? A new
game based on the Turing test may tell whether she is really
a he, and vice versa. By Kristen Philipkoski.
++ CISCO PAYS $65 MILLION FOR COCOM (BUS. 8:30 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21760.html
The computer networking company buys Copenhagen's Cocom to
expand its delivery of broadband access products.
++ SCREAMS OF DELIGHT AT VISIO (BUS. 8:30 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21761.html
The technical drawing software company joins the Redmond
empire in a US$1.3 billion stock deal.
++ MOTOROLA BUYS INTO BROADBAND (BUS. 7:35 am)
http://www.wired.com/news/news/email/explode-infobeat/business/story/21759.html
The cell phone and pager company agrees to spend US$11
billion in stock for set-top box supplier General
Instrument. Also: FCC walks a fine line with new orders....
Seagate to trim 8,000 jobs.... American Airlines finds few
New Year's passengers.... And more.
++ SPRECHEN SIE INTERNET DEUTSCH? (CULT. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/culture/story/21752.html
As Germans clamor for Net access and tools like email, they
leave their language behind them. German isn't what it used
to be. By Carter Dougherty.
++ IS PALM LOSING ITS GRIP? (TECH. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21751.html
Handspring licenses the Palm OS for its handheld, then
releases a more flexible organizer. Is the Palm dynasty on
shaky ground? By Leander Kahney.
++ SPARKING THE PLUG-AND-PLAY CAR (TECH. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/21745.html
Motorola develops a streamlined socket system for plugging
info gadgets into autos. Adding wireless news,
entertainment, and ads could get much simpler. By
Craig Bicknell.
++ DEMOS TO PREZ: 'USE SAFE TEXT' (POL. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21744.html
House Democrats want Bill Clinton to help them overturn his
administration's own long-term policy restricting the export
of strong encryption products.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
++ OPEN ACCESS FIGHT RAGES ON (POL. Tuesday)
http://www.wired.com/news/news/email/explode-infobeat/politics/story/21748.html
An ISP industry group tells a federal court that local
governments should decide who gets access to cable networks.
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(No mail worthy of posting here this issue,)
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/* This issue is a little late, sorry 'bout that but I got a new toy
* and have been spending time setting it up and playing with it, its
* a PII 400 with Voodoo III 3000 and a Diamond Monster sound 3d card
* with a 19" monitor and 10 gig hd plus a DVD drive and HP 8100 CDRW
* all that connects to a soho 5 port CAT5 hub which goes out to the
* cablemodem, my other system will be delegated to FreeBSD and the
* Linux box remains untouched. FreeBSD will be bestowed with a 13G
* HD and I am probably going to bring Linux 'up front' as a proxy
* and shell server at some point... so yay me
*
* This issue has a couple of articles contributed by wyzewun of FK
* (Forbidden Knowledge) a .ZA zine that sheds some light on the hack
* / security scene in South Africa so read on and enjoy the issue...
*
* Cruciphux
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
03.0 Army to Use MacOS
~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by McIntyre
The US Army has migrated its web server duties off
WindowsNT and onto MacOS. The site administrator has
said that according the World Wide Web Consortium
(W3C) MacOS is more secure and does not allow remote
logins. (The reason army.mil was recently defaced was
do to an application hole, not an OS problem and
nothing against the W3C but when did they become
security experts?)
Army Link News
http://www.dtic.mil/armylink/news/Sep1999/a19990901hacker.html
CMP Tech Web
http://www.techweb.com/wire/story/TWB19990910S0017
US Army
http://www.army.mil
Army Link News;
Web page hacker arrested, government sites becoming more secure
by Sgt. 1st Class Connie E. Dickey
WASHINGTON (Army News Service, Sept. 1, 1999) - Working from information
provided by the U.S. Army's Criminal Investigation Command, FBI agents
arrested a 19-year-old Wisconsin man Aug. 30 for malicious altering of
a U.S. Army Web page.
The agents identified the Green Bay man as the co-founder of a hacker
organization known as "Global Hell."
The arrest capped a two-month investigation led by Army CID agents,
after an unidentified intruder gained illegal access to the Army Home
Page June 28 and modified its contents. The intruder also gained access
to an unclassified Army network and removed and modified computer files
to prevent detection.
Since the case is still ongoing, Christopher Unger, web site administrator
for the Army Home Page, didn't want to talk about specifics of what the
hacker did to the web page or what the Army is doing to protect its sites
from future hackers. However, he said the Army has moved its web sites to
a more secure platform. The Army had been using Windows NT and is currently
using Mac OS servers running WebSTAR web server software for its home page
web site.
Unger said the reason for choosing this particular server and software is
that according to the World Wide Web Consortium, it is more secure than its
counterparts.According to the Consortium's published reports on its findings,
Macintosh does not have a command shell, and because it does not allow remote
logins, it is more secure than other platforms. The report also said the
Consortium has found no specific security problems in either the software or
the server.
The Consortium is a worldwide group of representatives from more than 350
organizations that provide the infrastructure for a global interoperable World
Wide Web. Membership is open to any organization.
"Government networks are inviting to hackers because of their high profile,"
Unger said. However, the Department of Defense is laying the groundwork now
for more secure Internet sites that will prevent unauthorized access to
information, he said.
(Editor's note: Some information was provided by the U.S. Army Criminal
Investigation Command.)
@HWA
04.0 Phrack Issue 55 Has Been Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Modify
Phrack, the oldest continuously published underground
e-zine , has released issue 55. This is the first issue in
over eight months. It has all the usual goodies from
Loopback and LineNoise to Phrack World News.
Phrack 55 - HTML version
http://www.attrition.org/~modify/texts/phrack/latest.htm
Phrack.com
http://www.phrack.com
@HWA
05.0 E-Commerce Sites Still Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by netmask
News on the various vulnerabilities with numerous
shopping cart software was first announced over four
months ago. MindSec security has found that most web
sites are still vulnerable to these holes leaving personal
information including credit card numbers at risk.
Hopefully these problems will be corrected soon.
MindSec Security
http://www.mindsec.com/webcart/
E-Commerce.. Shouldn't Security Be Involved?
By: Erik Parker
E-Commerce is something that isn't getting any smaller. Hundreds of sites are
popping up every day that are using E-Commerce. People are spending millions of
dollars over the web, via secure servers, and online shopping applications. We
have found that some of those shopping applications, commonly referred to as
"Shopping Carts", may be a major downfall to the security of your credit cards
and personal information being secure.
Just because you are transferring your Credit Card number over a secure
connection, just exactly who is it, that is going to guarantee that it is safe once it
reaches its destination server? Over 6 Months ago, Joe H. Had made a report to
Bugtraq (www.securityfocus.com) that many sites were insecure. Bugtraq is the
most widely used, and a highly respected mailing list that the best security
administrators in the world discuss possible security problems, and verified
vulnerabilities.
Dozens of Brands, and Hundreds of sites were vulnerable to people reading your
credit card numbers, what you ordered, your home telephone number, and all the
personal information you entered. Some of these carts even unknowingly let
anyone who knows where the configuration program is, point their web browser
to it, and change the site, the prices, the tax, and even make their own orders at
whatever price they want. After 6 months some of these sites still remain remain
vulnerable. It is almost as if the manufacturers didn't notify their customers of the
problem. Many of the customers either were never informed, or just didn't take
the time to pursue fixing their sites. Perhaps people hoped the problem would go
away or be forgotten.
In Joe's first post to Bugtraq, he noted that c|net would be running an article on
E-Commerce Security. He did not disclose who the manufacturers of these
products were. However, when he got dozens of E-mails with people asking him
who they were, he went ahead and posted a second post, which lists several
companies that were vulnerable. Then other people started looking into these, and
Bo Elkjaer posted a followup listing another company, Mountain Network
Systems. Joe then checked out their products and in his follow up post he
determined it was also vulnerable.
Mind Security has taken interest in the shopping cart problems, to make
E-Commerce a little more safer, and a bit more trusted, as a good majority of
people are still hesitant to shop online. E-Commerce is a great way of shopping
and purchasing things over the web. With E-Commerce you do not have to be
bothered by a sales man or be pressured, and yet you can still find all the
information on products that you want without the help of a salesman who just
wants to get his commission.
The other reason we took interest, is because we were asked to investigate a
recent hack by a group called HiP (Hackers In Paradise), who had hit a Web site
that sells Adult Items. The web site owner had requested for us to look into it, and
advise them on what they should do.
After investigating and obtaining the logs we determined that the hackers never
gained access to the machine, under the Administrator account. There were
hundreds of web sites hosted on that machine, and several that were more high
profile. Also looking at their track record, many of these sites they had taken
credit for ran WebCart®, or other shopping cart like programs. There was no
FTP involved, and no shell access granted that we could determine. We can't say
with 100% certainty that it was done via the webcart®. It does have an html
update utility, and has such a bad track record, we had to strongly consider this as
as being the point of entry for the hackers. The product also doesn't log any of its
usage. People can upload, update, and if they aren't logged via the web server,
then they were never logged.
When we went to yahoo.com and put "webcart AND mountain" in the search
engine, we came up with dozens of matches We did a quick investigation and
found more than 70% were vulnerable. We read an E-mail earlier from someone
at Mountain-Net, which claims that if the user properly configures their web
servers and read the install file, this wouldn't be a problem. I beg to differ, a good
product ships with its own built-in security measures, and does not rely on other
programs being setup, like Apaches htaccess feature, which lets you grant and
refuse access by username and password and even by hostname is you wish.
Mind Security made a follow up post to Bugtraq on September 9th, concerning
this, and the fact that no one had fixed it, and it was just kind of forgotten about.
The post named off of a couple of sample vulnerable sites, as well as the correct
paths to check for these problems.
If you would like to check your site for this vulnerability, we worked with Renaud
Deraison who runs The Nessus Project. The "Nessus" Project aims to provide to
the internet community a free, powerful, up-to-date and easy to use and remote
security scanner. They have included a way to search for these vulnerabilities
within their scanner. If you download their most current version from their CVS
repository, you will be able to scan your site for it with that. If you can not get it
from their repository, it will be included in their nessus-0.98.2 release.
Thanks go to:
Brian Martin
Benjamin DeLong, Research Lead, ZOT Group
L0pht Heavy Industries
The Attrition.org Staff
The Nessus Project
@HWA
06.0 Fakescan.c by Vortexia
~~~~~~~~~~~~~~~~~~~~~~
Read the comments in the source, its self explanitory, Vort tells me he initiated
quite a stir in .za with this program with half the country thinking they were
being scanned by the other half etc... fun. anyways check it out...and shouts to
Forbidden Knowledge, Vort and Wyze1
-=-
[09:54] <Vortexia> Cruciphux did I give you fakescan.c?
[09:54] <Cruciphux> no
[09:55] <Vortexia> this one is evil :)
[09:55] <multisync> me to me to
[09:55] <Cruciphux> ok
[09:55] <Vortexia> it really caused some ppl in the industry to go loco
[09:55] <Cruciphux> hehe
[09:56] <Vortexia> cause suddenly half the world was scanning half the world
[09:56] <Cruciphux> you been causing shit again?
[09:56] <Vortexia> hahaha
[09:56] <Vortexia> Cruciphux :) read what it does
[09:56] <Cruciphux> ok
[09:56] <Vortexia> its a braindead port scan spoofer that looks exactly like an nmap scan
but is far easier to use to do mass scans and requires no brains to use :)
[09:57] <wyze1> vort: u giving him the ver with the fixed tcp/ip sequencing
[09:58] <wyze1> ?
[09:58] <wyze1> damnit, now he's making a phonecall ;)
[09:58] <Vortexia> wyze1 its got almost perfect seq'ing
[09:58] <Cruciphux> hehe
[09:58] <Cruciphux> no greets to HWA yet huh?
[09:58] <Cruciphux> :-/
[09:58] <Vortexia> its large enough to be realistic
[09:58] <Cruciphux> *g*
[09:58] <Vortexia> Cruciphux ack I forgot
[09:58] <Vortexia> add em in there yourself :)
[09:58] <Cruciphux> hahaha
[09:58] <Cruciphux> nah
[09:59] <Cruciphux> i'm not THAT lame
[09:59] <wyze1> hehehe
[09:59] <wyze1> there is pr0ps to HWA in the new FK
No we're not THAT lame but just lame enough to include the irc log of me aquiring
this copy of fakescan ;-) ,,, enjoy
-=-
/*
* Fakescan.c (c) 1999 Vortexia / Andrew Alston andrew@idle.za.org
*
* Ok... more crap code from me... thats yes... entirely useless other than as a
* proof of case. I wrote this quickly while trying to prove the case that
* logging portscans that are syn/fin based is entirely useless.
*
* What the code does: It reads in a list of hosts to spoof from a spoof host,
* and sends fake fin or syn scans to a list of hosts found in the victims
* file. Sorry there is no dns resolve on hosts in those files, it was a
* quick job while I was bored and I found better things to do while coding
* it so I didnt get around to adding it.
*
* The code is once again written for BSD and compiles with no warnings under
* fbsd 3.2 - I hate linux - Dont expect a linux port from me, someone else -
* feel free to make one
*
* If you wanna use my code, as always, feel free but I expect credit where
* credit is due, I.E you use my code, you put my name in your code.
*
* Greets and Shoutouts..
*
* Mithrandi - Thanks for your help Ultima - For everything you've helped me
* with in the past Van - What can I say, HI TimeWiz - Thanks for help in
* times past, and for ideas for upcoming projects Sniper - My partner in
* crime - You have and always will rock Opium - HI Hotmetal - A general
* greet DrSmoke - HI jus - My social engineering partner - lets continue to
* mindfuck together OPCODE - Thanks for the help - you rock gr1p and all the
* people at b4b0 - Keep rocking guys To all the people at Forbidden
* knowledge - Good going - Keep it up To everyone else on all the networks
* and channels I hang on, a general greet and thanks - I couldnt keep doing
* what I do without you guys.
*
* Fuckoffs, Curses and the likes:
*
* To Sunflower - If you cant handle an insult in a piece of code - and think
* thats worth of an akill - GROW UP AND GO FUCK YOURSELF To Gaspode - May
* you die a slow and painful death, and may the fleas of 10000 camels infest
* your armpits To the person who said coding stuff like this was for script
* kiddies - GET A CLUE you know who you are To anyone else I dont like -
* FUCK YOU To anyone else who doesnt like me - FUCK YOU
*
*/
#define __FAVOR_BSD
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <time.h>
#include <netdb.h>
struct viclist {
struct in_addr victim;
struct viclist *link;
};
struct slist {
struct in_addr spoof;
struct slist *link;
};
int
main(int argc, char *argv[])
{
int i = 0;
int sock;
int on = 1;
struct sockaddr_in sockstruct;
struct ip *iphead;
struct tcphdr *tcphead;
char evilpacket[sizeof(struct ip) + sizeof(struct
tcphdr)];
int seq, ack;
FILE *victimfile;
FILE *spooffile;
char buffer[256];
struct viclist *vcur, *vfirst;
struct slist *scur, *sfirst;
bzero(evilpacket, sizeof(evilpacket));
vfirst = malloc(sizeof(struct viclist));
vcur = vfirst;
vcur->link = NULL;
sfirst = malloc(sizeof(struct slist));
scur = sfirst;
scur->link = NULL;
if (argc < 4) {
printf("Usage: %s scan_type ((S)yn/(F)in) spoof_file victim_file\n"
"Example: %s S spooffile victimfile\n", argv[0], argv[0]);
exit(-1);
};
if ((strncmp(argv[1], "S", 1)) && (strncmp(argv[1], "F", 1))) {
printf("Scan type not specified\n");
exit(-1);
}
if ((spooffile = fopen((char *) argv[2], "r")) <= 0) {
perror("fopen");
exit(-1);
} else {
while (fgets(buffer, 255, spooffile)) {
if (!(inet_aton(buffer, &(scur->spoof))))
printf("Invalid address found in victim file.. ignoring\n");
else {
scur->link = malloc(sizeof(struct slist));
scur = scur->link;
scur->link = NULL;
}
};
bzero(buffer, sizeof(buffer));
};
fclose(spooffile);
scur = sfirst;
while (scur->link != NULL) {
printf("Found spoof host: %s\n", inet_ntoa(scur->spoof));
scur = scur->link;
};
scur = sfirst;
if ((victimfile = fopen((char *) argv[3], "r")) <= 0) {
perror("fopen");
exit(-1);
} else {
while (fgets(buffer, 255, victimfile)) {
if (!(inet_aton(buffer, &(vcur->victim))))
printf("Invalid address found in victim file.. ignoring\n");
else {
vcur->link = malloc(sizeof(struct viclist));
vcur = vcur->link;
vcur->link = NULL;
}
};
bzero(buffer, sizeof(buffer));
};
fclose(victimfile);
vcur = vfirst;
while (vcur->link != NULL) {
printf("Found victim host: %s\n", inet_ntoa(vcur->victim));
vcur = vcur->link;
};
vcur = vfirst;
if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) &on, sizeof(on)) < 0) {
perror("setsockopt");
exit(-1);
}
sockstruct.sin_family = AF_INET;
iphead = (struct ip *) evilpacket;
tcphead = (struct tcphdr *) (evilpacket + sizeof(struct ip));
iphead->ip_hl = 5;
iphead->ip_v = 4;
iphead->ip_len = sizeof(struct ip) + sizeof(struct tcphdr);
iphead->ip_id = htons(getpid());
iphead->ip_ttl = 255;
iphead->ip_p = IPPROTO_TCP;
iphead->ip_sum = 0;
iphead->ip_tos = 0;
iphead->ip_off = 0;
tcphead->th_win = htons(512);
if (!(strncmp(argv[1], "S", 1)))
tcphead->th_flags = TH_SYN;
else
tcphead->th_flags = TH_FIN;
tcphead->th_off = 0x50;
while (vcur->link != NULL) {
iphead->ip_dst = vcur->victim;
sleep(1);
while (scur->link != NULL) {
seq = rand() % time(NULL);
ack = rand() % time(NULL);
tcphead->th_sport = htons(rand() % time(NULL));
sockstruct.sin_port = htons(rand() % time(NULL));
iphead->ip_src = scur->spoof;
sockstruct.sin_addr = scur->spoof;
sleep(1);
for (i = 1; i <= 1024; i++) {
seq += (rand() %10)+250;
ack += (rand() %10)+250;
srand(getpid());
tcphead->th_seq = htonl(seq);
tcphead->th_ack = htonl(ack);
tcphead->th_dport = htons(i);
sendto(sock, &evilpacket, sizeof(evilpacket), 0x0,
(struct sockaddr *) & sockstruct, sizeof(sockstruct));
}
scur = scur->link;
}
scur = sfirst;
vcur = vcur->link;
}
return (1);
};
@HWA
07.0 MS get Independent Auditor for HotMail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
After prompting from industry watch dog groups
Microsoft has agree to hire a third party auditing firm to
review the recent HotMail incident. Microsoft has not
released the name of the company and it is unlikely the
resulting report will be made public.
Wired
http://www.wired.com/news/news/technology/story/21691.html
All Eyes on Hotmail Audit
by Chris Oakes
4:00 p.m. 10.Sep.99.PDT
Can the Internet industry spank itself? Some are watching the
outcome of the latest major Web breakdown to see.
Microsoft has chosen an undisclosed independent auditor to give
Hotmail a security once-over. As it does so, the company, industry
watchdog Truste, and privacy advocates cast the audit as a testament
to -- or failure of -- effective self-regulation.
Following a recommendation last week by Truste, Microsoft went about
choosing an independent auditing firm this week to test the security
of its free Hotmail email service.
"We're doing an independent review or audit of the Hotmail incident
of last week, which got lot of attention," said Microsoft spokesperson
Tom Pilla.
Hotmail users were confronted with an alarming security breach last
week. Hackers exposed every Hotmail email account so that anyone who
knew a person's username could access that account without a password.
"Truste said Microsoft was in compliance and believed [the Hotmail
security issue] to be resolved. But we are continuing to investigate
that incident completely to ensure that the service complies with the
high standards we put on consumer privacy," Pilla added.
Truste spokesman Dave Steer emphasized that his organization didn't
order Microsoft to hire an auditor; rather, it was a recommendation.
Pilla underscored the point. "They suggested and we agreed. It's not
something we had to do."
So if the agreement was such a non-threatening, voluntary arrangement,
does it stand up as an effective demonstration of the power of
self-regulation?
"Yeah, I think it [does]," Pilla said. "As soon as the incident occurred
we [were] in close coordination with Truste, as we always are on these
things."
Last week, Truste took an initial stance that the incident was a security
issue, not a privacy matter. But Steer said the organization sees the two
issues as connected, and a Truste statement on the organization's Web site
clarifies its position.
"The statement clearly highlights the fact that there's not trust without
privacy and similarly there's not privacy without reasonable security of
the data being protected," Steer explained. "So in some instances, yes --
security and privacy go hand in hand."
Jason Catlett, a privacy advocate who closely watches the self-regulation
issue, was guardedly impressed by the sheer notion of an audit.
"I don't write it off as [a] meaningless act. I'm quite pleased that they
have agreed to an independent audit. It's a small window opened in the
fortress Redmond," he said.
But Catlett read hidden meaning in the unprecedented Microsoft decision,
and doesn't see it as evidence of self-regulation's effectiveness.
"Basically, [Microsoft] realize[s] that nobody believes a single word they
say anymore, so they're paying an accounting firm to say things for them."
The nature of this security breach -- a simple function of logging into an
email account -- made it easier for Microsoft to open up Hotmail for
review, Catlett said.
In contrast, the company's undisclosed use of a unique identifier in
Microsoft Office documents and Microsoft cookies created during user
registration of Windows, had much broader implications.
Thus, when an audit was badly needed, Microsoft declined.
"Truste didn't do an audit [in that case] so [Catlett's Junkbusters watchdog
group] went to the FTC and asked them to require an audit, and Microsoft
just refused."
This time, "Truste suggested an audit and Microsoft agreed -- this is the
coziest regulation imaginable," Catlett said.
Pilla disagreed. "I think it's a very good expression of self-regulation,"
he said. "I think our swift response to the Hotmail incident coupled with
inviting a third party review is evidence of our commitment to protecting
people's online privacy."
The legitimacy of the Hotmail audit will depend on the particular security
issues the auditing firm is asked to test. "Management makes some assertion
and the acting firm attests to that assertion. If the assertions are very
limited, then the conclusion [of the] accounting firm is very limited,"
Catlett said.
Pilla said he couldn't comment on the specifics of the audit yet.
"We don't know what the process is, moving forward."
He also wouldn't say whether the public would ever get to review the test
conducted by the auditing firm.
As to skepticism of the self-regulatory process, Truste's Steer said,
"We don't dictate where the program is going to go based on the skeptics. We
have to take a good hard look at what the consumer needs. ... Any reasonable
person can take a look at what's going on right now and come to their own
conclusion. If you ask me personally, I think this is an example that the
system worked."
Whatever the outcome, it will no doubt be logged into any case histories
seeking to build a case for or against self-regulation.
Pilla said the audit should take "not months but a fairly short amount of
time."
Said Catlett: "They're on a tightrope where they're trying to maintain
credibility as a consumer advocacy organization while still not scaring away
potential licensees with any real prospects of sanctions."
@HWA
08.0 US Gov to Switch From NT to Open Source
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
The National Security Council will soon create a
software assessment office to evaluate different
operating systems other than Windows NT including
open source software. A major reason given for this
switch was the susceptibility of Windows to viruses and
other attacks. (The article says they are looking closely
at Linux, I hope they don't forget OpenBSD.)
Federal Times
http://www.federaltimes.com/topstory.html
The Independent Weekly
September 16, 1999
Top Officials Seek Alternatives to Microsoft
By Stephen Trimble
FEDERAL TIMES STAFF WRITER
Concerned about security and an excessive reliance on Microsoft software, senior administration
officials plan to diversify the types of operating systems software purchased by the government.
The National Security Council soon will create a new office to assess the ways federal agencies
could make greater use of open-source, or nonproprietary, software that is freely available to anyone
and has codes that are not secret.
"One of the areas we are very interested in looking at is open-source code," a senior White House
official told Federal Times.
The effort ultimately could affect the types of software the government purchases for network
servers and desktop applications.
The government will buy $2 billion worth of software in 2000, according to Federal Sources Inc., of
Fairfax, Va., a market research company.
The initial purpose of the new software assessment office will be to identify agencies and programs
that will be candidates for trials of open source software, said the White House official, who asked not
to be identified.
The General Services Administration and the National Institute of Standards and Technology also
are involved in creating the office. Its location still is to be decided.
The new office will assess the costs and benefits of using open-source software to operate many
government computers. Also to be determined are the cost and technical obstacles to communication
between systems using open-source and the proprietary software now in use.
The White House official declined to say how extensive is the administration's plan to diversify its
reliance on operating systems software. A chief reason for the effort, according to advocates, is to
address concerns that Microsoft operating systems are vulnerable to malicious computer viruses and
hacker attacks. This is partly because the Microsoft software is proprietary and security vulnerabilities
are more difficult to find and correct, said Przemek Klosowski, a NIST physicist and leader of the
Washington, D.C., Linux User's Group.
"Government should be vendor-neutral, and the government should not formulate IT requirements
that say only a single vendor is applicable," Klosowski said.
Klosowski said Linux is used on a limited basis for computer research applications at Energy
Department laboratories, NASA, NIST and the Defense Department.
"I don't know of any large government Linux contracts," he added.
Another purpose of adopting different types of software is to diversify the government's inventory of
operating systems, so not all are vulnerable to the same viruses and attacks, the White House official
said.
Linux, an open-source operating system similar in functionality to Microsoft Windows, is being
given serious consideration as an alternative for government computer users, the official said.
Access to the Linux source code "gives us some confidence," the White House official said, adding
that it simplifies patching security breeches and correcting routine errors.
Created by a Finnish graduate student named Linus Torvalls in 1991, Linux's open code is
relentlessly scrutinized and tested by tens of thousands of systems analysts worldwide, who
constantly recommend improvements, Klosowski said.
As a result, Linux boasts a robust code that rarely malfunctions and is extremely difficult for
hackers to crack, Klosowski said.
Microsoft, on the other hand, keeps its code secret and makes upgrades to its products on a
yearly basis, he said.
Microsoft software products have been the target of numerous computer viruses.
One of the best known was the Melissa virus that struck thousands of government and
nongovernment computers in March by exploiting vulnerabilities in Microsoft Word 97 and Microsoft
Word 2000. In June, another virus called ExploreZip targeted vulnerabilities in Microsoft Windows 95,
Windows 98 and Windows NT.
Microsoft officials argue their software products meet federal security standards.
Microsoft's main server software, Microsoft Windows NT 3.5, for instance, is certified under the
federal security standard known as Federal Information Processing Standard 140-1, said Quazi
Zaman, advanced technology manager for Microsoft Federal Systems of Washington, D.C. The
newest version of Microsoft's server operating system, called Microsoft Windows NT 4.0, is undergoing
certification and is expected to be certified "in the next three months," Zaman said.
Zaman added that Microsoft has been considering making some of its software products open
source for two years.
"Open source is a very innovative way to develop software," Zaman said. "The issue is how much of
our own code we should put out in the open source environment."
Zaman added that Microsoft likely would be willing to provide the National Security Council with its
code for security inspections if it is for national security purposes. So far, he said, the NSC has not
asked for access to any of Microsoft's software code.
Zaman argued that government agencies are not excessively reliant on Microsoft products, adding
that other software suppliers, namely, database software suppliers, have larger shares of the federal
software market.
The project to increase the government's use of open-source operating systems likely will present
formidable challenges.
The government already relies extensively on Microsoft products for desktop and, increasingly,
server applications. Thus, there are sure to be communications problems between systems that use
different software, said John Gilligan, the Energy Department's chief information officer.
The concept also appears to run counter to the government's 3-year-old effort to concentrate on
buying commercial, easy-to-use software, said Payton Smith of Federal Sources Inc.
Regardless of security concerns, Smith added, a multitude of software systems within an agency
often can lead to interoperability problems.
"The more variations you have in the software, the more problems and the more costs you're going
to have," Smith said.
The White House official acknowledged that concerns over costs and interoperability issues must
be settled for the project to succeed.
"That's exactly the issues we're looking at," the official said. "Both costs and interoperability are
critical issues."
@HWA
09.0 Sept 15th CryptoGram
~~~~~~~~~~~~~~~~~~~~
To: crypto-gram@chaparraltree.com
From: Bruce Schneier <schneier@counterpane.com>
Subject: CRYPTO-GRAM, September 15, 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
CRYPTO-GRAM
September 15, 1999
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier
** *** ***** ******* *********** *************
In this issue:
Open Source and Security
NSA Key in Microsoft Crypto API?
Counterpane Systems -- Featured Research
News
Extra Scary News
Counterpane News
The Doghouse: E*Trade
Factoring a 512-bit Number
Comments from Readers
** *** ***** ******* *********** *************
Open Source and Security
As a cryptography and computer security expert, I have never understood the
current fuss about the open source software movement. In the cryptography
world, we consider open source necessary for good security; we have for
decades. Public security is always more secure than proprietary security.
It's true for cryptographic algorithms, security protocols, and security
source code. For us, open source isn't just a business model; it's smart
engineering practice.
Open Source Cryptography
Cryptography has been espousing open source ideals for decades, although we
call it "using public algorithms and protocols." The idea is simple:
cryptography is hard to do right, and the only way to know if something was
done right is to be able to examine it.
This is vital in cryptography, because security has nothing to do with
functionality. You can have two algorithms, one secure and the other
insecure, and they both can work perfectly. They can encrypt and decrypt,
they can be efficient and have a pretty user interface, they can never
crash. The only way to tell good cryptography from bad cryptography is to
have it examined.
Even worse, it doesn't do any good to have a bunch of random people examine
the code; the only way to tell good cryptography from bad cryptography is
to have it examined by experts. Analyzing cryptography is hard, and there
are very few people in the world who can do it competently. Before an
algorithm can really be considered secure, it needs to be examined by many
experts over the course of years.
This argues very strongly for open source cryptographic algorithms. Since
the only way to have any confidence in an algorithm's security is to have
experts examine it, and the only way they will spend the time necessary to
adequately examine it is to allow them to publish research papers about it,
the algorithm has to be public. A proprietary algorithm, no matter who
designed it and who was paid under NDA to evaluate it, is much riskier than
a public algorithm.
The counter-argument you sometimes hear is that secret cryptography is
stronger because it is secret, and public algorithms are riskier because
they are public. This sounds plausible, until you think about it for a
minute. Public algorithms are designed to be secure even though they are
public; that's how they're made. So there's no risk in making them public.
If an algorithm is only secure if it remains secret, then it will only be
secure until someone reverse-engineers and publishes the algorithms. A
variety of secret digital cellular telephone algorithms have been "outed"
and promptly broken, illustrating the futility of that argument.
Instead of using public algorithms, the U.S. digital cellular companies
decided to create their own proprietary cryptography. Over the past few
years, different algorithms have been made public. (No, the cell phone
industry didn't want them made public. What generally happens is that a
cryptographer receives a confidential specification in a plain brown
wrapper.) And once they have been made public, they have been broken. Now
the U.S. cellular industry is considering public algorithms to replace
their broken proprietary ones.
On the other hand, the popular e-mail encryption program PGP has always
used public algorithms. And none of those algorithms has ever been broken.
The same is true for the various Internet cryptographic protocols: SSL,
S/MIME, IPSec, SSH, and so on.
The Best Evaluation Money Can't Buy
Right now the U.S. government is choosing an encryption algorithm to
replace DES, called AES (the Advanced Encryption Standard). There are five
contenders for the standard, and before the final one is chosen the world's
best cryptographers will spend thousands of hours evaluating them. No
company, no matter how rich, can afford that kind of evaluation. And since
AES is free for all uses, there's no reason for a company to even bother
creating its own standard. Open cryptography is not only better -- it's
cheaper, too.
The same reasoning that leads smart companies to use published cryptography
also leads them to use published security protocols: anyone who creates his
own security protocol is either a genius or a fool. Since there are more
of the latter than the former, using published protocols is just smarter.
Consider IPSec, the Internet IP security protocol. Beginning in 1992, it
was designed in the open by committee and was the subject of considerable
public scrutiny from the start. Everyone knew it was an important protocol
and people spent a lot of effort trying to get it right. Security
technologies were proposed, broken, and then modified. Versions were
codified and analyzed. The first draft of the standard was published in
1995. Different aspects of IPSec were debated on security merits and on
performance, ease of implementation, upgradability, and use.
In November 1998, the committee published a slew of RFCs -- one in a series
of steps to make IPSec an Internet standard. And it is still being
studied. Cryptographers at the Naval Research Laboratory recently
discovered a minor implementation flaw. The work continues, in public, by
anyone and everyone who is interested. The result, based on years of
public analysis, is a strong protocol that is trusted by many.
On the other hand, Microsoft developed its own Point-to-Point Tunneling
Protocol (PPTP) to do much the same thing. They invented their own
authentication protocol, their own hash functions, and their own
key-generation algorithm. Every one of these items was badly flawed. They
used a known encryption algorithm, but they used it in such a way as to
negate its security. They made implementation mistakes that weakened the
system even further. But since they did all this work internally, no one
knew that PPTP was weak.
Microsoft fielded PPTP in Windows NT and 95, and used it in their virtual
private network (VPN) products. Eventually they published their protocols,
and in the summer of 1998, the company I work for, Counterpane Systems,
published a paper describing the flaws we found. Once again, public
scrutiny paid off. Microsoft quickly posted a series of fixes, which we
evaluated this summer and found improved, but still flawed.
Like algorithms, the only way to tell a good security protocol from a
broken one is to have experts evaluate it. So if you need to use a
security protocol, you'd be much smarter taking one that has already been
evaluated. You can create your own, but what are the odds of it being as
secure as one that has been evaluated over the past several years by experts?
Securing Your Code
The exact same reasoning leads any smart security engineer to demand open
source code for anything related to security. Let's review: Security has
nothing to do with functionality. Therefore, no amount of beta testing can
ever uncover a security flaw. The only way to find security flaws in a
piece of code -- such as in a cryptographic algorithm or security protocol
-- is to evaluate it. This is true for all code, whether it is open source
or proprietary. And you can't just have anyone evaluate the code, you need
experts in security software evaluating the code. You need them evaluating
it multiple times and from different angles, over the course of years.
It's possible to hire this kind of expertise, but it is much cheaper and
more effective to let the community at large do this. And the best way to
make that happen is to publish the source code.
But then if you want your code to truly be secure, you'll need to do more
than just publish it under an open source license. There are two obvious
caveats you should keep in mind.
First, simply publishing the code does not automatically mean that people
will examine it for security flaws. Security researchers are fickle and
busy people. They do not have the time to examine every piece of source
code that is published. So while opening up source code is a good thing,
it is not a guarantee of security. I could name a dozen open source
security libraries that no one has ever heard of, and no one has ever
evaluated. On the other hand, the security code in Linux has been looked
at by a lot of very good security engineers.
Second, you need to be sure that security problems are fixed promptly when
found. People will find security flaws in open source security code. This
is a good thing. There's no reason to believe that open source code is, at
the time of its writing, more secure than proprietary code. The point of
making it open source is so that many, many people look at the code for
security flaws and find them. Quickly. These then have to be fixed. So a
two year-old piece of open source code is likely to have far fewer security
flaws than proprietary code, simply because so many of them have been found
and fixed over that time. Security flaws will also be discovered in
proprietary code, but at a much slower rate.
Comparing the security of Linux with that of Microsoft Windows is not very
instructive. Microsoft has done such a terrible job with security that it
is not really a fair comparison. But comparing Linux with Solaris, for
example, is more instructive. People are finding security problems with
Linux faster and they are being fixed more quickly. The result is an
operating system that, even though it has only been out a few years, is
much more robust than Solaris was at the same age.
Secure PR
One of the great benefits of the open source movement is the
positive-feedback effect of publicity. Walk into any computer superstore
these days, and you'll see an entire shelf of Linux-based products. People
buy them because Linux's appeal is no longer limited to geeks; it's a
useful tool for certain applications. The same feedback loop works in
security: public algorithms and protocols gain credibility because people
know them and use them, and then they become the current buzzword.
Marketing people call this mindshare. It's not a perfect model, but hey,
it's better than the alternative.
** *** ***** ******* *********** *************
NSA Key in Microsoft Crypto API?
A few months ago, I talked about Microsoft's system for digitally signing
cryptography suites that go into its operating system. The point is that
only approved crypto suites can be used, which makes thing like export
control easier. Annoying as it is, this is the current marketplace.
Microsoft has two keys, a primary and a spare. The Crypto-Gram article
talked about attacks based on the fact that a crypto suite is considered
signed if it is signed by EITHER key, and that there is no mechanism for
transitioning from the primary key to the backup. It's stupid
cryptography, but the sort of thing you'd expect out of Microsoft.
Suddenly there's a flurry of press activity because someone notices that
the second key in Microsoft's Crypto API in Windows NT Service Pack 5 is
called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They
can use this ability to drop a Trojaned crypto suite into your computers.
Or so the conspiracy theory goes.
I don't buy it.
First, if the NSA wanted to compromise Microsoft's Crypto API, it would be
much easier to either 1) convince MS to tell them the secret key for MS's
signature key, 2) get MS to sign an NSA-compromised module, or 3) install a
module other than Crypto API to break the encryption (no other modules need
signatures). It's always easier to break good encryption by attacking the
random number generator than it is to brute-force the key.
Second, NSA doesn't need a key to compromise security in Windows. Programs
like Back Orifice can do it without any keys. Attacking the Crypto API
still requires that the victim run an executable (even a Word macro) on his
computer. If you can convince a victim to run an untrusted macro, there
are a zillion smarter ways to compromise security.
Third, why in the world would anyone call a secret NSA key "NSAKEY"? Lots
of people have access to source code within Microsoft; a conspiracy like
this would only be known by a few people. Anyone with a debugger could
have found this "NSAKEY." If this is a covert mechanism, it's not very covert.
I see two possibilities. One, that the backup key is just as Microsoft
says, a backup key. It's called "NSAKEY" for some dumb reason, and that's
that.
Two, that it is actually an NSA key. If the NSA is going to use Microsoft
products for classified traffic, they're going to install their own
cryptography. They're not going to want to show it to anyone, not even
Microsoft. They are going to want to sign their own modules. So the
backup key could also be an NSA internal key, so that they could install
strong cryptography on Microsoft products for their own internal use.
But it's not an NSA key so they can secretly inflict weak cryptography on
the unsuspecting masses. There are just too many smarter things they can
do to the unsuspecting masses.
My original article:
http://www.counterpane.com/crypto-gram-9904.html#certificates
Announcement:
http://www.cryptonym.com/hottopics/msft-nsa.html
Nice analysis:
http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=52
Useful news article:
http://www.wired.com/news/news/technology/story/21577.html
** *** ***** ******* *********** *************
Counterpane Systems -- Featured Research
"Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)"
Bruce Schneier and Mudge, CQRE, Duesseldorf, Oct 1999, to appear.
The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP
connections over TCP/IP link. In response to [SM98], Microsoft released
extensions to the PPTP authentication mechanism (MS-CHAP), called
MS-CHAPv2. We present an overview of the changes in the authentication and
encryption-key generation portions of MS-CHAPv2, and assess the
improvements and remaining weaknesses in Microsoft's PPTP implementation.
While fixing some of the more egregious errors in MS-CHAPv1, the new
protocol still suffers from some of the same weaknesses.
http://www.counterpane.com/pptpv2-paper.html
** *** ***** ******* *********** *************
News
The Internet Auditing Project. This is REAL interesting. A group did a
low-level security audit of 36 million hosts on the Internet. Just how
secure is the Internet really?
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
http://www.internetnews.com/intl-news/print/0,1089,6_184381,00.html
And if that isn't scary enough, here's a more detailed audit of 2200
Internet sites.
http://www.fish.com/survey/
My all-time favorite Y2K compliance statement:
http://www.hartscientific.com/y2k.htm
If you need more evidence that proprietary security just doesn't work,
Microsoft's digital music security format is cracked within days of being
released:
http://www.wired.com/news/news/technology/story/21325.html
http://www.news.com/News/Item/0,4,0-40672,00.html?st.ne.lh..ni
http://www.msnbc.com/news/302195.asp
Patent blackmail: Lawyers for someone named Leon Stambler have been
sending threatening letters to security companies, claiming that SSL, PCK,
FIPS 196, SET, Microsoft PPTP, Authenticode, etc. infringe on his patent.
See for yourself; the U.S. patent numbers are 5,793,302 and 5,646,998. See
for yourself; the U.S. patent numbers are 5,793,302 and 5,646,998.
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&
u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,793,302'.WKU.&OS=PN/5,793,302&RS=
PN/5,793,302
http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&
u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='5,646,998'.WKU.&OS=PN/5,646,998&RS=
PN/5,646,998
With all the talk about electronic voting, it's nice that someone
recognizes that there are some serious security problems. The most severe,
at least to me, is voter coercion. When you step into a private voting
booth, you can vote as you please. No one can do anything about it. If
you can vote from your computer, in your own home, with some kind of
electronic security measure, then it is possible for someone to buy your
vote and to ensure that you deliver on the goods.
http://www.nytimes.com/library/tech/99/08/cyber/articles/14vote.html
Many people asked me about my comment last issue about Windows NT needing
over 300 security changes to make it secure. I queried the Usenet
newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or
truth, and got several answers. The consensus seemed to be that the
number was somewhere between 50 and 3000, and 300 wasn't an unreasonable
estimate. A good checklist is available here:
http://people.hp.se/stnor/
And see also:
http://www.trustedsystems.com/NSAGuide.htm
The U.S. crypto export regulations has led to the development of some
excellent products from non-U.S. companies. Judging from this article,
though, this isn't one of them:
http://www.rediff.com/computer/1999/jul/09suri.htm
Two Microsoft security white papers. They're not great, but they do
explain the Microsoft party line.
Security basics:
http://www.microsoft.com/security/resources/security101wp.asp
Office 2000 Macro Security:
http://officeupdate.microsoft.com/2000/downloadDetails/o2ksec.htm
A flaw in Hotmail allows anyone to read anyone else's email, without a
password. To me, the real interesting story is not that the flaw was
discovered, but that it might have been known by the underground community
long before it became public. Some of the news stories imply this.
http://www.wired.com/news/news/technology/story/21503.html
http://www.msnbc.com:80/news/306093.asp
http://www.zdnet.com.au:80/zdnn/stories/zdnn_display/0,3440,2324361,00.html
http://news.excite.com/news/zd/990901/10/the-bug-syndrome
http://news.excite.com/news/zd/990901/06/how-hotmail-blew
http://www.salon.com/tech/log/1999/09/02/hotmail_hack/print.html
Encrypted sculpture at the CIA's headquarters in Langley, VA.
http://www.npr.org/programs/atc/990826.kryptos.html
Join the military and see the basements of Ft. Meade. The National
Security Agency is offering free college tuition and room and board to
hackers willing to work for them for five years after graduation.
http://www.currents.net/newstoday/99/08/27/news3.html
http://www.cnn.com/TECH/computing/9908/26/t_t/teen.hacker/index.html
Nice BBC article on U.S. encryption debate:
http://news.bbc.co.uk/hi/english/world/americas/newsid_430000/430384.stm
Funny stuff: the real story of Alice and Bob:
http://www.conceptlabs.co.uk/alicebob.html
There was a really good article -- clear, complete, understandable -- in
_The Sciences_ recently about quantum computing. Cryptome has put the
article online, with the permission of the author.
http://cryptome.org/qc-grover.htm
** *** ***** ******* *********** *************
Extra Scary News
The Justice Department is planning to ask Congress for new authority
allowing federal agents armed with search warrants to secretly break into
homes and offices to obtain decryption keys or passwords or to implant
"recovery devices" or otherwise modify computers to ensure that any
encrypted messages or files can be read by the government.
With this dramatic proposal, the Clinton Administration is basically
saying: "If you don't give your key in advance to a third party, we will
secretly enter your house to take it if we suspect criminal conduct."
The full text of the Justice Department proposal, a section-by-section
analysis prepared by DOJ lawyers, and related materials are available at:
http://www.epic.org/crypto/legislation/cesa_release.html
http://www.cdt.org/crypto/CESA
http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption20.htm
http://www.zdnet.com/zdnn/stories/news/0,4586,2317907,00.html
http://www.techweb.com/wire/story/TWB19990820S0012
** *** ***** ******* *********** *************
Counterpane News
Bruce Schneier will be speaking at SANS Network Security 99, October 3-10,
in New Orleans. See http://www.sans.org/ns99/ns99.htm for more conference
details.
Attack Trees: Wed, 6 Oct, 10:30-12:30
Internet Cryptography: Tue, 5 Oct, 9:00-5:00
Bruce Schneier authored the "Inside Risks" column for the Aug, Sep, and Oct
99 issues of _Communications of the ACM_.
Biometrics: Uses and Abuses:
http://www.counterpane.com/insiderisks1.html
The Trojan Horse Race:
http://www.counterpane.com/insiderisks2.html
Risks of Relying on Cryptography:
http://www.counterpane.com/insiderisks3.html
** *** ***** ******* *********** *************
The Doghouse: E*Trade
E*Trade's password security isn't. They limit the logon password to a
maximum of 6 characters, and the only choices are letters (upper and lower
case are distinguished), numbers, $, and _. Whose portfolio do you want to
trade today?
** *** ***** ******* *********** *************
Factoring a 512-bit Number
A factoring record was broken last month, on 22 August. A group led by
Herman te Riele of CWI in Amsterdam factored a 512-bit (155-digit) hard
number. By "hard," I mean that it was the product of two 78-digit
primes...the kind of numbers used by the RSA algorithm.
About 300 fast SGI workstations and Pentium PCs did the work, mostly on
nights and weekends, over the course of seven months. The algorithm used
was the General Number Field Sieve. The algorithm has two parts: a sieving
step and a matrix reduction step. The sieving step was the part that the
300 computers worked on: about 8000 MIPS-years over 3.7 months. (This is
the step that Shamir's TWINKLE device can speed up.) The matrix reduction
step took 224 CPU hours (and about 3.2 Gig of memory) on the Cray C916 at
the SARA Amsterdam Academic Computer Center. If this were done over the
general Internet, using resources comparable to what was used in the recent
DES cracking efforts, it would take about a week calendar time.
The entire effort was 50 times easier than breaking DES. Factoring
e-commerce keys is definitely very practical, and will be becoming even
more so in future years. It is certainly reasonable to expect 768-bit
numbers to be factored within a few years, so comments from RSA
Laboratories that RSA keys should be a minimum of 768 bits are much too
optimistic.
Certicom used the event to tout the benefits of elliptic curve public-key
cryptography. Elliptic-curve algorithms, unlike algorithms like RSA,
ElGamal, and DSA, are not vulnerable to the mathematical techniques that
can factor these large numbers. Hence, they reason, elliptic curve
algorithms are more secure than RSA and etc. There is some truth here, but
only if you accept the premise that elliptic curve algorithms have
fundamentally different mathematics. I wrote about this earlier; the short
summary is that you should use elliptic curve cryptography if memory
considerations demand it, but RSA with long keys is probably safer.
This event is significant for two reasons. One, most of the Internet
security protocols use 512-bit RSA. This means that non-cryptographers
will take notice of this, and probably panic a bit. And two, unlike other
factoring efforts, this was done by one organization in secret. Most
cryptographers didn't even know this effort was going on. This shows that
other organizations could already be breaking e-commerce keys regularly,
and just not telling anyone.
As usual, the press is getting this story wrong. They say things like:
"512-bit keys are no longer safe." This completely misses the point. Like
many of these cryptanalysis stories, the real news is that there is no
news. The complexity of the factoring effort was no surprise; there were
no mathematical advances in the work. Factoring a 512-bit number took
about as much computing power as people predicted. If 512-bit keys are
insecure today, they were just as insecure last month. Anyone implementing
RSA should have moved to 1028-bit keys years ago, and should be thinking
about 2048-bit keys today. It's tiring when people don't listen to
cryptographers when they say that something is insecure, waiting instead
for someone to actually demonstrate the insecurity.
http://www.cwi.nl/~kik/persb-UK.html
http://www.msnbc.com/news/305553.asp
RSA's analysis:
http://www.rsa.com/rsalabs/html/rsa155.html
Certicom's rebuttal:
http://www.certicom.com/press/RSA-155.htm
Prominent Web sites that still use 512-bit RSA:
Travelocity
Microsoft's online store
Compaq's online store
Godiva's online store
Dr. Koop.com
Flowers N More
There are lots more. You can check yourself by connecting to a site with a
secure domestic version of Microsoft Internet Explorer 4.0.
** *** ***** ******* *********** *************
Comments from Readers
From: Gene Spafford <spaf@cs.purdue.edu>
Subject: Re: Comments on the "NSA" key in Windows NT
Well, it is always easier to believe a conspiracy theory or dark designs.
However, there may be alternative explanations.
For instance, I happen to know that various 3-letter agencies use a lot of
Windows machines (in a sense, that should be scary all by itself). Suppose
they want to load their own highly-classified, very closely-guarded version
of their own crypto routines. Do you think they will send copies of their
code out to Redmond to get it signed so it can be loaded? Or are they
going to sign it themselves, with their own key, doing it in-house where it
is "safe"? If they are going the in-house route, then either Microsoft
needs to share the private key with them (bad idea), or the code needs to
accommodate a second key schedule generated inside the TLA. Hmmm, that
sounds familiar, doesn't it?
Another explanation, that I may have read here (this issue has been
discussed on many lists) is that to get the approval for export, the folks
at MS needed to include a "back-up" key in case the first was compromised
in some way. They would need to switch over to using the alternate key for
all the systems already out there. But how would they do that unless the
second key was already installed, so they could do the switch using that
second key? So, if you were MS, and the NSA required you to install a
backup key like this, what would you call it?
Of course, it could be that MS wanted the backup key themselves, and the
programmer involved in the coding decided to name it something silly.
Or, there is a history of MS code being shipped with undocumented code
elements, and things that MS management don't know are present. Suppose the
code (involving only a few lines of code) was placed there by an agent of
the intelligence services of some other country (it wouldn't be that hard
to subvert an existing employee or place one at MS with good coding skills
who could eventually gain access to the appropriate code). He/she names
the variables with "NSA" in place in case anyone doing a code review would
question it -- and includes a comment block that says "The NSA required
this to be here -- do not change or ask questions." The "sinister purpose"
might be correct, but you are blaming the wrong entity.
Heck, maybe this is a grand design of Mr. Gates himself: after all, he's
certainly having some aggravation from the U.S. Justice Department!
There are other possible explanations for the name, too.
These alternate explanations do not mean that the extra key does not have
side-effects (such as clandestine installation and circumvention of the
export controls). And of course, we will probably never know what the
primary reason for this key is, nor will we know what role these
side-effects may have had in the decision, despite what people eventually
claim.
The key thought is that there are possible scenarios for the naming of the
key that do not involve nefarious activity, or do not involve such activity
by the NSA. That should not be the immediate conclusion people reach.
And, at the risk of starting some tirades, let me ask a (rhetorical)
question: even if it was put there for purposes of clandestine monitoring,
what is wrong with that? If this gets used to monitor terrorists with NBC
weapons, drug cartels, or weapons labs in Iraq, isn't that what we want
done? In that light, there should be some concern that this has now been
exposed and possibly nullified! The history of cryptography shows --
repeatedly -- that having crypto assets makes a huge difference in times of
conflict, and that getting such assets in place and working takes time. It
would be naive to believe that there are no such threats looming, or that
there is no such likelihood in the future.
We should be clear in our discussions as to whether our concern is the
presence of the code, or over who may have control of it. Is the issue
really one of what controls are in place that ensure that the code isn't
used against inappropriate targets (e.g., law-abiding, friendly businesses
and citizens)? Unfortunately, we don't have strong assurances in this
realm, and there have been some past abuses (or alleged abuses). But that
may be moot if we the code was actually placed for some other group's dark
design.
From: "Lucky Green" <shamrock@cypherpunks.to>
Subject: More NSAKEY musings
I'd like to comment on some of your public comments regarding the NSAKEY.
The goal of this email is to provide you with a few data points about the
mindset intelligence agencies employ when compromising systems.
First, I agree with your assessment that the NSA does not /need/ to
compromise CAPI to compromise the computers of those running Windows. Which
is not analogous to the claim that the NSA would not seek to compromise
CAPI by causing Microsoft to install the NSA's key.
For the academic cryptographer, once one catastrophic flaw in a cipher has
been found, the work is over. "We have a 2^16th attack. The job is done.
Let's go home". Intelligence agencies don't operate this way.
My work with GSM has revealed that intelligence agencies, which as we all
know ultimately stand behind the GSM ciphers, take a very different
approach. Intelligence agencies will compromise every single component of a
crypto system they can compromise. Intelligence agencies will, given the
opportunity, compromise a component just because they can, not because they
need to. This appears to be a somewhat perverted manifestation of
implementing multiple redundancy into a system. Which, as I am sure we all
agree, is generally a good idea.
In the case of GSM, we have discovered the following compromises:
o Compromised key generation.
The 64-bit keys have the last 10 bits of key zeroed out. (I heard rumors
that some implementations only zero out the last 8 bits, but either way,
this is undeniably a deliberate compromise of the entropy of the key).
o Compromise of the authentication system and keygen algorithm.
The GSM MoU was formally notified in 1989 (or 1990 at the latest) about the
flaws in COMP128 we discovered last year. Long before GSM was widely
fielded. The MoU's Security Algorithm Group of Experts (SAGE), staffed by
individuals who's identities are unknown to this day, kept this discovery
secret and failed to inform even the MoU's own members. As a result,
intelligence agencies can clone phones and calculate the voice privacy keys
used during a call.
o Compromise of the stronger voice privacy algorithm A5/1.
This 64 bit cipher has numerous design "flaws", resulting in a strength of
at most 40 bits. It is inconceivable to me and virtually everybody I
talked with that these rather obvious flaws were overlooked by A5/1's
French military designers.
o Compromise of the weaker voice privacy algorithm A5/2.
The MoU admits that breakability was a design goal of A5/2, even thought
SAGE stated in their official analysis of A5/2 that they were unaware of
any cryptographic flaws in A5/2.
To allow for interception and decryption of GSM traffic, it would have
sufficed to compromise the effective key length. It would have sufficed to
compromise the keygen. It would have sufficed to compromise the ciphers.
The NSA/GCHQ did all three.
Given these facts, it would not be at all unusual for the NSA to install
backdoors in the Windows OS itself *and* have obtained a copy of
Microsoft's signing key *and* have Microsoft install the NSA's own key.
Think of it as well-designed failover redundant compromise.
From: "Kevin F. Quinn" <kevq@banana.demon.co.uk>
Subject: Crypto-Gram April 15 1999, and the recent "NSA" spare-key debate.
In Crypto-Gram April 15 1999, you mentioned the two-key approach of
Microsoft with regard its root keys for Authenticode, and that they
included the two keys "presumably for if one ever gets compromised". We
now know the same approach was taken for CSP. Microsoft's own announcement
on the subject is interesting; the two keys are present "in case the root
key is destroyed" (paraphrase). I think in your Crypto-Gram you meant
"destroyed" rather than "compromised" -- Microsoft seem to be trying to
guard against the possibility that the secret root key is burnt in a fire
or somesuch; they're not guarding against unauthorised copies of the key
being made with the two-key approach. I think it's an important
distinction to make.
The only good reason I can see to have two keys, is to provide security
against compromise -- in which case you need to validate signatures against
both keys (i.e., AND rather than OR). That way if one key is compromised,
the validation will still fail as the second signature won't be valid. If
both keys are stored in separate secured locations, the attacker has to
break the security of both locations in order to acquire both keys, and you
hope that you might notice one break-in before the second occurs. The
sensible way to guard against the possibility of destruction (fire,
catastrophe etc) is to have several copies, each securely stored and
monitored (the same way classified documents are controlled).
Microsoft claim that the two-key approach was suggested by the NSA -- I
find it difficult to believe the NSA would suggest including two root keys,
to guard against destruction of a root key. My pet theory is that there
was a communication problem; the NSA advice went something along the lines
of, "having two root keys guards against loss", meaning compromise, and
Microsoft took this to mean destruction.
From: Greg Guerin <glguerin@amug.org>
Subject: A new spin on the NSA-key/NT issue?
In your article at
<http://www.counterpane.com/crypto-gram-9904.html#certificates>, you end by
saying: "This virus doesn't exist yet, but it could be written." [This is
a virus that would replace the backup key in NT with a rogue key, and could
trick the user into accepting malicious code as signed.]
After I wrote <http://amug.org/~glguerin/opinion/win-nsa-key.html>, it
occurred to me that the virus now exists, or at least all the parts of it
do. It only needs to be "turned to the Dark Side" and assembled. The
"construction kit" for this virus is none other than the "repair program" at:
<http://www.cryptonym.com/hottopics/msft-nsa/ReplaceNsaKey.zip>
All the parts are there. The "AddDelCsp.exe" program (no source provided)
is the active infecting agent. The "nsarplce.dll" and other DLL's are the
"toxins". The kit even includes "TestReplacement.exe" (with source) to
test whether an enterprising young kit-builder has made his changes
successfully or not.
I'm sorta guessing, but someone with Wintel programming skills could
probably construct a virus or Trojan horse with this kit in a matter of
hours. Probably the only skill they would have to sharpen is the crypto,
but there's some nice starter info in the Fernandes report itself. A
little reading, a little key-generating time, maybe a little patching, and
presto. Try it on a local NT system, then release it to the world by
mirroring the Fernandes report. Or just send it to some "friends" via
Hotmail. It would certainly look authentic, and because even the original
"repair" program was unsigned, and
the original report says nothing about
authenticating the download before running it, it could be a very
well-traveled Trojan horse indeed.
If this virulent "repair program" is written with a little restraint, it
can spread VERY far before anyone even notices. It could even camouflage
itself and name its toxic key "NSAKEY", just like Microsoft's original.
That is, after "removing" itself, it's still present. How often do people
even think of checking that key?
If you know someone with NT programming experience, it might be interesting
to have them read the Fernandes report, download the virus construction
kit, er, I mean "repair" program, then give this a try. I'd guess that not
even prior virus-writing skills would be needed, just above-average NT
programming skills. I bet you'd have a virulent version in less than an
afternoon. A fine project for a lazy Labor Day holiday, eh?
From: Sam Kissetner
Subject: Meganet
I thought this might amuse you. The February issue of Crypto-Gram makes
fun of Meganet's home page for saying:
1 million bit symmetric keys -- The market offer's [sic] 40-160
bit only!!
I visited that page today. (The URL changed; it's at
<http://www.meganet.com/index.htm>.) Maybe they read Crypto-Gram, because
they tried to fix the grammatical error. But it was part of a graphic, so
they just pasted a little white box over the apostrophe and s, leaving:
1 million bit symmetric keys -- The market offer 40-160 bit only!!!
Gee, that's *much* better.
From: Marcus Leech <mleech@nortelnetworks.com>
Subject: HP's crypt(1) description
To be fair to HP, and crypt(1) -- HP has merely faithfully reproduced the
original crypt(1) MAN page. Crypt(1) first appeared in Unix V7, back
around 1978 or so -- at a time when DES was just starting to be used in
certain limited areas. That an operating system had any kind of file
encryption facility at all was some kind of miracle at the time. Sun has
obviously lightly hacked-over the documentation to reflect current reality,
while HP has taken the approach of staying faithful to the original
documentation.
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Applied Cryptography,"
and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
on the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on computer security
and cryptography.
Counterpane Internet Security, Inc. is a venture-funded company bringing
innovative managed security solutions to the enterprise.
http://www.counterpane.com/
Copyright (c) 1999 by Bruce Schneier
@HWA
10.0 Move over BO2k here's Donald Dick from Russia with love...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Donald Dick v1.52 was coded by Yaworsky (aka Alexander A. Yaworsky) and
BAdMAN F0ReVeR (aka Alexander A. Fedenko)
Yaworsky: http://redrival.com/donalddick/ay.jpg
BAdMAN..: http://redrival.com/donalddick/badman.jpg
From the site; http://donalddick.da.ru/
News
15 September 1999
We just have received and used new AVP update. Very funny. It found only distributive Donald Dick file and GUI/cmd.line
clients ;) (old 1.5 beta3 only). It does not see real Donald Dick installation.
By the way, the life for AVP will not be too easy soon - now we are implementing new 'SmartMorph' technology. The
result will be that executable file will be different with each installation and will never contain any unique sequence of
bytes.
13 September 1999
Almost all keyboard features are implemented into Donald Dick client 1.52
10 September 1999
We have good news for you:
New Donald Dick version 1.52 is now available. Catch!
Now we will produce only full version of server and it will be completely free with its current set of features (or
bugs ;).
Network protocol was changed. So be careful - previous and current versions are incompatible. If you already use
Donald Dick in any place you must completely reinstall it. You can upload server file on target machine using
previous client and run it (don't issue upgrade command); after you issue run command, connection may be
immediately lost and after that you must use new client.
Donald Dick server: new features:
The most wishful: UNINSTALL. Don't care - it completely wipes Donald Dick server out.
Hidden mode: server does not respond if the request was not actually processed
Ports can be set by server; now you don't need to edit the registry manually.
Pre-, Post-delay and repeat count for requests
Keyboard control: issue keystroke, remap keys and save key map so it will be loaded at startup ;) keyboard input is
now captured, and because the server becomes operational immediately after the shell is loaded, you can see what
the user typed at login prompts. NOTE that keyboard features except keystroke simulation are available only under
Windows9X. For winNT they will be available later.
Chat rooms - volatile and non-volatile
So you need to wait a little for updated Donald Dick GUI client. New features will be available in nearest days. Or
take the power of command line right now.
6 September 1999
We radically changed design of this site.
18 August 1999
Donald Dick 1.5 beta 3 became available.
-=-
About Donald Dick
We are not liable for any damages caused by use of software we did.
And we don't advise to ride our little brothers. But if you want to do it...
Let us introduce Donald Dick - another remote control system.
Donald Dick is a remote control system for workstations running Windows 95, 98 or NT 4.0 (not tested on 5,
we didn't steal it yet). First, it was implemented to replace well-known trojans we used to confuse dummies,
and to be invisible for existing antiviruses. We used it locally since february - march of '99 till the summer. The
first implementation could only open and close cdrom tray but it quickly becomes powerful remote control
system.
Donald Dick consists of two parts - client and server. To install server on the destination computer, you simply
must launch executable file there. Since you install Donald Dick server on a computer, all of its resources
becomes completely yours. You can control it with Donald Dick client via TCP or SPX network protocol. But if
you are going to use Donald Dick for serious purposes then you can restrict access to the server with
password.
Under Windows9X Donald Dick server becomes operational immediately after shell starts up. Under WindowsNT the server is
loaded as a service process but we tried to hide it in the control panel->services.
Here is the list of actions you can perform:
File system - full access: browse, create, remove directories; erase, rename, copy, upload, download files; set date/time
of file.
Processes and threads: browse, terminate; run programs; additionally for processes - set priority; for threads - suspend,
resume.
Registry - full access: browse, create, remove keys and values; set values.
System: get/set system time (you can perform Y2K compliance test ;) ); shutdown/logoff/reboot/power off; query
system info, query/set system parameters.
Windows: get list of windows; query and set system colors; get screenshot or the shot for particular window; send
messages to window.
Hardware: read and write CMOS (does not work under Windows NT, we not implemented this feature yet).
Keyboard: simulate keystrokes, remap, disable keys, view keyboard input (all features except keystroke simulation are not
implemented under Windows NT yet)
Jokes: open and close CD; turn monitor's power off and on; talk with dummy using message boxes; play wave files.
Chat: you can chat with other guys in volatile chat room and leave important messages in non-volatile chat room
Using services provided by server, GUI client offers additional services. You can:
query passwords for screensaver, BIOS (Phoenix is currently supported, not tested for other BIOSes) and shared
resources
make folders shared (still in progress)
Our to-do list:
change file names of server components when it is required
implement setup program to generate executable file which installs Donald Dick server with all predefined settings
read/write CMOS under NT
capture, disable, remap keys under NT
batch request execution
mixer control
capture and transmit sound
receive and play sound
mouse control
plugins support
@HWA
11.0 New HOTMAIL hole found
~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by AlienPlaque
Just several weeks after a major Hotmail security hole
left 40 million Hotmail accounts freely open to anyone
on the Internet, yet another hole has been discovered.
The new hole allows embedded JavaScript in the 'style'
tag to "jimmy open" accounts. While it looks like the
problem could easily be solved by having Hotmail disable
the style tags as it does regular JavaScript, Microsoft
says "This is not a security issue."
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2333253,00.html?chkpt=hpqs014
Internet News
http://www.internetnews.com/bus-news/article/0,1087,3_199751,00.html
ZDNet;
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
New Hotmail hole discovered
By Steven J. Vaughan-Nichols, Sm@rt Reseller
September 13, 1999 3:50 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2333253,00.html
Just what the world didn't need: Another way to crack open Microsoft's beleaguered free,
Web-based e-mail system, Hotmail. But, that's exactly what noted Bulgarian bugfinder Georgi
Guninski claims to have found.
Guninski, who has made a name for himself by finding security violations in browsers, has found that
Hotmail enables Web-paged embedded Javascript code to run automatically.
This makes it possible for someone to write Web programs that could do anything from steal
passwords to read others' mail. While it's long been known that active Web applets, whether written
in ActiveX or Java, have the potential to pry open systems from the inside, this is the first case in
which someone has shown that Hotmail is vulnerable to such attacks.
Not just a theoretical hole
Is this a purely theoretical hole or one that can only be used by crackers to attack users? The
answer, unfortunately, is the latter: Correctly written JavaScript programs can, at the least, raid
users' inboxes.
Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. "This is not a Hotmail
security issue. We see it as an example of people encouraging users to run malicious code on the
Web," a Microsoft spokesperson said.
"To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not
open mail from unknown people when you think it might contain JavaScript," the spokesperson
added. "Microsoft is investigating ways for Hotmail users to have greater security against threats
posed by malicious use of JavaScript in e-mail."
The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML tag "STYLE."
Java programmers and Webweavers use STYLE to insert JavaScript into HTML pages. The
solution is to force Hotmail to handle STYLE in the same way it does ordinary JavaScript --
disabling it on arrival.
Timing couldn't be worse
The fix may be simple, but the timing for Microsoft could not be worse. The latest Hotmail security
breach follows by weeks a major Hotmail security meltdown. It took Microsoft hours to fix the
problem, but millions of user accounts were left unprotected in the interim. Since that initial breach,
the company has brought in TrustE and another auditing firm to help it head off future Hotmail
security breaches.
-=-
Internet News;
New Security Hole in Hotmail
September 13, 1999
By Brian McWilliams
InternetNews.com Correspondent
Business News Archives
Microsoft's Hotmail service is at risk again from a new security threat.
Bulgarian programmer Georgi Guninski has discovered that the Web-based email service allows embedded javascript code to be
automatically executed on the computers of Hotmail users.
According to Guninski, the flaw could enable a malicious person to launch password stealing programs or to secretly access the
contents of a Hotmail users' account.
A functional but relatively harmless demonstration of the attack was sent by Guninski to InternetNews Radio. The test message
showed how embedded javascript could be used to read messages from the Hotmail user's inbox and display them in a separate
window.
The latest Hotmail flaw affects users of Web browsers that support cascading style sheets, such as Internet Explorer version 5 and
Netscape Navigator versions 4.x.
While Hotmail ordinarily detects and disables incoming messages containing javascript, according to Guninski it fails to properly handle
a new HTML tag named STYLE which allows Web programmers to embed javascript in a Web page.
An MSN Hotmail spokesperson said the service is investigating the report. As a temporary workaround, concerned users can disable
javascript in their browsers.
Last month, a separate security hole enabled outsiders to log in to others' Hotmail account without a password.
Gary McGraw, vice president of corporate technology for Reliable Software Technologies, said the new discovery suggests the
Hotmail service may have become a new favorite target of hackers.
"As an attacker, it's a much juicier target than trying to attack every individual platform out there,"McGraw said.
"These holes are like raw material, and its good when the holes are discovered by people who are honest. But you can work that raw
material into many different sorts of attacks."
In the wake of the earlier Hotmail attack, late last week Microsoft confirmed that it intends to hire an outside firm to audit the security
of the service.
@HWA
12.0 Security Hole Found in Security Product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Simple Nomad
Nomad Mobil Research Center, an HNN Affiliate, has
released an advisory regarding Bindview's HackerShield
scanner. During installation of the product (including the
demo) a Service User with a non machine specific
password is created.
NMRC
http://www.nmrc.org/advise/hs.txt
BindView
http://www.bindview.com/products/HackerShield/HS_Patch2_advisory.html
NMRC;
_______________________________________________________________________________
Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Simple Nomad [thegnome@nmrc.org]
10Sep1999
_______________________________________________________________________________
Platform : Microsoft NT 4.0 SP5
Application : Hackershield v1.1
Severity : High
Synopsis
--------
The HackerShield product creates a local account during installation with
a password that is not machine specific. This includes the HackerShield
demo product available via the Internet.
Tested configuration
--------------------
Testing was done with the following configuration :
Microsoft NT 4.0 Server and Workstation with SP3 (no additional hotfixes)
Microsoft NT 4.0 Server and Workstation with SP5 (with Csrss, LSA-3, RAS,
WinHelp hotfixes)
HackerShield Product Version 1.10.1105, Package Version 11
Product Background
------------------
Hackershield (http://www.bindview.com/products/HackerShield/) --
originally developed by Netect (http://www.netect.com/), but recently
purchased by Bindview (http://www.bindview.com) -- is a security scanner
that scans for security flaws on Windows and Unix platforms. It is very
similar and compares nicely to the feature set of ISS' Internet Security
Scanner and NAI's CyberCop. It allows both manual and auto-updates of new
hack signatures, called RapidFire updates, as well as automated scanning
sessions which allow a system administrator to define a schedule for
scanning a set of network resources. The idea is to provide an automated
method of keeping your systems fairly up-to-date from a security
perspective by downloading new vulnerabilities and running pre-scheduled
scans. This is fairly similar to the modern anti-virus model where you set
your anti-virus software to automatically download new virus signature
files from the anti-virus vendor's FTP site and then run the virus scan,
except the automated updates come via PGP-signed email.
Bug - Service User password is recoverable
------------------------------------------
To facilitate HackerShield automation of scanning, a Service User named
NetectAgentAdmin$ is installed with local Administrator privileges on the
scanning computer. Unfortunately, the password can be easily recovered.
Since the advent of recent patches to Microsoft NT, recovery of Service
User password information is a little harder. For example, pwdump will not
recover the hash for NetectAgentAdmin$, but pwdump2 will. Users of
L0phtcrack will not be able to dump this user, but using pwdump2 will get
the following for this user (text is wrapped):
NetectAgentAdmin$:1001:7a8754eda3b21376136260cc65a99030: \
2d6156879a7f61fdddb10c96427483d7:::
Being security conscious, the HackerShield folks at least made the
password 14 characters, but the password is not machine-specific. The
first 12 characters are np7m4qM1M7VT while the last two are non-printing
characters. Due to the non-printing characters, L0phtcrack will not
brute-force crack the password using the standard choices of character
sets (although it should be possible to type in the alt codes into a
custom character set -- we did not try this as the characters are still
non-printing), but using Paul Ashton's code (posted to NTBugtraq August 9,
1997) it can be extracted as plaintext on an NT 4 SP3 workstation or
server.
The implications of this should be obvious -- a service user with a known
password and local administrator rights is a prime target for intruders of
NT systems. Depending on where the product is loaded in your organization,
you have a potential vehicle for additional password recovery, trojan
horse planting, and further compromise of the NT environment.
Bug Conclusions
---------------
If you have loaded the HackerShield product (including the demo) then you
have installed the Service User, and the two services called
HackerShieldAgent and HackerShieldSniffer. If this system is not
physically secure, or has Server services running, you have the potential
for compromise via the Service User.
Solution/Workaround
-------------------
Do not install HackerShield on non-physically secured systems. If you have
loaded HackerShield onto an NT host only to perform a localhost scan, it
is recommended you uninstall the product using the HSUninstall.exe program
once you have completed the scan.
Bindview has developed a patch for the Service User password to be machine
specific. It can be downloaded from
http://www.bindview.com/products/HackerShield/HS_Patch2.zip. In the Readme
file with the zip, Bindview has a reference to the following page:
http://www.bindview.com/products/HackerShield/HS_Patch2_advisory.html.
Comments
--------
We'd like to commend Bindview in their response to our contact. An email
was sent to them with our concerns, giving them an opportunity to respond.
The email was sent at 9:30AM on August 30, 1999 to a generic support
address, and a real human being replied within an hour, and confirmed our
findings later that day. They stated this is a bug as they never intended
to have non-unique passwords for the NetectAgentAdmin$ account.
The fact that Service Users' passwords can be recovered is reason enough
to upgrade to the latest patches, although Microsoft has still not
addressed the pwdump2 issue. Despite the fact that you have to be a local
administrator to recover the hashes, it still illustrates the danger of
using Microsoft's own authentication methods when trying to deliver a
secured solution to NT. For this we would like to issue our strong
distaste for Microsoft's built-in authentication measures, and how they
are (un) protected.
We do understand why Bindview (or technically, Netect) did it -- they are
in the business of delivering products to market as quickly as possible --
but when you deliver a security product you must ensure that the product
itself is secure. Personally, we like the anti-virus styled model as far
as security scanners go, but if you build your security application on a
shaky and flawed security model then your security application is only
going to be as good as that flawed model.
This scenario is probably in existence in any number of other products
that use Service Users. Bindview is not alone here, we just happened to
look at their product.
_______________________________________________________________________________
BindView;
HackerShieldTM Security Advisory
Features and Benefits
Types of Checks
RapidFire Updates
System Requirements
View Online Demo
View Press Coverage
Download Eval Copy
BindView Development (formerly Netect, Inc.) has been notified of a potential high risk security problem with HackerShield v1.0
and v1.1.
Full details and correction actions are described below.
Description of the Problem
HackerShield creates the account, "NetectAgentAdmin$" during installation. This account has local administrator privileges on
the machine on which HackerShield is installed and is created with a 14-character password. This password is supposed to be
randomly generated for each installation.
Unfortunately, due to a programming error, the HackerShield installer creates the same "random" password every time. Since
the password is not unique to each machine on which HackerShield is installed, the password created for the
NetectAgentAdmin$ account is the same on every machine. Thus, an attacker could crack the password from one installation
of HackerShield and then have a valid username and password (with Administrator privilege) on other HackerShield machines.
If those machines are accessible, either physically or via any NetBios service over the network, an attacker could use this
information to gain unauthorized access to the machine on which HackerShield is installed.
This problem was discovered by an external group who will shortly release their own advisory on the subject. Once the problem
is made public, hackers may attempt to exploit it. It is therefore imperative that you take one of the actions described below to
correct the problem.
Correction Actions
In order to eliminate this security problem, you need to take one (and only one) of the following corrective actions:
Correction Option 1
Download and run HackerShield 1.1 - Maintenance Patch 2:
http://www.bindview.com/products/HackerShield/HS_Patch2.zip
This patch generates a unique password, changes the password for the NetectAgentAdmin$ account, and restarts the
HackerShield services (HackerShield Agent and HackerShield Sniffer services). After you do so, your installation of
HackerShield will no longer be vulnerable.
Corrective Option 2
You may fix this problem manually by either changing the password to one of your choosing (remembering to also
change it in the Services control panel) or by deleting the NetectAgentAdmin$ account and using a different account to
provide 'Log In As' permissions to the HackerShield services.
Corrective Option 3
If you have installed an evaluation copy of HackerShield 1.0 or 1.1 that is past its evaluation period, the simplest way to
eliminate the problem is to uninstall HackerShield. HackerShield uses a standard uninstall procedure and may be
uninstalled using the Add/Remove Programs feature in the Windows NT Control Panel. After you uninstall HackerShield,
you should verify that the NetectAgentAdmin$ account has also been removed from your system.
Final Note
Please note that there are no reports of this problem being exploited. However, once the problem has been made
public, hackers may attempt to exploit it. Therefore, you must apply Maintenance Patch 2 or take one of the other
corrective actions (described above) to avoid being vulnerable.
If you are interested in evaluating the latest version of HackerShield (version 1.1.1), it is available for download here:
http://www.bindview.com/products/HackerShield/hs_dl.html
HackerShield 1.1.1 includes Maintenance Patch 1 and 2 and RapidFire Updates 1 and 2.
Support
If you have any issues that require technical support,
please contact BindView Support at:
HSupdate@bindview.com or
http://www.bindview.com/support/support.html
@HWA
13.0 Globalstar and FBI Are Nearing Agreement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by AlienPlaque
Globalstar, a satellite phone firm, is close to an
agreement with federal law enforcement officials who
had threatened to delay its service if the FBI couldn't
wiretap phone conversations. Even though the company
is based in Canada, it needs to win approval from the
Federal Communications Commission, which has already
held up a license for another company due to concerns
that the FBI would not be able to wiretap and monitor
its service.
C|Net
http://news.cnet.com/news/0-1004-200-117671.html?tag=st.ne.1002.thed.1004-200-117671
Globalstar close to pact with FBI over wiretaps
By John Borland
Staff Writer, CNET News.com
September 13, 1999, 4:15 p.m. PT
A satellite phone firm is close to an agreement with federal law enforcement officials who had threatened to delay its
service if the FBI couldn't wiretap phone conversations, company officials say.
Officials at the Federal Bureau of Investigation have been concerned that Globalstar and other satellite phone companies could
undermine their ability to listen in on suspected criminals' telephone calls by sending the transmissions across national
borders--and outside U.S. jurisdiction.
The issue had threatened to hold up Globalstar's long-awaited launch date, scheduled for later this month. FBI officials had even
raised the possibility that the company would have to move several of its expensive land-based transmission stations from
Canada into the United States--an option that would have dramatically raised costs and delayed service for the fledgling firm.
The FBI's scrutiny of the satellite phone business has proved rocky for the struggling industry. Few
providers can afford to restructure their network to satisfy law enforcement concerns, and many in
the industry are watching Globalstar to see if a cheap technical solution to federal demands can be
found.
After several months of negotiations with U.S. and Canadian officials, the company may have found
a way to deal with the law as well as stay financially afloat. In a recent meeting, FBI officials and
Globalstar executives agreed to pursue a technological fix that appears likely to satisfy the FBI's
needs to tap into the satellite calls, company officials now say.
"We have tentatively agreed on a technical solution," said Andy Radlow, a spokesman for
Vodafone AirTouch, the company that is managing Globalstar's North American operations. "We
don't get any indication that they intend to hold us up."
An FBI spokesman confirmed that the agency is in discussions with satellite phone providers, but
declined to comment specifically on negotiations with Globalstar.
Aside from federal concerns, Globalstar is just the latest player to enter an industry that has seen two of its early pioneers fall by
the wayside. The firm's largest competitor, Iridium, has already filed for bankruptcy protection and is undergoing a company
reorganization. Another smaller competitor has also filed for bankruptcy protection.
Not quite a borderless world
Globalstar is run by a coalition of companies including Loral Space and Communications, Vodafone AirTouch, and Qualcomm,
among others. With satellites already in orbit around earth, the company has said it plans to begin offering telephone service by
the end of September. By the time its $3.9 billion satellite system is complete, the company will be able to serve customers
almost anywhere on Earth.
But before it can begin serving customers in the United States, it needs to win approval from the Federal Communications
Commission--and that's where the trouble starts.
The FCC has already held up a license for at least one smaller Canadian satellite phone company based on concerns that the
FBI would not be able to tap and trace telephone calls made over the system. FCC officials say they have wanted to allow
negotiations between the phone companies and the FBI to proceed before acting on the license requests.
In Globalstar's case, two of the four ground stations--places where equipment sends calls to and from the satellite
network--serving the United States will be located across the border in Canada.
This has worried FBI officials, who don't want to have to seek approval from foreign governments when tapping telephones.
Seeking permission from Canadian officials to conduct surveillance of U.S. suspects--a likely outcome if the FBI had to physically
put taps in Globalstar's Canadian stations--would be a serious breach of national security, officials say.
The fix that Globalstar and the FBI are reportedly discussing would allow law enforcement officials a way to tap into the satellite
system without having to cross the U.S. border. The technical details are still being finalized, but Qualcomm--the company that
provides the land station and handset equipment to Globalstar--has assured the Justice Department that the fix will satisfy their
concerns, Radlow said.
"We feel we're going to continue to have a good relationship on the federal and local level with law-enforcement," Radlow said.
Once the FBI has officially signed off, Globalstar can go to the FCC for its license without much fear of delay.
The company is running up against its own stated deadline to begin rolling out service this month, however. But the North
American version of the service still plans a "soft launch" this November and appears likely to make this deadline despite the
wiretap concerns.
@HWA
14.0 Matt Drudge Defaced
~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by evil wench
The 'United Loan Gunmen" who recently claimed
responsibility for defacing CSPAN and ABC have now
replaced the home page of the political commentary site
of Matt Drudge, www.drudgereport.com.
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
Yahoo News
http://dailynews.yahoo.com/h/ap/19990913/tc/drudge_hacked_2.html
CNN
http://www.cnn.com/TECH/computing/9909/14/drudge.hackers.ap/index.html
Nando Times
http://www.techserver.com/noframes/story/0,2294,92924-147335-1037579-0,00.html
Yahoo;
http://dailynews.yahoo.com/h/ap/19990913/tc/drudge_hacked_2.html
Hackers Vandalize Drudge Web Site
By TED BRIDIS Associated Press Writer
WASHINGTON (AP) - Hackers who earlier claimed responsibility for computer attacks against ABC and C-SPAN
vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday.
The group, calling itself ``United Loan Gunmen,'' replaced Drudge's main page with a message saying they ``take control of Mike (sic) Drudge's data stockyard to once
again show the world that this is the realm of the hacker.''
Drudge could not be reached immediately for comment.
Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three remarkably
high-profile Web sites over a period of weeks.
The ``ULG'' group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week ago.
It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC.
The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet.
The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities.
The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wis., on charges that he vandalized the Army's Internet site.
And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told others earlier this
summer how to attack the Internet site run by the White House. Burns' sentencing was set for Nov. 19.
Earlier Stories
-=-
CNN;
http://www.cnn.com/TECH/computing/9909/14/drudge.hackers.ap/index.html
Hackers vandalize Web site run
by Internet gossip Drudge
September 14, 1999
Web posted at: 1:57 a.m. EDT (0557 GMT)
WASHINGTON (AP) -- Hackers who earlier claimed responsibility for
computer attacks against ABC and C-SPAN vandalized the Web site run by
Internet gossip columnist Matt Drudge late Monday.
The group, calling itself "United Loan Gunmen," replaced Drudge's main page
with a message saying they "take control of Mike Drudge's data stockyard to
once again show the world that this is the realm of the hacker."
Drudge could not be reached immediately for comment.
Although such electronic attacks aren't unusual, it was remarkable for a
little-known hacker group to have claimed responsibility for raids on three
remarkably high-profile Web sites over a period of weeks.
The "ULG" group also had claimed responsibility for the defacement of the
Internet site for ABC just weeks ago and for an attack at C-SPAN one week
ago.
It's believed to be relatively newly formed, and its only previously known
attacks have been the ones against C-SPAN and ABC.
The defacement of the Drudge site was first reported on a computer security
Web site, Attrition.Org, which monitors hacking activity on the Internet.
The vandalism of Drudge's Web site comes during a period of stepped-up
prosecution of hackers by federal authorities.
The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay,
Wisconsin, on charges that he vandalized the Army's Internet site.
And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court
in Virginia to charges that he vandalized a spate of Web pages and told others
earlier this summer how to attack the Internet site run by the White House.
Burns' sentencing was set for November 19.
Copyright 1999 The Associated Press. All rights reserved.
-=-
Nando Times;
http://www.techserver.com/noframes/story/0,2294,92924-147335-1037579-0,00.html
Hackers vandalize Drudge Report
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
From Time to Time: Nando's in-depth look at the 20th century
By TED BRIDIS
WASHINGTON (September 14, 1999 6:20 a.m. EDT http://www.nandotimes.com) - Hackers who claimed responsibility for earlier attacks against ABC and
C-SPAN vandalized the Web site run by Internet gossip columnist Matt Drudge late Monday.
The group, calling itself "United Loan Gunmen," replaced Drudge's main page with a message saying they "take control of Mike (sic) Drudge's data
stockyard to once again show the world that this is the realm of the hacker."
Drudge could not be reached immediately for comment.
Although such electronic attacks aren't unusual, it was remarkable for a little-known hacker group to have claimed responsibility for raids on three
remarkably high-profile Web sites over a period of weeks.
The "ULG" group also had claimed responsibility for the defacement of the Internet site for ABC just weeks ago and for an attack at C-SPAN one week
ago.
It's believed to be relatively newly formed, and its only previously known attacks have been the ones against C-SPAN and ABC.
The defacement of the Drudge site was first reported on a computer security Web site, Attrition.Org, which monitors hacking activity on the Internet.
The vandalism of Drudge's Web site comes during a period of stepped-up prosecution of hackers by federal authorities.
The Justice Department weeks ago arrested Chad Davis, 19, of Green Bay, Wis., on charges that he vandalized the Army's Internet site.
And a colleague of Davis', Eric Burns, pleaded guilty recently in federal court in Virginia to charges that he vandalized a spate of Web pages and told
others earlier this summer how to attack the Internet site run by the White House. Burns' sentencing was set for Nov. 19.
@HWA
15.0 South Africa Stats Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Anonymous
The official statistic web site for South Africa was
defaced recently. The site is used mainly by economists
looking for information such as the consumer price
index, manufacturing production and gross domestic
product growth.
Excite News
http://news.excite.com/news/r/990913/07/tech-safrica-hackers
Attrition Mirror
http://www.attrition.org/mirror/attrition/1999/09/11/www.statssa.gov.za/
Excite;
Hackers attack S.Africa's key statistics website
Click on our sponsors!
Updated 7:41 AM ET September 13, 1999
JOHANNESBURG, Sept 13 (Reuters) - Cyber-hackers broke into South Africa's official statistics website on Monday, replacing
details of the latest consumer price index with a slew of obscenities railing against national phone company Telkom.
Visitors to the site (www.statssa.gov.za), which normally provides information on staid topics such as manufacturing production
and gross domestic product growth, were met instead with a foulmouthed tirade against Telkom's alleged shortcomings.
"Telkom stop your...lame-ass monopoly or we will disconnect you," the hackers warned, among other things.
The page is a crucial source of information for economists tracking the country's performance.
Many of Telkom's unionised workers are involved in a wage dispute with the employer and have engaged in organised go-slows.
But a Telkom official said she didn't believe the defacing of the statistics website was related.
Telkom's site (www.telkom.co.za) wasn't affected.
An information technology expert at Statistics South Africa said it could take at least two days to get the site back to normal.
@HWA
16.0 India And Israel BackDooring US Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Simple Nomad
This article spreads a bit of FUD that manages to
implicate Israel and India in plots to plant backdoors in
U.S. systems because of the out-sourced Y2K
programming efforts that utilize those country's
programmers. It is of course possible that Israeli and
Indian programmers might backdoor their code, but so
might programmers from anywhere else. Somehow HERF
guns make it into this article as well. This article is great
if you are planning on preying upon the Y2K paranoid
survivalist crowd.
Network Fusion
http://www.nwfusion.com/archive/1999/75306_09-13-1999.html
(Registration Required)
This story appeared on Network World Fusion at http://www.nwfusion.com/archive/1999/75306_09-13-1999.html.
Threat of 'infowar' brings CIA warnings
Y2K work has given foreign-born programmers 'unprecedented access' to U.S. computer systems.
By ELLEN MESSMER
Network World, 09/13/99
ARLINGTON, VA. - Some might call it paranoia, but the U.S. government is growing increasingly worried that foreign infiltrators are building secret trap doors into
government and corporate networks with the help of foreign-born programmers doing Y2K-related work.
A CIA representative last week named Israel and India as the countries most likely to be doing this because they each handle a large amount of Year 2000 software
repair not done by U.S.-born workers. According to the CIA, the two countries each have plans to conduct information warfare and planting trapdoors wherever they
can would be a part of that.
Information warfare is a nation's concerted use of network hacking, denial-of-service attacks or computer viruses to gain access to or disrupt computer networks, now
the heart of modern society in terms of banking, telecommunications and commerce.
HERF guns work
Though still secretive about the practice, nations are also building futuristic radio-pulse devices - popularly called High Energy Radio Frequency (HERF) guns - that can
disrupt or destroy electronics in networks, cars, airplanes and other equipment by sending an energy beam at them.
A homemade version of a HERF gun successfully disrupted a PC and a digital camera during a demonstration last week at a session of the Infowar conference. This
conference typically draws a large crowd of government spooks and high-tech strategists from around the world.
Y2K work is giving foreign programmers "unprecedented access to computer systems," Terrill Maynard, the CIA's chief of analysis and warning, said at the Infowar
conference. He works at the National Information Protection Center, which is the government organization housed at the FBI that keeps a watch on threats to the U.S.
cyberinfrastructure.
While Maynard calls Israel and India the key suspects for planting software backdoors in American systems, Russia is also viewed as a threat because it has defensive
and offensive information warfare programs underway. Cuba and Bulgaria are working on computer-virus weapons, he says. But Maynard claims Israel has already
hacked its way into U.S. computer systems to steal information about the Patriot missile.
With most Y2K work completed, "action options are few at this date," Maynard says. He recommends that IT departments closely examine the Y2K code that went in
their systems and also run extensive checks on network security.
In the 21st century, the threat of nuclear war is being displaced by that of information weapons, said another conference speaker, Igor Nemerov, general counsel of the
Russian Embassy. "We can't allow the emergence of another area of confrontation," Nemerov said, adding that Russia is calling for "cyberdisarmament."
The first step in the cyberdisarmament process is to get the nations of the world to discuss the issue openly, Nemerov said. Russia recently requested that the United
Nations ask member countries to recognize the threat and state their views on it.
The U.S. Department of Defense has complained in meetings with Congressional subcommittees that it has seen severe network-based attacks coming from Russia.
Congress has become convinced there's a big problem - and not just with Russia. Rep. Curt Weldon (R-Pa.) made an appearance at the Infowar conference last week
to say he thinks information warfare is a bigger threat than biological or nuclear weapons.
When asked by Network World if Russia carries out network-based attacks on U.S. computer systems, Nemerov conceded that sometimes things do happen, but "it's
unauthorized."
Robert Garique, chief technical officer for the Canadian province of Manitoba, said he favors cyberdisarmament talk. Garique noted that new hacking tools, such as one
called nmap, make it very hard to be sure where a network-based attack is originating because the tool makes it easy for the attacker to spoof his identity.
Easy to make
But more than traditional hacker techniques constitute infowar. A new genre of high-energy radio-pulse weapons that disable electrical flows are under development in
government labs around the world. "People are spending a lot of money on cyberweapons," Garique said.
But how easy is it for terrorists or other criminals to build their own homemade HERF guns? That has been a topic of much debate, but last week a California-based
engineer, David Schriner, demonstrated it's not very hard.
Schriner, president of Schriner Engineering and a former engineer at the Naval Air Warfare Center, hooked up a 4-foot parabolic antenna powered by ignition coils and
parts from a cattle stun gun during one Infowar session. People with pacemakers were asked to exit the room.
With not much more than $400 in parts, he directed a 300-MHz pulse at a computer running a program. Blasted in this manner from 10 feet away, the computer went
haywire and a digital camera twice that distance away was affected.
"It's high-school science, basically," says Schriner, who believes that as this kind of threat becomes better understood through research, the computer industry is going to
have to sit up and take note. "It's going to cost an extra nickel or dime to put a shield in a computer where it's needed," he says. o
@HWA
17.0 The Russians Are Coming, The Russians Are Coming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Space Rogue
A lot of people have been sending in a link to a recent
Newsweek article and are wondering why HNN has not
mentioned it. The article claims that the Russians are on
our cyber back door waiting to break in. The article is
written so that it appears that this is a current event.
It is not. It is months old. Operation Moonlight Maze, as
discussed in the article took place last spring, the DOD
password change also mentioned in the article happened
last month. While news outlets like Newsweek may think
it is OK to report on stuff that is months old HNN tries
to only report on timely events.
Newsweek
http://www.newsweek.com/nw-srv/printed/us/st/sr0612_5.htm
Note: Page 5 of 8
Relevant section only, included
POLITICS
'We're in the Middle of a Cyberwar'
Russian hackers may have pulled off what could be the most
damaging breach ever of U.S. computer security
By Gregory Vistica
It's being called "Moonlight Maze," an
appropriately cryptic name for one of the
most potentially damaging breaches of
American computer security ever
serious enough for the Department of
Defense to order all of its civilian and
military employees to change their
computer passwords by last month, the first time this precaution has ever
been taken en masse. The suspects: crack cyberspooks from the Russian
Academy of Sciences, a government-supported organization that interacts
with Russia's top military labs. The targets: computer systems at the
Departments of Defense and Energy, military contractors and leading
civilian universities. The haul: vast quantities of data that, intelligence
sources familiar with the case tell NEWSWEEK, could include classified
naval codes and information on missile-guidance systems. This was,
Pentagon officials say flatly, "a state-sponsored Russian intelligence effort to
get U.S. technology" as far as is known, the first such attempt ever by
Russia. Washington has not yet protested to Moscow. But Deputy
Secretary of Defense John Hamre, who has briefed congressional
committees on the investigation, has told colleagues: "We're in the middle of
a cyberwar."
In a cyberwar, the offensive force picks the battlefield, and the other side
may not even realize when it's under attack. Defense Department officials
believe the intrusions, which they describe as "sophisticated, patient and
persistent," began at a low level of access in January. Security sleuths
spotted them almost immediately and "back-hacked" the source to
computers in Russia. Soon, though, the attackers developed new tools that
allowed them to enter undetected (although they sometimes left electronic
traces that could be reconstructed later). Intelligence sources say the
perpetrators even gained "root level" access to some systems, a depth
usually restricted to a few administrators. After that, "we're not certain
where they went," says GOP Rep. Curt Weldon, who has held classified
hearings on Moonlight Maze.
As a federal interagency task force begins its damage assessment, a key
question is whether the Russians managed to jump from the unclassified
(although non-public) systems where they made their initial penetration into
the classified Defense Department network that contains the most sensitive
data. Administration officials insist the "firewalls" between the networks
would have prevented any such intrusion, but other sources aren't so sure.
Besides, one intelligence official admitted, classified data often lurk in
unclassified databases. With enough time and computer power, the Russians
could sift through their mountains of pilfered information and deduce those
secrets they didn't directly steal. That's one more thing to worry about,
although security officials admit that they have a more pressing concern.
The intruders haven't been spotted on the network since May 14. Have they
given up their efforts or burrowed so deeply into the network that they
can no longer even be traced?
Newsweek, September 20, 1999
@HWA
18.0 Biometrics Takes Frightening New Step "I am not a number!" ready to be barcoded?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What I want to know is how someone gets a patent for something like this? its an IDEA
I was led to beleive that an IDEA was not patentable....this is proof otherwise..- Ed
From HNN http://www.hackernews.com
contributed by Weld Pond
The United States Patent and Trademark Office has
issued a patent for what some may find extremely
disturbing. Thomas W. Heeter of Houston, TX has been
awarded patent #5,878,155 for using tattoos to identify
customers prior to a retail transaction. The tattoo would
consist of a bar code or other design that would be
electronically scanned to confirm identity. (Personally I
think this is taking biometrics a little to far. Hopefully no
one will actually implement this patent.)
US Patent and Trademark Office
http://patents.uspto.gov/cgi-bin/ifetch4?ENG+PATBIB-ALL+0+946309+0+7+25907+OF+1+1+1+PN%2f5%2c878%2c155
United States Patent
5,878,155
Heeter
Mar. 2, 1999
Method for verifying human identity during electronic sale transactions
Abstract
A method is presented for facilitating sales transactions by electronic media. A bar code or a design is tattooed on an individual. Before the sales transaction can be
consummated, the tattoo is scanned with a scanner. Characteristics about the scanned tattoo are compared to characteristics about other tattoos stored on a computer
database in order to verify the identity of the buyer. Once verified, the seller may be authorized to debit the buyer's electronic bank account in order to consummate the
transaction. The seller's electronic bank account may be similarly updated.
Inventors:
Heeter; Thomas W. (55 Lyerly, Houston, TX 77022).
Appl. No.:
709,471
Filed:
Sept. 5, 1996
Intl. Cl. :
G06K 9/00
Current U.S. Cl.:
382/115
Field of Search:
382/115, 116, 124-127, 100, 128, 133; 348/77, 15, 161; 209/3.3, 555; 356/71;
340/825.34; 235/379, 380, 382
19.0 NASDAQ Defaced
~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by punkis
At approx. 21:23 on 9.14.99, United Loan Gunmen
temporarily defaced a section of the NASDAQ website.
This is the same group responsible for such high-profile
defacements as the ABC Network, C-SPAN, and most
recently the Drudge Report Web site. Data integrity
measures on the part of NASDAQ appear to have limited
the impact the ULG had on the site, but the intrusion
was nonetheless evident. Unfortunately we were unable
to get a full mirror of the defacement due to the limited
time the page remained up.
Attrition Mirror
http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com/
Late Update: 1628EST
And the media frenzy begins.
Associated Press - via USA Today
http://www.usatoday.com/life/cyber/tech/ctg141.htm
Wired
http://www.wired.com/news/news/politics/story/21762.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014
Rueters - Via Yahoo News
http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html
Associated Press/USA Today;
Nasdaq, Amex sites hacked overnight
WASHINGTON (AP) - Computer hackers vandalized the Internet sites
of the Nasdaq and American Stock Exchanges early Wednesday in a bold
electronic affront to the world's financial markets.
A group calling itself ''United
Loan Gunmen,'' infiltrated the
computer running the Web sites
for Nasdaq and Amex just after
midnight.
It was highly unlikely the hackers
manipulated any financial data
within the exchanges. Nasdaq
recently acquired the American
Stoc
k Exchange.
A spokesman for the exchanges was not available immediately for
comment.
The hacker group left a taunting message saying it intended to ''make
stocks rise drastically, thus making all investors happy, hopefully ending
with the investors putting bumper stickers on their Mercedez' that say
'Thanks ULG!'''
''Meanwhile, ULG members go back to flipping burgers at McDonalds.''
It also claimed to have briefly created for itself an e-mail account on
Nasdaq's computer system, suggesting a broad breach in the system's
security.
''That's a pretty serious allegation,'' said Christopher Rouland, director of a
team of computer security engineers, called X-force, for Atlanta-based
Internet Security Systems Inc. ''It's difficult to say if it's accurate, but once
you breach the perimeter, it certainly is easier to get into the
infrastructure.''
Nasdaq's Web site uses software from Microsoft Corp., called Internet
Information Server, that has suffered several serious security problems
during the past year. Microsoft has distributed patches in each case but
relies on local computer administrators to install them correctly.
''System administrators can forget to install patches,'' Rouland said.
Another expert, Russ Cooper, said it's a mistake to assume that the
Internet's most popular sites are secure from hackers.
''It would be nice if we could assume that a high-profile site would have
better security people on-staff,'' said Cooper, who runs the NTBugtraq
discussion group on the Internet for security flaws. ''Unfortunately, my
experience is that's a hope, not a reality.''
The hacker group also had claimed responsibility earlier this week for the
defacement of the Internet site for Matt Drudge, the Internet gossip
columnist, and electronic attacks against C-Span last week and ABC just
weeks ago. All those organizations also used Microsoft's Internet
Information Server to run their Web sites.
Rouland said the attacks on Nasdaq and Amex were likely to cause
anxiety among computer professionals on Wall Street.
''It certainly will in the financial communities,'' he said. ''People will notice,
and it will cause a buzz. This is going to cause more people to pay
attention to security.''
Nasdaq trading volume averages about 800 million shares a day.
As global financial markets have expanded at a dizzying pace, Nasdaq has
adopted an aggressive international strategy. Earlier this year, Nasdaq
took over the Amex and announced plans to establish an electronic trading
exchange in Japan.
Nasdaq also has set up a joint Web site with Hong Kong's stock
exchange that will allow U.S. investors to trade in Hong Kong securities,
has signed a similar deal with the Australian Stock Exchange, and is
looking into new alliances in Europe.
The global expansion by the world's second-largest stock market has
sharpened its competition with the largest, the New York Stock
Exchange, which uses a traditional trading floor.
-=-
Wired
http://www.wired.com/news/news/politics/story/21762.html
Latest Cracker Caper: Nasdaq
by Chris Oakes and Leander Kahney
11:30 a.m. 15.Sep.99.PDT
Apparently following through on a threat earlier in the week, a cracking group called the United Loan Gunmen has attacked another major Web site.
But was the Nasdaq-AMEX stock site really attacked? And is that really bigger than cracking The New York Times' site?
Finally, to add to the intrigue, are the United Loan Gunmen the same people who called themselves Hacking for Girlies, which claimed responsibility
for the Times' attack?
What is known is this: a high-profile information site was attacked in some way for a few minutes late Tuesday night. It appeared to the latest in a
what has become a wave of Web site-cracking.
Visitors to domains hosting the news section of the Nasdaq-AMEX Web site were greeted by a mock news story boasting of the crack. The text
attributed the break-in to the recently active hacker group the United Loan Gunmen.
"The Elite Computer Hacking group ULG [United Loan Gunmen] uprooted the Nasdaq Stock Market Web Site," the Nasdaq front page read. "... Their
goal was to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting bumper stickers on
their Mercedez [sic] that say 'Thanks ULG!'"
Nasdaq denied any break-in.
"There's no evidence of an intrusion," said Nasdaq spokesman Scott Peterson.
The company said it wouldn't rule out the possibility until it had investigated its systems completely.
The crack was first tracked by Attrition, a security information group that monitors and archives cracks and site defacement. Attrition says it
captured a browser image from the Nasdaq site early Wednesday, and said the pages showed clear evidence that the site had been breached.
"Nasdaq is still saying there's no evidence of intrusion -- but that's either because they don't want thousands of people who track the stock market
each day to freak out or because [the crackers] are good at covering their tracks," said B.K. DeLong, a consultant and member of Attrition.
He said Attrition staffers visited the several host domains of the Nasdaq-AMEX site Tuesday evening after being notified of the crack around 9 p.m.
PDT. The HTML behind the hacked page showed that the location of the intruding message had to be located at the actual Web site of Nasdaq,
rather than a spoof site.
The motive in all these cases is almost always publicity for the group, said Peter Shipley, chief security architect for security firm KPMG. "The
majority of Web hacks these days are by people trying to establish names for themselves."
He said it's the easiest -- and least respected -- path to notoriety in the hacker world. "One [path] is to do something shocking, the other is
publish information -- write a good article for Phrack or 2600 [two highly regarded hacker publications].
"The former is the route to quick glory rather than respect."
Regardless of the motivation, DeLong said ULG's communications indicate that they are expert crackers who know how to cover their tracks.
The recently established group also claimed responsibility for breaking into media-owned Web sites to post similar boasts on those homepages. Late
Monday, the same group claimed it had cracked the site of self-styled gossip king Matt Drudge.
The latest incident only goes to show how easy Web page hacks are, Shipley said.
"You're dealing with a machine that's designed to have public access. So it's usually outside the firewall or at a co-locator's network, as opposed to
one inside a secure internal network," Shipley said.
The message from the ULG also cited an email address at the nasdaq.com domain for reaching the group.
Shipley said a lack of appropriate security measures -- a security team, regular security audits -- are behind most site hacks. But even when
security is in place, the public nature of sites make them prime targets. The Nasdaq crack lasted only a few minutes, according to the Hacker News
Network.
The United Loan Gunmen also praised the security news service, which distanced itself from the incident. Hacker News' editor, who calls himself
Space Rogue, said following the Drudge crack that the United Loan Gunmen were reportedly planning another media-site attack that would be
"bigger than NYT."
A source close to the hacking community said that the United Loan Gunmen are actually the same group as Hacking For Girlies, which last fall
claimed responsibility for defacing the Web site of The New York Times.
"It's not ... any lame kiddie group under a new name, nor is it a new group just formed to take on the media," said the source. "The hacks were
carried out by the same group in order to gain media attention."
Early last week, the United Loan Gunmen defaced the home page for C-SPAN. Last month, they defaced the Web site of the ABC television
network.
In Monday's attack, they added headlines to the Drudge site, including "Kevin Mitnick Still In Jail."
FBI officials in Maryland, where the Nasdaq site is based, couldn't be reached to confirm the possibility of an investigation.
Shipley said when the FBI does investigate such cases, their work is primarily "forensic," examining site logs that would show how the intruder broke
in. Many sites don't maintain proper logs, which hinders any investigation.
In any case, it's highly unlikely the computers of the trading system itself would be at risk in such events.
It's equally unlikely that the crackers will be caught.
"It really depends on the person," Shipley said. "With proper efforts it would be very hard to catch the person. Anybody who would break in would
relay their attack from various sites around the world. This causes a legal jurisdiction problem in tracing their path."
-=-
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
'United Loan Gunmen' attack again
By Robert Lemos, ZDNN
September 15, 1999 11:22 AM PT
URL: http://inbloom.yi.org/a.out.shtml
Cyber vandals who recently hit a number of high-profile Web sites attacked again late Tuesday
night, defacing the Nasdaq/AMEX Web home page.
The group, which calls itself the "United Loan Gunmen," posted an obviously false story on the site
for a short amount of time under the headline, "United Loan Gunmen take control of Nasdaq
stock market."
Despite claims in the story that the cybergang had "uprooted" the Web site, the only effects of the
intrusion seemed to be defacing of the home page.
The Nasdaq site offers financial news and quotes.
Up just a few minutes
The phony page stayed up only a few minutes before Nasdaq's Web servers automatically
detected and removed it, said B. K. DeLong, a staff member with security Web site Attrition.org.
Reports of the defacement initially appeared on Attrition.org, which obtained a screenshot of the
modified site before Nasdaq's automatic measures cut in.
Nasdaq officials could not confirm the intrusion at press time.
"Our sites are working perfectly," said Scott Peterson, a spokesman for Nasdaq. "We have no
evidence of intrusion at this time. However, we take all such allegations very seriously and we are
investigating at this time."
The United Loan Gunmen is a new group that has made a name for itself in recent weeks by
defacing major sites, and leaking word of the defacements to Attrition.org. The same group has
claimed responsibility for hacks on sites including ABC.com, C-SPAN and -- just this last
Monday -- the Drudge Report.
More details to follow.
-=-
Rueters - Via Yahoo News
http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html
Wednesday September 15 5:07 PM ET
Nasdaq Web Site Targeted By Hackers - Report
By Jennifer Westhoven
NEW YORK (Reuters) - The Web site for Nasdaq and the American Stock Exchange was reportedly attacked Wednesday by a hacker
group calling itself the United Loan Gunmen, one day after the group sabotaged Internet gossip columnist Matt Drudge's Web site.
The attack shortly after midnight was the latest in a recent wave of online graffiti sprayed on prominent media Web sites. It was reported by several news
organizations, including Hacker News Network (http://www.hackernews.com), which monitors hacking incidents and keeps an archive of ``cracked'' sites as they
appeared after being vandalized.
The hacked site could be found at http://www.nasdaq.com, http://www.nasdaq-amex.com or http://www.amex.com.
Nasdaq, citing security reasons, said it would not confirm or deny whether its site had been cracked. ``The Nasdaq Web site is operational and secure, and we will
continue to monitor our sites,'' said Nasdaq spokesman Scott Peterson.
Hacker News Network said the United Loan Gunmen, or ULG, temporarily defaced a section of the Nasdaq site. ``Data integrity measures on the part of Nasdaq
appear to have limited the impact the ULG had on the site, but the intrusion was nonetheless evident,'' Hacker News Network said.
The group posted a computer ``screen shot,'' or picture, of the hacked Web page. However, the picture itself does not prove the site was defaced; it is relatively
easy for skilled computer users to make a copy of a page and deface the copy.
In the screen shot, the group said its goal was ``to attempt to make stocks rise drastically, thus making all investors happy, hopefully ending with the investors putting
bumper stickers on their Mercedez' (sic) that say 'Thanks ULG!'
``Meanwhile, ULG members go back to flipping burgers at McDonalds,'' it said.
The group also claimed it set up an e-mail address on the Nasdaq site. If that claim is true, it would show a deeper level of penetration into the system than just
defacing a Web site, two computer experts said.
The latest media site to get hit by the United Loan Gunmen was the Drudge Report (http://www.drudgereport.com), which was sabotaged briefly Monday,
according to news reports.
The masthead for the Drudge site was replaced with the message: ``United Loan Gunmen take control of Mike (sic) Drudge's data stockyard to once again show the
world that this is the realm of the hacker,'' according to a mirror, or duplicate of the hacked page posted by Hacker News Network.
Drudge, who is based in Los Angeles and also hosts weekly shows on cable television's Fox News Channel and on ABC radio, could not be reached for comment
Wednesday.
The attack on the Drudge site followed similar attacks on other high-profile media sites, including C-Span (http://www.cspan.org), ABC (http://www.abc.com),
Wired Online (http://www.wired.com) and ``The Jerry Springer Show'' (http://www.universalstudios.com/tv/jerryspringer).
@HWA
20.0 WebTV Hole Divulges User Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
A security flaw in Microsoft's WebTV product could
divulge user information such as the user ID. This
information could then be used to change information
about the account. WebTV accounts can only hold 150
messages, once this limit was reached bounce messages
would include the customers information.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334232,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
WebTV hole leaves users exposed
By Lisa M. Bowman, ZDNN
September 14, 1999 6:21 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2334232,00.html?chkpt=hpqs014
The account information of some WebTV customers could have ended up in the wrong hands, as
a result of a security flaw in the set top box's software.
Microsoft Corp. (Nasdaq:MSFT), which owns WebTV, said Tuesday it has taken care of the
flaw, which made it possible for malicious hackers to tinker with WebTV customers' accounts.
The problem occurred when an e-mail message sent to a WebTV user's mailbox was bounced
back -- WebTV accounts can only hold about 150 messages and bounce back incoming e-mail
messages when they are full. If the WebTV user had the spam filter activated, then the returned
message would divulge the user's ID numbers to the sender -- in addition to the reason the e-mail
was deflected.
As a result, those who knew about the flaw could gather a WebTV customer's account
information by e-mail bombing the account -- without the customer ever knowing about the
invasion.
Net4TV duplicated flaw
The glitch was first reported by Net4TV Voice, a publication of the interactive television
consulting firm Iacta Inc. Net4TV Voice publisher Laura Buddine said some users notified her of
the breach last week. In addition, she came across it the flaw when some messages on the
Net4TV mailing list were returned containing the user's account information. Eventually, she
duplicated the problem.
Microsoft said it would be difficult for hackers to alter accounts once they had the IDs because
they also would have to trick the WebTV user into issuing certain commands.
The security breach appears to be an iteration of a flaw that surfaced last November, when people
began noticing that user ID numbers showed up in e-mails that had bounced back from WebTV
accounts.
The glitch became a system-wide problem a few weeks ago, when WebTV installed a new
automatic spam filter, which is activated by default. After it discovered the flaw, Net4TV was
urging people to turn off the spam filter.
@HWA
21.0 Bookshelf: "Hacking Exposed" Available Soon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
Osborne McGraw-Hill, has published a new book by
authors Stuart McClure and Joel Scambray entitled
HACKING EXPOSED: Network Security Secrets and
Solutions. McClure and Scambray are better known as
columnists for InfoWorld's Security Watch column. This
book is being billed as the ultimate resource for
businesses needing a comprehensive plan to defend
their network against the sneakiest hacks and latest
attacks. Advanced reviews by leading security experts
such as Marcus Ranum, Dr. Mudge, Simple Nomad, And
Aleph One have all been extremely positive.
Internet Wire
http://www.internetwire.com/technews/tn/tn984175.dsl
Hacking Exposed: Network Security Secrets and Solutions
http://www.amazon.com/exec/obidos/ASIN/0072121270/thehackernewsnet
Technology News
HACKING EXPOSED
Network Security Experts Debut Just Released Book at N+I
ATLANTA, GA -- (INTERNET WIRE) -- 09/13/99 -- Osborne McGraw-Hill, A Division of the McGraw-Hill Companies,
today announced authors Stuart McClure and Joel Scambray will be signing copies of their just released book,
HACKING EXPOSED: Network Security Secrets and Solutions, at Networld + Interop 99.
McClure and Scambray, Senior Manager and manager within the eSecurity Solutions Attack and Penetration Group
at Ernst & Young, and columnists for InfoWorld's Security Watch column, have developed the ultimate resource for
businesses needing a comprehensive plan to defend their network against the sneakiest hacks and latest attacks.
With the dramatic growth of e-commerce, network security is one of the most important issues facing network
administrators today-Hacking Exposed: Network Security Secrets & Solutions shows network administrators how to
hack into their system in order to protect it.
HACKING EXPOSED provides invaluable information on:
Finding and fixing security holes in your network
Implementing security, auditing, and intrusion procedures
Providing the top hacks the authors use to test security systems
Outlining the top 15 vulnerabilities found on common networks
Don't miss the first opportunity to purchase copies of this book (not yet available elsewhere) and to meet the authors
in person at their signing!
DATE: Tuesday, September 14th
TIME: 12pm
PLACE: DigitalGuru Bookshop (Official N+I Bookstore)
Contact
To learn more about HACKING EXPOSED, receive a press copy, or to schedule an interview with the authors for
Tuesday, September 14th, please call Jane Brownlow at 510-549-6690.
Background Information
The Osborne Media Group is a leading publisher of computer books that include user and reference guides;
best-selling series on computer certification; high level but practical titles on networking, communication, and
programming; and the hottest titles on new web development tools. With its established strategic publishing
relationships with Oracle, Corel, Global Knowledge, J.D. Edwards, and Intuit, the Osborne Media Group is targeting
consumer support, emerging technologies, and innovative applications for developing future computer books. For
more information visit www.osborne.com.
Contact: Jane Brownlow
Voice: 510-549-6690
22.0 Major Tech Companies Announce Security Plans
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
Intel, IBM, Compaq, Microsoft and Entrust have
announced what they are claiming is an end-to-end
security network solution. The announcement was made
at Networld+Interop in Atlanta. The plan calls for IPSec
products for PCs and servers, optimized for MS Win2000
and chipsets from Intel which include the 82594ED
network encryption processor.
The UK Register
http://www.theregister.co.uk/990914-000029.html
Posted 14/09/99 6:46pm by Mike Magee
Intel, PC giants announce network security plans
Intel is announcing what it claims is an end-to-end security network solution, in
conjunction with IBM, Compaq, Microsoft and Entrust.
The announcement, at Network+Interop in humid Atlanta, includes IPSec (Internet
Protocol Security) products for PCs and servers, optimised for MS Win2000.
Compaq and IBM will also include this technology in their products, with the aim of
keeping corporate networks safe.
The aim is to prevent access by individuals able to monitor Lan traffic. Intel claims that
firewalls are not safe enough.
Part of the protection will be chipsets from Intel which include the 82594ED network
encryption processor. This will be built into adaptors and other devices during the
course of this year.
The device is intended to thwart crime within rather than without a corporate firewall. ®
@HWA
23.0 NIST To Offer Security Awareness Workshops
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
The National Institute for Standard and Technology
(NIST) will be offering a series of workshops to help
agencies and companies deal with the complexity of
information security. The Computer System Security and
Privacy Advisory Board, part of NIST, will design the
workshops over the next few months with the first one
to be held in the middle of next year.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0913/web-nist-09-14-99.html
SEPTEMBER 14, 1999 . . . 15:45 EDT
NIST to offer workshops on security issues
BY DIANE FRANK (dfrank@fcw.com)
A government and industry advisory group today took the first steps to
develop the metrics for a series of workshops to help agencies and companies
deal with the complexity of protecting their computer systems and
organizations.
The Computer System Security and Privacy Advisory Board, a group at the
National Institute of Standards and Technology, plans to design the focus and
format of the workshops over the next few months.
Concepts for the workshops range from measuring the progress of an
organization's security measures to measuring the return on investment for
specific security practices and products to provide a business case to
administrators.
The first workshops will be based on subjects that everyone agrees on are
needed most, and the board will develop issues that can be addressed in the
future, said Fran Nielsen, a member of NIST's Computer Security Division
who is heading the workshop development effort.
The board has been working on the idea of metrics workshops for
government and industry security professionals since NIST director Ray
Kammer encouraged them last year. The first workshop is planned to be held
by mid-2000.
@HWA
24.0 Yet Another Firewall
~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
Novell has announced the Novell FireWall for NT, a
directory-enabled Internet security solution. The new
firewall integrates Internet security features with
network bandwidth-management tools. The combination
allows IS managers from small and medium-sized
companies to prioritize critical traffic during peak
network usage.
Info World
http://www.infoworld.com/cgi-bin/displayStory.pl?990914.ennovfire.htm
Novell bows toward NT with firewall solution
By Katherine Bull
InfoWorld Electric
Posted at 9:55 AM PT, Sep 14, 1999
ATLANTA -- Continuing its push toward supporting all aspects of Windows NT, Novell announced its Novell FireWall for NT here Tuesday at
Networld+Interop.
A directory-enabled Internet security solution, Novell FireWall for NT integrates Internet security features with network bandwidth-management tools. The
combination allows IS managers from small and medium-sized companies to prioritize critical traffic during peak network usage, officials said.
"Users can do the bandwidth management and have the Internet security - all from one place in NDS," said Patti Dock, Novell's vice president of product
marketing.
The Novell Firewall for NT is based on technology Novell obtained through its acquisition of Ukiah Software in June 1999.
Dock said the product will ship in October, and claims that it is the first directory-enabled firewall product to run on NT.
Novell also announced Tuesday a partnership with IBM to provide an Internet Caching System. The partners will offer preconfigured caching appliance
solutions based on the Novell Internet Caching System and IBM's Netfinity line of server hardware.
The caching appliances can be plugged into existing networks to speed access to frequently requested Web pages, will be available through authorized
distributors of IBM and Novell.
In addition, Novell announced the availability of directory-enabled Netware Cluster Services for NetWare 5.0. Executives from Compaq, Dell,
Hewlett-Packard, and IBM were on hand at the press conference to endorse the Novell strategy.
Compaq announced ProLiant Clusters for NetWare; Dell said it would offer Dell PowerEdge Server with NetWare Cluster Services; HP will provide its HP
NetServer Family with NetWare Cluster Services; and IBM will provide its IBM Netfinity with NetWare Cluster Services.
Novell in Orem, Utah, is at www.novell.com.
Katherine Bull is InfoWorld's news editor.
@HWA
25.0 HNN Announces Partnership With Security Focus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Space Rogue
We apologize for todays news being slightly delayed but
we where busy working on a new script to bring you the
latest in security files. HNN now lists the newest
security related files from Security Focus. This list will
be displayed in the left menu and will be dynamically
updated so keep checking back for new listings.
Security Focus
http://www.securityfocus.com
26.0 The Search for ULG Begins
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
ULG Attacks windows2000test ULG != HFG
contributed by Space Rogue
With ABC, C-SPAN, Drudge, and NASDAQ behind them
the ULG now has the FBI hot on their trial. NASDAQ has
said that they have not found any evidence left behind
from the intrusion, which will not give the FBI much to
go on. The big question is will The United Loan Gunmen
strike yet another high profile media site, or disappear
quietly into cyberspace?
The United Loan Gunmen have also claimed to have
broken into two boxes on the windows2000test.com
subnet last week. Windows2000test.com was
established by Microsoft to invite people to test the
security features of the next release of the operating
system. By violating the rules set up by Microsoft ULG
claims to have gotten access to two terminals servers
on the same network as the target system. They say
that they were then disconnected from the systems and
their access was later blocked. HNN has been unable to
confirm any of these allegations. (This information
provided by a trusted third party who was contacted
by ULG)
There have been a few rumors floating around that net
that the United Loan Gunmen are actually the same as
Hacking For Girlies. HFG claimed responsibility for
defacing the NYT web site last year. Most of the
'evidence' presented to support this rumor is purely
circumstantial and in reality proves nothing. It is
interesting to note that most of sites attacked by HFG
were UNIX based while ULG has only attacked NT
systems. While this is not concrete evidence either, it
does cast doubt on these rumors.
The staff of Attrition.org, in cooperation with HNN, have
worked hard to create an accurate analysis and
comparison of the few examples of HFG and ULG works.
While this analysis is not actual proof it does make a
very convincing argument that the two groups are not
the same.
Graphics Comparison
http://www.attrition.org/news/content/proof/ulg-comp.html
HTML Analysis
http://www.attrition.org/news/content/proof/ulg-html.html
HNN Cracked Pages Archive - abc.com, c-span.org, drudgerport.com
http://www.hackernews.com/archive/crackarch.html
Attrition Mirror - nasdaq-amex.com
http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com
Associated Press - via USA Today
http://www.usatoday.com/life/cyber/tech/ctg141.htm
Wired
http://www.wired.com/news/news/politics/story/21762.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2334751,00.html?chkpt=hpqs014
Reuters - Via Yahoo News
http://dailynews.yahoo.com/h/nm/19990915/wr/markets_hacker_1.html
CBS Market Watch
http://cbs.marketwatch.com/archive/19990915/news/current/nasdaq_hack.htx?source=htx/http2_mw
(See section on the NASDAQ site defacement for these articles)
Marketwatch;
Hackers penetrate Nasdaq Web site
By William L. Watts, CBS MarketWatch
Last Update: 6:06 PM ET Sep 15, 1999
Net Economy
Silicon Stocks
WASHINGTON (CBS.MW) -- The hackers who attacked Web sites
operated by C-Span and Matt Drudge struck again early Wednesday,
temporarily defacing a section of the Nasdaq-Amex Web site.
The group, which calls itself the "United Loan Gunmen," hacked the
computer running the Nasdaq and Amex sites early Wednesday morning.
The hackers attacked the news section of the sites, posting a
self-congratulatory message on the successful hack.
Nasdaq acquired the American Stock Exchange
earlier this year.
"The Nasdaq Web site is operational and secure.
We will continue to monitor our Web sites to
maintain their integrity," said Nasdaq spokesman
Scott Peterson. He wouldn't elaborate on specifics
of the attack nor whether law enforcement agencies
had been called in to investigate.
In their message, the hackers claimed to have set
up an e-mail account on the Nasdaq computer
system. If true, such a measure would represent a
major violation of the system's security measures,
security experts said.
Peterson would neither confirm nor deny whether
the hackers had established an e-mail account,
repeating only that the incident had nothing to do
with the exchange's trading system.
In their message, the hackers said they "uprooted the Nasdaq Stock
Market Web site" with the goal of making "stocks rise drastically, thus
making all investors happy, hopefully ending with the investors putting
bumper stickers on their Mercedez' (sic) that say 'Thanks ULG.'"
Hacker News Network, a Web site that monitors hacking incidents, said
data integrity measures put in place by Nasdaq appeared to have limited
the impact of the short-lived attack.
Carolyn Meinel, a computer security expert who operates the Happy
Hacker Web site, said the hackers' claim to have set up an e-mail account
is disturbing. If true, it would represent a serious security breach, she said.
"When you see a Web site hacked, it's a good idea to assume that every
single computer has been compromised," she said.
The hacker group claimed responsibility for an attack earlier this week
that defaced Internet gossip columnist Matt Drudge's Web site. The
company also attacked C-span's site last week and the ABC site a few
weeks before.
William L. Watts is a reporter for CBS MarketWatch.
@HWA
27.0 BO2K Discontinues US Distribution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Netmask
The 'U.S. Only' version of BO2K along with the 3DES
plugin, has been discontinued. The reason for this
discontinuation was given as the high cost of
maintaining the U.S.-only download server. There will
now only be one version of BO2K available to anyone
world wide. if you want strong crypto there are
numerous plug-ins available that where developed over
seas and are therefore not subject to the draconian
U.S. encryption export controls
BO2K
http://www.bo2k.com
@HWA
28.0 Taiwan Increases Cyber Warfare Training
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Space Rogue
A series of nine seminars focusing on on computer
security and virus prevention will be given by the
Taiwanese Defense Ministry in an effort to increase the
military's ability regarding electronic warfare. The
Defense Ministry said that this was a direct result of the
increased electronic threat from mainland China.
Inside China Today
http://www.insidechina.com/news.php3?id=92236
Taiwan Steps Up Training For
Electronic Warfare
TAIPEI, Sep 14, 1999 -- (Agence France Presse)
Taiwan has stepped up training of its military units to
thwart any electronic warfare by rival China, officials
said Tuesday.
The defense ministry launched the first of nine
seminars Tuesday "to beef up the military's ability
regarding electronic warfare and to cope with the
Chinese Communist threat," defense ministry
spokesman Kung Fan-ding said.
The seminars, focusing on communication security
and computer virus prevention, aimed to "show the
(ministry's) determination to ensure information
security," said Kung.
Several wargames held in China's Nanjing, Beijing
and Lanzhou military districts since 1985 have focused on using electronic
equipment to paralyze or destroy enemy computer and communications
systems, the ministry noted.
Last month Chinese computer hackers launched a cyber war to destroy the
websites of several Taiwan government agencies venting their anger at
Taiwan President Lee Teng-hui's provocative claim that the islands relations
with Beijing were "state-to-state."
Local hackers fought back posting Taiwan's national anthem and national flag
on several Chinese government agencies websites.
"Although the attacks by hackers did not ruin information systems here in
sectors such as banking and stock market, the effect of the scare on the
public might be far-reaching," warned General Tang Yao-ming, chief of the
General Staff, at the opening of Tuesday's seminar.
"We have to be cautious and should regard such events as the beginning of a
potential electronic warfare," Tang said.
Taipei-Beijing ties have hit the lowest level in the wake of Lee's remarks
since 1996 when China lobbed ballistic missiles into the shipping lanes of
Taiwan during the island's first direct presidential elections.
Beijing has kept up a propaganda barrage against Lee describing him as a
"historical sinner," trying to split the island from the motherland.
Taiwan and the mainland were split in 1949 at the end of a civil war. ((c)
1999 Agence France Presse)
@HWA
29.0 White House Set to Relax Crypto Export Controls
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by AlienPlague
The Clinton Administration is due to release by the end
of the day Thursday recommendations on encryption
export controls that are expected to suggest that
current restrictions be eased. While agencies like the
FBI have pushed to have encryption export controls
tightened, it is reported that the President's Export
Council Subcommittee on Encryption has advised the
President to loosen the restrictions.
Info World
http://www.infoworld.com/cgi-bin/displayStory.pl?990915.encrypto.htm
White House set to release crypto recommendations
By Nancy Weil
InfoWorld Electric
Posted at 11:02 AM PT, Sep 15, 1999
The Clinton Administration is due to release by the end of the day Thursday recommendations on encryption export controls that are expected to suggest
that current restrictions be eased.
Members of a high-tech panel formed by U.S. Rep. Richard Gephardt, a Missouri Democrat, also are emphasizing the issue this week, sending a letter
Tuesday to Clinton urging that he meet with them within the next week to discuss how best to make progress regarding encryption this year.
A presidential advisory committee, the President's Export Council Subcommittee on Encryption, passed its recommendations on to the White House in June
and although that report has not been made public it has been widely reported to advise that encryption restrictions be loosened.
U.S. high-tech companies and some lawmakers have pushed for less-restrictive encryption laws, arguing that the current general prohibition on exportation of
technology over 56 bits hurts vendors who cannot compete globally. However, the FBI and other law enforcement agencies argue that encryption
restrictions should remain strong to keep encrypted data out of the hands of terrorists and other miscreants.
The subcommittee has recommended that restrictions be eased so that products and technology using 128-bit key encryption can be exported, according to
the New York Times.
Gephardt's high-tech panel would likely welcome such a sweeping change. Along with Zoe Lofgren and Anna Eshoo, both Democrats from California,
Gephardt is urging the administration to support the Security and Freedom Through Encryption (SAFE) Act (H.R. 850), under consideration by the House.
SAFE would ease encryption export restrictions, but also addresses law-enforcement concerns.
"We recognize that opponents of H.R. 850, including several senior members of your Administration, have raised national security and law enforcement
concerns regarding this legislation. While we respect these individuals and the expertise they bring to this debate, we believe that their opposition fails to fully
appreciate how important strong encryption is to protecting the integrity of our national information infrastructure, ensuring the privacy of our citizens'
personal communications over the Internet and enhancing the safety of their electronic commerce transactions," said the letter from the three lawmakers to
Clinton.
"We must change our current encryption policy that needlessly places American companies behind the curve of technological advancements and international
competition," they wrote.
Nancy Weil is a correspondent in the Boston bureau of the IDG News Service, an InfoWorld affiliate.
@HWA
30.0 Crypto Compromise Reached
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Dildog
As expected, The White House has relaxed U.S. controls
on the export of data encryption technology. On the
surface it would appear that the high-tech industry,
Internet users, and privacy advocates have won the
debate, arguing that the export rules hand the entire
market to non-U.S. companies. But who really wins
here? The only major change is that the export limit has
been raised from 56-bit to 64-bit. Law Enforcement
agencies have said that they will still push for Key
escrow. And what will now become of the bill currently
in the House, authored by Rep. Bob Goodlatte
(R-Virginia), that would relax crypto exports even
further? Was this announcement a preemptive strike by
the Clinton Administration to take the steam out from
under this bill?
C|Net
http://news.cnet.com/news/0-1005-200-120700.html?tag=st.ne.1002.thed.1005-200-120700
Wired
http://www.wired.com/news/news/politics/story/21810.html
White House moves to ease encryption limits
By Reuters
Special to CNET News.com
September 16, 1999, 1:10 p.m. PT
WASHINGTON--President Clinton has decided to relax U.S. controls on the export of data encryption technology, a
step long sought by the nation's computer industry and resisted by federal law enforcement officials.
The move, which is to be announced later today, affects software and hardware and is intended to benefit the economy, preserve
privacy, serve the national security interest, and protect law enforcement capabilities, said White House spokeswoman Nanda
Chitre.
Once the realm of spies and generals, encryption has become an increasingly critical tool for securing e-commerce and global
communications over the Internet.
Until now, the White House has tilted its export policy toward the needs of law enforcement and national security agencies, which
fear strong encryption could be used by rogue nations and criminals to thwart U.S. surveillance.
But the high-technology industry, Internet users, and privacy groups appear finally to have won the debate, arguing that the export
rules are simply handing a vast, international market to non-U.S. companies.
The announcement won't be without its detractors, though.
"This is going to be a severe blow to national security interests, and it is going to hurt law enforcement," said Stewart Baker,
former general counsel to the National Security Agency.
But even Baker, a lawyer representing high-tech companies, said the change is inevitable, given the growing availability of
encryption from non-U.S. companies.
"If they had delayed much longer, there was a real risk that large parts of the encryption technology would have moved offshore
irretrievably," he said.
The change comes weeks ahead of an expected vote in the House of Representatives on legislation that would have gutted the
existing export limits. The bill, authored by Rep. Bob Goodlatte (R-Virginia), was sponsored by more than half of the members of
the House.
Industry officials welcome the change, which has been a major lobbying priority for years.
"It speaks very highly to their ability to see the writing on the wall and do exactly what they needed to do," said Lauren Hall, chief
technology officer for the Software and Information Industry Association.
People who were briefed on the White House policy change said the new rules will largely abandon the case-by-case licensing
approach that has applied to all but the weakest encryption products.
The slow and cumbersome licensing process has made it extremely difficult for U.S. companies such as Network Associates and
RSA Security to sell their popular computer security products overseas.
And for makers of mass-market software, such as Microsoft and IBM, the rules have forced companies to weaken the security in
Web browsers, email programs, and other products.
Under the new rules, such products with strong encryption features will undergo only a one-time review and then can be sold
anywhere in the world--except to a handful of nations such as Libya and Iraq.
Exporters will have to report who bought the products, such as an overseas distributor, but not who the ultimate end-user is--an
impossible requirement for programs sold in retail stores to millions of customers.
The administration's plan is also expected to ask for $500 million to beef up government computer security and additional funds to
help law enforcement agencies deal with encrypted criminal communications.
Story Copyright © 1999 Reuters Limited. All rights reserved.
-=-
Wired
http://www.wired.com/news/news/politics/story/21810.html
Decoding the Crypto Policy Change
by Declan McCullagh
3:00 a.m. 17.Sep.99.PDT
Why did the Clinton administration cave on crypto? What caused the nation's top generals and cops to back down this week after spending the
better part of a decade warning Congress of the dangers of privacy-protecting encryption products?
Why would attorney general Janet Reno inexplicably change her mind and embrace overseas sales of encryption when as recently as July she
warned Congress of the "rising threat from the criminal community of commercially available encryption?"
See also: Clinton Relaxes Crypto Exports and Crypto Law: Little Guy Loses
It can't simply be that tech firms were pressing forward this fall with a House floor vote to relax export rules. National security and law enforcement
backers in the Senate could easily filibuster the measure. Besides, Clinton had threatened to veto it.
It could be the presidential ambitions of Vice President Gore, who just happened to be in Silicon Valley around the time of the White House press
conference Thursday. Still, while tech CEOs can get angry over the antediluvian crypto regulations Gore has supported, they regard Y2K liability
and Internet taxation as more important issues.
Another answer might lie in a little-noticed section of the legislation the White House has sent to Congress. It says that during civil cases or
criminal prosecutions, the Feds can use decrypted evidence in court without revealing how they descrambled it.
"The court shall enter such orders and take such other action as may be necessary and appropriate to preserve the confidentiality of the technique
used by the governmental entity," Section 2716 of the proposed Cyberspace Electronic Security Act says.
There are a few explanations. The most obvious one goes as follows: Encryption programs, like other software, can be buggy. The US National
Security Agency and other supersecret federal codebreakers have the billion-dollar budgets and hyper-smart analysts needed to unearth the bugs
that are lurking in commercial products. (As recent events have shown, Microsoft Windows and Hotmail have as many security holes as a sieve
after an encounter with a 12-gauge shotgun.)
If the Clinton crypto proposal became law, the codebreakers' knowledge could be used to decipher communications or introduce decrypted
messages during a trial.
"Most crypto products are insecure. They have bugs. They have them all the time. The NSA and the FBI will be working even harder to find them,"
says John Gilmore, a veteran programmer and board member of the Electronic Frontier Foundation.
Providing additional evidence for that view are Reno's comments on Thursday. When asked why she signed onto a deal that didn't seem to provide
many obvious benefits to law enforcement, she had a ready response.
"[The bill covers] the protection of methods used so that ... we will not have to reveal them in one matter and be prevented, therefore, from using
them in the next matter that comes along," the attorney general said.
Funding for codebreaking and uncovering security holes also gets a boost. The White House has recommended US$80 million be allocated to an FBI
technical center that it says will let police respond "to the increasing use of encryption by criminals."
Another reason for the sea change on crypto is decidedly more conspiratorial. But it has backers among civil libertarians and a former NSA analyst
who told Wired News the explanation was "likely."
It says that since the feds will continue to have control of legal encryption exports, and since they can stall a license application for years and
cost a company millions in lost sales, the US government has a sizeable amount of leverage. The Commerce Department and NSA could simply
pressure a firm to insert flaws into its encryption products with a back door for someone who knows how to pick the lock.
Under the current and proposed new regulations, the NSA conducts a technical analysis of the product a company wishes to export. According to
cryptographers who have experienced the process, it usually takes a few months and involves face-to-face meetings with NSA officials.
"This may be a recipe for government-industry collusion, to build back doors into encryption products," says David Sobel, general counsel for the
Electronic Privacy Information Center and a veteran litigator.
Sobel points to another part of the proposed law to bolster his claim: It says any such information that a company whispers to the Feds will remain
secret.
That section "generally prohibits the government from disclosing trade secrets disclosed to it [by a company] to assist it in obtaining access to
information protected by encryption," according to a summary prepared by the administration.
Is there precedent? You bet. Just this month, a debate flared over whether or not Microsoft put a back door in Windows granting the NSA secret
access to computers that run the operating system.
While that widespread speculation has not been confirmed, other NSA back doors have been.
In the 1982 book The Puzzle Palace, author James Bamford showed how the agency's predecessor in 1945 coerced Western Union, RCA, and ITT
Communications to turn over telegraph traffic to the feds.
"Cooperation may be expected for the complete intercept coverage of this material," an internal agency memo said. ITT and RCA gave the
government full access, while Western Union limited the number of messages it handed over. The arrangement, according to Bamford, lasted at
least two decades.
In 1995, The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so US eavesdroppers
could easily break their codes.
The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its security products to some 120
countries, including prime US intelligence targets such as Iran, Iraq, Libya, and Yugoslavia. Crypto AG disputed the allegation.
"It's a popular practice. It has long historical roots," says EFF's Gilmore. "There's a very long history of [the NSA] going quietly to some ex-military
guy who happens to run the company and say, 'You could do your country a big favor if...'"
Could the security flaw be detected? Probably not, said Gilmore, who during a previous job paid a programmer to spend months disassembling parts
of Adobe's PostScript interpreter. "Reverse engineering is real work. The average company would rather pay an engineer to build a product rather
than tear apart a competitors'."
@HWA
31.0 Network Solutions Screws Up
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by McIntyre
Network Solutions attempted to offer a free email
service to all of its customers yesterday. Unfortunately
they totally screwed up the implementation. First, the
default passwords on these accounts where relatively
simple and easily guessable. Second, they emailed those
passwords in the clear to their customers. Third, they
made it almost impossible to remove yourself from their
spam list. If you did opt to remove yourself you would
no longer receive real info from Network Solutions about
your domains. It is unknown what Network Solutions has
done to rectify this situation but the free email site is
not currently open.
InfoWorld
http://www.infoworld.com/cgi-bin/displayStory.pl?990916.iinsi.htm
Attrition - Security Advisory
http://www.attrition.org/news/content/99-09-16.001.html
NSI makes free e-mail security blunder
By Sean Dugan
InfoWorld Electric
Posted at 12:00 PM PT, Sep 16, 1999
Network Solutions Inc. (NSI) discovered that no good deed goes unpunished
this week, when its attempt to offer a free e-mail service backfired with
a significant security problem.
NSI, the company that assigns and manages Internet domain names, recently
launched a new Web site (www.netsol.com) and an accompanying free e-mail
service, similar to that offered by Yahoo and Microsoft Hotmail. Through
the service, called "Dot Com Now Mail," NSI offered free e-mail accounts
for all those who registered domain names.
However, as it turns out, nearly anyone, including unauthorized users,
could sign up to use a domain registrant's e-mail account -- thanks to badly
configured default security.
NSI set up the e-mail accounts for registrants using the convention
"domainid" for log-in, and "domainidnsi" for the password. InfoWorld on
Wednesday confirmed that anyone who knows a domain name could access the
free e-mail account before the legitimate owner did. In doing so, the
unauthorized user could change the password and effectively lock legitimate
users out.
Additionally, the accounts were set up using the domain registrant's last
name, with the password "lastnamenai" convention, which makes them subject
to the same problem -- if an unauthorized user knows a registrant's last
name, they gain access to the e-mail account.
NSI could not be reached for comment Thursday.
As of 2 p.m. Eastern time Thursday, the NSI Web site www.netsol.com was
redirecting users to NSI's home site at www.networksolutions.com.
Sean Dugan is InfoWorld's senior research editor.
attrition advisory #001
September 16, 1999 - "NSI are morons"
99.09.16-001.nsi_stupidity_and_blackmail
by: jericho@attrition.org
Vulnerability: Due to Network Solutions (NSI) unsolicited email, practical
monopoly on domain registration, and their own stupidity,
all NSI "customers" are at risk. Two vulnerabilities have
been identified at this time, "stupidity" and "blackmail"
respectively.
Vendor Status: NSI was contacted and made aware of this issue on Wed, 15
Sep. Due to past lack of correspondance, no reply is
expected.
Impact: Any NSI customer is vulnerable to a wide variety of social
engineering attacks stemming from a "service" being forced upon
them by NSI. NSI customers must continue to receive unsolicited
spam at the threat of losing service from NSI.
Details >-------------------------------------------------------------------
Stupidity:
----------
Beginning mid September, NSI began spamming their 'customers' with the
mail regarding "Important information about your domain name account". For
anyone who has registered a domain via NSI, you are likely to be targeted
and potentially affected by this security threat.
NSI's mail goes on to offer all domain holders a free "dot com" email
service. This web based email is akin to Hotmail or any of the other free
mail services out there. Unfortunately, NSI makes two mistakes.
1. As a domain holder, you are not given a choice in receiving this
account. Further, NSI sends you the login name and password, via
email, with no encryption or other means of protection or
verification. Here is a sample from the mail I received. (Yes, my
password was changed).
"3. Lastly, we are pleased to offer you a FREE e-mail account using
our new dot com now mail service. Because it's Web-based, you can
use it in the office, at home or on the road. You'll need the
following information to set up your account:
>>>>>>>>>>>>Login name: jericho
>>>>>>>>>>>>Password: jerichonsi"
2. As you can probably guess, the login name and password are quite
easily guessed. Examining my domain:
Forced Attrition (ATTRITION2-DOM)
Administrative Contact, Technical Contact, Zone Contact:
Jericho, T (TJ2573) jericho@DIMENSIONAL.COM
602.347.0028 (FAX) private
By using the last name as the "login name", and "last name+nsi"
as the password, it is trivial to log into the 'dot com' mail
service and pose as the legitimate owner of the domain.
Blackmail:
----------
The last paragraph of the unsolicted mail reads:
"If you do not wish to receive e-mail from Network Solutions, click on
this e-mail address and type
"remove" in the subject line. PLEASE NOTE: by opting to be removed
from this list we will not be able to communicate to you, in
real-time, on issues regarding your account."
This is a clear case of blackmail on NSI's part. By clicking on the link,
they inform you that no further updates will reach you regar
ding your
domain. This means that you must suffer under their unethical ways and
receive their spam if you wish to receive mail about your registered
domain that you paid for.
Reference >-----------------------------------------------------------------
Here is the full text of the mail for reference. Use this to alert others and
watch for blatant spam by NSI.
Date: Wed, 15 Sep 1999 21:00:29 -0400
From: Network Solutions
To: "T Jericho"
Reply-To: Network Solutions
Subject: Important information about your domain name account
Dear T Jericho,
As a customer of Network Solutions or one of our Premier Program members,
we'd like to update you on three important items:
1. On September 18, 1999, Network Solutions plans to move to a new
Web-based prepayment process for registering domain names. At that point,
we will no longer accept NEW registrations without payment in full at time
of registration. This new online payment method gives customers the
convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR
CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART.
If you register ten or more domain names per month, you could be eligible
for Network Solutions' Affiliates or Business Account Programs. Under
these programs, you may qualify to continue receiving invoices for domain
name registrations. To be eligible, you must apply at
http://www.netsol.com/affiliates or
http://www.netsol.com/business_account.
2. Because you registered your domain name with us, your company has
received a FREE listing in the NEW dot com directory. We believe the dot
com directory gives you a unique competitive advantage, enabling potential
customers to find and do business with you. Search the directory for your
own business to see how easy it is! Go to http://www.netsol.com/directory
to find your business. You can also click on "Update Your Listing" to
search for and verify your company information.
3. Lastly, we are pleased to offer you a FREE e-mail account using our new
dot com now mail service. Because it's Web-based, you can use it in the
office, at home or on the road. You'll need the following information to
set up your account:
>>>>>>>>>>>>Login name: jericho
>>>>>>>>>>>>Password: jerichonsi
Please visit http://www.netsol.com/dotcomnowmail to review all the
features of dot com now mail and set up your account.
Thank you for choosing Network Solutions to launch and develop your
Internet identity. We look forward to serving you for many years to come.
Network Solutions, Inc. the dot com people
Copyright 1999 Network Solutions, Inc. Network Solutions is a registered
trademark. The following are trademarks of Network Solutions, Inc.: the
dot com people; dot com directory; dot com now mail. All rights reserved.
If you do not wish to receive e-mail from Network Solutions, click on this
e-mail address and type "remove" in the
subject line. PLEASE NOTE: by opting to be removed from this list we will
not be able to communicate to you, in real-time, on issues regarding your
account.
(c)opyright 1999, Brian Martin. Permission granted to reprint this
advisory in full for any non-profit purpose.
@HWA
32.0 Feds Approve GPS Tracking
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by TurTleX
The US Federal Communications Commission agreed on
Wednesday to allow cellular telephone companies to
include GPS technology in their phones. Some uses for
this will be to help lost travelers or provide directions to
a destination. The primary reason for this, however, is
to pinpoint 911 callers for emergency services. (Those
of us who are a little paranoid see a few other possible
uses. Glad I don't have a cell phone.)
Wired
http://www.wired.com/news/news/business/story/21781.html
Feds OK Cell Phone Tracking
by Joanna Glasner
3:00 a.m. 16.Sep.99.PDT
Cell phone users of the future many never have to get lost or deal with the
embarrassment of asking for directions. But if they ever need help, police
and paramedics won't have trouble tracking them down.
On Wednesday, the US Federal Communications Commission agreed to allow mobile
phone companies to distribute handsets equipped with global positioning
satellite, or GPS, technology that pinpoints the location from which a call
is made.
FCC officials said GPS-equipped handsets will help authorities get to the
scene of emergencies faster by tracing the source of 911 calls from mobile
phones. Currently, police and paramedics don't always arrive at the scene as
fast as they might without detailed information about a wireless caller's
location.
Manufacturers said the technology could also have commercial uses, like
providing directions to drivers or access to local Yellow Pages.
GPS technology, which uses an embedded device in a handset to transmit
location information to a satellite, is one of two main technologies used
for tracking the source of mobile phone calls.
Cellular providers can also derive location information by triangulating the
location of the base station and antenna nearest to the caller.
But technologies for placing the location of cell phones have raised the
hackles of privacy advocates, who say the technology can be used to track
users without their consent.
Advocates of the GPS system argue users can avoid surveillance by switching
off their GPS units.
Steve Poizner, chief executive of SnapTrack, a company that develops GPS
systems for wireless handsets, said many carriers are leaning toward the
satellite technology. Getting FCC approval was the last major hurdle in the
way of a commercial launch.
"Everyone has had a wait-and-see posture," Poizner said. "We expect to see
pretty rapid deployment now."
The company is planning its first commercial rollout in Japan later this year,
and hopes to launch in the United States in the second half of 2000.
@HWA
33.0 Student Sentenced to Five Weeks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
Four students of North View Secondary in Singapore
shoulder surfed a password from a teacher two years
ago. Some of those students then used that password
for their own use. One student, no longer in school, has
been sentenced to five weeks in jail, another is awaiting
sentencing.
The Strait Times
http://www.straitstimes.asia1.com/cyb/cyb1_0917.html
Students stole Net password in class
One of them gave the password to a friend, so that
the friend could access the Internet on the school's
account
FOUR students of North View Secondary peeped over
a teacher's shoulder when he was logging on to the
Internet two years ago, and memorised the password
for their own use.
One student also gave the password to a friend, so that
the friend could access the Internet on the school's
account.
All of them are no longer at the school.
Yesterday, one of the students involved, and the youth
who was given the password admitted securing
unauthorised access to a computer account.
The youth, NSman Koh Chee Siang, 20, was sentenced
to five weeks in prison.
One of the students who got hold of the password,
Adam Cheang Mohamed Khairi, 17, will be sentenced
on Wednesday. Cheang first stole the password and
used it himself.
After the passwords were changed, he conspired with
three others to steal a new password.
Deputy Public Prosecutor Christopher Ong told the
court yesterday that in 1996, the head of North View's
information technology department, Mr David Chia
Hock Boon, had applied to subscribe to three Internet
accounts for the school.
Two would be used by students and one would be used
by staff.
The students did not have free access to these accounts.
They had to ask Mr Chia for permission. Then he would
personally enter the password and log in, and let them
use the computer.
In November 1996, Cheang requested permission.
Mr Chia agreed and logged on to one account.
Cheang peeped over Mr Chia's shoulder and
memorised the password used.
He then made use of the account on several other
occasions to access the Internet.
In January 1997, Mr Chia changed the password for all
three of the school accounts.
About a week later, Cheang conspired with three other
North View students to get the new password by the
same method.
One of them then gave the password to Koh, a former
North View student, who used it to access the Internet.
In mitigation yesterday, Koh's counsel said that his client
started on Internet relay chat in 1996, when he first
became a subscriber.
A year later, Koh told his friend, one of Cheang's
accomplices, that he had stopped going on IRC because
it was getting too expensive. That friend then gave him
North View's password so that he would not have to
pay for Internet access, the lawyer added.
He asked the court to be lenient with Koh, saying his
client had used the password illegally only to chat with
his friends, and not for illegal purposes.
The cases of the other two boys allegedly involved in
this incident will be mentioned on Wednesday and
another is expected to be dealt with on Sept 30.
ILLEGAL ACCESS
Koh Chee Siang, 20, was given the password for North
View Secondary's Internet account by a friend.
Koh had told the friend that he had stopped going on
IRC chats because it was getting too expensive.
Koh, a former North View student, was sentenced to
five weeks in prison.
@HWA
34.0 Stupid Mistakes Worse than Viruses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
A poll of 300 Microsoft Windows NT administrators found
that 88 percent claimed accidental deletions of
computer files by in-house workers caused more
problems than viruses. Only 3 percent of the
administrators said viruses were a major problem.
Chicago Tribune
http://www.chicago.tribune.com/tech/specialreport/article/0,2669,ART-34595,FF.html
Electronic data loss:
malice or missteps?
By Darnell Little
Tribune Staff Writer
September 17, 1999
Worried about computer
viruses like Toadie,
ExploreZip and Melissa?
Maybe you shouldn't be. When it comes to electronic
data loss, malicious viruses are no match for the daily
missteps of average computer users, according to a
recent poll.
Out of the 300 Microsoft Windows NT administrators
surveyed in the study, 88 percent said accidental
deletions of computer files by in-house workers caused
most of their headaches, while only 3 percent said
viruses were a major problem.
"There is a tremendous amount of media coverage on
viruses and the amount of damage that viruses can
cause, but even in some of the oldest studies that I've
pulled up, viruses only account for 3 to 7 percent of all
data loss," said Phil Proffit, director of research for
Broadcasters Network International, the
California-based market research firm that conducted
the study earlier this summer.
"I can understand why the media covers viruses so
much, it's a sexy topic," Proffit said. "And yet there is
this vastly larger amount of data and productivity being
loss due to accidental deletions. If we try to place a
dollar value on it, it would just be billions and billions of
dollars being lost in terms of productivity."
The poll focused only on Windows NT because of the
operating system's growing popularity among business
users and because there is a general belief among system
administrators that Windows users are less technically
adept than users on other operating systems, according
to Proffit.
"Unix users tend to be better educated than NT users,"
he said. "And uneducated users are the single largest
source of accidental deletions. It's just that on
Unix-based systems, either the system administrators
have been more clever about how they protect certain
critical files on servers or the users themselves tend to be
a bit more educated on exactly what the program can
and can't do.
"This isn't to say that educated users aren't making
mistakes. But the uneducated user is a greater risk on
NT systems because they have the Recycle Bin sitting
there and they think, 'Great, if I make a deletion it's
caught, it's not a big deal.'"
Microsoft's Recycle Bin, however, doesn't provide
equal protection to every type of computer file on a
network system. If a Windows user deletes a file on a
local hard drive, the file goes into the Recycle Bin and
stays there until the user manually empties the Bin. Until
the Bin is emptied, all deleted files in the Bin can be
easily recovered.
But data deleted from within an application program or
files deleted from a network drive don't go into the
Recycle Bin, and many NT users learn this fact the hard
way, Proffit said.
"I also found an amazing degree of ignorance about
programs that would handle accidental deletions on NT
networks," he said. "Many people are unaware of
utilities from Symantec or Executive Software that could
help un-delete files.
"A lot of people rely on tape backups, but trying to find
the tape backup that might contain some version of the
file that was deleted is a bit like jumping into the space
shuttle to go to the grocery store. It's just a tremendous
amount of work, and in many cases we found that a lot
of times the backups failed."
The susceptibility of NT networks to accidental data
loss is the shared fault of both NT administrators and
Microsoft, according to Antony Chen, vice president of
Advantage Consulting and Technologies in Ann Arbor,
Mich.
"People who are running Windows environments just
don't seem to educate their users enough about the type
of power they wield and how not to step on their own
feet," Chen said. "So you end up with user madness,
they just don't know any better. They go and delete stuff
and they empty the Recycle Bin and they just don't think
about it."
But Microsoft contributes to the problem in the way that
NT systems are designed to be set up, Chen said.
"When you create a new file system in Unix, it basically
gives all the users no rights whatsoever and you actually
have to install the rights. In NT, it's the other way
around. Everyone has got access to everything and then
you've got to lock it down."
Although the Unix method is more work, it forces the
system administrator to manually give the appropriate
access privileges to each user, Chen said. Unfortunately,
since NT administrators can skip this step, many do and
NT users often end up with more usage rights than they
really should have.
"(Microsoft) thinks that, at first, you should just give
everyone access to everything. The problem with that is
it creates data-loss situations," Chen said.
Accidental data loss can, however, happen quite
frequently on other operating systems besides NT,
according to Edward Garcia, the management
information systems manager for Datalogics, a
Chicago-based publishing software firm.
Garcia manages more than a dozen different operating
systems at Datalogics, and he's seen even vaunted Unix
users destroy data through careless mistakes.
"People will issue command line commands and forget
where they are in terms of directory structure," Garcia
said. "So they do a delete *.* and they wind up deleting
their whole home directory. That's basically where most
of our restores happen. I'm surprised it doesn't happen
more.
"Or you do a copy command on a Unix system, and
there's something that already exists with the same name
in the location you're copying to. Unix doesn't ask if you
are sure you want to overwrite it, it just does it."
Datalogics also suffers from too many users having too
much access to network drives and files, Garcia said.
But having a nearly wide-open system was a corporate
decision, not a technical one.
"It's kind of crazy, but we feel -- at least the
management feels -- that it's not worth it to risk
hindering somebody from getting their job done as a
result of security. I cringed when I first heard that, but
we're kind of wide open here. And that's where
inadvertent mistakes such as deletions really come back
to haunt you, because somebody shouldn't have the
rights to delete an entire shared folder. But because we
like to leave it open that type of a situation happens."
But of all the issues confronting Garcia as a manager of
multiple networks, he says viruses barely qualify as a
minor nuisance.
"I've lost zero data as a result of viruses. I have never
been bit by a virus so badly that an anti-virus software
package couldn't fix it for me."
@HWA
35.0 'Hackers' Equal Global Terrorists In '23'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
A new movie by Hans-Christian Schmid entitled '23' uses
the stereotypical, media perpetuated image of the
'hacker' as a small-time gangster and global terrorist.
Supposedly based on true events, "23" details how two
anti-nuclear protesters break into computers, steal data
and later sell it to the KGB. (Yeah, I'll wait in line to see
this drivel.)
The Boston Phoenix
http://www.bostonphoenix.com/archive/movies/99/09/16/23.html
"23"
Why have so many notorious political assassinations or elections
occurred on the 23rd of the month? Why do Masonic symbols appear
on US currency? Why is information more important than wealth?
Hans-Christian Schmid's German thriller makes clever use of the
writings of Robert Anton Wilson, whose Iluminatus trilogy explores
the web of secret societies that rule the world as we know it.
Karl Koch and his pal David are 19 years old in 1985: phone phreaks
and computer hackers involved with anti-nuclear protesters. They meet
a couple of small-time gangsters who arrange to sell their information
to the KGB. Drunk on power, high on drugs, and obsessed with conspiracy
theory, Karl and David take to their life of cyber-crime like ducks to
water. Later a TV network wants to buy their story, and Karl, who has
become a coke and speed addict, manages to hack into the security system
of a nuclear facility. But he's being followed by cops, and he's
increasingly paranoid and out of touch with reality, seeing occult
significance in news headlines and secret agents around every corner.
Remember the '80s? People snorted coke on dashboards, Reagan sold
weapons to Qaddafi, computers were as big as fridges, and a small
brotherhood of geeks with PCs infiltrated the political and economic
infrastructure. Based on true events, "23" follows the maze of discovery
that made hackers into global terrorists and suggests a terrifying
explanation for the Chernobyl disaster. Using lots of claustrophobic
slow motion and fuzzed edges, Schmid crafts a slice of history so surreal
it seems a fairy tale -- and so plausible it must surely be our future.
-- Peg Aloi
@HWA
36.0 STEALTH SOFTWARE RANKLES PRIVACY ADVOCATES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 18th September 1999 on 2:30 am CET
A super stealthy software covertly monitors all keyboard and application activity, then
invisibly e-mails a detailed report to the employees' boss. The newly upgraded
software, Investigator 2.0 from WinWhatWhere, runs silently, unseen by the end-user
as it gathers exacting details on every keystroke touched, every menu item clicked,
all the entries into a chat room, every instant message sent and all e-commerce
transactions. While it bolsters IT's ability to monitor workplace computer usage, it
troubles privacy advocates who are claiming that workplace electronic monitoring
calls out for new privacy legislations. Story.
Stealth Software Rankles Privacy
Advocates
(09/17/99, 5:19 p.m. ET)
By Stuart Glascock, TechWeb
A super stealthy software covertly monitors
all keyboard and application activity, then
invisibly e-mails a detailed report to the
employees' boss. While it bolsters IT's
ability to monitor workplace computer
usage, it troubles privacy advocates.
The newly upgraded software, Investigator 2.0 from
WinWhatWhere, runs silently, unseen by the end-user
as it gathers exacting details on every keystroke
touched, every menu item clicked, all the entries into a
chat room, every instant message sent and all
e-commerce transactions.
"You get shocking detail," said Richard Eaton, president
of WinWhatWhere, in Kennewick, Wash.
In one client case, a large grocery store chain suspected
an employee was wrongfully taking information.
Management installed the software and discovered the
suspect employee was saving accounting information
onto a diskette. In other cases, employees have been
busted for taking client lists and sales leads.
WinWhatWhere Customers have included sensitive
government agencies, private investigators, a trucking
company, a tool and die company, a penitentiary, a
dentist, and several libraries. Specific customers have
included the U.S. State Department, the U.S. Mint in
Denver, Exxon, Delta Airlines, Ernst & Young, the U.S.
Department of Veteran Affairs, and Lockheed Martin.
"People buying it the most are people in corporations
who need it because they suspect something is going on
in a department, so they put on a computer for a small
amount of time," Eaton said.
While it may sound Orwellian,
electronic monitoring can serve
a purpose, said Jan Kallberg,
chief operating officer of
CyberDefense, a New York
company specializing in
protecting corporate digital
assets.
"It can be a good thing if the
rules are set and everybody
knows the policies, then it eliminates the risk that
someone gets blamed who is without any guilt," he said.
It is not surprising that major employers are concerned
about employee computer use, but monitoring all their
keystrokes is frightening, said Lou Maltby, ACLU
director of employment rights.
"Employers who practice this kind of monitoring don't
have a clue as to what they are getting into," Maltby
said. "People now turn to the Web for all kinds of
information, including information about the most
sensitive personal issues imaginable. If you are a
member of [Alcoholics Anonymous], 20 years ago, you
went to a meeting. Today, you are just as likely to talk
to your support group over the Web. The same is true
for incest survivors and people who are HIV positive. If
you want to pry into your employees' deepest, darkest
secrets, there couldn't be a better way."
Workplace electronic monitoring calls out for new
privacy legislation, Maltby said, adding it is illegal for
employers to listen in on an employee's telephone call to
a spouse. But the same conversation over e-mail could
be read and posted on a bulletin board. No legislation
to address the issue is currently pending.
Privacy concerns aside, most corporations need
protection, and not just from people who are hacking
into their network, but from people working inside the
firewall, Eaton said.
"If it is used incorrectly it is horrible," Eaton said." If you
put it on with no suspicion or reason, that's wrong. But
if you suspect something is going on your equipment,
you have every right to do this."
Pricing runs from $99 for a single user to $5,500 for
site licensing.
@HWA
37.0 SOPHOS: TOO MUCH VIRUS SCAREMONGERING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 17th September 1999 on 8:30 pm CET
UK company Sophos has laid into arch anti-virus rivals Network Associates and
Symantec for "virus scaremongering". Sophos, quoting recent statements by
collegues Network Associates and Symantec, warned that with many businesses
deeply concerned about Y2K, confusing statements from anti-virus companies
trivialise the virus issue and damage the credibility of the industry as a whole.
17 September 1999
Too much virus scaremongering, says
vendor
by Jo Pettitt, VNU Newswire
Anti-virus vendors are falling into yet another
spat, this time about whether the millennium
poses a severely increased risk of virus
attacks.
UK company Sophos has laid into arch
anti-virus rivals Network Associates and
Symantec for "virus scaremongering", claiming
that in a recent interview, the chief
researcher at Symantec said there might be
up to 200,000 new viruses written especially
for the millennium.
In addition, it said that Network Associates
has set up a Web site warning of virus threats
which, according to Sophos, are not in the
wild and are never likely to be.
Sophos warned that with many businesses
deeply concerned about Y2K, confusing
statements from anti-virus companies trivialise
the virus issue and damage the credibility of
the industry as a whole.
Graham Cluely, Sophos senior technology
consultant, commented: "Predictions of this
type are unhelpful. We are surprised to see
anti virus companies trying to capitalise on
Y2K worries."
Executives at Symantec said Sophos had
taken its comments out of context.
Kevin Street, Symantec technical director,
commented: "What he meant was that there
could be between one and 20,000 new
viruses, but the numbers aren't what matter.
What matters is that we are prepared."
He added: "There will be a great temptation
for virus writers to be the one to write the
first Y2K virus to get the attention."
David Emms, product manager at Network
Associates, said the company's new Web site
had been set up in response to customer
requests.
"We have put the information up there
because people are concerned," he said.
He added: "We don't know exactly what the
numbers of viruses will be yet, but it is most
likely that virus writers will tack on to Y2K
because of the date."
To comment on this story email
newswire@vnu.co.uk
Article from» News Wire
©1999
VNU Business Publications
<LONDON UK>
@HWA
38.0 CRYPTO BREAKER TELLS PROGRAMMERS TO WISE UP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 17th September 1999 on 8:10 pm CET
Sun senior staff engineer Alec Muffett told an audience of developers at Sun's ".com"
conference and exhibition in London on Thursday that businesses using strong
encryption, such as RSA, had to be aware of developments like the recently broken
512-bit keys in the latest RSA challenge and cycle their keys often; especially banks
that adopted 512-bit crypto in the 1980s to protect long-term information such as
mortgage databases. "You must think ahead," he said. "Use cryptography not only
against people like me, here and now, but people who come after me in 10, 15, 20
years time." Techweb.
Crypto Breaker Tells Programmers
To Wise Up
(09/17/99, 1:56 p.m. ET)
By Madeleine Acey, TechWeb
Since the recent breaking of an RSA 512-bit
encryption key -- the kind used by many
banks -- IT managers should think
longer-term about how to protect data with a
long shelf-life, said one of the team that won
the latest RSA challenge.
Sun senior staff engineer Alec Muffett told an audience
of developers at Sun's ".com" conference and exhibition
in London on Thursday that businesses using strong
encryption, such as RSA, had to be aware of
developments like this and cycle their keys often;
especially banks that adopted 512-bit crypto in the
1980s to protect long-term information such as
mortgage databases.
At the time, breaking 512-bit keys "wasn't something a
band of mere mortals could do," Muffett said, but things
had changed. The self-described "band of like-minded
geeks" took just a few days to crack the required
155-digit number using Cray supercomputers and spare
capacity on an Amsterdam university's PCs.
"You must think ahead," he said. "Use cryptography not
only against people like me, here and now, but people
who come after me in 10, 15, 20 years time."
A Giga Information Group spokesman said many banks
used outside technology experts to look after certain
aspects of their security, but there was a range of
different levels of awareness.
"It's a constant game of using advances in technology to
stay ahead of advances in technology," the spokesman
said. "Not everyone is up to speed."
As well as foresight, IT decision makers also needed
the support of thoughtful programmers, Muffett said.
They had a responsibility to not program "silly things"
into software in the first place when it came to security.
"Passwords of only one to eight characters are very
silly," he said, and have been since the 1970s.
"How many of you still have 1234 as the password for
your voice mail?" said Geoffrey Baehr, Sun's chief
networking engineer, sharing the stage with Muffett.
"We as engineers have done a terrible job."
"I've definitely heard complaints on that from experts,"
the Giga Information Group spokesman said.
The panel, including Sun's chief scientist John Gage,
took the opportunity to attack rival Microsoft.
"The best thing you can do is run a secure OS," Baehr
said. "No one system can be stronger than the weakest
point."
"'That's it,' some countries say. 'We cannot accept
black box OSes that feed back information," said Gage,
referring to the key labeled "NSA KEY" discovered in
Windows, which Microsoft denied was a backdoor for
the U.S. National Security Agency.
"If you want a solid place to stand, it's good to be able
to see everything," Muffett said.
The Giga Information Group spokesman said the IT
research company had found that "regardless of
whether it's an espionage key, it definitely has harmed
Microsoft overseas".
@HWA
39.0 REPORT URGES TOUGH NET STALKING LAWS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 17th September 1999 on 1:05 am CET
Federal and state laws should be strengthened to help curb the growing problem of
online stalking, a U.S. Justice Department report recommends. Two-thirds of states
have no laws on the books that explicitly cover stalking on the Internet or through
other electronic communications means, the report found. And federal law ought to be
amended to make it easier to track down "cyberstalkers," it said.
Report urges tough Net stalking laws
SACRAMENTO, Calif. (AP) - Federal and state laws should be
strengthened to help curb the growing problem of online stalking, a U.S.
Justice Department report recommends.
Two-thirds of states have no laws on the books that explicitly cover
stalking on the Internet or through other electronic communications means,
the report found. And federal law ought to be amended to make it easier
to track down ''cyberstalkers,'' it said.
''As more and more Americans are going online
-- particularly our children -- it is critical that they
are protected from online stalking,'' said Vice
President Al Gore, who requested the report in
February and was to release it in California on
Thursday.
''Cyberspace should be a place for learning and
exploration, not a place for fear,'' he said in
remarks prepared for a meeting in San Diego
with victims of online stalking and their family
members.
The report surveyed steps that law enforcement, online industries, victims
groups and others are taking to crack down on cyberstalking, and
explored whether existing laws are adequate to combat a problem it
contends is on the rise.
Internet service providers, which link users to e-mail and the World Wide
Web, report a growing number of complaints about harassing and
threatening behavior online, it said. The head of the sex crimes unit in the
Manhattan District Attorney's Office reported that about 20% of the unit's
cases involve cyberstalking.
The report cited several chilling examples.
In one case, a Los Angeles security guard terrorized a woman who
rejected his romantic advances by posting online messages that she
fantasized about being raped, and listed her phone number and
address. On at least six occasions, sometimes in the middle of the
night, men knocked on her door saying they wanted to rape her.
A San Diego man sent more than 100 e-mail messages to five
female students at the University of San Diego and the University of
California, San Diego last year. They included death threats, graphic
sexual descriptions and references to the women's daily activities,
prosecutors said.
Federal law enforcement officials have reported many cases in
which pedophiles have made advances to children through online
chat rooms and later made contact with the children, the report
said.
Technology allows some stalkers to harass victims anonymously, it said.
The report recommends that all states review their laws to ensure they
prohibit and provide ''appropriate'' punishment for stalking through the
Internet and other means of electronic communication, including pagers.
California recently amended its stalking statute to cover cyberstalking.
Last year President Clinton signed a bill into law that protects children
from online stalking. But the report said the law should be expanded to
outlaw interstate or international communication made with the intent to
threaten or harass another person.
Such new laws should include stiffer penalties when victims are minors, the
report said. And federal law should make it easier for law enforcement to
track down cyberstalkers.
The report cited as a hindrance the Cable Communications Policy Act,
which bars investigators from obtaining cable subscriber records without a
court order and advance notice to the subscriber.
@HWA
40.0 CODEBREAKERS AND PHONE-SPIES TARGET CRIME ON THE INTERNET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Thursday 16th September 1999 on 7:10 pm CET
Here's more on the UK forming of a cybercrime unit tapping data streams and
breaking codes for surveillance sake. Tapping proposals outlined in a Government
consultation document call for the monitoring of one in every 500 telephone
connections to the Internet to extend the Governments surveillance powers to the
Web. According to a report in The Economist today, it would require the Home
Secretary to issue 10,000 tapping warrants a year, five times the current level of
authorisations.
Codebreakers and
phone 'spies' target
crime on Internet
By Robert Uhlig
ONE in every 500 telephone connections to the internet
is to be monitored under Government proposals to
extend surveillance powers to the Web.
The plans are outlined in a Government consultation
document and require internet service providers to have
facilities to intercept one telephone line in every 500 that
they operate.
The tapping proposals represent a considerable increase
in police powers and a capacity roughly 20 times the
level required in other European countries. According to
a report in The Economist today, it would require the
Home Secretary to issue 10,000 tapping warrants a
year, five times the current level of authorisations.
Using such tapping facilities, the police and intelligence
agencies will be able to harvest raw data streams
containing private e-mail or text and pictures. Jack
Straw, the Home Secretary, has argued that law
enforcers need to improve their ability to intercept
communications between terrorists and criminals.
The Home Office claims law enforcers now have few
powers to fight the increased use of encrypted messages
on the internet to arrange drugs deals or pass on
paedophile images.
To sift through the vast quantities of tapped data the
Government is also to set up a £20 million specialist
code-cracking unit using staff from the Government's
communications centres at GCHQ, the National Criminal
Intelligence Unit and code-breakers recruited from the
private sector.
But even the code-breakers admit that current encrypting
technologies would take the most powerful computers
several weeks to crack, by which time the information is
likely to be redundant. The unworkability, cost and
technical ignorance encompassed by the proposals have
united the internet industry with privacy campaigners.
Demon Internet, Britain's third largest service provider,
estimates that the switches and infrastructure required by
the intercept proposals would cost them more than £1
million initially and up to 15 per cent of their infrastructure
costs to upgrade the facilities every year. Richard
Clayton, Demon's Internet adviser, said: "If the
Government wants this information they should pay for
it."
Tim Pearson, chairman of the Internet Service Providers
Association, said his members were concerned by the
extension in state and police powers being requested.
Malcolm Hutty, director of Liberty, said the proposals
were "hideously expensive, technically unworkable and a
threat to civil liberties."
He added that with such a tapping system in place
"Government could be checking on people's tax returns
or anything else they fancy keeping an eye on."
@HWA
41.0 LAW ENFORCEMENT MAY BENEFIT FROM NEW CRYPTO POLICY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Thursday 16th September 1999 on 6:50 pm CET
The White House in a briefing today will announce what one administration official told
will be a "large" relaxation of encryption controls. This is a major victory from the
industries' and users' point of view, but there is another side to it. Key recovery is
expected to be a part of this proposal, something to which strong encryption export
supporters object. The key recovery program essentially guarantees law enforcement
officials a so-called "back door" to encrypted communications.
Newsbytes.
http://www.newsbytes.com/pubNews/99/136355.html
Law Enforcement May Benefit From New Crypto Policy
By Robert MacMillan, Newsbytes
WASHINGTON, DC, U.S.A.,
16 Sep 1999, 10:54 AM CST
Despite an initially jubilant reaction from the high- tech industry over the White House's anticipated
relaxation of its encryption export controls, the policy change could pave the way for more unfettered law
enforcement access to sensitive data.
The White House in a briefing today will announce what one administration official told Newsbytes will be a "large"
relaxation of encryption controls.
Stewart Baker, a member of the President's Export Council Subcommittee on Encryption, told Newsbytes that if the
administration allows an easing of regulations, it has a firm platform on which to petition Congress to pass its proposed
Cyberspace Electronic Security Act (CESA), which would give law enforcement agencies sweeping access to sensitive
communications.
"Key recovery is dumb even from the Justice Department's point of view," Baker said. "It's peculiar to say 'I really like your
industry and to encourage you I'm going to add costs and expose you to criminal liability.'"
Baker said that when the subcommittee made recommendations to the administration to change its encryption export
policies, "that was not on our list."
Attorney General Janet Reno, Defense Department official John J. Hamre, and several other administration representatives
are expected to announce that 64-bit encryption will now become the strongest mass-market algorithm level available, in
conjunction with the 33-nation Wassenaar Arrangement.
In addition, the administration is expected to make it easier for companies to export strongly encrypted products of an
unlimited algorithm length, subject to a one-time Commerce Department review.
The announcement is particularly important to the high-tech industry because it is getting itself heartily smacked in the
encryption products arena by other countries that don't have such onerous export restrictions.
Rep. Robert Goodlatte, R-Va., and his Democratic counterpart Zoe Lofgren, D-Calif., both are chief sponsors of the Security
and Freedom Through Encryption (SAFE) Act, which calls for a total stand-down on encryption export controls.
Goodlatte officials were not immediately available for comment, though he is expected to discuss the White House proposal
at a press conference later today.
Unfortunately for him, key recovery is expected to be a part of this proposal, something to which strong encryption export
supporters object. The key recovery program essentially guarantees law enforcement officials a so-called "back door" to
encrypted communications.
Kristin Litterst of Americans for Computer Privacy said the administration announcement is significant because House
Speaker Dennis Hastert, R-Ill., has said he wants SAFE to come to the House floor for a vote, but added that the ACP
wants to work with the administration to shape the regulations.
"The announcement is a real mixed bag from a privacy perspective," Center for Democracy and Technology (CDT) counsel
Alan Davidson said. "We've seen so many promises of broad relief that don't in fact protect people's privacy
It opens up a
very important new debate on the Fourth Amendment in cyberspace - under what circumstances the government should
have access to our most sensitive information."
Davidson added, however, that "If they follow through on their promise, this would be a real step forward. This would give
encryption users around the world much stronger privacy protection software."
A staffer for Senate Communications Subcommittee Chairman Conrad Burns, R-Mont., a stalwart supporter of strong
encryption exports, said that "It's great that (the White House supports) the need for encryption reform....but anything that
is going to allow the federal government to just creep in the back door of Americans' computers is just unacceptable to us."
As a supporter of Senate Commerce Committee Chairman John McCain's, R-Ariz., PROTECT Act, the staffer said that
Burns already has compromised his stance somewhat in deference to law enforcement, because PROTECT tends to fit in
more with the scope of Wassenaar.
He added that Burns is unwilling to give up more ground.
Baker said that the administration announcement "will substantially reduce, if not completely eliminate, any of the burden
associated with encryption controls, so it's a very big step and will probably take the issue off the table as a competitive
(subject)."
Nevertheless, the move seems to tie into the administration's desire to offer a gift to law enforcement now that it has tried to
please the high-tech industry.
Baker said CESA includes key recovery agent provisions, and allows law enforcement to ignore the privacy rights of criminal
suspects in searches for information. The proposed bill also would allow law enforcement to require companies to get
electronic information even in violation of privacy standards.
It also calls for sentencing guidelines to be drafted that would devise encryption crime penalties. "It sounds mildly harmless,
but in my view is potentially rather dangerous," Baker said. "That provision is too broad."
He also said that CESA puts no restrictions on the Justice Department's ability to "order companies to violate the laws of
other countries."
"You can imagine how a foreign country would feel if a local Internet service provider started hacking into their citizens'
computers at the order of the Justice Department," Baker said.
MORE TO COME
Reported by Newsbytes.com, http://www.newsbytes.com .
10:54 CST
Reposted 11:31 CST
(19990916/WIRES TOP, ONLINE, LEGAL, BUSINESS/WEBPOLICE/PHOTO)
@HWA
42.0 LIBELING AGAIN
~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Thursday 16th September 1999 on 3:45 pm CET
Attrition members reacted to latest John Vranesevich article (Loan Gunmen ==
HFG?). "Read on to see the obvious errors, illogical conclusions and outright libel
contained within the AntiOnline article. It is being quoted here within guidelines of
"Fair Use" quoting". http://www.attrition.org/news/content/99-09-15.001.html
Attrition Responds to More AntiOnline Allegations
Wed Sep 15 22:27:25 MDT 1999
ATTRITION Staff
(Official Press Release)
For almost five years, various members of the Attrition staff have fought
off unyielding attempts by AntiOnline and/or its staff to slander and
defame their characters. These countless accusations and libelous statements
have always come without a shred of proof from those making them. Time and
time again, Attrition meets these allegations with arguments citing each and
every log or mail needed to openly prove our claims. Just once, the staff of
Attrition would like to be maligned using reasonably founded proof.
The sickening irony in John Vranesevich and AntiOnline's malicious comments,
is that they come in the middle of them plagiarizing Attrition's mirrors
and other resources. In the past thirteen days,our logs have shown 13377 unique
hits from AntiOnline's "AntiBot" as it spiders our site and utilizes
our resources. For them to turn around and call us criminals, makes one wonder
if they are saying it purely to get media attention, supporting the people he
speaks ill of, or some sick hybrid of the two.
Read on to see the obvious errors, illogical conclusions and outright libel
contained within the AntiOnline article. It is being quoted here within
guidelines of "Fair Use" quoting. The original article is in white text,
Attrition comments are in red.
http://www.antionline.com/cgi-bin/News?type=antionline&date=09-13-1999&story=loan.news
Loan Gunmen == HFG?
Wednesday, September 15, 1999 at 15:27:48
by John Vranesevich - Founder of AntiOnline
September 13, 1998, The New York Times was broken into by a group
calling itself HFG, Hacking for Girlies. The attack, which the New
York Times claims cost them over $1 million in damages, falls almost
one year ago to the day of when the Nasdaq was broken into.
ABC News, C-span, The Drudge Report, and now the Nasdaq have all
fallen victim to a group calling itself "The United Loan Gunmen".
AntiOnline has reason to believe that this "new group", is actually
the HFG acting out under a new name.
[Consistant with a five year pattern of allegations and no proof to back
them, these conclusions are no different.]
Using concepts developed under its "Virtual Fingerprinting System",
AntiOnline has taken data from the recent United Loan Gunman hacks,
and compared it to data in its extensive databases of over 6,700
individual hackers. The results?
[This "Virtual Fingerprinting System" is nothing but a glorified hand-
comparison of two files, as illustrated below.]
Graphic Creation: Graphics created by members of the United Loan
Gunman match the style and technique as graphics developed by members
of HFG in September of last year. Several of these graphics also bear
resemblance in creation method to a Defcon 6 logo submitted by a known
individual, who's work also can be compared to several other attacks.
[False. A comparison of their HTML elements and attributes, visual style,
signatures and more, prove how inaccurate the above statement is. There is
practically no similarity between HFG and ULG graphics. Determine for yourself.
The Defcon 6 graphic referred to was designed well before HFG began their
defacement spree. This image was paraded before over 4,000 hackers at
the Defcon 6 convention in Las Vegas. The fact that a member of HFG
chose to emulate the graphic is inconsequential to this scenario. To suggest
otherwise without verfiable proof is to invite charges of defamation of
character. Look at ALL of the graphics in question, on the same page.
You make the determination.]
Content: Similar writing styles, political agendas, affiliates, and
attacks as hacks done in September of last year by HFG.
[False. The writing styles of both groups are quite different. Compare the
content in the ABC Hack (ULG) to that of the New York Times Hack.
Notice the use of "elite speak" and all caps in most of HFG's defacements.
This style is seen nowhere in the ULG mirrors.]
HTML: Matches in "free hand" creation style to hacks done by the HFG.
[Due to the fact that HTML is a markup language and lacks a header identifying
how it was created, one cannot assume anything about how a page was created
without the existance of appropriate META tags denoting the authoring tool used.
Furthermore, well over half the pages created by defacers are done free-hand.
Compare the radical differences in HTML style between the two groups. To claim
that there are similarities between the HTML of both groups is a gross assumption.]
Affiliation: "Attrition" members once again claim to have "spoken to"
the individuals involved with the recent attacks, just as they claimed
last year during the HFG hacks. Brian Martin, founder of Attrition,
[False. HFG sent a notification e-mail to Brian Martin along with over
twenty other people regarding their defacement. Likewise, the contact made
between ULG and Attrition staff was via IRC who have logs readily available
to any Federal law enforcement organization that makes a formal request as
mentioned in the warning on our mirror. In the statement made by AntiOnline,
the Attrition staff are being "jewelled." That is, they are being blamed for
a crime simply because they are the bearer of the news before others. This
is an ironic claim since AntiOnline has gained its reputation for doing exactly
the same thing. The only difference is the Attrition staff did not
admit to several felonies in their dealings with hackers. Attrition staff had no
foreknowledge of the victim of the intrusions and make it known that they are
aware such activity constitutes a felony.]
was raided in December of 1998 as part of an FBI investigation into
Hacking For Girlies (as reported by Forbes columnist Adam Penninburg).
[References to the December 1998 raid of Brian Martin are total innuendo and
counter the long-standing American concept of justice in which all are
innocent until proven guilty. Further, it should be noted that it has
been almost a year since the raid, no arrest warrant has been issued. That
in itself speaks volumes when observing how quick Federal law enforcement
has been recently in raiding and charging other hackers.]
Attack Method: Once again the methodology seems to be rather cloudy,
and other industry leaders are drawing similarities into the attack
styles (this could potentially become more clear as data from the
recent Loan Gunmen attacks surfaces from the individual
organizations).
[False. Industry leaders are not making such illogical conclusions. It has
been confirmed that at a minimum, four machines compromised by HFG were
Unix, (one of which was Solaris), and the operating systems of all four of
the servers compromised by ULG were either Windows NT4 or Windows NT5.]
Time: Just as before, attacks apparently done by the same group of
people, yet under different names, are spread far apart by almost a
year exactly.
[False. AntiOnline has not established that there has been any indication of
previous examples where one group turned out to be a second group just with
a different name.]
AntiOnline has been receiving more data from several other
organizations who are also investigating these similarities, and is in
the process of adding them to its catalog to be "fingerprinted".
[If this is true, then just like AntiOnline, their resulting information
is completely based on speculation and print such assumptions without
concrete evidence is a violation of journalistic ethics.]
Exact results of AntiOnline's investigations are leading to a
particular group of known hackers that AntiOnline has extensive
information on. For obvious legal reasons, that data is not being
disclosed to individuals outside of the law enforcement arena.
[Such statements should be closely examined by AntiOnline readers.
Attrition staff has recently obtained hard proof that Vranesevich
has continued to be involved in illegal activity, all in
the name of 'journalism'. See for yourself.]
For more information about "Hacker Profiling", read AntiOnline's Three
Part Special Report entitled:
"[6]How To Be A Hacker Profiler.
Related Information On AntiOnline:
[And see how easily these methods are countered in our piece called
"Debunking the Hacker Profiler".]
[7]What Hackers Head The Culture?
[Another example of Vranesevich's libel can be found in this article. Once
again, we have pointed out the errata and slander
in this piece.]
- Attrition Staff
The original Article from Anti-Online
Loan Gunmen == HFG?
Wednesday, September 15, 1999 at 15:27:48
by John Vranesevich - Founder of AntiOnline
September 13, 1998, The New York Times was broken into by a
group calling itself HFG, Hacking for Girlies. The attack, which the
New York Times claims cost them over $1 million in damages, falls
almost one year ago to the day of when the Nasdaq was broken into.
ABC News, C-span, The Drudge Report, and now the Nasdaq have
all fallen victim to a group calling itself "The United Loan Gunmen".
AntiOnline has reason to believe that this "new group", is actually the
HFG acting out under a new name.
Using concepts developed under its "Virtual Fingerprinting System",
AntiOnline has taken data from the recent United Loan Gunman
hacks, and compared it to data in its extensive databases of over
6,700 individual hackers. The results?
Graphic Creation: Graphics created by members of the United Loan
Gunman match the style and technique as graphics developed by
members of HFG in September of last year. Several of these graphics
also bare resemblance in creation method to a Defcon 6 logo
submitted by a known individual, whose work also can be compared
to several other attacks.
Content: Similar writing styles, political agendas, affiliates, and
personal attacks as hacks done in September of last year by HFG.
HTML: Matches in "free hand" creation style to hacks done by the
HFG.
Affiliation: "Attrition" members once again claim to have "spoken to"
the individuals involved with the recent attacks, just as they claimed
last year during the HFG hacks. Brian Martin, founder of Attrition,
was raided in December of 1998 as part of an FBI investigation into
Hacking For Girlies (as reported by Forbes columnist Adam L.
Penenberg).
Attack Method: Once again the methodology seems to be rather
cloudy, and other industry leaders are drawing similarities into the
attack styles (this could potentially become more clear as data from
the recent Loan Gunmen attacks surfaces from the individual
organizations).
Time: Just as before, attacks apparently done by the same group of
people, yet under different names, are spread far apart by almost a
year exactly.
AntiOnline has been receiving more data from several other
organizations who are also investigating these similarities, and is in the
process of adding them to its catalog to be "fingerprinted".
Exact results of AntiOnline's investigations are leading to a particular
group of known hackers that AntiOnline has extensive information on.
For obvious legal reasons, that data is not being disclosed to
individuals outside of the law enforcement arena.
For more information about "Hacker Profiling", read
AntiOnline's Three Part Special Report entitled:
"How To Be A Hacker Profiler".
http://www.antionline.com/SpecialReports/hacker-profiler/
@HWA
43.0 SECURITY A MANAGEMENT PROBLEM?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Thursday 16th September 1999 on 2:50 am CET
The next big issue after the year 2000 is the threat to computer security, said a
senior federal official whose job includes hacking into government systems to find
their vulnerabilities. "Like Y2K, computer security is a management problem," says
Keith Rhodes on a conference entitled "Defending Cyberspace: Enabling Electronic
Government", quoting weaknesses in engineering, operations, and management.
http://www.techweb.com/wire/story/TWB19990914S0014
Most Computer Attacks Come
From Organizations
(09/14/99, 1:46 p.m. ET)
By Mary Mosquera, TechWeb
ARLINGTON, VA. -- The next big issue after
the year 2000 is the threat to computer
security, said a senior federal official whose
job includes hacking into government
systems to find their vulnerabilities.
Although threats to computer security from somewhere
on the Internet capture more headlines, the most
successful government break-ins are from within, said
Keith Rhodes, director of the General Accounting
Office's computer and information-technology
assessment unit. Rhodes tests the security of federal
systems by breaking in from within the government and
from the Internet.
Like Y2K, computer security is a management
problem. "There was no emphasis on Y2K until
management took it seriously," Rhodes told a
conference titled "Defending Cyberspace: Enabling
Electronic Government," in Arlington, Va.
Computer-security threats come from non-malicious
hackers, such as teenagers breaking into systems for the
thrill, malicious attackers spreading viruses or wreaking
other havoc, industrial spies, and terrorists.
"Being a cybercop is like being a sheriff in the old
Arizona territory," Rhodes said.
Security is not just an issue for large federal or financial
systems, but for any company doing business online or
depending on email for communications.
Well-publicized viruses, such as the Melissa virus, took
their toll, albeit temporary, on businesses, including
Microsoft and General Electric, Rhodes said.
In sniffing out security vulnerability, Rhodes finds
weaknesses in engineering, operations, and
management. "Why protect a computer firewall when
you prop open the door to the computer room?"
Rhodes said. While it used to take Rhodes one hour to
break into government computers, it now takes three
minutes, he said.
Lessons to be learned from Y2K start with having good
personnel, Rhodes said. Similar to early in harnessing
national attention for Y2K, management is afraid to
disclose information about computer security for fear of
litigation or disturbing public confidence. Threats come
from not having enough competent personnel and the
inability to recognize if a crash is Y2K-related or a
break-in, Rhodes said. Organizations must take care
with whom they outsource major tasks, such as payroll,
and which personnel are given code to mission-critical
systems.
Myths about computer security can make organizations
complacent until they get creamed and need valuable
time to get back up, Rhodes said. Some believe
security is adequate if a single standard can be
developed, or a sole vendor or product fills all its
needs. "Public-key infrastructure is needed now,"
Rhodes said, adding "You won't be able to operate
without it."
"Attacks are faster and more bad software is being sold
with holes in it. And changing system software will still
present problems," Rhodes said.
Although systems can never be completely secure, a
company can protect itself by putting a value on assets
and deciding what it wants to protect, assure continuity
of operations with contingency plans, and form a
computer emergency response team that can protect
the system, detect attacks, and react to them.
Organizations should be willing to cooperate with law
enforcement when systems are attacked, Rhodes said.
Because of its size and importance, government is
experiencing increasingly more cyber attacks.
"Government must take the lead in defending
cyberspace," said Ben Miller, chairman of
CardTech/SecurTech, which promotes advanced smart
card and secure technologies.
Congress is recognizing the importance of computer
security by increasing agency budgets against
cyberthreats. However, funds are being taken from
other programs, Rhodes said.
@HWA
44.0 TROJAN IN FAKE MICROSOFT Y2K MAIL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 15th September 1999 on 11:40 pm CET
Antivirus experts are urging computer users not to open a year 2000 countdown
program that comes in the form of an e-mail sent by Microsoft. The "Y2Kcount.exe."
file is said to include a Trojan. Users who try to install the program will see a
message saying the Y2K counter was unable to install. It says: "Error!.. Password
protection error or invalid CRC32!." However, analysis of the program's installation
routine shows it already has connected to internal Windows files by the time it
displays the error message.
Beware Of Virus-Riddled Y2K
E-Mail
(09/15/99, 3:36 p.m. ET)
By Lee Kimber, Special To TechWeb, TechWeb
Antivirus experts are urging computer users
not to open a year 2000 countdown
program that comes in the form of an e-mail
sent by Microsoft on Tuesday.
The e-mail was not sent by Microsoft, and the enclosed
attachment is not a Y2K countdown program, but
rather a Trojan virus. If users attempt to open the
alleged program, the virus can install itself onto the
user's computer and then is capable of sending data and
information from that system across the Internet.
Microsoft did not return calls by publishing deadline
time.
Antivirus experts at Star Internet, a U.K.-based ISP,
along with Network Associates and Sophos, are
analyzing the e-mail attachment, called "Y2Kcount.exe."
Star has confirmed that the virus, which has been
named Count2K, originated in Bulgaria and has also
identified some key warning signs.
"It makes a lot of socket communications calls," said
Star antivirusprogrammer Alex Shipp. "There's also a
lot of file handle calls and keyboard handling calls."
Shipp said similar to the ExploreZip virus that
decimated corporate e-mail systems several months
ago, Count2K appears to have the ability to take files
from users' systems and send them across the Net. The
destination of the files or data has not yet been
determined by Star's virus experts. On Wednesday,
Network Associates antivirus experts confirmed
Shipp's findings.
Shipp's analysis has determined -- that like the
ExploreZip Trojan virus -- both are written in Pascal.
He also said the internal programming of two viruses
are very similar.
Users who simply open the e-mail but do not attempt to
load the Y2K program are in no danger from the virus.
Users who try to install the program will see a message
saying the Y2K counter was unable to install. It says:
"Error!..Password protection error or invalid CRC32!."
However, analysis of the program's installation routine
shows it already has connected to internal Windows
files by the time it displays the error message, Shipp
said.
"If you see that [message], you think it failed," said
Shipp. "By then, it has installed itself."
The message first raised eyebrows because of
awkward wording that didn't seem like it would come
from Microsoft. The accompanying message headers
also suggested that the e-mail passed through
CompuServe's e-mail system. No valid e-mail from
Microsoft should route through CompuServe.
Antivirus experts said they are working quickly to
develop a Count2K fix. Network Associates confirmed
that programmers in their antivirus labs are working on
a patch. Sophos has posted a warning on its website
alerting users that it is working on a patch. Star Internet
has already protected its 1,000 U.K. business
customers from the Trojan by installing a scanner on its
e-mail servers. The scanner looks for the Trojan's
unique signature.
@HWA
45.0 CERT ADVISORY CA-99-11-CDE
~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Wednesday 15th September 1999 on 7:12 pm CET
CERT (www.cert.org) released an advisory on several vulnerabilities in the Common
Desktop Environment. http://www.cert.org/advisories/CA-99-11-CDE.html
CERT® Advisory CA-99-11 Four Vulnerabilities in the
Common Desktop Environment
Original release date: September 13, 1999
Last revised: September 13, 1999
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
Systems running the Common Desktop Environment (CDE)
I. Description
Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE). These vulnerabilities are different from those
discussed in CA-98.02. We recommend that you install appropriate vendor patches as soon as possible (see Section III below). Until you can do so, we
encourage you to disable or uninstall vulnerable copies of the CDE package. Note that disabling these programs will severely affect the utility of the CDE
environment.
At this time, the CERT/CC has not received any reports of these vulnerabilities being exploited by intruders.
Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism
The ToolTalk messaging server ttsession allows independent applications to communicate without having direct knowledge of each other. Applications can
communicate through an associated ttsession which delivers messages via RPC calls between interested agents.
On many systems, ttsession uses AUTH_UNIX authentication (a client-based security option) by default. When messages are received, ttsession uses certain
environment variables supplied by the client to determine how the message is handled. Because of this, the ttsession process can be manipulated to execute
unauthorized arbitrary programs with the privileges of the running ttsession.
Vulnerability #2: CDE dtspcd relies on file-system based authentication
The network daemon dtspcd (a CDE desktop subprocess control program) accepts CDE requests from clients to execute commands and launch applications
remotely.
When a client makes a request, the dtspcd daemon asks the client to create a file that has a predictable name so that the daemon can authenticate the request.
If a local user can manipulate the files used for authentication, then that user can craft arbitrary commands that may run as root.
Vulnerability #3: CDE dtaction buffer overflow
The dtaction utility allows applications or shell scripts that otherwise are not connected into the CDE development environment, to request that CDE actions be
performed.
A buffer overflow can occur in some implementations of dtaction when a username argument greater than 1024 bytes is used.
Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION
There is a vulnerability in some implementations of the ToolTalk shared library which allows the TT_SESSION environment variable buffer to overflow. A setuid root
program using a vulnerable ToolTalk library, such as dtsession, can be exploited to run arbitrary code as root.
II. Impact
Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism
A local or remote user may be able to use this vulnerability to run commands on a vulnerable system with the same privileges of the attacked ttsession. For this
attack to work, a ttsession must be actively running on the system attacked. The ttsession daemon is started whenever a user logs in using the CDE desktop, or
upon interaction with CDE at some future point.
Vulnerability #2: CDE dtspcd relies on file-system based authentication
A vulnerable dtspcd may allow a local user to run arbitrary commands as root.
Vulnerability #3: CDE dtaction buffer overflow
A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges.
Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION
A local user may be able to exploit this vulnerability to execute arbitrary code with root privileges.
III. Solution
Install appropriate patches from your vendor
We recommend installing vendor patches as soon as possible and disabling the vulnerable programs until you can do so (or uninstalling the entire CDE package
if not needed). Note that disabling these programs will severely affect the utility of the CDE environment.
Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your
vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.
Appendix A. Vendor Information
Compaq Computer Corporation
Problem #1
CDE ToolTalk session daemon & ToolTalk shared library overflow
This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E, V4.0F and V5.0.
This patch can be installed on:
V4.0D-F, all patch kits
V5.0, all patch kits
*This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX.
This patch may be obtained from the World Wide Web at the following FTP address:
http://www.service.digital.com/patches
The patch file name is SSRT0617_ttsession.tar.Z
Problem #2
Compaq's Tru64/DIGITAL UNIX is not vulnerable.
Problem #3
CDE dtaction buffer overflow
This potential security problem has been resolved and a patch for this problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F.
This patch can be installed on:
V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1
*This solution will be included in a future distributed release of Compaq's Tru64/ DIGITAL UNIX.
This patch may be obtained from the World Wide Web at the following FTP address:
http://www.service.digital.com/patches
The patch file name is SSRT0615U_dtaction.tar.Z
Problem #4
CDE ToolTalk shared library overflow
See solution fix described in in Problem #1.
Fujitsu
Fujitsu's UXP/V operating system is not vulnerable to any of these vulnerabilities.
Hewlett-Packard Company
HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE patches previously recommended in HP Security Bulletins are not vulnerable to
vulnerabilities #2, #3, and #4.
All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability #1.
Patches are in progress.
IBM Corporation
All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and #4. AIX is not vulnerable to #2. The following APARs will be available soon:
AIX 4.1.x: IY03125 IY03847
AIX 4.2.x: IY03105 IY03848
AIX 4.3.x: IY02944 IY03849
Customers that do not require the CDE desktop functionality can disable CDE by restricting access to the CDE daemons and removing the dt entry from
/etc/inittab. Run the following commands as root to disable CDE:
# /usr/dt/bin/dtconfig -d
# chsubserver -d -v dtspc
# chsubserver -d -v ttdbserver
# chsubserver -d -v cmsd
# chown root.system /usr/dt/bin/*
# chmod 0 /usr/dt/bin/*
For customers that require the CDE desktop functionality, a temporary fix is available via anonymous ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z
Filename sum md5
=================================================================
dtaction_4.1 32885 18 82af470bbbd334b240e874ff6745d8ca
dtaction_4.2 52162 18 b10f21abf55afc461882183fbd30e602
dtaction_4.3 56550 19 6bde84b975db2506ab0cbf9906c275ed
libtt.a_4.1 29234 2132 f5d5a59956deb8b1e8b3a14e94507152
libtt.a_4.2 21934 2132 73f32a73873caff06057db17552b8560
libtt.a_4.3 12154 2118 b0d14b9fe4a483333d64d7fd695f084d
ttauth 56348 31 495828ea74ec4c8f012efc2a9e6fa731
ttsession_4.1 19528 337 bfac4a06b90cbccc0cd494a44bd0ebc9
ttsession_4.2 46431 338 05949a483c4e390403055ff6961b0816
ttsession_4.3 54031 339 e1338b3167c7edf899a33520a3adb060
NOTE - This temporary fix has not been fully regression tested. Use the following steps (as root) to install the temporary fix.
1. Uncompress and extract the fix.
# uncompress < cdecert.tar.Z | tar xf -
# cd cdecert
2. Replace the vulnerable executables with the temporary fix for
your version of AIX.
# (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
# (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
# (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
# chown root.system /usr/dt/lib/libtt.a.before_security_fix
# chown root.system /usr/dt/bin/ttsession.before_security_fix
# chown root.system /usr/dt/bin/dtaction.before_security_fix
# chmod 0 /usr/dt/lib/libtt.a.before_security_fix
# chmod 0 /usr/dt/bin/ttsession.before_security_fix
# chmod 0 /usr/dt/bin/dtaction.before_security_fix
# cp ./libtt.a_ /usr/dt/lib/libtt.a
# cp ./ttsession_ /usr/dt/bin/ttsession
# cp ./dtaction_ /usr/dt/bin/dtaction
# cp ./ttauth /usr/dt/bin/ttauth
# chmod 555 /usr/dt/lib/libtt.a
# chmod 555 /usr/dt/bin/ttsession
# chmod 555 /usr/dt/bin/dtaction
# chmod 555 /usr/dt/bin/ttauth
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on
FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/support/rs6000.support/downloads
or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs
for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last
update and list of individual fixes, send electronic mail to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line.
Santa Cruz Operation, Inc.
SCO is investigating these vulnerabilities on SCO UnixWare 7. Other SCO products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open Desktop 3.0
and CMW+) are not vulnerable as CDE is not a component of these releases.
SCO will make patches and status information available at
http://www.sco.com/security.
Silicon Graphics, Inc.
SGI acknowledges the CDE vulnerabilities reported and is currently investigating. No further information is available at this time. As further information
becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.
Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate
steps according to local site security policies and requirements.
The SGI Security Headquarters Web page is accessible at the URL
http://www.sgi.com/Support/security/security.html
Sun Microsystems, Inc.
Vulnerability #1:
Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX authentication mechanism (default) is
used with ttsession.
The use of DES authentication is recommended to resolve this issue. To set the authentication mechanism to DES, use the ttsession command with the
'-a' option and specify 'des' as the argument (see ttsession(1) for more information). The use of DES authentication also requires that the system uses
Secure NFS, NIS+, or keylogin. For more information about Secure NFS, NIS+, or keylogin, please see the System Administration Guide, Volume II.
Information is also available at:
http://docs.sun.com:80/ab2/coll.47.8/SYSADV2/@Ab2PageView/34908?DwebQuery=secure+rpc
Vulnerability #2:
The following patches are available:
CDE version SunOS version Patch ID
___________ _____________ _________
1.3 5.7 108221-01
1.3_x86 5.7_x86 108222-01
1.2 5.6 108199-01
1.2_x86 5.6_x86 108200-01
1.0.2 5.5.1, 5.5, 5.4 108205-01
1.0.2_x86 5.5.1_x86, 5.5_x86, 5.4_x86 108206-01
1.0.1 5.5, 5.4 108252-01
1.0.1_x86 5.5_x86, 5.4_x86 108253-01
Vulnerability #3:
The following patches are available:
CDE version SunOS version Patch ID
___________ _____________ _________
1.3 5.7 108219-01
1.3_x86 5.7_x86 108220-01
1.2 5.6 108201-01
1.2_x86 5.6_x86 108202-01
Patches for CDE versions 1.0.2 and 1.0.1 will be available within two weeks of the release of this advisory.
Vulnerability #4:
Patches will be available within two weeks of the release of this advisory.
Sun security patches are available at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pubpatches
The CERT Coordination Center would like to thank Job de Haas for reporting these vulnerabilities and working with the vendors to effect fixes. We would also like
to thank Solutions Atlantic for their efforts in coordinating vendor solutions.
This document is available from: http://www.cert.org/advisories/CA-99-11-CDE.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT® Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S.
holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
http://www.cert.org/
To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of
your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in
http://www.cert.org/legal_stuff.html
@HWA
46.0 HACKER PROFILER
~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Wednesday 15th September 1999 on 7:01 pm CET
John Vranesevich published his thesis on United Loan Gunmen. Combining his
"hacker profiler technique", he concluded: "Using concepts developed under its
"Graphics created by members of the United Loan Gunman match the style and
technique as graphics developed by members of HFG in September of last year".
His article - "Loan Gunmen == HFG?"
(found elsewhere in this issue, see LIBEL section 42.0)
@HWA
47.0 eDOCTOR GLOBAL NETWORK
~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Wednesday 15th September 1999 on 6:11 pm CET
Security software company Trend Micro Inc. today released new online virus scanning
service that builds virus protection directly into networks and e-mail systems. Service
is called eDoctor Global Network and you could find more information on it here
http://www.antivirus.com/corporate/default.htm
Trend Micro Announces eDoctor Global Network
September 14, 1999 Trend Micro Inc. today announced the eDoctor Global
Network, a worldwide Internet antivirus service initiative designed to provide a
better defense against Internet viruses. The eDoctor Global Network builds
malicious code protection right into the Internet infrastructure, enabling
customers to obtain virus protection as a value-added service from Internet
service providers, telcos, and managed service providers. By utilizing Internet
technology and partnering with Internet infrastructure providers and security
maintenance experts, the Trend eDoctor Global Network provides both home
and corporate customers with the highest level of virus protection, 24x7
support and information, and faster response to virus events. Global Network
Service Providers include Sprint, US WEST Breakwater Security Associates
and others.
@HWA
48.0 DEFAULT ISSUE 5 OUT
~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Tuesday 14th September 1999 on 7:37 pm CET
We have released fifth edition of Default newsletter. Topics in this issue are: Hit2000
report, Interview with v00d00, Want secure and encrypted e-mails?, Security audit
with our Mac Part-2/2, More from the ACPO front, Infection and vaccination, Watch
out for documents you publish on The Internet, Freedom of speech - related incidents,
Y2K survey for 72 countries and brief article on Journalism (see the story below). So
download default5.txt or default5.zip. If you want to get Default in your mailbox mail
majordomo@net-security.org with this message in the body - subscribe news
your@email.
@HWA
49.0 ANOTHER WANNABE HACKER CAUGHT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Tuesday 14th September 1999 on 7:24 pm CET
Another trojan user has been caught in Croatia. Denis Perisa (16) was questioned of
entering the home PC of a known politician in his country. He said that he just
wanted to snatch a connection password for Croatian ISP. Article was first published
in daily newspapers Vecernji list, but I had to react to the article. It was written very
badly and the purpose of the article was to modify his part in it. The plain trojan user
without any knowledge became a super-hacker. My comments to the article could be
seen here (Croatian language).
http://www.monitor.hr/security/clanci/denis.htm
@HWA
50.0 TROJANS - MODERN THREAT
~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Tuesday 14th September 1999 on 7:18 pm CET
SubSeven, Hack'a'Tack, Deep Throat, NetSphere are just couple of hundreds of
trojans that are cruising The Internet. German web site (www.heise.de) has a nice
article on trojans and their impact.
Read the article here http://www.heise.de/ct/english/99/17/088/
Norbert Luckhardt
Party Crashers
Danger from uninvited guests on the Windows PC
It was hardly possible not to hear the uproar triggered by the new Back-Orifice version. But there are several other less
known relatives of these hacker tools lurking in the Internet that are just as dangerous - no matter whether they are
called Trojan Horses, viruses or remote management tools.
The most prominent member of the backdoor family is probably Back Orifice 2000 (BO2K). Already one week before its 'birth' the
online media went into a reporting frenzy as if it was the unborn successor to the thrown of a cherished monarch. Up to now there
was much less commotion around SubSeven, Hack'a'Tack, Deep Throat, NetSphere and other cousins of the backdoor celebrities.
Nevertheless the analysts of the Data Fellows virus laboratories write about the SubSeven author Mobman: 'His backdoor is the
currently most advanced out there'. And also Network Associates (McAfee) attest a 'high risk potential' for SubSeven - while BO2K
is only recognizes as a medium-size danger.
Windows backdoors offer an attacker almost unrestricted access to the victims' computer - according to what is publicized again and
again. But this formulation is actually still not strong enough: Besides complete access to all files and system passwords such a 'remote
management access' also paves the road to the local network or Intranet with all the rights of the user. If the user has a multimedia
computer with camera and microphone he offers the attacker a monitoring station with picture and sound. There even are special
Websites that show pictures of Back-Orifice victims.
Encryption and security software are no real obstacles: The backdoor sends all keyboard entries to the attacker; they can also record
protocol functions while the user is offline. Together with secret keys or management information from the hard disk the attacker has
the same capabilities as the rightful user. The backdoors are generally able to start any software while hiding it - there are no visible
windows.
Changing entries in dialog boxes in the last second also seems possible: Just before the user sends off his transfer during homebanking
for example - PIN and TAN have already been entered - an attacker could principally lock the keyboard, blackout the screen,
quickly change the data on the fly and finish the transaction. Until the user gets a sobering look at his account statement he probably
would assume the whole thing only was a minor technical glitch...
The 'open' computer can also be used for downloads or remotely turned into a server that covers up the tracks of the attacker for
more - possibly criminal - activities: for example breaking into other computer systems or exchange and trading with illegal software
copies or pornography. Apart from that the hacker tools offer a variety of harmless functions that only serve the purpose of confusing
and annoying the user: switching mouse keys, mirroring the screen, opening and closing the CD-ROM drive, playing sounds, ending
or crashing Windows and so on.
In the early days of the backdoor servers a dial-up connection to the Internet provider still offered a certain protection. After all, the
attacker needed the IP address of the victim to connect with the parasitical software - and that address generally changes with every
call. However, today the advanced backdoor servers notify their owners via the communication service ICQ, IRC (Internet Relay
Chat) or via email and give them the IP victims as soon as their computer goes online.
From Redmond ...
Meanwhile there are more than a handful of universal very well camouflaged backdoors. Partially they try tricking their opponents the
virus scanners by changing shape or varying the data lengths. The anti-virus industry remains unfazed and says that the hacker
community is underestimating the capabilities of the scanner if they think that they will not be discovered. However, the pure amount
does bother the manufacturers: Almost 120 culprits are found on one single Website in the 'Black Library of Trojans' - 'The Trojans
Removal Database' (www.multimania.com/ilikeit/) lists more than 50 backdoors with standard file names and registry entries. The
motto for the virus laboratories is 'stay on it'. Contrary to the classic viruses that only do damage after some time, it does not help the
user to find out after two weeks that he has a backdoor problem - by then the damage is probably already done.
Unfortunately the virus scanners so far only fight half-heartedly against the threat from backdoor servers. The software recognizes
known Trojan horses (often just called 'Trojans' disregarding the historical events) and for the most part is also capable of deleting the
dangerous program files. But specific problems are often not taken care off: For example virus scanners investigate generally only
executable files with the usual file extensions - but during the start from the registry a backdoor server could also be called
'Readme.txt'... Additionally backdoors are usually not recognized during regular operation. Therefore the risk of overlooking Trojans
depends very much on the users' behavior - if he just relies on the standard settings of a virus scanner he is only protected
moderately.
Elaborate descriptions of the PC parasites are also hard to find - even if they are in the virus databases. The terminology is getting
more and more mixed up and makes the search more difficult than necessary. Up to one year ago the families were separated clearly:
remote management software allows system administrators and support personnel access to the computer without actually having to
sit in front of it. Trojan horses steal the passwords in the background or do other nasty things while the innocent user is deceived by
the façade of a more or less useful application or even just by an error message during the startup of the program. Viruses attach to
the files, multiply and wait to be spread by the user - and then come up with a nasty surprise sometime later.
And today? The unsuspecting user opens a backdoor to his system without realizing it while starting or installing a program - with lax
security settings it could happen by just clicking on a WWW page or reading an email (fortunately in this case several factors must
come together - so far more a theoretical threat). The backdoors nest in the Windows systems like a virus in a file, trigger hidden
actions like a Trojan and possess the same capabilities like remote management programs. For example 'Kuang2' is the first real file
virus that opens a backdoor to the file system - with only 11 KByte code. Luckily Kuang2 is not very widespread.
...to Troy
Initially the manufacturers of anti-virus software took the easy way out by classifying the backdoors as Trojans because of the hidden
functions. Strictly speaking this is not correct because the hacker tools do not do anything different than they claim to do - they are
only difficult to detect. The actual Trojans are the programs that an attacker uses to wrap up the backdoor so a user installs them
without knowing it. And there even is no need for programming - everything works with the toolbox principle: There is more than just
one hacker tool for linking events during the program start of Back Orifice and consorts to random useful or funny programs or
self-extracting archives without the need for any hex editor or previous knowledge.
The fact that the producers of anti-virus software increasingly add the new class 'backdoor' to their taxonomy will help to clarify
matters. Unfortunately the conventions and names of the PC parasites differ from distributor to distributor making it difficult to stay
informed - a synchronization of the names seems to become more and more impossible because of the sheer number of new entries.
On top of that the backdoor authors increasingly protest against the 'denigration' as Trojan Horses: they actually have a point by
saying that the 'official' tools for remote management can be installed in a certain way so the user does not notice it. The NetBus
people even accuse Symantec for ruining their business: Their tool is in direct competition with Symantec's PCAnywhere but the virus
scanner calls NetBus a Trojan leading to confusion among potential customers (also see our interview with C.F. Neikter).
The Back Orifice authors from the Cult of the Dead Cow (cDc) direct their criticism against Microsoft: On one side Bill Gates'
company condemns the cDc program as vicious because it contains 'camouflage functions that have no other purpose than to make it
more difficult to detect'. On the other side Microsoft writes in their security guide for their own remote management software: 'It is
possible to configure remote management in a way that there is never any proof of existing remote accesses'. Appropriate measures
have been take to satisfy certain customers. CDc calls this 'hypocritical'.
Side door
To declare the hacker tools as a 'totally normal' remote management program that could be misused is only half the truth, however:
Whether the risk of the authors implementing additional backdoors to their programs is higher than with software from commercial
distributors is yet another story. But at least the customer would stand a chance of winning when suing the latter for damages. On top
of that in many hacker tools it seems to be possible to supersede the password protection that is supposed to protect implemented
servers from unauthorized access.
The openly displayed source codes of Back Orifice 2000 offer a new quality: Everybody can convince himself that the backdoor is
not a real Trojan Horse as well. Evaluating the source code also decreases the probability of undetected implementation errors that
can lead to security holes - this is a competitive advantage to commercial software for remote management.
As long as the operating system does not offer any protection against unwanted programs and hidden functions the user can only use
the virus scanner to avoid backdoors. A manual search is almost impossible. We can only discourage from using any special solutions
against the backdoors: Firstly it is highly recommendable to have a virus scanner in the system anyway. And on top of that many
backdoor killers originate from hacker circles. The temptation of adding a few hidden functions should be fairly high.
The best protection against a PC parasite is a healthy portion of mistrust: To execute a program from an unknown source is like
crossing the street without looking left and right first. It is definitely not a good idea to start executable files that were send as an
attachment to email if the transfer was not explicitly arranged with the sender. This is also true for personal email - there is quite a
variety of viruses that automatically send out email with the name of the computer owner. And 'executable files' is becoming a wider
and wider expression with regards to macro-capable office documents and HTML mails with active content: If you not care about
the more colorful presentation or have confidential data on your computer you should rigorously ban active contents (ActiveX, Java,
Javascript, VBScript and so on) from mail client and Web browser.
In general if the backdoor is used it would probably look more like a cat-and-mouse game between the hacker and the home user.
However, one should not underestimate possible damage and the threat of criminal use.
We can only hope that for future operating system generations more thought is given to the question whether every program really
needs to have access to every resource of the computer. Until then only three things should be kept in mind: to be careful - but also to
use chip cards that at least protect secret key data, and to store data that need protection on non-networked computers. (nl)
Rainer Hansen
Moose test for Windows
NetBus Pro and how it happened
Since version 2.0 the former perfect Trojan example NetBus does not want to be called Trojan Horse nor backdoor but be
recognized as commercial software for remote management. What started out as hacker fun among friends wants to be all grown-up
now.
The 21-year-old programmer Carl-Fredrik Neikter caused a lot of commotion. The young Swede developed one of the first
programs that allows spying out a Windows computer in quite an easy fashion. With version 1.60 Netbus gained worldwide attention
because contrary to the first Back Orifice it also worked under Windows NT.
Neitker almost completely rewrote version 2.0 and added many functions and a sophisticated user interface. Therefore the author
does not just call it a spy tool anymore but experienced remote management software. At the same time NetBus changed from
Freeware to Shareware (12 US-Dollar). c't talked to Carl-Fredrik Neikter about background and history of the controversial tool.
c't: What are your motives behind NetBus?
Neikter: The NetBus 1.x versions were supposed to be a toy. When I noticed that the program is mainly used as a hacker tool I
decided to continue developing it into remote management software. It already had a few good features that suggested this direction.
There are already a few good remote management programs on the market. With the spy functions I wanted to carve out a special
niche for NetBus Pro. My plan is to also integrate real-time control functions like you would find for example in PCAnywhere or in
ReachOut. This would allow real-time interaction with other computers.
c't: How do you see NetBus in comparison to similar programs like Back Orifice or Socket de Troie?
Neikter: I reject any comparison between NetBus Pro and Trojan Horses - NetBus Pro is not a Trojan anymore and should not be
treated like one by anti-virus software either.
Read my Website (www.netbus.org) and you will understand that every program can be hacked and misused. NetBus Pro is in the
limelight and this can be a problem. But NetBus Pro is not the predominant program out there that can be misused. Look at the
macro problems with Microsoft Word and the recently discovered CALL security hole in Excel. Should anti-virus software not also
detect and 'disinfect' non-patched Word and Excel versions?
c't: Do you know about any serious damage resulting from your program?
Neikter: I do not have any statistics but I know that it was misused often. I received mail from angry people. I am afraid that hackers
that only wanted to destroy stuff logged on the systems. Unfortunately there are bad people everywhere.
c't: Have there also been questions from 'official' sides?
Neikter: Yes, a few. NASA and the US Air Force wrote to me. The security chief wanted more information about NetBus because
he was working on a presentation.
c't: Could NetBus not also be used for actual criminal purposes - for example for manipulating homebanking?
Neikter: I do not believe that there is a big threat of money being stolen from bank accounts, because online banking (at least in
Sweden) uses the same password only once. You enter your PIN code in a password generator and receive a code for logging into
the system or transactions. For every login or for every transaction you must generate a new code [annotation of the editor: in
Germany this is still pie in the sky.]
@HWA
51.0 IE5 BUG LEAVES COMPUTERS OPEN TO INVASION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Monday 13th September 1999 on 10:30 pm CET
Microsoft is warning users of its Internet Explorer 5.0 Web browser about a
vulnerability in IE 5's ImportExportFavorites that could let an attacker take the user's
computer hostage. This feature could allow a malicious Web site operator run
executable code on the computer of someone who visits that Web site. "The net
result is that a malicious Web site operator potentially could take any action on the
computer that the user would be capable of taking," warned Microsoft in a security
alert. More info. http://news.cnet.com/news/0-1005-200-117462.html?tag=st.ne.1002.thed.1005-200-117462
IE 5 bug leaves computers open to invasion
By Paul Festa
Staff Writer, CNET News.com
September 13, 1999, 9:40 a.m. PT
Microsoft is warning users of its Internet Explorer 5.0 Web browser about a security hole that could let an attacker
take the user's computer hostage.
The vulnerability is in IE 5's ImportExportFavorites feature, which lets users import and export lists of commonly accessed Web
addresses. The trouble is that the feature lets a malicious Web site operator run executable code on the computer of someone
who visits that Web site.
"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be
capable of taking," warned Microsoft in a security alert.
Microsoft said IE 5 users can disable Active Scripting to protect themselves pending the release of a patch. Scripting lets Web
authors run mini applications, or "scripts," on a visitor's computer that operate without the user's interaction. Scripting typically is
used on Web sites for functions like launching pop-up windows or scrolling text across the screen.
Microsoft posted a list of frequently asked questions, which includes instructions for disabling Active Scripting.
Microsoft acknowledged Bulgarian bug hunter Georgi Guninski for discovering the security hole. Guninski has been credited for
discovering numerous security holes in Microsoft and America Online's Web browsers, many exploiting unintended effects of Web
scripting capabilities.
Guninski reported a similar hole in IE two weeks ago. Microsoft patched yet another hole in IE's armor the same week.
@HWA
52.0 US OFFERS RUSSIA TO HELP TRASH ISLAMIC MILITANT SITES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Monday 13th September 1999 on 10:00 pm CET
The FBI has offered Russia a helping hand in cleaning up the Web from Islamic
militants fighting in Dagestan. According to a report by the BBC the Feds have offered
to trash Web sites set up by Islamic militants and "eliminate" them. Read (a bit)
more.
http://www.theregister.co.uk/990910-000023.html
Posted 10/09/99 3:33pm by Tim Richardson
US helps Russia trash Islamic militant Web sites
The FBI has offered Russia a helping hand in cleaning up the Web from Islamic
militants fighting in Dagestan.
According to a report by the BBC the Feds have offered to trash Web sites set up by
Islamic militants and "eliminate" them.
Although there has been no official confirmation it would not be the first time such
tactics have been used in international disputes.
Earlier this year it was reported that the CIA had been given the go-ahead by
President Clinton to wage a cyberwar against Yugoslav leader Slobodan Milosevic.
Tim Richardson
@HWA
53.0 RUSSIAN HACKERS REPORTEDLY ACCESSED US MILITARY SECRETS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Sunday 12th September 1999 on 11:00 pm CET
Russian hackers broke into U.S. government computers and may have snatched
classified naval codes and information on missile systems, Newsweek reported in its
latest issue. The weekly, quoting intelligence sources, said the suspects were elite
cyber-spooks from the Russian Academy of Sciences, a government-backed
organization which works with Russia's leading military laboratories. Newsweek
quoted one Pentagon official as saying this was "a state-sponsored Russian
intelligence effort to get U.S. technology," adding it was apparently the first such
attempt by Moscow. It further quoted Deputy Defense Secretary John Hamre as
saying: "We're in the middle of a cyber war."
Full story.
http://www.techserver.com/noframes/story/0,2294,92270-146247-1027890-0,00.html
Russian hackers reportedly accessed U.S. military secrets
Copyright © 1999 Nando Media
Copyright © 1999 Agence France-Press
From Time to Time: Nando's in-depth look at the 20th century
WASHINGTON (September 12, 1999 2:03 p.m. EDT http://www.nandotimes.com) - Russian hackers broke into U.S. government computers and may
have snatched classified naval codes and information on missile systems, Newsweek reported in its latest issue.
The weekly, quoting intelligence sources, said the suspects were elite cyber-spooks from the Russian Academy of Sciences, a
government-backed organization which works with Russia's leading military laboratories.
The hackers targeted computer systems at the Defense and Energy Departments, military contractors and leading civilian universities.
Pentagon officials, describing the intrusions as "sophisticated, patient and persistent," said they began in January and were almost immediately
detected by U.S. security agents who traced them back to computers in Russia and developed counter-measures, according to Newsweek.
But the cyber-spies were said to have quickly developed new tools that allowed them to penetrate undetected, although they at times left behind
electronic traces.
Newsweek quoted one Pentagon official as saying this was "a state-sponsored Russian intelligence effort to get U.S. technology," adding it was
apparently the first such attempt by Moscow.
The weekly said Washington had not yet protested to Moscow but quoted Deputy Defense Secretary John Hamre as saying: "We're in the
middle of a cyber war."
It said the security breach was so serious that the Pentagon had ordered its civilian and military employees to change their computer
passwords, the first time such a step has been taken.
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
O
0
o
O O O
0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
END of main news articles content... read on for ads, humour, hacked websites etc
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
HWA.hax0r.news
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
<a href="www.2600.com</a">http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="One">http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>
____ _ _ _ _ _
/ ___| ___ _ __ __| (_)_ __ _ _ ___ _ _ _ __ / \ ___ ___(_|_)
\___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | |
___) | __/ | | | (_| | | | | | |_| | (_) | |_| | | / ___ \\__ \ (__| | |
|____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_| /_/ \_\___/\___|_|_|
|___/
/ \ _ __| |_
/ _ \ | '__| __|
/ ___ \| | | |_
/_/ \_\_| \__| TOO, for inclusion in future issues
Do the HWA logo etc and we'll showcase it here to show off your talents...remember
the 80's? dig out those ascii editors and do yer best...
High Tech Computer Sales Jargon
NEW - Different color from previous design
ALL NEW - Parts not interchangable with previous design
EXCLUSIVE - Imported product
UNMATCHED - Almost as good as the competition
DESIGNED SIMPLICITY - Manufacturer's cost cut to the bone
FOOLPROOF OPERATION - No provision for adjustments
ADVANCED DESIGN - The advertising agency doesn't understand it
IT'S HERE AT LAST! - Rush job; Nobody knew it was coming
FIELD-TESTED - Manufacturer lacks test equipment
HIGH ACCURACY - Unit on which all parts fit
DIRECT SALES ONLY - Factory had big argument with distributor
YEARS OF DEVELOPMENT - We finally got one that works
REVOLUTIONARY - It's different from our competitiors
BREAKTHROUGH - We finally figured out a way to sell it
FUTURISTIC - No other reason why it looks the way it does
DISTINCTIVE - A different shape and color than the others
MAINTENANCE-FREE - Impossible to fix
RE-DESIGNED - Previous faults corrected, we hope...
HAND-CRAFTED - Assembly machines operated without gloves on
PERFORMANCE PROVEN - Will operate through the warranty period
MEETS ALL STANDARDS - Ours, not yours
ALL SOLID-STATE - Heavy as Hell!
BROADCAST QUALITY - Gives a picture and produces noise
HIGH RELIABILITY - We made it work long enough to ship it
SMPTE BUS COMPATABILE - When completed, will be shipped by Greyhound
NEW GENERATION - Old design failed, maybe this one will work
MIL-SPEC COMPONENTS - We got a good deal at a government auction
CUSTOMER SERVICE ACROSS THE COUNTRY - You can return it from most airports
UNPRECEDENTED PERFORMANCE - Nothing we ever had before worked THIS way
BUILT TO PRECISION TOLERANCES - We finally got it to fit together
SATISFACTION GUARANTEED - Manufacturer's, upon cashing your check
MICROPROCESSOR CONTROLLED - Does things we can't explain
LATEST AER0SPACE TECHNOLOGY - One of our techs was laid off by Boeing
@HWA
SITE.1
#1 http://www.in.tum.de/~pircher/anonymouse/
Anonymous Email, WWW and surfing. A sample of a message sent from the anonymous
replay remailer is included below. This message arrived with 15 minutes of me
sending it from the WWW. Check this site out before it gets closed down/becomes
pay.
Email sent using the remailer;
Return-Path: <remailer@mail.replay.com>
Received: from physical.graffiti.datacrest.com (physical.graffiti.datacrest.com [205.241.5.77])
Delivered-To: dok-cruciphux@dok.org
Received: (qmail 5532 invoked from network); 19 Sep 1999 18:45:25 -0000
Received: from basement.replay.com (HELO mail.replay.com) (194.109.9.44)
by physical.graffiti.datacrest.com with SMTP; 19 Sep 1999 18:45:25 -0000
Received: (from remailer@localhost) by mail.replay.com (8.9.2/8.9.2) id UAA28531;
Sun, 19 Sep 1999 20:44:57 +0200 (CEST)
Date: Sun, 19 Sep 1999 20:44:57 +0200 (CEST)
Message-Id: <199909191844.UAA28531@mail.replay.com>
From: Anonymous <nobody@replay.com>
Comments: This message did not originate from the Sender address above.
It was remailed automatically by anonymizing remailer software.
Please report problems or inappropriate use to the
remailer administrator at <abuse@replay.com>.
To: cruciphux@dok.org
You can Send in submissions for this section too if you've found a cool site...
anonymous email
-------------------------------------------------------------
Sent with AnonEmail at http://anonymouse.home.pages.de/
-=-
#2 http://lynx.neu.edu/z/zbrown/ug.html
From smog.cjb.net (remodelled, check it out!)
Origami is the art of "modelling" paper, erotism is the art of naked bodies. See these two
mix in Zak Brown Underground origami page. See the dollar bill vagina...etc
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Mass Defacement
By: L0rdMyst1cal
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/17/www.herreramedia.com
OS: NT
Domains:
www.tental.com
www.herreramedia.com
www.worldtek.net
www.danwebb.com
www.elixirs.com
www.brownsweb.com
www.jodo.com
www.voyagergroup.net
www.softwarepundits.com
www.crowe.org
www.mayhewandassoc.com
www.cruisinco.com
[--------------------------------------------------------------------SNIP
Uh oh...It seems we have a small security problem here..LoL.
This page is 0wned by L0rdM1stycal. AkA W4rl0rD
I am g0d.
h0 h0 h0 h0 naw, just kiddin, this site was h4x0r3d by santa clause....
How d0es it feel t0 be 0wned lewzer?
The fact of the matter happens to be, the newz and the press, and the government all get the wrong idea of what a hacker really is, it kinda makes me sick, i'm doing
this for edjucational perposes ONLY, and i'm doing it because it's fun, and i'm doing it because i'm smarter then you, but the main reason that i'm doing all this is
because i'm g0d, naw, just kidding, i'm actually doing it, because you IDIOTS out there have no idea what hacking really is. If i see this on the newz and i hear a
hacker did it, i'm going to hack 80 more pages, why? because what i just did isnt hacking, i diddn't delete anything, i diddn't fuck anything up, all they have 2 do is
re-upload index.html or index.htm whichever it happens to be on that particular server. The point is i CRACKED this page, i diddn't HACK it, you people need to
learn the difference between the 2, and stop badgering real hackers because of what some lamer did.
"This moment in history shall always be remembed, know thy name, but never know they face" -99 L0rdMyst1cal
[--------------------------------------------------------------------SNIP
Latest cracked pages courtesy of attrition.org
Last Updated: 09/16/99 at 14:30
The Nasdaq Stock Market Web page (www.nasdaq-amex.com)
Penghu Islands National Scenic Area, Republic Of China (www.tbrocph.gov.tw)
L'Association des maires de France (www.amf.asso.fr)
CompuCentre (www.compucentre.net.au)
The HITman (www.hitman.hm)
Elite Hangout (www.elitehangout.com)
#2 Ministry of Civil Service, Republic of China (www.mocs.gov.tw)
Taiwan Traffic Bureau, Republic Of China (www.tbrocecnsa.gov.tw)
Millennium Computers and Technology Center (www.scmctc.com)
Catholic Men (www.catholic-men.org)
National Guard Bureau (ngbsc2.ngb.army.mil)
Shop-With-Me Wines (wines.shopwithme.com)
Maos Realty (www.maosrealty.com)
Agape (www.agape.ne.jp)
Expoente (BR) (expoente.com.br)
Montelane (www.montelane.com)
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondants and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Finland ........http://hackunlimited.com/
Germany ........http://www.alldas.de/
http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa ...http://www.hackers.co.za
http://www.hack.co.za
http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...
Got a link for this section? email it to hwa@press.usmc.net and i'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]